Testimony of Terry C. Vickers Benzel
Vice President of Advanced Security Research
Network Associates, Inc.
Before the House Committee on Science
"Cyber Security - How Can We Protect American Computer Networks from Attack: The Importance of Research and Development"
October 10, 2001
Chairman Boehlert, Ranking Member Hall and Members of the
Committee, thank you for inviting me to testify today on the role and
importance of research and development in the protection of our nation's
computer networks from cyber attacks. My name is Terry Benzel, and I am the
Vice President of Advanced Security Research at Network Associates, Inc. I am
honored to have the opportunity to be here today to discuss the action needed
to protect our nation's computer networks from attack and how this Committee
can help advance the research that is required to ensure that effective
protection measures can be put in place.
From our Chairman, CEO and President, George Samenuk, and the
more than 3540 employees of Network Associates, I share with you and the
American family our thoughts and prayers for all those affected by the tragic
events of September 11th. And now, as the American response begins,
we extend those thoughts to our men and women serving in the armed forces and
to their families at home, including the employees of our company who have been
called to active duty through the military reserve.
With headquarters in Santa Clara, Calif., Network Associates, Inc. is a leading supplier of network security and availability solutions for e-businesses. Our four product lines (McAfee, PGP Security, Sniffer Technologies, and Magic Solutions) deliver a complete range of security solutions, including anti-virus protection, firewalls, intrusion detection, encryption, and network and application management.
Network Associates is committed to working with industry
and government to ensure the protection of our critical infrastructures, and
our employees actively participate in a number of collaborative efforts to
share our knowledge with others. In addition, we take part in numerous
industry-led activities, including those of such leading associations as the
Business Software Alliance (BSA) and the Information Technology Association of
America (ITAA).
I am here today to share with you my perspectives on the
importance of cyber-security research and development to the protection of our
infrastructures. Within Network Associates, I serve as the Director of NAI Labs, an industry-leading security research and development organization with 120 dedicated staff in four research facilities throughout the United States. We were formerly Trusted Information Systems (or TIS), and have been contributing to network and information systems security since 1983. NAI Labs is a
multi-discipline research organization with world-renowned expertise in the
areas of network security, applied cryptographic technologies, secure execution
environments, security infrastructure, adaptive network defenses, distributed
systems security, and information assurance. Our research is supported by
ongoing projects funded through the US Defense Advanced Research Projects
Agency (or DARPA), Air Force, Navy, Army, National Security Agency, and other
Department of Defense and government agencies. In addition to our prominent role
in the security research community, all unclassified network and information
systems research is shared with Network Associates' product development and
support organizations in an effort to transfer research results to consumers.
In addition to my work with Network Associates, I come
here today to share with you my experience working with two other collaborative
organizations: the Security Research Alliance (SRA) and the Partnership for
Critical Infrastructure Security (PCIS). Launched in 1999, the SRA is a vendor-neutral alliance of industry leaders focused on bringing security issues to
industry at large from a purely research-driven perspective. Network Associates
is joined in the SRA by Cisco Systems, Sun Microsystems, Lucent Technologies
Bell Labs, BBN Technologies, Entrust Technologies, and GTE Government Systems.
The Partnership for Critical Infrastructure Security is a collaborative effort
of industry and Government to address risks and assure the delivery of
essential services over the nation's critical infrastructures. I co-chair the
PCIS Research and Development Working Group, tasked with identifying an R&D
roadmap for critical infrastructure security.
Mr. Chairman, I'd like to commend you and the Members of
this Committee for your leadership in holding today's hearing. While the
attacks of September 11th were physical in nature, I believe they
serve to underscore how important it is to understand the potential impact of a
coordinated physical and cyber attack on the delivery of critical services to
our citizens, and to help prepare the United States in advance.
The "What-Ifs?" of a physical and
cyber-attack are many. "What if" the terrorists were also able to impact our
communications system, thus hampering the rescue and recovery efforts? "What if"
the attackers were able to compromise systems monitoring the water supply for
Manhattan? "What if" power to parts of the northeast corridor could have been
brought down through a cyber-attack on key systems? We must prepare now to
prevent this from happening and ensure that technologies, plans and procedures
are in place to prevent and respond to any future attack.
As the nation begins to regain its footing
after the attacks on the World Trade Center, the Pentagon, and in Pennsylvania, we
are poised to leverage a heightened awareness of our vulnerabilities into
ongoing efforts to ensure continuous operation of our national critical
infrastructures -- Energy, Financial Services, Transportation,
Communications & Information Services and Vital Human Services.
Stable and continuing operation of these interdependent sectors is vital to maintaining safety, public order, and vital human services, as well as economic stability.
Fundamentally, we are facing the same R&D challenges as before the September attacks: the vulnerabilities, both cyber and physical, are the same, but our collective awareness of the reality of malicious intent towards the United States has changed, as has our awareness of the potentially immense consequences of a relatively small act. While concern is warranted and action is critical, it is certainly possible to compound our terror by overstating our vulnerabilities before we have a clear picture of our situation.
Our success will depend on unprecedented cooperation between and among the private, quasi-private and public sector entities, and an unrelenting focus on building our policies, assessments, strategies and actions on a powerful, flexible and comprehensive foundation of information security R&D. To understand how best to protect American computer networks from attack, therefore, we must dramatically increase our understanding of what kinds of attack we are vulnerable to, what systems are available and working, and what is missing.
2.1 We know that we are vulnerable, but not how vulnerable.
A notable, but often overlooked, gap in our
understanding is the extent of our computer network vulnerabilities. We know
that we are vulnerable, but not how vulnerable.
Worse yet, by failing to understand the extent of the vulnerabilities and the reality of the interdependencies, we compound our risk: not only are networks vulnerable as such, but critical systems may be accessible through less critical systems, and relatively small vulnerabilities can be exploited to conduct simultaneous electronic and physical attacks. Have we overstated the threat or understated it? We just don't know.
Our R&D proposals will necessarily include developing appropriate assessment strategies and criteria, including identifying areas where good policies have been developed but are not yet in practice. This understanding can keep us from diverting R&D energy and resources away from explorations of crucial outstanding areas. For example, as you have heard in recent GAO testimony on Aviation Security, some security breaches result from an incomplete application of existing knowledge, such as incomplete deployment of existing technology or a lapse in following procedures. In these cases, we don't need to know anything new; we need to do something with what we already know.
Generally, our expertise in information technology and networking has outpaced our understanding of its effect on the integrity of our systems, and our understanding of how to prevent, contain or mitigate the damage from malicious cyber-attacks and potentially devastating user errors and failures. We will not only need to "catch up," we will need to "keep up" with developments in information technology. There is much to explore.
2.2 Much Research, But Too Many Unknowns
There is a broad range of information security R&D being done and being considered to help protect our cyber systems from attack. But there are especially urgent areas for study that we have barely begun to investigate; as a result, we can only guess at the extent of our vulnerability. Terrorists are motivated to understand and study our vulnerabilities; we should be too. As we are now painfully aware, there are people in the world who are sufficiently motivated to look for our security vulnerabilities. Are we sufficiently motivated to do the same?
This morning, I'd like to focus on what I see as the highest priority targets of attack and the most significant threats. There are many kinds of threats and many kinds of systems at risk, but none are more critical than the computer systems and networks that control our nation's critical infrastructure (CI). And, as we shall see, the most significant threat to these CI systems is cyber-terrorism.
To do this we need to look both forward and backward. Look backward at practices, interdependencies and technologies: we need to know what is being done well, what is failing and what is not being done at all. And look forward at what can be improved and, even more critically, how to develop a shared understanding of assessing the vulnerabilities. To complete the challenge, all of this must be done across and among the five industry sectors, with an as yet uncounted number of private, public and quasi-public entities connected in an as yet unknown number of networks with a range of practices, interdependencies and technologies.
We ask for your help in setting the agenda, dispersing funding and championing an unprecedented kind of collaboration within the CI industry, across sectors and including government agencies of all types. This will require a transformation quite like what the intelligence community is currently undergoing: sharing information across decades-old, and sometimes centuries-old, organizational barriers. For this to be accomplished the leadership needs to come from the very top, just as the pressure for results is coming from your constituencies.
CI systems are called critical precisely because of what happens if they are crippled by cyber-attacks, physical attacks or a combination of both.
If CI systems are successfully attacked,
people will die, the nation's economy will be crippled and protective services
systems will be weakened - fire, health, police, minimum essential services -
all of the systems vital to public safety, domestic order and economic
stability.
We cannot protect ourselves from cyber-terrorism without protecting these CIs, just as we cannot protect these CIs without protecting ourselves from cyber-terrorism.
Always interrelated, the operations of our critical infrastructures are increasingly interdependent: operations within each entity are increasingly dependent on its information technology, and entities are increasingly connected to one another over private networks and the public Internet.
Because of this vast interconnectedness, we
know that the potential damage to our critical infrastructures - in the form of
multiple, simultaneous, and cascading disruptions on a regional, national or
international scale - is high.
Correspondingly high is the need to assess that potential by engaging in operational research of critical infrastructure providers' technical operations: not only their control systems, but also their other technical operations, at least far enough to determine the extent of their interdependence and the security requirements of their interfaces. We also know that sharing such sensitive information within and among the critical infrastructure sectors will pose a unique challenge.
What are critical infrastructure assets?
Critical Infrastructure assets are defined as assets essential to the functioning of the Energy, Financial Services, Transportation, Communications & Information Services and Vital Human Services sectors [3], i.e., the assets of those systems vital to maintaining safety, public order, and vital human services, as well as economic stability.
Which systems are critical infrastructure systems?
In brief, CI systems are the control systems and any connected system that can modify control systems. Control systems are those that directly manage the assets or implement the services on a moment-to-moment basis, as well as any system that the control systems depend on, or which can modify the operation of control systems, or have an indirect effect upon them. In some cases, CI systems may even include ordinary, Internet-connected workstations on the corporate LANs of infrastructure provider companies; all that is necessary is that the system has the ability to alter any of the control systems of a critical infrastructure information system (IS).
Greatest national exposure to cyber-terrorism is a homeland attack, distinct from more ordinary cyber vandals, hackers and thieves
The most alarming scenario - and the one
most likely to be the cause of multiple, simultaneous, and cascading
disruptions on a regional, national or international scale -- is a combination
physical and cyber attack made by adversaries with the same motivation and
ruthlessness of those committing the attacks this September.
This form of attack is a direct attack on the U.S. homeland, and is distinct from the activities of ordinary vandals, thieves, "hacktivists," and other types of people who exploit information security vulnerabilities of many kinds on many types of systems.
The most pressing protection issue for
information security today is preparing for the ability of cyber-terrorists to
work in conjunction with physical terrorists. As an industry and a nation, we
understand and are pursuing information security issues that will help us
prevent, protect and mitigate damage to our critical infrastructures.
Here is an overview of the risk scenario as we understand it today.
· Terrorism can be more devastating.
· Threats to CI are more extensive.
· The fallout from cyber-assisted terror is far greater than well-known examples of cyber attack.
The addition of cyber attacks to a standard terrorist scenario could increase the effectiveness and success rate of physical assaults and increase instability, physical damage and casualties. As our systems, both electronic and operational, become more complex and interdependent and grow in geographic reach, the risk of cascading damage and the vulnerability to attacks increase. The threat is more extensive: each computer connected to the Internet can increase the risk, and it just keeps growing.
It is relatively easy to imagine a terrorist developing a scenario that combined the September 11 attack with a cyber attack on the computers and networks of air traffic control radar, reducing our ability to track off-course airplanes and increasing the danger for other planes in the sky at the same time. Another combination-risk scenario would combine a cyber attack on water supply control systems with a chemical weapons attack; the attack on the water supply's control systems could mask the effects of chemical or biological agents. It is worth noting that the fallout would be greater than that from viruses and worms that overload enterprise networks, or distributed denial of service attacks that cripple web sites.
While cyber-vandalism threats are significant
and deserve attention including R&D, we know much about their damage
potential and vulnerabilities. But are the vulnerabilities of CI systems
sufficiently addressed? It is unlikely. We need to dramatically increase the
magnitude and scope of R&D to include both the risks of "traditional"
information security and to begin to address the investigation of the
vulnerabilities of CI systems as a whole and the understanding of the real risk
to our national security.
2.5 Urgent Challenges
I am concerned about four urgent challenges
to InfoSec research and critical infrastructure. This committee can help in
each case.
1. Critical Infrastructure Vulnerabilities
We need to assess the vulnerabilities of the nation's critical infrastructure systems. We lack a specific, accurate, complete understanding of the vulnerabilities of CI systems. One type of R&D not being performed now is the operations research needed for this assessment. Operations research should focus on a range of representative CI systems (real-world systems in operation today) to determine how current InfoSec technology and practices fit with those vulnerabilities, by answering these questions:
· How can current InfoSec be better used for remediation of vulnerabilities, to make our CI systems more resistant to attacks today?
· How can we define "standard" approaches to apply current InfoSec to CI systems?
· What are the limits of current InfoSec with respect to existing vulnerabilities and threats?
· What are the technical R&D efforts needed to address the gaps?
2. Difficult R&D Problems
There are some hard R&D problems that urgently need attention in order to understand what these gaps may be, and how to effectively address them once we've defined them.
· Interdependencies - Our nation's networking and systems, including but not limited to CI systems, have grown increasingly dependent on one another for correct operation. Within CI, it is not only the systems that are interdependent, but each infrastructure area's delivery capability is logistically dependent on others.
· Converged Networks - We have a new threat environment, with cascading effects on multiple information domains and the potential for widespread outages impacting what are traditionally seen as redundant, fault-tolerant sources.
· Control Systems - There is an alarming dearth of information security technology for the embedded control systems that are used pervasively, from manufacturing to power plants, throughout our CI systems and beyond.
3. R&D information sharing
Today's world of InfoSec R&D is sufficiently
fragmented and uncoordinated that it is not feasible to do more than a partial
and cursory attempt to catalog efforts, assess relevance to CI-related InfoSec
needs, and determine priorities. Indeed, the whole notion of setting new
priorities is beset with difficulties based in the organizational structure of
current government funding of InfoSec research-as well as government-performed
R&D and the largely unconnected world of corporate funded and executed
InfoSec R&D. Consequently, there is a real need for R&D information
sharing and collaboration on a new level.
4. CI information sharing
Similarly, there is a need for information sharing and collaboration within the world of CI operators. The required vulnerability assessment, much less actually securing our networked infrastructure from cyber attack (or even from accidents causing cascading damage), requires an unprecedented type of information sharing and collaboration with the CI industry, and between industry and government. Put simply, the CI industry has never before had a reason to share information and collaborate on security. Government may have a critical role in ensuring that effective collaboration develops in a timely manner.
I'd like to elaborate on each of these challenging areas,
and then make some suggestions about what this committee can do to help.
Through Network Associates' work with the Partnership for
Critical Infrastructure Security (PCIS), three challenge areas have been
identified. These are: interdependency, converged networks, and control
systems. These were identified as leading problem areas early on because of
their criticality due to the scale of potential consequences of even partially
successful attacks.
Control systems are at the heart of CI operations. While
being the most significant asset (in terms of impact and cost of successful
attack), control systems may also be highly dependent on other systems, as
described above. And given the dearth of InfoSec R&D relevant to them, we
really don't have an adequate understanding of either the applicability of
current InfoSec to control systems, or the relevance of current R&D to gaps
pertinent to control systems. Likewise, given the increasing trend to converged networks, interdependencies and cascading attacks are a growing concern. Convergence ranges from data/telephony network convergence to multi-company shared e-business computing to CI providers' networks and computers interoperating with those of other CI providers.
All of these concerns come together because of various
types of interdependencies. First, each infrastructure company has its own
needs for infrastructure provided by other sectors, so failure in one sector
can cascade effects to other infrastructure sectors. For example, water supply
companies depend on chemical supplies that are delivered by transportation
systems that, if disrupted by attack, can lead to supply shortages, degraded
service, and increased risk. A second type of interdependency results from the fact that some infrastructure companies' computer systems regularly interact with the computing systems of others. As a result, each infrastructure company's
computing systems are dependent on (regularly interact with, are vulnerable to)
the computing systems of other companies, both other infrastructure providers
and other companies in supply chain or partner roles. All of these interfaces
create multiple entry points for cyber attack, so that a cyber-attack on one
company's systems can create opportunities for cascading cyber-attack on
others.
These interdependency issues cut across physical
operations (delivery of infrastructure services), information sharing, and
protection and response technology. In each aspect of interdependency there are
exacerbating factors that make the R&D issues even more critical:
· Most existing InfoSec R&D may not be directly relevant to CI. The majority of traditional InfoSec research has been done in the context of TCP/IP networks only, and standard commercial operating systems and software. Because control systems do not entirely share this technology base, current InfoSec may not be relevant to control systems specifically, or to CI systems and networks generally.
· Most current R&D is oriented to technology and practices that are common in the commercial world, and/or to the military's and government's use of the same COTS technology for different purposes.
· Existing InfoSec technology was developed with a single-owner/operator model. In practice, interdependent CI systems have dependencies and trust issues that span multiple operators' systems. Although these situations exist to some extent in more typical commercial computing, they are often not treated as technical issues but rather as business issues. In CI computing, however, the risk that one system can be abused through another is simply a risk that cannot be accepted. Although there is some limited "inter-enterprise security" research in extranets and e-commerce applications, which focuses on extending security perimeters in controlled ways, current InfoSec R&D is not targeted towards developing solutions to these interdependency issues.
In summary, if we are to address critical infrastructure
protection, then we need to examine technology and research solutions to
address security threats that arise from the inter-dependency of multiple
owners, operators, sectors and technology.
3.1.1 CI-Oriented InfoSec R&D
Although we are not yet in a position to identify all of the R&D needs of CI (due to the lack of vulnerability knowledge discussed above), there are some areas of InfoSec R&D that the R&D working group of the PCIS has identified as very likely to be relevant to CI needs.
· Inter-enterprise security. R&D is needed to overcome the single owner/operator model mentioned above. Only very recently have we started doing technical R&D on security for this type of complex inter-enterprise computing. Commercial practice (linking systems, sharing e-business infrastructure, supply chain management) has outstripped commercially available security technology and current research. There is plenty of room for technical R&D here.
· Anomaly-based security monitoring is a needed complement to current intrusion detection systems (IDS). Current IDS techniques are based on a technique familiar to users of anti-virus software: maintain and update a database of known attacks, and look for occurrences of a match with any of the items in the database. In the case of IDS, network traffic is monitored for a match with any of the known attack signatures. Anomaly-based monitoring, by contrast, is based on the notion of an existing policy, or set of rules, about what kinds of network traffic are permitted. Anything that is not specifically permitted is flagged as a potential security error or breach. Self-learning systems are an important capability, so that security systems can infer policies, and can modify policies when anomalies are deemed to be new behavior that is allowed. Inter-enterprise computing generally, and perhaps CI computing specifically, includes a more complex set of applications and dataflows than the Internet connections that are typically protected by IDS. As a consequence, policy-based anomaly detection is needed to build up and evolve the set of rules about what is permitted; the simple lack of a match of IDS signatures would not, alone, ensure that an inter-enterprise security policy is in force.
· Situation-specific security mechanisms are needed for real-time sharing of information on vulnerability and potential incidents. These needs would derive from current efforts to build ISACs. An ISAC is an organization whose members are infrastructure operator companies in a CI sector, who are willing to share information about possible attacks, or sector-specific vulnerabilities for which countermeasures are available. Unlike public alert forums such as CERT, ISACs handle extremely sensitive information, both because of the sensitivity attached to the information by member companies, and because the information is of significant value to an attacker. Consequently, there are complex need-to-know issues, authorization requirements, and the need to use them to control inter-enterprise data flows to and through an ISAC. There are similar issues for ISAC-to-ISAC sharing, across CI sectors, as well as ISAC collaboration with public alert forums and cyber components of homeland defense organizations.
Consequently, there is a need to develop both new
technology and new standards and schemas for security usage to enable this type
of information sharing. Also, without both basic and applied R&D on these
issues, infrastructure provider companies may have significant security and
privacy concerns that could be an impediment to otherwise desirable information
sharing and collaboration (see Section 2.4).
· Data mining techniques for ex post facto audit and reduction of large amounts of security log data. Currently, large amounts of log data go unregarded because of the lack of tools to analyze them. However, if such tools were developed, an effective security posture would include audit log reduction and security analysis to discover well-camouflaged attacks in progress or lying dormant. In current commercial practice, many security incidents are discovered some time after the initial break-in occurs. While undesirable, this situation is acceptable in business computing because the consequences of attacks do not often include a fundamental breakdown of the enterprise's ability to perform its mission. With CI systems, this is not the case. Furthermore, the current, typically costly and time-consuming, approach to incident response is not likely to be workable for CI systems when an attack has been discovered. Again, much more effective data mining techniques will be required for analysis of an attack and determination of effective responses.
· Another part of incident response is recovery, including reconstitution of systems to a secure initial state, followed by backup/restore operations. Again a very costly part of current incident response, these operations could be greatly enhanced by large-scale system-level checkpoint/rollback transaction technology for entire system states for rapid post-attack reconstitution. Such rapid reconstitution will be extremely important for CI systems, as an alternative to going back to square one and rebuilding entire systems from scratch.
· Analytic tools for modeling CI interdependencies are needed to first model systems and dependencies, and then plan logistical improvements to mitigate the scope of cascading effects of attack. While such tools can be very important for infrastructure operators to mitigate risks, there would also be substantial sector-wide and national-level benefit. Eventually we would need to model the entirety of the nation's CI systems of note, to identify nodes of interdependency and/or shared risk that create the greatest possibility for cascades. Such nodes represent the highest "degree of return" for an attacker's efforts, whether physical or cyber-terrorism or both.
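The contrast drawn above between signature matching and policy-based anomaly monitoring, as an added Python example that is not from the testimony or from any Network Associates product; the flows, signatures and rules are constructed, and the learn/accept steps are a deliberately simple stand-in for the self-learning the text mentions.

```python
"""Signature matching beside default-deny policy monitoring.

Added illustration, not code from the testimony or from Network Associates.
All flows, signatures and policy rules below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    dport: int          # destination port
    proto: str          # "tcp" or "udp"
    payload: bytes = b""


# Constructed stand-in for a signature database of known attack patterns.
SIGNATURES = {
    "dir-traversal": b"../../",
    "shell-probe": b"/bin/sh",
}


def signature_alerts(flows):
    """Signature model: alert only when a payload matches a known attack."""
    return [(f, name) for f in flows
            for name, pat in SIGNATURES.items() if pat in f.payload]


@dataclass(frozen=True)
class Rule:
    """An explicit permission: src network -> dst network on dport/proto."""
    src_net: str
    dst_net: str
    dport: int
    proto: str

    def matches(self, f):
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and f.dport == self.dport and f.proto == self.proto)


class Policy:
    """Default-deny: anything not explicitly permitted is flagged."""

    def __init__(self, rules=()):
        self.rules = set(rules)

    def permits(self, f):
        return any(r.matches(f) for r in self.rules)

    def anomaly_alerts(self, flows):
        return [f for f in flows if not self.permits(f)]

    def learn(self, baseline):
        """Self-learning: infer host-level rules from a vetted baseline window."""
        for f in baseline:
            self.rules.add(Rule(f.src + "/32", f.dst + "/32", f.dport, f.proto))
        return self

    def accept(self, f):
        """An analyst judged a flagged flow to be new, allowed behaviour."""
        self.rules.add(Rule(f.src + "/32", f.dst + "/32", f.dport, f.proto))


# Constructed baseline: traffic seen on a control network during a vetted period.
BASELINE = [
    Flow("10.1.0.5", "10.2.0.10", 502, "tcp"),     # HMI -> PLC (Modbus/TCP)
    Flow("10.1.0.5", "10.2.0.20", 20000, "tcp"),   # HMI -> RTU (DNP3)
    Flow("10.1.0.6", "10.2.0.10", 502, "tcp"),
]

# Constructed monitoring window: one quiet deviation and one noisy one.
OBSERVED = [
    Flow("10.1.0.5", "10.2.0.10", 502, "tcp"),                           # normal
    Flow("192.168.7.44", "10.2.0.10", 502, "tcp"),                       # corporate LAN host reaching a PLC
    Flow("10.1.0.5", "10.3.0.2", 80, "tcp", b"GET /../../etc/passwd"),   # matches a signature
]


def compare(baseline, observed):
    """Return (signature alerts, policy anomalies) for the same window."""
    policy = Policy().learn(baseline)
    return signature_alerts(observed), policy.anomaly_alerts(observed)


if __name__ == "__main__":
    sig, anom = compare(BASELINE, OBSERVED)
    print("signature alerts:", [(f.src, n) for f, n in sig])
    print("policy anomalies:", [(f.src, f.dst, f.dport) for f in anom])
```

The signature pass sees only the noisy flow; the policy pass also flags the quiet corporate-LAN flow to the PLC, which carries no known pattern at all.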
These R&D areas are in addition to the needed operations research (described in Section 2.2 below) that will better define R&D needs as well as near-term priorities for vulnerability remediation.
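The interdependency modeling called for in the last bullet of the list above, as an added Python example that is not from the testimony or the PCIS working group; the sectors, requirements and providers form a constructed toy model, a node fails when every alternative provider of one of its requirements has failed, and blast radius counts the other nodes a single disruption cascades into.

```python
"""Cascade analysis over a constructed critical-infrastructure dependency model.

Added illustration, not code or data from the testimony. Each record reads
(dependent, requirement, provider): the dependent fails when every provider
of one of its requirements has failed, so alternative providers add resilience.
"""
from collections import defaultdict

# Constructed model; sector names and links are illustrative only.
DEPS = [
    ("chlorine_supply", "delivery", "rail_transport"),
    ("water_treatment", "chemicals", "chlorine_supply"),
    ("water_treatment", "electricity", "power_grid"),
    ("rail_transport", "electricity", "power_grid"),
    ("telecom", "electricity", "power_grid"),
    ("emergency_911", "connectivity", "telecom"),
    ("hospital", "water", "water_treatment"),
    ("hospital", "electricity", "power_grid"),
    ("hospital", "electricity", "backup_generators"),  # alternative provider
]


def build(deps):
    """Map dependent -> {requirement -> set of alternative providers}."""
    req = defaultdict(lambda: defaultdict(set))
    for dependent, requirement, provider in deps:
        req[dependent][requirement].add(provider)
    return req


def nodes(deps):
    """Every sector that appears as a dependent or a provider."""
    return {n for dependent, _, provider in deps for n in (dependent, provider)}


def cascade(req, seeds):
    """Fixed-point propagation: the full set of nodes that fail given `seeds`."""
    failed = set(seeds)
    changed = True
    while changed:
        changed = False
        for node, requirements in req.items():
            if node in failed:
                continue
            # A requirement is lost only when all of its alternatives are down.
            if any(providers <= failed for providers in requirements.values()):
                failed.add(node)
                changed = True
    return failed


def rank_by_blast_radius(deps):
    """Nodes ordered by how many other nodes their loss takes down."""
    req = build(deps)
    return sorted(((len(cascade(req, {n})) - 1, n) for n in nodes(deps)),
                  reverse=True)


def mitigation_gain(deps, extra_dep, seed):
    """How many fewer nodes fail from `seed` after adding one alternative provider."""
    before = len(cascade(build(deps), {seed}))
    after = len(cascade(build(deps + [extra_dep]), {seed}))
    return before - after


if __name__ == "__main__":
    for radius, node in rank_by_blast_radius(DEPS):
        print(f"{node:18s} takes down {radius} other node(s)")
    trucking = ("chlorine_supply", "delivery", "truck_transport")
    print("adding trucking as a chlorine delivery alternative saves",
          mitigation_gain(DEPS, trucking, "rail_transport"), "node(s)")
```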
There is a pressing need for operations research to fill large and critical gaps in the information security community's understanding of the logistical and technological aspects of infrastructure operators' operations. The "facts on the ground today" are critical for assessing the
vulnerability of our critical infrastructure to cyber-terrorism. At present,
information about these vulnerabilities exists only as closely held information
of those infrastructure operators that have performed any security assessment.
And no one understands the vulnerabilities that are shared across companies and sectors. Because our nation's CI is operated by private CI operator companies, little is known about common vulnerabilities, or shortcomings of existing InfoSec technology and practice. This is just one glaring example of the type of collaboration that is needed: collaboration between researchers in infrastructure operations and researchers in information security.
Some practical results of collaborative operations research would be:
· More precisely understand vulnerabilities.
· Determine effective near-term remediation with existing InfoSec technologies, products, practices, and procedures.
· Develop shared guidelines and standards for applying current InfoSec to CI systems.
· Develop shared criteria for assessing the adherence of CI systems to guidelines and standards.
· Define needs of CI security that are not met by current InfoSec technology and practices.
· Assess these unmet needs in terms of current R&D, and define the gaps in current R&D.
Note that these "standards" (guidelines for applying
current InfoSec technology, recommended policy/procedures, assessment criteria,
remediation guidelines, etc.) would be standard within a CI sector, or across
CI providers generally.
However, without these "standards,"
individual CI companies will be very challenged to assess vulnerability,
remediate, and identify tech gaps and practices gaps to be filled by R&D.
Public policy issues include
questions about how to go about meeting these goals. How much effort is needed
and appropriate to devote to achieving these goals? What is the government's
role in articulating them and achieving them? What role does government have in
creating motivation for acceptance and application of "standards" and R&D
goals? How should infrastructure operators be held accountable for security?
The problems in addressing cyber security
are too big for any one community to tackle. The challenges here go far beyond
those that can be addressed through traditional forms of government-sponsored
R&D (both DOD and civilian), privately funded industry R&D, and university
R&D. The threats are real and imminent. We cannot afford to engage in
politics and territorial disputes over R&D arenas. Furthermore, the
magnitude of R&D required to even begin to address this area dictates that
we must work together to collaboratively develop solutions and to identify
synergies between the various R&D communities.
3.3.1 Solutions to Cyber-Security R&D: Opportunities through Partnerships
We are not proposing incremental approaches,
rather we believe that it is imperative for all R&D stakeholders to embrace
a completely unprecedented collaboration both in and across CI sectors to
assess vulnerabilities today, establish standards, define gaps, and define
R&D needs. Furthermore, this unprecedented level of collaboration must
continue once research agendas are underway and throughout the full life cycle
of R&D. We cannot afford to be less than vigilant in our steps towards
understanding and addressing the ever-evolving set of threats in information
security. This means that the critical infrastructure research community must
become an integral part of steering and tracking information security R&D,
in order to ensure that critical infrastructure needs are being articulated and
addressed.
At this stage we see three stakeholders that
must embrace a radically different approach to R&D and new forms of
cooperation, collaboration, and information sharing:
§ Federally funded R&D - both across agencies in
terms of funding of contracted efforts and between agencies for internally
funded and executed R&D.
§ Privately funded R&D by industry - Because most
privately funded R&D is focused on next-generation products, we should
expect to encounter barriers to information sharing and collaboration as corporations
strive to protect their intellectual property. We encourage you to explore
policy issues and develop new incentives for industry to share information and
jointly pursue longer-term, less product-oriented R&D. We must be
innovative and find ways for corporations to dedicate some of the nation's top
brainpower towards solving problems for the greater good. Approaches might
include corporate participation in consortia or the temporary assignment of
key staff to a virtual think tank addressing these problems.
§ University R&D - This group presents a mixed bag of
government-funded R&D (both state and Federal) and industry- and university-funded
R&D. Here the challenge is not so much the sharing of research (the many
academic conferences and journals make the research available) but how to
capitalize in a timely manner on these research results.
Over the past several years, NAI Labs has
been a leader in developing new forms of collaboration and partnerships in
critical infrastructure protection research. Many of these are fledgling
efforts, but they can serve as examples and we should seek opportunities to
enhance and duplicate these efforts.
3.3.2 Three Examples of Collaborative Partnerships
Partnership for Critical Infrastructure Security
The Partnership is a collaborative effort of
industry and Government to address risks to the Nation's critical
infrastructures and to assure the delivery of essential services over the
nation's critical infrastructures. These infrastructures, identified in PDD-63,
include:
· Energy
· Financial Services
· Transportation
· Communications and Information Services
· Vital Human Services, including Health, Safety, and Water
Federal Lead Agencies are currently building
partnerships with individual infrastructure sectors in industry. The
Partnership will serve as a forum in which to draw these individual efforts
together to facilitate a dialogue on cross-sector interdependencies, explore
common approaches and experiences, and engage other key professional and
business communities that have an interest in infrastructure assurance. By
doing so, the Partnership can raise awareness and understanding of, and
serve, when appropriate, as a catalyst for action among, the owners and
operators of critical infrastructures, risk management and investment
communities, and other members of the business community and state and local
governments. The mission of the Partnership is to work with the Federal
government to promote the critical infrastructure security of the United States
by focusing on cross-industry sector issues.
The PCIS has five working groups:
§ Interdependency Vulnerability Assessment
§ Information Sharing, Awareness and Education
§ Legislative and Public Policy Objectives
§ R&D and Workforce Development
§ Organization Issues/Public Private Cooperation
Many people from industry and government
have worked long and hard to bring the Partnership into existence, and each of
the working groups is actively engaged in addressing requirements and plans and in
developing road maps. The Partnership is a leading example of collaboration
across a wide range of organizations. However, funding for the Partnership is
small, and the majority of participants serve in a "volunteer" role in addition
to their regular responsibilities within their organizations. In order for the
Partnership to make substantial progress towards its ambitious goals in this
challenging arena, new forms of funding and staffing need to be explored so
that dedicated staff and funded projects can support the objectives of the
organization.
Security Research Alliance (SRA)
The SRA is a professional scientific alliance
pursuing advanced research efforts bearing on the future of network security
and related technology.
Network Associates formed the Security
Research Alliance in 1999. It is a vendor-neutral organization of commercial
information security vendors, each of which has significant investments in the
area of advanced security research. Charter members of the Alliance are BBN
Technologies, Cisco Systems, Entrust Technologies, GTE, Lucent Technologies,
Network Associates, and Sun Microsystems.
This group organized to form a true alliance
between the research laboratories of major information security vendors. Each
organization is actively engaged in forward-looking research that explores
information security technologies and issues 2-5 years out. Unlike product-focused
R&D efforts, advanced security research projects take a broader look at
security technologies and look for better ways to overcome current
limitations.
The group's primary objectives are
threefold:
1. Better communication of research findings to the IT community
2. Increased likelihood of transferring research findings into commercial solutions
3. Enhanced research efforts through collaborative research and peer review
The Alliance seeks to improve communication
of advanced security research findings to the IT community in order to provide
the IT consumer with a longer-term view of technology. By doing so it is
believed that we can move the state of practice from a reactive stance to a
more proactive stance. This objective is synergistic with the Alliance's second
objective of increasing opportunities for technology transfer. Better-educated
consumers will demand increasingly sophisticated solutions. All research
suffers to some degree from the challenges of technology transfer. Through
collaboration on research projects, the Alliance aims to increase the
likelihood that successful research findings will be transferred into
commercial products. Alliance membership facilitates this process by sharing
research findings, where appropriate. Ultimately, the Alliance believes these
efforts will help to improve the overall quality of security products and
technologies available to customers worldwide. Finally, the Alliance seeks to
bring scientific discipline to the investigation of information security. Many
researchers have backgrounds in mathematics and the hard sciences and well
understand the value of peer review. However, because information security
research is still at a very early stage, little in the way of scientific discipline has
yet evolved. The Alliance engages in peer review as a means of moving
information security from an art to a science.
Army Research Laboratory, Collaborative Technology Alliance
The Army
Research Laboratory (ARL) is in the second phase of its innovative
Collaborative Technology Alliance program. In its first phase, ARL created a new paradigm for Army research: a
"federated laboratory." This new paradigm spanned the combination of government
in-house, industry, and academic components striving together for excellence.
ARL expanded and improved this concept with the creation of Collaborative Technology Alliances.
These new alliances include five new programs focused on those technologies
critical to transforming the Army, including aspects of information security
and critical infrastructure research. The Army Research Laboratory's strategy
is to continue exploiting commercial technology and expertise where it exists
through the issuance of cooperative agreements and task order contracts.
The ARL
CTAs are a set of programs covering five different technology areas: Advanced
Sensors, Advanced Decision Architectures, Communications & Networks
(C&N), Robotics, and Power & Energy.
NAI Labs
is a member of the Communications & Networks (C&N) consortium led by
Telcordia with industry teammates BAE Systems, Motorola, Network Associates,
and BBN, and academic members University of Maryland, University of Delaware,
Princeton University, the City College of New York, the Johns Hopkins
University APL, Georgia Tech, Morgan State, and Clark Atlanta. NAI Labs has a lead
role in developing efficient security services, including encryption and
intrusion detection technologies, for these networks. Despite the military
focus, the technology has great potential for transfer to the civilian world.
The terms of the alliance recognize this and provide liberal intellectual
property rights for consortium members encouraging rapid commercialization of
research results.
3.3.3 Future Directions for Enhanced Partnership and Collaboration
Each of these demonstrates a different
approach to partnership and collaboration: the PCIS, a true partnership of
industry sectors and civilian government agencies; the SRA, an alliance of
leading information technology vendors; and the ARL CTA, an alliance of
government, industry and academia. Each still faces many challenges, among them
funding, dedicated staff, and concerns around intellectual property. However,
we believe that these can serve as first worked examples of R&D
information sharing (as opposed to the vulnerability and incident information sharing
done in the ISACs), partnerships and collaboration. It is vital to recognize,
though, that as beneficial as these organizations are, they do not go far
enough. They are a necessary, but not sufficient, first step towards addressing
the national-level coordination and collaboration that is required to ensure
adequate R&D today, tomorrow, and into the future to protect our critical
infrastructure resources.
We specifically recommend that Congress
develop new mandates and funding for unprecedented levels of collaboration.
Such mandates must be motivated and encouraged through incentives that
encourage new kinds of collaboration. All R&D in the critical
infrastructure protection arena should include requirements for developing
research alliances and leveraging the R&D of other research communities. All
researchers should be directed to take a participatory approach to R&D.
Furthermore, we recommend that all information security R&D funding
organizations (public and private) and researchers participate in an ongoing
national effort to catalog and track their efforts applicable to the critical
infrastructure threat. In order to accomplish this, the Federal government must
create incentives for broad public/private participation, between and among
government agencies and through private collaboration consortia like the
Security Research Alliance. This will require direct action to promote the
urgent need for new collaboration and new approaches to policy in order to
identify and eliminate barriers to collaboration within government and between
government and private industry.
3.4 CI Information Sharing and Collaboration
The need for
CI information sharing and collaboration is unprecedented but required in order
to address the CI vulnerability issues described in Section 2.2, and to define
effective R&D goals to drive the R&D collaboration described in Section
2.3. The need is for security collaboration both within the CI industry and
between industry and government.
Just as the
intelligence and law enforcement communities, after September 11, realized the
inadequacy of current approaches to collaboration, CI players are realizing
that neither comprehensive improvement in security nor creating an effective
preparedness/response capability is possible without collaboration. Yet unlike
intelligence and law enforcement, CI players have never had any significant
motivation for collaboration-and indeed in many cases are competitors in a
field of private for-profit delivery of CI services.
The PCIS has
started to build some collaborative structures, but is still in the early days
of the work. Some degree of R&D gap analysis has been done (as described in
Section 2.1.2), but clearly without any but the most general understanding
of the InfoSec needs of actual CI systems as they are operated today. Work on
those needs has been primarily focused on gaining a better understanding of the
interdependency problems, and on considering how working groups can research the
needs to address those problems, within the constraints of PCIS operation as a
public/private consortium.
However, a
much greater degree of collaboration is needed, as indicated by the following
goals of the working group.
· Within and across sectors in the CI industry, perform
pilot vulnerability assessments of representative systems.
· Share the results, and work to define the specific needs
for addressing CI vulnerabilities.
· Determine the extent to which current InfoSec can
address those needs, and how to codify recommendations for doing so.
· Determine the extent to which current InfoSec is
insufficient, and define the specific technical and procedural InfoSec gaps.
· Define R&D needs.
· Work honestly to flag unknowns, keep flexible and
collaborative, yet strive to define "standards" that are useful tools for CI
providers to improve security and identify R&D needs.
· The CI community must become an
integral part of steering and tracking InfoSec R&D, to ensure that CI needs
are being articulated and addressed in R&D, as defined in Section 2.3
above.
· The CI community must work with
homeland defense to collaborate on requirements for detection, response,
and recovery from attacks. This is a broad area with
many issues relevant to the formation of ISACs, to information sharing with ISACs and with
homeland defense.
Public Policy Issues:
For many of these goals, there are important public policy issues, ranging from
anti-trust concerns to concerns over development of new, unfunded mandates
(similar to the decision that commercial airlines should not be compelled to
operate heightened security measures without assistance and guidance).
Our call for congressional
action falls into two areas in which this Committee's efforts can begin to
be effective in the short term.
· Foster highest-impact R&D - spending and set direction
· Promote focus on CI protection - spending and set direction
This Committee can take immediate steps to ensure that R&D
spending is focused on efforts of the highest impact in both the near and
long term. High-impact R&D does not mean only near-term; rather, impact
should be sought through innovative approaches towards bringing together
distinct research teams to focus on common problems and understanding. Some
suggested steps that the Committee can take to start to help are:
· Work towards a mandate and funding for unprecedented collaboration
i. Include all InfoSec R&D funders/researchers in cataloging and tracking efforts applicable to
CI. Create incentives for broad public/private participation: government
agencies and private collaboration consortia like SRA.
ii. Promote the urgent need for new collaboration
iii. Identify and eliminate barriers to collaboration within
government and between government and private industry
· Help accelerate the work of public and private
organizations, including public/private partnerships like PCIS, with groups
working on R&D, interdependency, and public policy.
This Committee
can foster a focus on CI protection by developing public policies that support
CI protection:
· Promote Congressional action on public policy issues, both
in creating new public policy and in eliminating public policy barriers
(e.g., antitrust relief for collaboration within CI sectors).
· Create a new agenda for CI InfoSec research, starting
with the operations research needed for vulnerability assessment and R&D gaps.
· Feed new R&D results into public policy evaluations.
· Use this evaluation information to set R&D
priorities, redirect efforts, and begin to set assessment criteria, best practices
and priorities for future research. This must be an ongoing effort, as we work
to fill the gaps in our knowledge about CI vulnerabilities and InfoSec
technology gaps.
· Foster sharing of information between
government/industry/university R&D work, while honoring and protecting
legitimate competitive concerns. (Private IP rights are
important to maintain benefits to the customer and rights to the developer, and to preserve
the private incentive for R&D.)
4.2.1 New Mandate
Perhaps the
most basic goal is funding and a mandate to accelerate CI
vulnerability assessments, the resulting R&D gap analysis, and the subsequent
R&D to fill the gaps. The resulting "standards" are needed for an improved
security posture, while the R&D gap information is required to better
direct R&D. Both are needed to overcome limits and gaps in current InfoSec,
for guidance of government-funded research, and for aid in public/private
advocacy of private R&D that is both infrastructure-critical and
potentially strategic to the company funding the research.
Continuing the information security
R&D that is currently underway is necessary but not sufficient. Current
efforts provide a technology and knowledge base to draw on once a more complete
picture of CI vulnerabilities is being developed. Thus, more research money (via
NSF, NIST, NSA, DARPA, etc. for technical R&D in InfoSec) would be
beneficial, but in parallel with this, we must
work to assess CI vulnerability to determine needs.
In light of the challenges I have just outlined, I
respectfully offer to the Committee suggestions on five steps that this Committee
and Congress can take in the area of cyber-security research and development.
1. Ensure cyber-security is part of Homeland Security
As the new Office of Homeland Security begins to take shape
and as the new Cabinet Secretary begins his role, I ask Congress to ensure that
cyber-security is a part of our nation's approach to Homeland Security. While
the events of September 11th were physical in nature, we must
remember that protecting our doors but leaving open a cyber-window makes the
American house vulnerable.
2. Authorize a study of our nation's critical infrastructure vulnerabilities
As I have conveyed throughout this testimony, before we expand
our R&D agenda, we must fully understand our critical infrastructure
vulnerabilities. I ask this Committee
to authorize, and Congress to fund, a rapid but thorough analysis of our
vulnerabilities. The study should focus on bringing together the many analyses
that already exist, while identifying needs for further study.
3. Authorize increases in funds for technical R&D to leading departments and agencies
Currently, many departments and agencies throughout the
Federal government are engaged in extensive R&D projects. I ask Congress to
provide these agencies, such as NIST, DARPA, NSA, NSF and others, with expanded
resources to conduct research to meet their own cyber-security needs.
4. Improve coordination among government-funded R&D projects
While each Federal department and agency certainly needs to
pursue projects for its own needs, Congress should work with them to ensure that
plans and results are shared widely to avoid duplicative work and fully
leverage the knowledge gained. From its oversight role, Congress can ensure
that continued coordination takes place.
5. Develop a new collaborative research mechanism
Within government, industry and academia, a tremendous amount
of research is taking place. Yet, much of the results go unshared. I ask
Congress to develop a collaborative mechanism to catalog and track efforts
applicable to critical infrastructure and to create incentives for broad
public/private participation.
6 Conclusion
Mr. Chairman, the opportunity to have a real impact on the
cyber-security of our nation's critical infrastructures is tremendous. But
doing so will require a strong commitment to research and development, for we
cannot rely on today's solutions for tomorrow's challenges. We urge your
Committee and Congress to continue putting energy into the R&D issues I
have outlined. In return, I pledge to you our company's support to continue to
work with government to identify our
nation's R&D needs and conduct the research essential to ensure our
nation's cyber-security.
I thank you again for the opportunity to testify here
today, and I look forward to answering any questions the Committee may have.