U.S. HOUSE OF REPRESENTATIVES
HEARING CHARTER

Cyber Security—How Can We Protect American Computer Networks from Attack?

Wednesday, October 10, 2001
10:00 a.m. – Noon
2318 Rayburn House Office Building

1. Purpose

On Wednesday, October 10, 2001 at 10:00 a.m. the House Committee on Science will hold a hearing to examine the vulnerability of our nation’s computer infrastructure as well as research-related challenges and opportunities facing the nation’s computer networks. Testifying before the committee will be witnesses representing industry, academia, government, and non-profit organizations. Witnesses will comment on gaps in research and education in the computer security field. Since most of the information infrastructure in the United States is owned and controlled by the private sector, witnesses will also comment on ways to encourage collaborative approaches to shoring up our ability to predict, prevent, and mitigate attacks.

2. Background

The terrorist attacks of September 11, 2001 brought into stark relief the nation’s physical and economic vulnerability to attack within our borders. The relative ease with which terrorists were able to implement their plans serves as a pointed reminder of the need to identify critical ‘soft spots’ in the nation’s defenses. Among the nation’s vulnerabilities are our computer and communications networks, on which the country’s economic and critical infrastructures for finance, transportation, energy and water distribution, and health and emergency services depend. The existence of these vulnerabilities has called into question the extent to which the nation’s technological research programs, educational system, and interconnected operations are able to meet the challenge of cyber warfare in the 21st century. The Los Angeles Times in a recent editorial emphasized the importance of meeting this challenge: "A cyberterrorist attack would not carry the same shock and carnage of September 11. But in this information age…one could be more widespread and just as economically destructive.”

Vulnerabilities of the National Information Infrastructure

The Internet serves as a powerful mechanism for collaboration and interaction between individuals, regardless of geographic location. The Internet has proven to be a tremendous success – connecting more than 100 million computers and growing – far outstripping its designers’ wildest expectations. The Internet was not originally designed to control power systems, connect massive databases of medical records or connect millions of home appliances or automobiles, yet today it serves these functions. It was not designed to run critical safety systems but it now does that as well. We now heavily rely on an open network of networks, so complex that no one person, group or entity can describe it, model its behavior or predict its reaction to adverse events.

The porous fabric of the nation’s network infrastructure leaves open the constant possibility of cyber attack. Attacks can take several forms, including: defacement of web sites and other electronically stored information in the United States and other countries to spread disinformation and propaganda; distributed denial of service attacks, which use unprotected “zombie” computers anywhere as conduits for wide-scale distribution of destructive worms and viruses throughout the computer network; and unauthorized intrusions and sabotage of systems and networks belonging to the U.S. and allied countries, potentially resulting in critical infrastructure outages and corruption of vital data.

Along with the increase in network usage come more frequent security problems. Carnegie Mellon University’s CERT® Coordination Center, which serves as a reporting center for Internet security problems, received 1,090 vulnerability reports last year, more than double the number of the previous year. In the first half of 2001, CERT received 1,151 reports with at least 2,000 reports expected by the end of the year. Similarly the number of specific incidents reported to CERT has grown from about 1,300 in 1993 to more than 21,000 in 2000. CERT estimates that this may represent only about 20% of the incidents that actually have occurred.

The recent wide-scale attack by the so-called “Nimda” worm is one example of a technique that modifies web documents and certain executable files found on the systems it infects, and then creates numerous copies of itself under various file names. This followed attacks by “Code Red”, “Code Red II” and “SirCam”, which affected millions of personal, commercial and government computer users, shut down web sites, slowed Internet service, and disrupted business and government operations, causing billions of dollars of damage.

Interdependence of Critical Infrastructures

The power of the Internet lies not only in its power as a communications tool but also in its ability to link other systems together in ways that vastly improve their productivity and efficiency. Nowhere has this been more evident than in the linking together of our nation’s critical infrastructures.[1] Critical infrastructures include electric power, natural gas and petroleum production and distribution, telecommunications (information and communications), transportation, water supply, banking and finance, emergency and government services, agriculture, and other systems and services critical to the security, economic prosperity, and social well-being of the nation. These critical infrastructures are now highly interconnected and mutually dependent in complex ways, both physically and through a host of cyber technologies.

