House Hearing, 111TH Congress - Agency Response To Cyberspace Policy Review

AGENCY RESPONSE TO
CYBERSPACE POLICY REVIEW

JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

AND THE
SUBCOMMITTEE ON RESEARCH AND SCIENCE

EDUCATION
COMMITTEE ON SCIENCE AND

TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
JUNE 16, 2009
Serial No. 11134
Printed for the use of the Committee on Science and Technology
(
Available via the World Wide Web: http://www.science.house.gov
U.S. GOVERNMENT PRINTING OFFICE

WASHINGTON
50171PDF
2010
For sale by the Superintendent of Documents, U.S. Government Printing Office

Internet: bookstore.gpo.gov Phone: toll free (866) 5121800; DC area (202) 5121800
Fax: (202) 5122104 Mail: Stop IDCC, Washington, DC 204020001
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00001
Fmt 5011
Sfmt 5011
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
COMMITTEE ON SCIENCE AND TECHNOLOGY

HON. BART GORDON, Tennessee, Chair
JERRY F. COSTELLO, Illinois
RALPH M. HALL, Texas
EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER JR.,
LYNN C. WOOLSEY, California
Wisconsin
DAVID WU, Oregon
LAMAR S. SMITH, Texas
BRIAN BAIRD, Washington
DANA ROHRABACHER, California
BRAD MILLER, North Carolina
ROSCOE G. BARTLETT, Maryland
DANIEL LIPINSKI, Illinois
VERNON J. EHLERS, Michigan
GABRIELLE GIFFORDS, Arizona
FRANK D. LUCAS, Oklahoma
DONNA F. EDWARDS, Maryland
JUDY BIGGERT, Illinois
MARCIA L. FUDGE, Ohio
W. TODD AKIN, Missouri
N, New Mexico
BEN R. LUJA
RANDY NEUGEBAUER, Texas
PAUL D. TONKO, New York
BOB INGLIS, South Carolina
PARKER GRIFFITH, Alabama
MICHAEL T. MCCAUL, Texas
STEVEN R. ROTHMAN, New Jersey
MARIO DIAZ-BALART, Florida
JIM MATHESON, Utah
BRIAN P. BILBRAY, California
LINCOLN DAVIS, Tennessee
ADRIAN SMITH, Nebraska
BEN CHANDLER, Kentucky
PAUL C. BROUN, Georgia
RUSS CARNAHAN, Missouri
PETE OLSON, Texas
BARON P. HILL, Indiana
HARRY E. MITCHELL, Arizona
CHARLES A. WILSON, Ohio
KATHLEEN DAHLKEMPER, Pennsylvania
ALAN GRAYSON, Florida
SUZANNE M. KOSMAS, Florida
GARY C. PETERS, Michigan
VACANCY
SUBCOMMITTEE
ON
TECHNOLOGY
AND
INNOVATION
HON. DAVID WU, Oregon, Chair

DONNA F. EDWARDS, Maryland
ADRIAN SMITH, Nebraska
N, New Mexico
BEN R. LUJA
JUDY BIGGERT, Illinois
W. TODD AKIN, Missouri
DANIEL LIPINSKI, Illinois
PAUL C. BROUN, Georgia
HARRY E. MITCHELL, Arizona
GARY C. PETERS, Michigan
BART GORDON, Tennessee
MIKE QUEAR Subcommittee Staff Director
MEGHAN HOUSEWRIGHT Democratic Professional Staff Member
TRAVIS HITE Democratic Professional Staff Member
HOLLY LOGUE PRUTZ Democratic Professional Staff Member
DAN BYERS Republican Professional Staff Member
VICTORIA JOHNSTON Research Assistant
(II)
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00002
Fmt 5904
Sfmt 5904
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
SUBCOMMITTEE
ON
RESEARCH
AND
SCIENCE EDUCATION
HON. DANIEL LIPINSKI, Illinois, Chair

