Testimony of Terry C. Vickers Benzel

Vice President of Advanced Security Research

Network Associates, Inc.

Before the

House Committee on Science

"Cyber Security - How Can We Protect American Computer Networks from Attack: The Importance of Research and Development"

October 10, 2001

1 Introduction

Chairman Boehlert, Ranking Member Hall and Members of the Committee, thank you for inviting me to testify today on the role and importance of research and development in the protection of our nation's computer networks from cyber attacks. My name is Terry Benzel, and I am the Vice President of Advanced Security Research at Network Associates, Inc. I am honored to have the opportunity to be here today to discuss the action needed to protect our nation's computer networks from attack and how this Committee can help advance the research that is required to ensure that effective protection measures can be put in place.

From our Chairman, CEO and President, George Samenuk, and the more than 3,540 employees of Network Associates, I share with you and the American family our thoughts and prayers for all those affected by the tragic events of September 11th. And now, as the American response begins, we extend those thoughts to our men and women serving in the armed forces and to their families at home, including the employees of our company who have been called to active duty through the military reserve.

With headquarters in Santa Clara, Calif., Network Associates, Inc. is a leading supplier of network security and availability solutions for e-businesses. Our four product lines (McAfee, PGP Security, Sniffer Technologies, and Magic Solutions) deliver a complete range of security solutions, including anti-virus protection, firewalls, intrusion detection, encryption, and network and application management.

Network Associates is committed to working with industry and government to ensure the protection of our critical infrastructures, and our employees actively participate in a number of collaborative efforts to share our knowledge with others. In addition, we take part in numerous industry-led activities, including those of such leading associations as the Business Software Alliance (BSA) and the Information Technology Association of America (ITAA).

I am here today to share with you my perspectives on the importance of cyber-security research and development to the protection of our infrastructures. Within Network Associates, I serve as the Director of NAI Labs, an industry-leading security research and development organization with 120 dedicated staff in four research facilities throughout the United States. We were formerly Trusted Information Systems (or TIS), and have been contributing to network and information systems security since 1983. NAI Labs is a multi-discipline research organization with world-renowned expertise in the areas of network security, applied cryptographic technologies, secure execution environments, security infrastructure, adaptive network defenses, distributed systems security, and information assurance. Our research is supported by ongoing projects funded through the US Defense Advanced Research Projects Agency (or DARPA), Air Force, Navy, Army, National Security Agency, and other Department of Defense and government agencies. In addition to our prominent role in the security research community, all unclassified network and information systems research is shared with Network Associates' product development and support organizations in an effort to transfer research results to consumers.

In addition to my work with Network Associates, I come here today to share with you my experience working with two other collaborative organizations: the Security Research Alliance (SRA) and the Partnership for Critical Infrastructure Security (PCIS). Launched in 1999, the SRA is a vendor-neutral alliance of industry leaders focused on bringing security issues to industry at large from a purely research-driven perspective. Network Associates is joined in the SRA by Cisco Systems, Sun Microsystems, Lucent Technologies Bell Labs, BBN Technologies, Entrust Technologies, and GTE Government Systems. The Partnership for Critical Infrastructure Security is a collaborative effort of industry and Government to address risks and assure the delivery of essential services over the nation's critical infrastructures. I co-chair the PCIS Research and Development Working Group, tasked with identifying an R&D roadmap for critical infrastructure security.

Mr. Chairman, I'd like to commend you and the Members of this Committee for your leadership in holding today's hearing. While the attacks of September 11th were physical in nature, I believe they serve to underscore how important it is to understand the potential impact of a coordinated physical and cyber attack on the delivery of critical services to our citizens, and to help prepare the United States in advance.

The "What-Ifs?" of a physical and cyber-attack are many. "What if" the terrorists were also able to impact our communications system, thus hampering the rescue and recovery efforts? "What if" the attackers were able to compromise systems monitoring the water supply for Manhattan? "What if" power to parts of the northeast corridor could have been brought down through a cyber-attack on key systems? We must prepare now to prevent this from happening and ensure that technologies, plans and procedures are in place to prevent and respond to any future attack.

As the nation begins to regain its footing after the attacks on the World Trade Center, the Pentagon, and in Pennsylvania, we are poised to leverage a heightened awareness of our vulnerabilities into ongoing efforts to ensure continuous operation of our national critical infrastructures -- Energy, Financial Services, Transportation, Communications & Information Services and Vital Human Services.[1]

Stable and continuing operation of these interdependent sectors is vital to maintaining safety, public order and vital human services, as well as economic stability.

Fundamentally, we are facing the same R&D challenges as before the September attacks: the vulnerabilities, both cyber and physical, are the same, but our collective awareness of the reality of malicious intent towards the United States has changed, as has our awareness of the potentially immense consequences of a relatively small act. While concern is warranted and action is critical, it is certainly possible to compound our terror by overstating our vulnerabilities before we have a clear picture of our situation.

Our success will depend on unprecedented cooperation between and among private, quasi-private and public sector entities, and on an unrelenting focus on building our policies, assessments, strategies and actions on a powerful, flexible and comprehensive foundation of information security R&D. To understand how best to protect American computer networks from attack, therefore, we must dramatically increase our understanding of what kinds of attack we are vulnerable to, what systems are available and working, and what is missing.

2 How big is this issue and what are the priorities in information security R&D?

2.1 We know that we are vulnerable, but not how vulnerable.

A notable, but often overlooked, gap in our understanding is the extent of our computer network vulnerabilities. We know that we are vulnerable, but not how vulnerable.

Worse yet, by failing to understand the extent of the vulnerabilities and the reality of the interdependencies, we compound our risk - not only are networks vulnerable as such, but critical systems may be accessible through less critical systems and the relatively small vulnerabilities can be exploited to conduct simultaneous electronic and physical attacks. Have we overstated the threat or understated it? We just don't know.

Our R&D proposals will necessarily include developing appropriate assessment strategies and criteria, including identifying areas where good policies have been developed but are not yet in practice. This understanding can keep us from diverting R&D energy and resources from explorations of crucial outstanding areas. For example, as you have heard in recent GAO testimony on Aviation Security,[2] some security breaches result from an incomplete application of existing knowledge, such as incomplete deployment of existing technology or a lapse in following procedures. In these cases, we don't need to know anything new; we need to do something with what we already know.

Generally, our expertise in information technology and networking has outpaced our understanding of its effect on the integrity of our systems, and our understanding of how to prevent, contain or mitigate the damage from malicious cyber-attacks and from potentially devastating user errors and failures. We will not only need to "catch up," we will need to "keep up" with developments in information technology. There is much to explore.

2.2 Much Research, But Too Many Unknowns

There is a broad range of information security R&D being done and being considered to help protect our cyber systems from attack. But there are especially urgent areas for study that we have barely begun to investigate; as a result, we can only guess at the extent of our vulnerability. Terrorists are motivated to understand and study our vulnerabilities; we should be too. As we are now painfully aware, there are people in the world who are sufficiently motivated to look for our security vulnerabilities. Are we sufficiently motivated to do the same?

2.2.1 Focus this morning on highest priority types of attacks

This morning, I'd like to focus on what I see as the highest priority targets of attack, and the most significant threats. There are many kinds of threats and many kinds of systems at risk, but none are more critical than the computer systems and networks that control our nation's critical infrastructure (CI). And, as we shall see, the most significant threat to these CI systems is cyber-terrorism.

To do this we need to look both backward and forward. Look backward at practices, interdependencies and technologies: we need to know what is being done well, what is failing and what is not being done at all. And look forward at what can be improved and, even more critically, at how to develop a shared understanding of how to assess the vulnerabilities. To complete the challenge, all of this must be done across and among the five industry sectors, with an as yet uncounted number of private, public and quasi-public entities connected in an as yet unknown number of networks, with a range of practices, interdependencies and technologies.

2.2.2 Not just funding: congressional leadership is needed

We ask for your help in setting the agenda, disbursing funding and championing an unprecedented kind of collaboration within the CI industry, across sectors and including government agencies of all types. This will require a transformation quite like the one the intelligence community is currently undergoing: sharing information across decades-old, and sometimes centuries-old, organizational barriers. For this to be accomplished the leadership needs to come from the very top, just as the pressure for results is coming from your constituencies.

2.3 CI Systems and Cyber-Terrorism

CI systems are called critical precisely because of what happens if they are crippled by cyber-attacks, physical attacks or a combination of both.

2.3.1 Attack on CI systems devastating

If CI systems are successfully attacked, people will die, the nation's economy will be crippled and protective services systems will be weakened - fire, health, police, minimum essential services - all of the systems vital to public safety, domestic order and economic stability.

2.3.2 Critical Infrastructure protection and cyber-protection are interwoven

We cannot protect ourselves from cyber-terrorism without protecting these CIs, just as we cannot protect these CIs without protecting ourselves from cyber-terrorism.

The operations of our critical infrastructures have always been interrelated and are now increasingly interdependent: operations within each entity depend increasingly on that entity's information technology, and the entities are increasingly connected to one another over private networks and the public Internet.

Because of this vast interconnectedness, we know that the potential damage to our critical infrastructures - in the form of multiple, simultaneous, and cascading disruptions on a regional, national or international scale - is high.

Correspondingly high is the need to assess that potential by engaging in operational research of critical infrastructure providers' technical operations: not only of their control systems, but also of their other technical operations, at least far enough to determine the extent of their interdependence and the security requirements of their interfaces. We also know that sharing such sensitive information within and among the critical infrastructure sectors will pose a unique challenge.

What are critical infrastructure assets?

Critical Infrastructure assets are defined as assets essential to the functioning of the Energy, Financial Services, Transportation, Communications & Information Services and Vital Human Services sectors [3], i.e., the assets of those systems vital to maintaining safety, public order and vital human services, as well as economic stability.

Which systems are critical infrastructure systems?

In brief, CI systems are the control systems and any connected system that can modify control systems. Control systems are those that directly manage the assets or implement the services on a moment-to-moment basis, together with any system that the control systems depend on, that can modify the operation of control systems, or that has an indirect effect upon them. In some cases, CI systems may even include ordinary, Internet-connected workstations on the corporate LANs of infrastructure provider companies; all that is necessary is that the system has the ability to alter any of the control systems of a critical infrastructure.

Greatest national exposure to cyber-terrorism is a homeland attack, distinct from more ordinary cyber vandals, hackers and thieves

The most alarming scenario - and the one most likely to be the cause of multiple, simultaneous, and cascading disruptions on a regional, national or international scale -- is a combination physical and cyber attack made by adversaries with the same motivation and ruthlessness of those committing the attacks this September.

This form of attack is a direct attack on the U.S. homeland, and is distinct from the activities of ordinary vandals, thieves, "hacktivists," and other types of people who exploit information security vulnerabilities of many kinds on many types of systems.

2.4 What is at Stake?

The most pressing protection issue for information security today is preparing for the ability of cyber-terrorists to work in conjunction with physical terrorists. As an industry and a nation, we understand and are pursuing information security issues that will help us prevent, protect and mitigate damage to our critical infrastructures.

Here is an overview of the risk scenario as we understand it today.

• Terrorism can be more devastating.

• Threats to CI are more extensive.

• The fallout from cyber-assisted terror is far greater than that from well-known examples of cyber attack.

The addition of cyber attacks to a standard terrorist scenario could increase the effectiveness and success rate of physical assaults and increase instability, physical damage and casualties. As our systems, both electronic and operational, grow in complexity, interdependence and geographic reach, the risk of cascading damage and the vulnerability to attacks increase. The threat is more extensive. Each computer connected to the Internet can increase the risk, and the number just keeps growing.

It is relatively easy to imagine a terrorist developing a scenario that combined the September 11 attack with a cyber attack on the computers and networks of air traffic control radar, reducing our ability to track off-course airplanes and increasing the danger for other planes in the sky at the same time. Another combination-risk scenario would combine a cyber attack on water supply control systems with a chemical weapons attack: the attack on the control systems of the water supply could mask the effects of chemical or biological agents. It is worth noting that the fallout would be greater than that from viruses and worms that overload enterprise networks, or distributed denial of service attacks that cripple web sites.

While cyber-vandalism threats are significant and deserve attention including R&D, we know much about their damage potential and vulnerabilities. But are the vulnerabilities of CI systems sufficiently addressed? It is unlikely. We need to dramatically increase the magnitude and scope of R&D to include both the risks of "traditional" information security and to begin to address the investigation of the vulnerabilities of CI systems as a whole and the understanding of the real risk to our national security.

2.5 Urgent Challenges

I am concerned about four urgent challenges to InfoSec research and critical infrastructure. This committee can help in each case.

1. Critical Infrastructure Vulnerabilities

We need to assess the vulnerabilities of the nation's critical infrastructure systems. We lack a specific, accurate, complete understanding of the vulnerabilities of CI systems. One type of R&D not being performed now is the operations research needed for this assessment. Operations research should focus on a range of representative CI systems (real-world systems in operation today) to determine how current InfoSec technology and practices fit with those vulnerabilities, by answering these questions:

• How can current InfoSec be better used for remediation of vulnerabilities, to make our CI systems more resistant to attacks today?

• How can we define "standard" approaches to apply current InfoSec to CI systems?

• What are the limits of current InfoSec with respect to existing vulnerabilities and threats?

• What are the technical R&D efforts needed to address the gaps?

2. Difficult R&D Problems

There are some hard R&D problems that urgently need attention in order to understand what these gaps may be, and how to effectively address them once we've defined them.

• Interdependencies - Our nation's networks and systems, including but not limited to CI systems, have grown increasingly dependent on one another for correct operation. Within CI, it is not only the systems that are interdependent: each infrastructure area's delivery capability is logistically dependent on the others.

• Converged Networks - We have a new threat environment, with cascading effects on multiple information domains and the potential for widespread outages impacting what are traditionally seen as redundant, fault-tolerant sources.

• Control Systems - There is an alarming dearth of information security technology for the embedded control systems that are used pervasively, from manufacturing to power plants, throughout our CI systems and beyond.

3. R&D Information Sharing

Today's world of InfoSec R&D is sufficiently fragmented and uncoordinated that it is not feasible to do more than a partial and cursory attempt to catalog efforts, assess relevance to CI-related InfoSec needs, and determine priorities. Indeed, the whole notion of setting new priorities is beset with difficulties based in the organizational structure of current government funding of InfoSec research-as well as government-performed R&D and the largely unconnected world of corporate funded and executed InfoSec R&D. Consequently, there is a real need for R&D information sharing and collaboration on a new level.

4. CI Information Sharing

Similarly, there is a need for information sharing and collaboration within the world of CI operators. The required vulnerability assessment, much less actually securing our networked infrastructure from cyber attack (or even from accidents causing cascading damage), requires an unprecedented type of information sharing and collaboration with the CI industry, and between industry and government. Put simply, the CI industry has never before had a reason to share information and collaborate on security. Government may have a critical role in ensuring that effective collaboration develops in a timely manner.

3 Challenges

I'd like to elaborate on each of these challenging areas, and then make some suggestions about what this committee can do to help.

3.1 Hard Problems, Urgent Needs for New Research

Through Network Associates' work with the Partnership for Critical Infrastructure Security (PCIS), three challenge areas have been identified. These are: interdependency, converged networks, and control systems. These were identified as leading problem areas early on because of their criticality due to the scale of potential consequences of even partially successful attacks.

Control systems are at the heart of CI operations. While being the most significant asset (in terms of the impact and cost of a successful attack), control systems may also be highly dependent on other systems, as described above. And given the dearth of InfoSec R&D relevant to them, we really don't have an adequate understanding of either the applicability of current InfoSec to control systems, or the relevance of current R&D to the gaps pertinent to control systems. Likewise, given the increasing trend to converged networks, interdependencies and cascading attacks are a growing concern. Convergence ranges from data/telephony network convergence, to multi-company shared e-business computing, to CI providers' networks and computers interoperating with those of other CI providers.

All of these concerns come together because of various types of interdependencies. First, each infrastructure company has its own needs for infrastructure provided by other sectors, so a failure in one sector can cascade to other infrastructure sectors. For example, water supply companies depend on chemical supplies that are delivered by transportation systems; if those are disrupted by attack, the result can be supply shortages, degraded service, and increased risk. A second type of interdependency results from the fact that some infrastructure companies' computer systems regularly interact with the computing systems of others. As a result, each infrastructure company's computing systems are dependent on (regularly interact with, and are vulnerable to) the computing systems of other companies, both other infrastructure providers and other companies in supply chain or partner roles. All of these interfaces create multiple entry points for cyber attack, so that a cyber-attack on one company's systems can create opportunities for cascading cyber-attacks on others.

These interdependency issues cut across physical operations (delivery of infrastructure services), information sharing, and protection and response technology. In each aspect of interdependency there are exacerbating factors that make the R&D issues even more critical:

• Most existing InfoSec R&D may not be directly relevant to CI. The majority of traditional InfoSec research has been done in the context of TCP/IP networks only, and of standard commercial operating systems and software. Because control systems do not entirely share this technology base, current InfoSec may not be relevant to control systems specifically, or to CI systems and networks generally.

• Most current R&D is oriented to technology and practices that are common in the commercial world, and/or to the military's and government's use of the same COTS technology for different purposes.

• Existing InfoSec technology was developed with a single-owner/operator model. In practice, interdependent CI systems have dependencies and trust issues that span multiple operators' systems. Although these situations exist to some extent in more typical commercial computing, they are often treated not as technical issues but as business issues. In CI computing, however, the risk to one system of abuse from another is simply a risk that cannot be accepted. Although there is some limited "inter-enterprise security" research in extranets and e-commerce applications, which focuses on extending security perimeters in controlled ways, current InfoSec R&D is not targeted towards developing solutions to these interdependency issues.

In summary, if we are to address critical infrastructure protection, then we need to examine technology and research solutions to address security threats that arise from the interdependency of multiple owners, operators, sectors and technologies.

3.1.1 CI-Oriented InfoSec R&D

Although we are not yet in a position to identify all of the R&D needs of CI (due to the lack of vulnerability knowledge discussed above), there are some areas of InfoSec R&D that the R&D working group of the PCIS has identified as very likely to be relevant to CI needs.

• Inter-enterprise security. R&D is needed to overcome the single owner/operator model mentioned above. Only very recently have we started doing technical R&D on security for this type of complex inter-enterprise computing. Commercial practice (linking systems, sharing e-business infrastructure, supply chain management) has outstripped commercially available security technology and current research. There is plenty of room for technical R&D here.

• Anomaly-based security monitoring is a needed complement to current intrusion detection systems (IDS). Current IDS techniques are based on a technique familiar to users of anti-virus software: maintain and update a database of known attacks, and look for occurrences of a match with any of the items in the database. In the case of IDS, network traffic is monitored for a match with any of the known attack signatures. Anomaly-based monitoring, by contrast, is based on the notion of an existing policy, or set of rules, about what kinds of network traffic are permitted. Anything that is not specifically permitted is flagged as a potential security error or breach. Self-learning systems are an important capability, so that security systems can infer policies, and can modify policies when anomalies are deemed to be new behavior that is allowed. Inter-enterprise computing generally, and perhaps CI computing specifically, includes a more complex set of applications and dataflows than the Internet connections that are typically protected by IDS. As a consequence, policy-based anomaly detection is needed to build up and evolve the set of rules about what is permitted; the simple lack of a match with IDS signatures would not, alone, ensure that an inter-enterprise security policy is in force.

• Situation-specific security mechanisms are needed for real-time sharing of information on vulnerabilities and potential incidents. These needs derive from current efforts to build ISACs. An ISAC is an organization whose members are infrastructure operator companies in a CI sector, who are willing to share information about possible attacks, or sector-specific vulnerabilities for which countermeasures are available. Unlike public alert forums such as CERT, ISACs handle extremely sensitive information, both because of the sensitivity attached to the information by member companies, and because the information is of significant value to an attacker. Consequently, there are complex need-to-know issues and authorization requirements, and a need to use these to control inter-enterprise data flows to and through an ISAC. There are similar issues for ISAC-to-ISAC sharing across CI sectors, as well as for ISAC collaboration with public alert forums and the cyber components of homeland defense organizations.

Consequently, there is a need to develop both new technology and new standards and schemas for security usage to enable this type of information sharing. Also, without both basic and applied R&D on these issues, infrastructure provider companies may have significant security and privacy concerns that could be an impediment to otherwise desirable information sharing and collaboration (see Section 2.4).

• Data mining techniques for ex post facto audit and reduction of large amounts of security log data. Currently, large amounts of log data go unregarded because of the lack of tools to analyze them. If such tools were developed, an effective security posture would include audit log reduction and security analysis to discover well-camouflaged attacks in progress or lying dormant. In current commercial practice, many security incidents are discovered some time after the initial break-in occurs. While undesirable, this situation is accepted in business computing because the consequences of attacks do not often include a fundamental breakdown of the enterprise's ability to perform its mission. With CI systems, this is not the case. Furthermore, the current, typically costly and time-consuming approach to incident response is not likely to be workable for CI systems once an attack has been discovered. Again, much more effective data mining techniques will be required for analysis of an attack and determination of effective responses.

• Another part of incident response is recovery, including reconstitution of systems to a secure initial state, followed by backup/restore operations. Again a very costly part of current incident response, these operations could be greatly enhanced by large-scale, system-level checkpoint/rollback transaction technology covering entire system states, for rapid post-attack reconstitution. Such rapid reconstitution will be extremely important for CI systems, as an alternative to going back to square one and rebuilding entire systems from scratch.

• Analytic tools for modeling CI interdependencies are needed, first to model systems and dependencies, and then to plan logistical improvements that mitigate the scope of cascading effects of attack. While such tools can be very important for infrastructure operators to mitigate risks, there would also be substantial sector-wide and national-level benefit. Eventually we would need to model the entirety of the nation's CI systems of note, to identify nodes of interdependency and/or shared risk that create the greatest possibility for cascades. Such nodes represent the highest "degree of return" for an attacker's efforts, whether physical or cyber-terrorism or both.

These R&D areas are in addition to the needed operations research (described in Section 3.2 below) that will better define R&D needs as well as near-term priorities for vulnerability remediation.
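The contrast drawn above between signature matching and policy-based anomaly monitoring, as an added example that is not part of this testimony and is not code from any Network Associates product. The hostnames (hmi-1, historian, plc-7, corp-ws-42), ports, the two signature strings and the sample flows are constructed for the illustration; the point it shows is the last sentence of that item, that a flow with no signature match can still violate the inter-enterprise policy, and a permitted flow can still carry a known attack.

```python
# Added example (not from the testimony or any Network Associates product):
# a signature matcher beside a policy-based anomaly monitor, run over
# constructed connection records. Hostnames, ports and payloads are
# hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source host
    dst: str        # destination host
    dport: int      # destination port
    proto: str      # transport protocol
    payload: bytes  # first bytes of application data


# Signature database: byte patterns of known attacks (hypothetical entries).
SIGNATURES = {
    "mssql-xp_cmdshell": b"xp_cmdshell",
    "shell-spawn": b"/bin/sh",
}

# Inter-enterprise policy: the only (src, dst, dport, proto) tuples permitted
# between the HMI, the historian and the PLC. Anything else is an anomaly.
POLICY = {
    ("hmi-1", "plc-7", 502, "tcp"),
    ("historian", "plc-7", 502, "tcp"),
    ("hmi-1", "historian", 1433, "tcp"),
}

# Constructed sample traffic. Flow 1 is a normal-looking Modbus read, but from
# a corporate workstation the policy never permits; flow 2 is a permitted
# HMI-to-historian session carrying a SQL injection string.
MODBUS_READ = bytes.fromhex("000100000006010300000001")
SAMPLE_FLOWS = [
    Flow("hmi-1", "plc-7", 502, "tcp", MODBUS_READ),
    Flow("corp-ws-42", "plc-7", 502, "tcp", MODBUS_READ),
    Flow("hmi-1", "historian", 1433, "tcp", b"'; exec xp_cmdshell 'whoami' --"),
    Flow("historian", "plc-7", 502, "tcp", MODBUS_READ),
]


def signature_alerts(flows, signatures=SIGNATURES):
    """Signature IDS: (flow index, signature name) for every payload match."""
    alerts = []
    for i, f in enumerate(flows):
        for name, pattern in signatures.items():
            if pattern in f.payload:
                alerts.append((i, name))
    return alerts


def policy_alerts(flows, policy=POLICY):
    """Policy-based monitor: index of every flow not explicitly permitted."""
    return [i for i, f in enumerate(flows)
            if (f.src, f.dst, f.dport, f.proto) not in policy]


def learn_policy(baseline_flows):
    """Self-learning step: infer a permitted set from traffic seen during a
    trusted baseline period. Review it before enforcing: anything already
    compromised during the baseline would be learned as allowed."""
    return {(f.src, f.dst, f.dport, f.proto) for f in baseline_flows}


def verdicts(flows, signatures=SIGNATURES, policy=POLICY):
    """Per-flow view (index, matched signature or None, policy violation?)
    showing that the two detectors are complementary, not redundant."""
    sig_hits = {i: name for i, name in signature_alerts(flows, signatures)}
    pol_hits = set(policy_alerts(flows, policy))
    return [(i, sig_hits.get(i), i in pol_hits) for i in range(len(flows))]


if __name__ == "__main__":
    for i, sig, anomalous in verdicts(SAMPLE_FLOWS):
        f = SAMPLE_FLOWS[i]
        print(f"{f.src:>11} -> {f.dst}:{f.dport}  "
              f"signature={sig}  policy_violation={anomalous}")
```

Run as a script it prints one line per flow. The workstation-to-PLC read (flow 1) produces no signature alert at all and is caught only by the policy; the injection attempt (flow 2) is inside the policy and is caught only by the signature. `learn_policy` is the self-learning step the testimony describes, and the caveat in its docstring is the reason it should be reviewed before being enforced.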
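The interdependency modelling called for in the last item above, together with the definition of CI systems given in Section 2.3 (any system that can modify a control system, however indirectly, is itself a CI system), as an added example that is not the PCIS working group's model and not a tool of the testimony's author. The graph, its node names and the edge semantics ("a compromise or failure of a can alter or disrupt b") are assumptions constructed for the illustration.

```python
# Added example (not from the testimony or the PCIS working group): a small
# interdependency model over a constructed graph. Node names and edges are
# hypothetical.
from collections import deque

# Directed edge a -> b: a compromise or failure of a can alter or disrupt b.
AFFECTS = {
    "corp-vpn-gw":     ["corp-ws-42"],
    "corp-ws-42":      ["eng-workstation"],
    "eng-workstation": ["plc-7"],
    "hmi-1":           ["plc-7"],
    "plc-7":           ["water-pumps"],
    "substation-rtu":  ["power-feed"],
    "power-feed":      ["water-pumps", "telecom-switch"],
    "telecom-switch":  ["hmi-1", "911-dispatch"],
    "water-pumps":     [],
    "911-dispatch":    [],
}

# Control systems: the nodes that manage physical assets moment to moment.
CONTROL_SYSTEMS = {"plc-7", "substation-rtu"}


def reachable(graph, start):
    """Every node a failure or compromise at `start` can cascade to
    (transitive closure by breadth-first search, excluding start itself)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def reverse(graph):
    """Edge-reversed copy: b -> a for every a -> b."""
    rev = {n: [] for n in graph}
    for a, outs in graph.items():
        for b in outs:
            rev.setdefault(b, []).append(a)
    return rev


def ci_systems(graph, control_systems):
    """Section 2.3's definition: every control system plus every system that
    can reach (and so modify) one, however indirectly."""
    rev = reverse(graph)
    result = set(control_systems)
    for c in control_systems:
        result |= reachable(rev, c)
    return result


def rank_by_cascade(graph, control_systems):
    """(node, cascade size, control systems reached), largest cascade first.
    The top rows are the nodes of shared risk with the greatest return for an
    attacker, and therefore the first candidates for logistical mitigation."""
    rows = []
    for node in graph:
        cascade = reachable(graph, node)
        rows.append((node, len(cascade), len(cascade & control_systems)))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    print("CI systems:", sorted(ci_systems(AFFECTS, CONTROL_SYSTEMS)))
    for node, size, ctl in rank_by_cascade(AFFECTS, CONTROL_SYSTEMS):
        print(f"{node:>16}  cascade={size}  control systems reached={ctl}")
```

Two things the output makes visible that the prose only asserts: the corporate VPN gateway and workstation are CI systems by the Section 2.3 definition even though they manage no asset, because a path exists from them to the PLC; and the substation RTU, not the PLC, has the largest cascade, because the power feed it controls carries the telecom switch that the HMI depends on. Adding a redundant power feed for the telecom switch is the kind of "logistical improvement" the item above refers to, and re-running the ranking shows whether it actually shrinks the cascade.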

3.2 Critical Infrastructure Vulnerabilities

There is a pressing need for operations research to fill large and critical gaps in the information security community's understanding of the logistical and technological aspects of infrastructure operators' operations. The "facts on the ground today" are critical for assessing the vulnerability of our critical infrastructure to cyber-terrorism. At present, information about these vulnerabilities exists only as closely held information of those infrastructure operators that have performed any security assessment. And no one understands the vulnerabilities that are shared across companies and sectors. Because our nation's CI is operated by private CI operator companies, little is known about common vulnerabilities, or about shortcomings of existing InfoSec technology and practice. This is just one glaring example of the type of collaboration that is needed: collaboration between researchers in infrastructure operations and researchers in information security.

Some practical results of collaborative operations research would be:

        More precisely understand vulnerabilities.

        Determine effective near-term remediation with existing InfoSec technologies, products, practices, and procedures.

        Develop shared guidelines and standards for applying current InfoSec to CI systems.

        Develop shared criteria for assessing the adherence of CI systems to guidelines and standards.

        Define needs of CI security that are not met by current InfoSec technology and practices.

        Assess these unmet needs in terms of current R&D, and define the gaps in current R&D.

Note that these "standards" (guidelines for applying current InfoSec technology, recommended policy/procedures, assessment criteria, remediation guidelines, etc.) would be standard within a CI sector, or across CI providers generally.

However, without these "standards," individual CI companies will be very challenged to assess vulnerability, remediate, and identify tech gaps and practices gaps to be filled by R&D.

Public policy issues include questions about how to go about meeting these goals. How much effort is needed and appropriate to devote to achieving these goals? What is the government's role in articulating them and achieving them? What role does government have in creating motivation for acceptance and application of "standards" and R&D goals? How should infrastructure operators be held accountable for security?

3.3      R&D Information Sharing and Collaboration

 

The problems in addressing cyber security are too big for any one community to tackle. The challenges here go far beyond those that can be addressed through the traditional forms of government-sponsored R&D (both DOD and civilian), privately funded industry R&D, and university R&D. The threats are real and imminent. We cannot afford to engage in politics and territorial disputes over R&D arenas. Furthermore, the magnitude of R&D required to even begin to address this area dictates that we must work together to collaboratively develop solutions and to identify synergies between the various R&D communities.

3.3.1        Solutions to Cyber-Security R&D: Opportunities through Partnerships

We are not proposing incremental approaches; rather, we believe that it is imperative for all R&D stakeholders to embrace a completely unprecedented collaboration both within and across CI sectors to assess vulnerabilities today, establish standards, define gaps, and define R&D needs. Furthermore, this unprecedented level of collaboration must continue once research agendas are underway and throughout the full life cycle of R&D. We cannot afford to be less than vigilant in our steps towards understanding and addressing the ever-evolving set of threats in information security. This means that the critical infrastructure research community must become an integral part of steering and tracking information security R&D, in order to ensure that critical infrastructure needs are being articulated and addressed.

At this stage we see three stakeholders that must embrace a radically different approach to R&D and new forms of cooperation, collaboration, and information sharing:

         Federally funded R&D - both across agencies in terms of funding of contracted efforts and between agencies for internally funded and executed R&D.

         Privately funded R&D by Industry - Because most privately funded R&D is focused on next-generation products, we should expect to encounter barriers to information sharing and collaboration as corporations strive to protect their intellectual property. We encourage you to explore policy issues and develop new incentives for industry to share information and jointly pursue longer-term, less product-oriented R&D. We must be innovative and find ways for corporations to dedicate some of the nation's top brainpower towards solving problems for the greater good. Approaches might include corporate participation in consortia or the temporary assignment of key staff to a virtual think tank addressing these problems.

         University R&D - This group presents a mixed bag of government funded R&D (both state and Federal) and industry and university funded R&D. Here the challenge is not so much sharing of research (the many academic conferences and journals make the research available) but how to capitalize in a timely manner on these research results.

 

Over the past several years, NAI Labs has been a leader in developing new forms of collaboration and partnerships in critical infrastructure protection research. Many of these are fledgling efforts, but they can serve as examples and we should seek opportunities to enhance and duplicate these efforts.

3.3.2        Three Examples of Collaborative Partnerships

Partnership for Critical Infrastructure Security

The Partnership is a collaborative effort of industry and Government to address risks to the Nation's critical infrastructures and to assure the delivery of essential services over the nation's critical infrastructures. These infrastructures, identified in PDD-63, include:

        Energy

        Financial Services

        Transportation

        Communications and Information Services

        Vital Human Services, including Health, Safety, and Water

Federal Lead Agencies are currently building partnerships with individual infrastructure sectors in industry. The Partnership will serve as a forum in which to draw these individual efforts together to facilitate a dialogue on cross-sector interdependencies, explore common approaches and experiences, and engage other key professional and business communities that have an interest in infrastructure assurance. By doing so, the Partnership can raise awareness and understanding of these issues and, when appropriate, serve as a catalyst for action among the owners and operators of critical infrastructures, risk management and investment communities, and other members of the business community and state and local governments. The mission of the Partnership is to work with the Federal government to promote the critical infrastructure security of the United States by focusing on cross-industry sector issues.

The PCIS has five working groups:

         Interdependency Vulnerability Assessment

         Information Sharing, Awareness and Education

         Legislative and Public Policy Objectives

         R&D and Workforce Development

         Organization Issues/Public Private Cooperation

Many people from industry and government have worked long and hard to bring the Partnership into existence and each of the working groups is actively engaged in addressing requirements, plans and developing road maps. The Partnership is a leading example of the collaboration across a wide range of organizations. However, funding for the partnership is small and the majority of participants do so in a "volunteer" role in addition to their regular responsibilities within their organizations. In order for the Partnership to make substantial progress towards its ambitious goals in this challenging arena, new forms of funding and staffing need to be explored so that dedicated staff and funded projects can support the objectives of the organization.

 

Security Research Alliance (SRA)

The SRA is a professional scientific alliance pursuing advanced research efforts bearing on the future of network security and related technology.

Network Associates formed the Security Research Alliance in 1999. It is a vendor-neutral organization of commercial information security vendors, each of which has significant investments in the area of advanced security research. Charter members of the Alliance are BBN Technologies, Cisco Systems, Entrust Technologies, GTE, Lucent Technologies, Network Associates, and Sun Microsystems.

This group organized to form a true alliance between the research laboratories of major information security vendors. Each organization is actively engaged in forward-looking research that explores information security technologies and issues 2-5 years out. Unlike product-focused R&D efforts, advanced security research projects take a broader look at security technologies and look for better ways to overcome current limitations.

The group's primary objectives are threefold:

1. Better Communication of Research Findings to IT Community

2. Increase Likelihood of Transferring Research Findings into Commercial Solutions

3. Enhance Research Efforts through Collaborative Research and Peer Review

The Alliance seeks to improve communication of advanced security research findings to the IT community in order to provide the IT consumer with a longer-term view of technology. By doing so, it is believed that we can move the state of practice from a reactive stance to a more proactive stance. This objective is synergistic with the Alliance's second objective of increasing opportunities for technology transfer. Better-educated consumers will demand increasingly sophisticated solutions. All research suffers to some degree from challenges of technology transfer. Through collaboration on research projects, the Alliance aims to increase the likelihood that successful research findings will be transferred into commercial products. Alliance membership facilitates this process by sharing research findings, where appropriate. Ultimately, the Alliance believes these efforts will help to improve the overall quality of security products and technologies available to customers worldwide. Finally, the Alliance seeks to bring scientific discipline to the investigation of information security. Many researchers have backgrounds in mathematics and the hard sciences and well understand the value of peer review. However, because information security research is at such an early stage, little in the way of scientific discipline has yet evolved. The Alliance engages in peer review as a means of moving information security from an art to a science.

 

Army Research Labs, Collaborative Technology Alliance:

The Army Research Laboratory (ARL) is in the second phase of its innovative Collaborative Technology Alliance program. In its first phase, ARL created a new paradigm for Army research-a "federated laboratory." This new paradigm spanned the combination of government in-house, industry, and academic components striving together for excellence. ARL expanded and improved this concept with the creation of Collaborative Technology Alliances. These new alliances include five new programs focused on those technologies critical to transforming the Army, including aspects of information security and critical infrastructure research. The Army Research Laboratory's strategy is to continue exploiting commercial technology and expertise where it exists through the issuance of cooperative agreements and task order contracts.

The ARL CTAs are a set of programs covering 5 different technology areas: Advanced Sensors, Advanced Decision Architectures, Communications & Networks (C&N), Robotics, and Power & Energy.

NAI Labs is a member of the Communications & Networks (C&N) consortium led by Telcordia with industry teammates BAE Systems, Motorola, Network Associates, and BBN, and academic members University of Maryland, University of Delaware, Princeton University, the City College of New York, the Johns Hopkins University APL, Georgia Tech, Morgan State, and Clark Atlanta. NAI Labs has a lead role in developing efficient security services, including encryption and intrusion detection technologies, for these networks. Despite the military focus, the technology has great potential for transfer to the civilian world. The terms of the alliance recognize this and provide liberal intellectual property rights for consortium members encouraging rapid commercialization of research results.

3.3.3        Future Directions for Enhanced Partnership and Collaboration

Each of these demonstrates a different approach to partnership and collaboration: the PCIS, a true partnership of industry sectors and civilian government agencies; the SRA, an alliance of leading information technology vendors; and the ARL CTA, an alliance of government, industry and academia. Each still faces many challenges, among them funding, dedicated staff, and concerns around intellectual property. However, we believe that these can serve as first worked examples of R&D information sharing (as opposed to the vulnerability and incident information sharing done in the ISACs), partnerships and collaboration. It is vital to recognize, though, that as beneficial as these organizations are, they do not go far enough. They are a necessary, but not sufficient, first step towards addressing the national-level coordination and collaboration that is required to ensure adequate R&D today, tomorrow, and into the future to protect our critical infrastructure resources.

We specifically recommend that Congress develop new mandates and funding for unprecedented levels of collaboration. Such mandates must be motivated and encouraged through incentives that encourage new kinds of collaboration. All R&D in the critical infrastructure protection arena should include requirements for developing research alliances and leveraging the R&D of other research communities. All researchers should be directed to take a participatory approach to R&D. Furthermore, we recommend that all information security R&D funding organizations (public and private) and researchers participate in an ongoing national effort to catalog and track their efforts applicable to the critical infrastructure threat. In order to accomplish this, the Federal government must create incentives for broad public/private participation, between and among government agencies and through private collaboration consortia like the Security Research Alliance. This will require direct action to promote the urgent need for new collaboration and new approaches to policy in order to identify and eliminate barriers to collaboration within government and between government and private industry.

 

3.4      CI Information Sharing and Collaboration

 

The need for CI information sharing and collaboration is unprecedented but required in order to address the CI vulnerability issues described in Section 2.2, and to define effective R&D goals to drive the R&D collaboration described in Section 2.3. The need is for security collaboration both within the CI industry and between industry and government.

 

Just as the intelligence and law enforcement communities, after September 11, realized the inadequacy of current approaches to collaboration, CI players are realizing that neither comprehensive improvement in security nor the creation of an effective preparedness/response capability is possible without collaboration. Yet unlike intelligence and law enforcement, CI players have never had any significant motivation for collaboration, and indeed in many cases are competitors in a field of private, for-profit delivery of CI services.

 

The PCIS has started to build some collaborative structures, but is still in the early days of the work. Some degree of R&D gap analysis has been done (as described in Section 2.1.2), but clearly without any but the most general understanding of the InfoSec needs of actual CI systems as they are operated today. Work on those needs has been primarily focused on gaining a better understanding of the interdependency problems, and on considering how working groups can research the needs to address those problems, within the constraints of PCIS operation as a public/private consortium.

 

However, a much greater degree of collaboration is needed, as indicated by the following goals of the working group.

        Within and across sectors in the CI industry, perform pilot vulnerability assessments of representative systems.

        Share the results, work to define the specific needs for addressing CI vulnerabilities.

        Determine the extent to which current InfoSec can address those needs, and how to codify recommendations for doing so.

        Determine the extent to which current InfoSec is insufficient, define the specific technical and procedural InfoSec gaps.

        Define R&D needs

        Work honestly to flag unknowns, keep flexible and collaborative, yet strive to define "standards" that are useful tools for CI providers to improve security and identify R&D needs.

        The CI community must become an integral part of steering and tracking InfoSec R&D, and ensure that CI needs are being articulated and addressed in R&D, as defined in Section 2.3 above.

        The CI community must work with homeland defense to collaborate on requirements for detection, response, and recovery from attacks. This is a broad area with many issues relevant to the formation of ISACs, information sharing among ISACs, and information sharing with homeland defense.

 

Public Policy Issues: For many of these goals, there are important public policy issues, ranging from anti-trust concerns to concerns over development of new, unfunded mandates (similar to the decision that commercial airlines should not be compelled to operate heightened security measures without assistance and guidance).

 

4         What Can This Committee Do To Help?

Our call for congressional action falls into two areas in which this Committee's efforts can begin to be effective in the short term.

        Foster highest-impact R&D - spending and set direction

        Promote focus on CI protection - spending and set direction

4.1      Foster Highest-Impact R&D

This Committee can take immediate steps to ensure that R&D spending is focused on efforts of the highest impact in both the near and long term. High-impact R&D does not mean only near-term; rather, impact should be sought through innovative approaches towards bringing together distinct research teams to focus on common problems and understanding. Some suggested steps that the Committee can take to start to help are:

        Work towards mandate and funding for unprecedented collaboration

                i.      Include all InfoSec R&D funders/researchers in an effort to catalog and track efforts applicable to CI. Create incentives for broad public/private participation: government agencies and private collaboration consortia like SRA.

                ii.     Promote the urgent need for new collaboration.

                iii.    Identify and eliminate barriers to collaboration within government and between government and private industry.

        Help accelerate work of public and private organizations including public/private partnerships like PCIS, with groups working on R&D, interdependency, and public policy.

4.2      Focus on CI Protection

This Committee can foster a focus on CI protection by developing public policies that support CI protection:

        Promote Congressional action on public policy issues-both in creating new public policy and in eliminating public policy barriers (e.g., antitrust relief for collaboration with CI sectors).

        Create new agenda for CI InfoSec research, starting with operations research needed for vulnerability assessment and R&D gaps.

        Feed new R&D results into public policy evaluations.

        Use this evaluation information to set R&D priorities, redirect efforts, begin to set assessment criteria, best practices and priorities for future research. This must be an ongoing effort, as we work to fill the gaps in our knowledge about CI vulnerabilities and InfoSec technology gaps.

        Foster sharing of information between government/industry/university R&D work, while honoring and protecting legitimate competitive concerns. (Private IP rights are important to maintain benefits to the customer and rights to the developer, and to preserve the private incentive for R&D.)

 

4.2.1        New Mandate

Perhaps the most basic goal is funding and a mandate to accelerate CI vulnerability assessments, the resulting R&D gap analysis, and the subsequent R&D to fill the gaps. The resulting "standards" are needed for an improved security posture, while the R&D gap information is required to better direct R&D. Both are needed to overcome limits and gaps in current InfoSec, for guidance of government-funded research, and for aid in public/private advocacy of private R&D that is both infrastructure-critical and potentially strategic to the company funding the research.

 

Continuing the information security R&D that is currently underway is necessary but not sufficient. Current efforts provide a technology and knowledge base to draw on once a more complete picture of CI vulnerabilities is available. Thus, more research money (via NSF, NIST, NSA, DARPA, etc. for technical R&D in InfoSec) would be beneficial, but in parallel with this, we must work to assess CI vulnerability to determine needs.

 

 

5         Recommendations for Congressional Action

 

In light of the challenges I have just outlined, I respectfully offer to the Committee suggestions on five steps that this Committee and Congress can take in the area of cyber-security research and development.

1.      Ensure cyber-security is part of Homeland Security

As the new Office of Homeland Security begins to take shape and as the new Cabinet Secretary begins his role, I ask Congress to ensure that cyber-security is a part of our nation's approach to Homeland Security. While the events of September 11th were physical in nature, we must remember that protecting our doors but leaving open a cyber-window makes the American house vulnerable.

2.      Authorize a study of our nation's critical infrastructure vulnerabilities

As I have conveyed throughout this testimony, before we expand our R&D agenda, we must fully understand our critical infrastructure vulnerabilities. I ask this Committee to authorize and Congress to fund a rapid but thorough analysis of our vulnerabilities. The study should focus on bringing together the many analyses that already exist, while identifying needs for further study.

3.      Authorize increases in funds for technical R&D to leading departments and agencies

Currently, many departments and agencies throughout the Federal government are engaged in extensive R&D projects. I ask Congress to provide these agencies, such as NIST, DARPA, NSA, NSF and others, with expanded resources to conduct research to meet their own cyber-security needs.

4.      Improve coordination among government-funded R&D projects

While each Federal department and agency certainly needs to pursue projects for its own needs, Congress should work with them to ensure that plans and results are shared widely to avoid duplicative work and fully leverage the knowledge gained. From its oversight role, Congress can ensure that continued coordination takes place.

5.      Develop a new collaborative research mechanism

Within government, industry and academia, a tremendous amount of research is taking place. Yet, much of the results go unshared. I ask Congress to develop a collaborative mechanism to catalog and track efforts applicable to critical infrastructure and to create incentives for broad public/private participation.

6         Conclusion

 

Mr. Chairman, the opportunity to have a real impact on the cyber-security of our nation's critical infrastructures is tremendous. But doing so will require a strong commitment to research and development, for we cannot rely on today's solutions for tomorrow's challenges. We urge your Committee and Congress to continue putting energy into the R&D issues I have outlined. In return, I pledge to you our company's support to continue to work with government to identify our nation's R&D needs and conduct the research essential to ensure our nation's cyber-security.

I thank you again for the opportunity to testify here today, and I look forward to answering any questions the Committee may have.

 