In order to better understand our vulnerabilities to cyber terrorism and understand the potential consequences of cyber attacks, the Internet must no longer be studied solely as a separate system but also as one of a network of interdependent critical infrastructures. While some research is being done to better understand the threats to the Internet itself, little has been done to assess and project the dramatic or subtle impact that these threats may have on other critical infrastructures.

These problems are not hypothetical. While not the result of a cyber attack, the 1998 failure of the Galaxy 4 communications satellite disrupted the use of 90% of the nation’s pagers and disrupted credit card purchases and ATM transactions. The failure also disrupted the communications of health care providers and emergency workers.

Information Warfare Simulations—“Eligible Receiver”

In 1997, the U.S. conducted an information warfare exercise that illustrated some of the implications of infrastructure interdependence. Known as Eligible Receiver, the scenario depicted a rogue state attempting to attack vulnerable U.S. information systems. A “Red Team” comprised of 35 National Security Agency computer specialists used off-the-shelf technology and software to simulate attacks against power and communications networks in Oahu, Los Angeles, Colorado Springs, St. Louis, Chicago, Detroit, Washington, D.C., Fayetteville, and Tampa. According to the Congressional Research Service, it is generally believed that government (including unclassified military computer networks) and commercial sites were easily attacked and penetrated. Air Force Major General John H. Campbell, U.S. Space Command, commander of the DoD Joint Task Force—Computer Network Defense, wrote that the exercise “clearly demonstrated our lack of preparation for a coordinated cyber and physical attack on our critical military and civilian infrastructure.” Officials familiar with the exercise later said that Eligible Receiver showed in “real terms how vulnerable the transportation grid, the electricity grid, and others are to an attack by people using conventional equipment.”

Underlying Causes of the Nation’s Vulnerability to Cyber Attack

There are several underlying reasons for the national information infrastructure’s vulnerability. The problems, and therefore the solutions, are not only technical but also involve human factors. Network users too often fail to implement readily available, relatively simple security precautions: installation of up-to-date anti-virus software, use of passwords that cannot be easily stolen, and application of intrusion-detection software. In fact, workplace and user community training in basic security procedures may be the weakest link in the cyber security chain. Even the best technological tools are ineffective if they are not used because they are too difficult to manage or are perceived as overly inconvenient.

However, weaknesses in the current state of research and development in the cyber security arena are also a significant factor contributing to the vulnerability of the nation’s information infrastructure. While a number of information technology companies support R&D on network security, some inadequacies in our security arsenal cannot be addressed solely through short-term industry-based applied research. Instead, industry relies on the fundamental research supported by the federal government and the training of future researchers—computer scientists, mathematicians, and many others—that these federally funded research programs support. Unfortunately, with the possible exception of encryption-related research, cyber security research is under-funded and basic research into the fundamental technological cyber security challenges is not robust enough to support the nation’s needs. Many experts believe that as a result of these historic funding patterns there are only 45 to 75 researchers in the country with the experience and expertise needed to conduct cutting-edge research in cyber security.

To put this in perspective, a computer science department at a single research university may have 60 or more faculty members. This shortage of personnel is not merely a problem for the academic and research community. Federal agencies are finding it increasingly difficult to recruit and hire professional staff with the knowledge and experience needed to analyze risks and manage and secure their own computer networks. The National Science Foundation, with encouragement from the National Security Council, established in July 2000 a scholarship for service program designed to increase the number of students becoming part of the Federal Cyber Service of information technology specialists who ensure the protection of the federal information infrastructure. NASA has requested scholarship for service authority to recruit students with expertise in computer science and other technical fields. Other agencies are pursuing similar authority.

Federal Responses to Possible Cyber Attack

Presidential Decision Directive 63 (PDD 63). On May 22, 1998, President Clinton issued Presidential Decision Directive 63 (PDD-63), which called for a national effort to assure the security of the increasingly vulnerable and interconnected infrastructure of the United States, especially cyber-based infrastructure. These infrastructures include telecommunications, banking and finance, energy, transportation, water systems, and essential government services. The directive required the federal government to immediately assess the vulnerabilities of the nation’s computer-based systems and remedy deficiencies, and to produce a detailed plan to protect critical infrastructures and defend against information warfare. It ordered the federal government to serve as a model to the rest of the country for how infrastructure protection is to be attained, and called for joint public-private action to protect critical infrastructures. The directive set 2003 as the target date for full implementation of a “reliable, interconnected, and secure information infrastructure.”