EDDIE BERNICE JOHNSON, Texas
VERNON J. EHLERS, Michigan
BRIAN BAIRD, Washington
RANDY NEUGEBAUER, Texas
MARCIA L. FUDGE, Ohio
BOB INGLIS, South Carolina
BRIAN P. BILBRAY, California
PARKER GRIFFITH, Alabama
RUSS CARNAHAN, Missouri
BART GORDON, Tennessee
DAHLIA SOKOLOV Subcommittee Staff Director
MARCY GALLO Democratic Professional Staff Member
WILLIAMS Republican Professional Staff Member
MELE
BESS CAUGHRAN Research Assistant
(III)
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00003
Fmt 5904
Sfmt 5904
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00004
Fmt 5904
Sfmt 5904
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
CONTENTS
June 16, 2009
Page
Witness List .............................................................................................................

Hearing Charter ......................................................................................................
2
3
Opening Statements
Statement by Representative David Wu, Chairman, Subcommittee on Technology and Innovation, Committee on Science and Technology, U.S. House
of Representatives ................................................................................................
Written Statement ............................................................................................
Statement by Representative Adrian Smith, Ranking Minority Member, Subcommittee on Technology and Innovation, Committee on Science and Technology, U.S. House of Representatives ...............................................................
Statement by Representative Daniel Lipinski, Chairman, Subcommittee on
Research and Science Education, Committee on Science and Technology,
U.S. House of Representatives ............................................................................
Statement by Representative Vernon J. Ehlers, Ranking Minority Member,
Subcommittee on Research and Science Education, Committee on Science
and Technology, U.S. House of Representatives ...............................................
Prepared Statement by Representative Harry E. Mitchell, Member, Subcommittee on Technology and Innovation, Committee on Science and Technology, U.S. House of Representatives ...............................................................
10
10
11
12
12
13
13
14
14
Witnesses:
Ms. Cita M. Furlani, Director, Information Technology Laboratory, National
Institute of Standards and Technology (NIST), U.S. Department of Commerce
Oral Statement .................................................................................................
Biography ..........................................................................................................
Dr. Jeannette M. Wing, Assistant Director, Computer and Information
Science and Engineering Directorate, National Science Foundation (NSF)
Oral Statement .................................................................................................
Biography ..........................................................................................................
Dr. Robert F. Leheny, Acting Director, Defense Advance Research Projects
Agency (DARPA)
Oral Statement .................................................................................................
Biography ..........................................................................................................
Dr. Peter M. Fonash, Acting Deputy Assistant Secretary, Office of
Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security (DHS)
Oral Statement .................................................................................................
Biography ..........................................................................................................
Discussion .................................................................................................................
15
16
20
21
23
27
28
30
37
37
40
45
46
(V)
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00005
Fmt 5904
Sfmt 5904
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
VI
Page
Appendix: Answers to Post-Hearing Questions

Ms. Cita M. Furlani, Director, Information Technology Laboratory, National
Institute of Standards and Technology (NIST), U.S. Department of Commerce .....................................................................................................................
Dr. Jeannette M. Wing, Assistant Director, Computer and Information
Science and Engineering Directorate, National Science Foundation (NSF) ...
Dr. Peter M. Fonash, Acting Deputy Assistant Secretary, Office of
Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security (DHS) ................................
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00006
Fmt 5904
Sfmt 5904
68
70
74
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
AGENCY RESPONSE TO CYBERSPACE POLICY

REVIEW
TUESDAY, JUNE 16, 2009
SUBCOMMITTEE
HOUSE OF REPRESENTATIVES,
TECHNOLOGY AND INNOVATION,
ON
JOINTLY WITH THE
SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION,

COMMITTEE ON SCIENCE AND TECHNOLOGY,
Washington, DC.
The Subcommittees met, pursuant to call, at 2:47 p.m., in Room
2318 of the Rayburn House Office Building, Hon. David Wu [Chairman of the Subcommittee on Technology and Innovation] presiding.
(1)
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00007
Fmt 6633
Sfmt 6633
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00008
Fmt 6633
Sfmt 6602
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
3
HEARING CHARTER
SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

JOINTLY WITH THE
SUBCOMMITTEE ON RESEARCH AND SCIENCE
EDUCATION
COMMITTEE ON SCIENCE AND TECHNOLOGY
U.S. HOUSE OF REPRESENTATIVES
Agency Response to
Cyberspace Policy Review
TUESDAY, JUNE 16, 2009
2:00 P.M.4:00 P.M.
2318 RAYBURN HOUSE OFFICE BUILDING
Purpose
On Tuesday, June 16, 2009, the Subcommittee on Technology and Innovation and
the Subcommittee on Research and Science Education will convene a joint hearing
to review the response of the Department of Homeland Security (DHS), the National
Institute of Standards and Technology (NIST), the National Science Foundation
(NSF), and the Defense Advanced Research Projects Agency (DARPA) to the findings and recommendations in the Administrations 60-day Cyberspace Policy Review.
II. Witnesses
Ms. Cita Furlani is the Director of the Information Technology Laboratory at the
National Institute of Standards and Technology.
Dr. Jeannette Wing is the Assistant Director of the Directorate for Computer &
Information Science & Engineering at the National Science Foundation.
Dr. Robert Leheny is the Acting Director of the Defense Advanced Research
Projects Agency at the Department of Defense.
Dr. Peter Fonash is the Acting Deputy Assistant Secretary for the Office of Cyber
Security Communications at the Department of Homeland Security.
III. Overview
In January 2008, the Bush Administration established, through a series of classified executive directives, the Comprehensive National Cybersecurity Initiative
(CNCI). While the details of the CNCI are largely classified, the goal of the multifaceted initiative was to secure federal systems.1 A number of security experts have
expressed concern that the classified nature of the CNCI has inhibited active engagement with the private sector despite the fact that 85 percent of the Nations
critical infrastructure is owned and operated by private entities. While experts are
concerned by the lack of transparency and public-private cooperation under the
CNCI, they have also urged President Obama to build upon the existing structure.
In February 2009, the Obama Administration called for a 60-day review of the national cybersecurity strategy. The Presidents review required the development of a
framework that would ensure that the CNCI was adequately funded, integrated,
and coordinated among federal agencies, the private sector, and State and local authorities.
On May 29, 2009, the Administration released its 60-day review of cyberspace policy. The review team acknowledged the difficult task of addressing cybersecurity
concerns in a comprehensive fashion due to the large number of federal departments
and agencies with cybersecurity responsibilities and overlapping authorities. Accord1 CNCI objectives have been assembled from various media reports. Comprehensive National
Cybersecurity Initiative: Legal Authorities and Policy Considerations, http://apps.crs.gov/products/r/pdf/R40427.pdf
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00009
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
4
ing to the review, cybersecurity leadership must come from the top. To that end,
the President plans to appoint a cyber czar who will oversee the development and
implementation of a national strategy for improving cybersecurity. The appointee
will report to both the National Security Council and the National Economic Council. The report suggests that the appointee should also chair the Information and
Communications Infrastructure Interagency Policy Council (ICIIPC), an existing
policy coordinating body to ensure a reliable, secure and survivable global information and communications infrastructure. The review team also emphasized the
need for the Federal Government to partner with the private sector to guarantee
a secure and reliable infrastructure. Furthermore, it highlighted the need for increased public awareness, the education and expansion of the Information Technology (IT) workforce, and the importance of advancing cybersecurity research and
development.
IV. Issues and Concerns
The Cyberspace Policy Review includes a number of near-term and mid-term action plans that are relevant to the Committees work on the issue. (Please see the
appendix for a complete list.) The review uniformly calls for increased coordination
and integration of current efforts among all federal departments and agencies. The
Committee is interested in how information is shared across the diverse array of
coordinating bodies, which models of coordination are the most effective, and why
the current mechanisms have been inadequate.
Research and Development
In the near-term, the review team recommends the development of a framework
for research and development (R&D) strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and
trustworthiness of the digital infrastructure.
In the mid-term, the review team recommends that the agencies expand support
for R&D to ensure the Nations continued ability to compete in the information age
economy.
Unclassified federal cybersecurity R&D is inventoried under the interagency Networking and Information Technology R&D (NITRD) Program. The NITRD agencies