While largely relying on individual federal agencies and departments to oversee internal critical infrastructure improvement, the directive also created a number of new organizations aimed at improving the nation’s ability to prevent, detect, and respond to breaches of information security. Among these are the:

· National Coordinator for Security, Critical Infrastructure and Counter Terrorism, which, as part of the White House’s National Security Council, oversees national policy development and implementation for critical infrastructure protection.
· Critical Infrastructure Assurance Office (CIAO), an interagency office housed at the Department of Commerce that works to integrate assurance plans from each critical infrastructure sector (e.g., energy, telecommunications, finance and banking) into a single national plan, assist agencies in identifying their reliance on critical infrastructures, and coordinate a national education and awareness program.
· National Infrastructure Protection Center (NIPC), an interagency office at the FBI that serves as a threat assessment center focusing on threat warnings, vulnerabilities, and law enforcement. The NIPC includes representatives from the FBI, Department of Defense, U.S. Secret Service, intelligence agencies and other government agencies.
· Information Sharing and Analysis Centers (ISACs), which serve as mechanisms for gathering, analyzing, and, where appropriate, disseminating information to and from infrastructure centers and the NIPC. The ISACs include industry representatives from sectors such as information and communications; banking and finance; energy; and transportation.

However, despite the development of this strategy, a recent General Accounting Office report concluded that PDD-63 has yet to yield significant progress, in part because of funding constraints and because agencies are not yet aware of the applicability of PDD-63 to their own agency security requirements.

Information sharing between the government, the private sector and academia on critical infrastructure does occur through other means not originally mandated by PDD-63. An important example of public-private partnership in the law enforcement sector is the New York Electronic Crimes Task Force, led by the United States Secret Service. The Task Force includes major stakeholders in the nation’s cyber-infrastructure – industry, academia, law enforcement and government laboratories. According to recent testimony to the House Judiciary Committee, Crime Subcommittee, by Mr. James A. Savage, Jr. of the Secret Service, “[T]he task force provides a productive framework and collaborative crime-fighting environment in which the resources of its participants can be combined to effectively and efficiently make a significant impact on electronic crimes.”

Office of Homeland Security. The attacks of September 11 and the heightened expectation of future terror attacks, whether cyber-mediated or more conventional, have elevated concerns of national security to a new level. Reflecting this, on September 20, 2001 President Bush announced the creation of an Office of Homeland Security, a cabinet-level organization now headed by former Pennsylvania Governor Tom Ridge. The office will coordinate 40 federal agencies and departments and oversee everything from the interaction between the FBI and the CIA in developing and using intelligence to the interaction between governors and state agencies to prepare for potential attacks. While details of its organizational structure and budgetary authority remain unclear, the President yesterday appointed Richard Clarke, formerly the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism at the National Security Council, Special Advisor for Cyberspace Security. Dr. Clarke will coordinate interagency efforts to secure information systems and, in the event of a disruption, coordinate efforts to restore critical systems. Dr. Clarke will also serve as chairman of a government-wide board that will coordinate the protection of critical information systems. The President is expected to sign an Executive Order soon establishing the board.

The creation of a Homeland Security Office had been recommended by a blue-ribbon panel chartered by Congress and co-chaired by former Senators Gary Hart and Warren Rudman, which reported its recommendations just over two years ago. The panel, which had been asked to examine national security threats in the post-Cold War world, recommended that a “Homeland Security Agency” be formed with broad powers that would coordinate the efforts of existing agencies such as the Federal Emergency Management Agency, Customs Service, Border Patrol and Coast Guard. The panel identified cyber security threats as serious and called current efforts to prevent attacks and generate a prompt response to any future attacks “uneven at best.”

Another panel, the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction, or the “Gilmore Commission,” was chartered in 1998 by the FY 99 National Defense Authorization Act (P.L. 105-261) and is expected to release its latest report on antiterrorism, part of which is expected to address cybersecurity issues.

Federal Cyber Security Research Efforts

Office of Science and Technology Policy. PDD-63 made the White House’s Office of Science and Technology Policy, through the National Science and Technology Council, responsible for developing research and development efforts related to national security. Eight Federal R&D priorities were subsequently identified:

· Establishment of an Institute for Information Infrastructure Protection;
· Education and training of research personnel;
· Interdependency analysis;
· Threat, vulnerability, and risk assessment studies;
· System protection and information assurance;
· Reconstitution of damaged or compromised systems;
· Security of automated infrastructure control systems; and
· Intrusion detection and monitoring.