have requested a total of $343 million for the Cyber Security and Information Assurance (CSIA) R&D in FY 2010. A report2 by the Center for Strategic and International Studies (CSIS) on cybersecurity stated that a $300 million R&D investment is inadequate. Additionally, a 2007 National Research Council (NRC) report3
on cyberspace indicated that cybersecurity research funding was too low for researchers to pursue their promising ideas and sustained funding was necessary to
increase the number of researchers examining cybersecurity topics, however, neither
report offers guidance on the appropriate level of funding.
The task of coordinating unclassified cybersecurity R&D falls to CSIA interagency
working group under NITRD, and to date, there have been no suggestions that another group should assume this responsibility. However, the federal plan for
cybersecurity R&D developed by the working group in 2006 has been heavily criticized. The various reports2,3 and groups indicate that the plan is just an aggregate
of agency R&D activities, and they have called for the development of a set of national research objectives and funding priorities as well as a roadmap to achieve
those objectives. Experts have also expressed concern that the CSIA R&D portfolio
is inappropriately weighted toward short-term projects rather than long-term, potentially transformative research. Additionally, private sector stakeholders, including witnesses at the June 10th hearing, have suggested that NITRD is requesting
input on the R&D agenda too late in the process for the input to be properly considered. The Committee is interested in the development of a national cybersecurity
strategy with clear R&D objectives that is fully informed by academic and industry
stakeholders.
The review team also recommended that the agencies provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. Some in the research community have expressed concern
that much of the realistic data necessary for the modeling and evaluation of
cybersecurity technologies is classified or proprietary and therefore unavailable to
them. DARPA is in the process of developing a large-scale testbed, the National
2 Securing Cyberspace for the 44th Presidency, Center for Strategic and International Studies,
http://www.csis.org/component/option,comcsispubs/task,view/id,5157/type,0/
3 Toward a Safer and More Secure Cyberspace, National Research Council, http://
www.nap.edu/catalog.php?recordid=11925
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00010
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
5
Cyber Range (NCR), which will provide an environment for realistic, qualitative
and quantitative assessment of potentially revolutionary cyber research and development technologies. According to DARPA officials, the intent is to have the NCR
available for both classified and unclassified research, but it remains to be determined if adequate firewalls can be built into the system to make this a viable goal.
Related to that, the Committee is interested in exploring to what extent the academic research community will be involved in the design of NCR and whether NCR
will meet their needs assuming they are granted access.
Education
There is general agreement that there are significant unmet needs for both public
education and formal education and training for information technology students
and professionals. The Administrations review team called for the evaluation and
possible expansion of existing education programs, and specifically mentioned three
programs: Pathways to Revitalized Undergraduate Education in Computing
(CPATH), Scholarship for Service, and the National Centers for Academic Excellence in Information Assurance Education and Research.
CPATH is an NSF sponsored program that seeks to increase the number of students with computational thinking skills by providing those types of learning opportunities in core computing classes and in other fields of study. The CPATH program
receives $10 million annually.
The Scholarship for Service program is sponsored by NSF and DHS and it provides two-year scholarships to students who are interested in pursuing a degree in
information assurance and computer security. Scholarship recipients are required to
work for two years in the Federal Government upon completion of their degree. The
Scholarship for Service program is funded at $10.3 million for FY 2009, and to date,
970 scholars have been placed in federal agencies.
The National Centers for Academic Excellence in Information Assurance Education and Research, which have been in place since 1998, are sponsored by the National Security Agency (NSA) and DHS. Institutions must meet specific requirements prior to designation as a center for excellence and they must go through recertification every five years. There are currently 94 institutions across 38 states
and the District of Columbia. A number of institutions have expressed concern that
the certification requirements do not accurately reflect the rigorousness of the information assurance or computer security degree offered by the institution, and therefore have chosen to let their certification lapse.
Standards and Metrics
Throughout its recommendations, the review team highlights the need for the increased use of metrics to guide strategies and to make key planning decisions. They
recommend the development of a formal program assessment framework that would
guide departments and agencies in defining the purpose, goal, and success criteria
for each program. This framework could then be used as a basis for implementing
a performance-based budgeting process, setting priorities for research and development initiatives, and assisting in development of the next-generation networks.
The review team also stresses the importance of developing standards for incident
reporting, for both the Federal Government and private industry. Current reporting
policies vary by federal department and agency based on their statutory authorities,
privacy concerns, and historical practices. The consolidation of reporting policies in
the Federal Government and expansion into the private sector would allow for more
reliable and timely responses to cyber attacks.
When developing cybersecurity standards and guidelines, NIST monitors standards from international bodies such as the International Organization for Standardization (ISO). The review team, along with a report4 from the Government Accountability Office (GAO), recommends that the Federal Government not only adopt appropriate standards developed by international bodies, but actively work with them
to develop standards that will provide solidarity across international borders.
Cybersecurity Operations and Information Coordination
The review team calls for assessments of many of the cybersecurity programs in
DHS and for an increased level of coordination among the federal departments and
agencies, as well as the private sector. Although the report highlights coordination
and partnership as a key element in cybersecurity strategy, it concedes that private
industry may be reluctant to give information on cyber attacks due to concerns
4 National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nations
Posture, Government Accountability Office, http://www.gao.gov/new.items/d09432t.pdf
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00011
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
6
about reputational harm and liability. The Federal Government limits shared information based on the need to protect sensitive intelligence sources and the privacy
rights of individuals. For programs like DHSs National Cyber Alert System to function as intended, guidelines must be established to enable all parties to effectively
distribute cyber attack information and respond appropriately.
V. Background
In the current system, responsibilities for the security of federal network systems
fall to many different agencies. NSA is responsible for all classified network systems. The Department of Defense (DOD) is responsible for military network systems
and DHS is responsible for all federal civilian network systems. Additionally, DHS
is responsible for communicating information on cyber attacks to other federal agencies. NIST develops and promulgates standards to help secure the federal civilian
network systems, along with their other roles that will be discussed below. The Office of Management and Budget (OMB) implements and enforces the standards set
by NIST. Three key agencies, NSF, DHS and DOD (specifically DARPA) fund the
majority of cybersecurity R&D.
Department of Homeland Security
As tasked in Homeland Security Presidential Directive (HSPD) 7, DHS, . . .
shall be responsible for coordinating the overall national effort to enhance the protection of the critical infrastructure and key resources of the United States. The Secretary shall serve as the principal federal official to lead, integrate, and coordinate
implementation of efforts among federal departments and agencies, State and local
governments, and the private sector to protect critical infrastructure and key resources. As a response to HSPD7, DHS created the National Cyber Security Division, detailed below. In 2008, HSPD23, which was mostly classified, called for a
central location to gather all of the cybersecurity information on attacks and
vulnerabilities. DHS created the National Cyber Security Center to meet this need.
National Cyber Security Division
The National Cyber Security Division (NCSD) is the operational arm of DHSs
cybersecurity group and handles a host of tasks: they detect and analyze cyber attacks, disseminate cyber attack warnings to other Federal Government agencies,
conduct cybersecurity exercises, and help reduce software vulnerabilities. The budget request for the NCSD is $400 million, an increase of $87 million above FY 2009.
United States Computer Emergency Readiness Team
Within NCSD, the U.S. Computer Emergency Readiness Team (USCERT)
monitors the federal civilian network systems on a 24/7 basis and issues
warnings to both federal agencies and the public through the National Cyber
Alert System when cyber attacks occur.
EINSTEINThe EINSTEIN program is an intrusion detection system which