Federal Agencies and Departments. Federal R&D efforts to enhance cyber security cut across many agencies and tend to give emphasis to traditional agency missions. For example, the National Science Foundation (NSF) supports research on technical issues that underlie the design, validation, and evolution of software-based systems, and recently announced a new program, “Trusted Computing,” that will provide grants for research aimed at building a scientific foundation and technological basis for managing information security and privacy. NSF also funds research into cryptography, which is based in mathematics and is a key mechanism for ensuring the security of electronic transmissions.

In addition, NSF’s Scholarship for Service program recently awarded grants to six universities in order to help train more computer security and information assurance professionals. The National Institute of Standards and Technology (NIST) within the Department of Commerce provides grants to fund research to develop commercial solutions to IT security problems central to critical infrastructure protection. NIST recently announced the award of a number of grants under the Critical Infrastructure Protection Grants Program aimed at accelerating efforts to make the computer and telecommunications systems that support essential services more secure. In addition, through its national laboratories, the Department of Energy has supported projects that have developed information security tools for network inspection and workstation protection, and the National Aeronautics and Space Administration develops advanced methods for the specification, design, and verification of complex software systems used in critical aerospace applications. The Department of Defense funds a significant amount of information technology R&D, including cyber security-related research. The Defense Advanced Research Projects Agency (DARPA) alone funds more than 100 individual research projects in this area. The National Security Agency funds the bulk of the nation’s critical infrastructure protection programs and has “accredited” 23 Academic Centers of Excellence in universities around the country that have developed advanced computer and network security curricula at the graduate and post-graduate level (see Appendix 1 for a list of these universities). The value of these designations is not primarily financial but organizational. In order to earn the accreditation, an institution must develop a program that is multidisciplinary and that fully integrates research, education, and training.

On a broader scale, the Interagency Working Group on Information Technology Research and Development formed the Networking and Information Technology Research and Development (NITRD) program (see Appendix 2), which includes 15 agencies dedicated to advanced IT R&D. The multiagency approach is intended to leverage the expertise and perspectives of scientists and technology users from agencies, Federal laboratories, universities, and corporations who are working on a broad range of IT research questions.

3. Witnesses

The following witnesses will address the subcommittee:

William A. Wulf, President, National Academy of Engineering and vice chair of the National Research Council, the principal operating arm of the National Academies of Sciences and Engineering. He is on leave from the University of Virginia, Charlottesville, where he is AT&T Professor of Engineering and Applied Sciences and a nationally recognized expert in computer architecture and network security.

Dr. Eugene Spafford, Professor of Computer Sciences, Professor of Philosophy, and Director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, where he is also the interim Information Systems Security Officer.

Ms. Terry A. Benzel, Vice President of Advanced Security Research for Network Associates, Inc. As Director of the Network Associates labs, she is responsible for leading a staff of 100 researchers performing leading-edge research on perceived security issues two to five years in the future.

Mr. Robert Weaver, Assistant Special-Agent-in-Charge, New York Field Office, United States Secret Service; Head, New York Electronic Crimes Task Force. The New York Electronic Crimes Task Force is a Secret Service-led, 250-member task force with representatives from 45 law enforcement agencies, prosecutors, academe, and 200 experts from the business world in the areas of cybersecurity and related fields.

4. Questions

Panelists will be asked to discuss the following questions in their testimony:

APPENDICES

Appendix 1

The 23 universities designated as NSA Centers of Academic Excellence in Information Assurance Education are:

· Georgia Institute of Technology
· Information Resources Management College of the National Defense University
· Mississippi State University
· University of California at Davis
· University of Illinois at Urbana-Champaign
· University of Maryland, Baltimore County
· University of North Carolina, Charlotte
· U.S. Military Academy, West Point

Appendix 2

NITRD Agencies

· National Science Foundation
· National Security Agency
· National Institute of Standards and Technology
· Department of Defense
· National Oceanic and Atmospheric Administration
· General Services Administration
· Department of Energy
· Agency for Healthcare Research & Quality
· DOE National Nuclear Security Administration
· Bureau of Labor Statistics
· National Aeronautics and Space Administration
· Defense Advanced Research Projects Agency
· National Institutes of Health
· Executive Office of the President
· Environmental Protection Agency

Appendix 3

Table 1
Source: White House National Plan for Information Systems Protection, 2000

Table 2