USCERT uses to monitor the federal civilian network connections for unauthorized traffic.
National Cyber Response Coordination Group
The National Cyber Response Coordination Group (NCRCG), composed of
USCERT and the cybersecurity groups of DOD, Federal Bureau of Investigation (FBI), NSA, and the intelligence community, coordinates the federal response to a cyber attack. Once an attack is detected, a warning is issued
through the NCRCG to all federal agencies and the public.
Cyber Storm
Cyber Storm is a biennial cybersecurity exercise that allows participants to
assess their ability to prepare for, protect from, and respond to cyber attacks
that are occurring on a large-scale and in real-time. Cyber Storm exercises
have taken place in 2006 and 2008, with five countries, 18 federal agencies,
nine U.S. states, and over 40 private sector companies.
Software Assurance Program
The Software Assurance Program maintains a clearinghouse of information
gathered from federal and private industry cybersecurity efforts, as well as
university research, for public use. The Program has established Working
Groups focused on specific software areas and holds regular forums to help
encourage collaboration.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00012
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
7
National Cyber Security Center
The National Cyber Security Center (NCSC) was created in 2008 to act as a coordinating group for consolidating, assessing and disseminating information on
cyber attacks and vulnerabilities gathered from the cybersecurity efforts of DOD,
DHS, NSA, FBI, and the intelligence community. By collecting information from all
of these departments, the NCSC was established to provide a single source of critical cybersecurity information for all public and private stakeholders. Funding for
NCSC in FY 2010 is $4 million.
Cyber Security Research and Development Center
Cybersecurity research within DHS is planned, managed, and coordinated
through the Science and Technology Directorates Cyber Security Research and Development Center. This center supports the research efforts of the Homeland Security Advanced Research Projects Agency (HSARPA), coordinates the testing and
evaluation of technologies, and manages technology transfer efforts. The FY 2010
budget includes $37.2 million for cybersecurity R&D at DHS; this is an increase of
$6.6 million over FY 2009.
National Institute of Standards and Technology
NIST is tasked with protecting the federal information technology network by developing and promulgating cybersecurity standards for federal civilian network systems (Federal Information Processing Standard [FIPS]), identifying methods for assessing effectiveness of security requirements, conducting tests to validate security
in information systems, and conducting outreach exercises. These tasks were appointed to NIST in the Computer Security Act of 1987. In the Federal Information
Security Management Act of 2002, OMB was tasked to develop implementation
plans and enforce the use of the FIPS developed by NIST. Cybersecurity activities
are conducted through NISTs Information Technology Laboratory which has a
budget request of $72 million for FY 2010, including $15 million in support of the
CNCI and $29 million for CSIA R&D.
Computer Security Division
The Computer Security Division (CSD) within the Information Technology Laboratory houses the cybersecurity activities of NIST and is divided into four groups.
Security Technology
The Security Technology group focuses on cryptography and online identity
authentication. These areas enable federal civilian network system users to
access information both in the office and remotely in a secure manner using
technologies such as: cryptographic protocols and interfaces, public key certificate management, biometrics, and smart tokens.
Systems and Network Security
The Systems and Network Security group maintains a number of databases
and checklists that are designed to assist public and private network users
in configuration of more secure systems. The group also conducts research in
all areas of network security technology to develop new standards and transfer technologies to the public.
National Checklist ProgramThis program helps develop and maintain
checklists to guide network users to configure network systems with basic
security settings.
National Vulnerability DatabaseThis database contains information on
known vulnerabilities in software and fixes for these vulnerabilities.
Federal Desktop Core ConfigurationThis program supplies security configurations for all federal civilian network systems using either Microsoft
Windows XP or Vista. By supplying a standard configuration, this program
enables security professionals to default to a known secure configuration for
all new desktop computers and when experiencing a cyber attack.
Security Management and Assistance
This group extends information security training, awareness and education
programs to both public and private parties.
Federal Agency Security Practices (FASP)This web site provides information on cybersecurity best practices for public, private, and academia use.
It contains implementation guides for education programs and a contact list
of FASP staff for consultation.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00013
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
8
Information Security and Privacy Advisory Board (ISPAB)This board advises NIST, the Secretary of Commerce, and OMB on information security
and privacy issues pertaining to federal civilian network systems. They also
review proposed standards and guidelines developed by NIST.
Small Business CornerThis program provides workshops for small business owners to learn how to secure business information on small networks
in a practical and cost-effective manner.
Security Testing and Metrics
The Security Testing and Metrics group develops methods and baselines to
test security products and validate products for government use.
National Science Foundation
NSFs cybersecurity research activities are primarily funded through the Directorate for Computer & Information Science & Engineering (CISE). CISE supports
cybersecurity R&D through a targeted program, Trustworthy Computing, as well as
through a number of its core activities in Computer Systems Research, Computing
Research Infrastructure, and Network and Science Engineering. The cybersecurity
portfolio supports both theoretical and experimental research. NSF cybersecurity research and education activities are funded at $127 million for FY 2010.
Trustworthy Computing Program
The Trustworthy Computing program, funded at $67 million for FY 2010, is
an outgrowth of NSFs Cyber Trust program, which was developed in response to the Cybersecurity R&D Act of 2003. The program supports research
into new models, algorithms, and theories for analyzing the security of computer systems and data components. It also supports investigation into new
security architectures; methodologies that promote usability in conjunction
with protection; and new tools for the evaluation of system confidence and security.
Scholarship for Service
In addition to its basic research activities, NSFs Directorate for Education
& Human Resources (EHR) manages the Scholarship for Service program
which provides funding to colleges and universities for the award of two-year
scholarships in information assurance and computer security fields. Scholarship recipients are required to work for two years in the Federal Government,
upon completion of their degree. EHR also supports the development of
cybersecurity professionals through the Advanced Technological Education
(ATE) program, which focuses on the education of technicians for high-technology fields.
Defense Advanced Research Projects Agency
DARPA is the principal R&D agency of DOD; its mission is to identify and develop high-risk, high-reward technologies of interest to the military. DARPAs
cybersecurity activities are conducted primarily through the Strategic Technology
Office and the Information Assurance and Survivability project, which is tasked
with developing technologies that make emerging information systems such as wireless and mobile systems secure. The budget request for the Information Assurance
and Survivability project is $113.6 million in FY 2010.
Intrinsically Assured Mobile Ad-Hoc Network
The Intrinsically Assured Mobile Ad-Hoc Network (IAMANET) program is
tasked with designing a tactical wireless network that is secure and resilient
to a broad range of threats, including cyber attacks, electronic warfare and
malicious insiders. The budget request for IAMANET is $14.5 million.
Trustworthy Systems & TrUST
The goal of the Trustworthy Systems program, with a budget request of $11.1
million, is to provide foundational trustworthy computer platforms for Defense Department systems. DARPA is also examining potential supply chain
vulnerabilities in the Trusted, Uncompromised Semiconductor Technology
program (TrUST) by developing methods to determine whether a microchip
manufactured through a process that is inherently untrusted (i.e., not
under our control) can be trusted to perform just the design operations and
no more. The budget request for TrUST is $33.5 million.
National Cyber Range
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00014
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
9
The goal of the NCR is to provide a revolutionary environment for research
organizations to test the security of information systems. The budget request
for the NCR is $50 million for FY 2010.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00015
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
10
Chairman WU. This hearing will now come to order. Welcome everyone to this afternoons hearing on the Administrations Cyberspace Policy Review. This is the second of three hearings the
Science and Technology Committee is holding on cybersecurity.
Last week the Research and Science Education Subcommittee held
a hearing on the research needs for improved cybersecurity, and
next week my Technology and Innovation Subcommittee will hold
a hearing on the cybersecurity activities of the National Institute
of Standards and Technology (NIST) and the Department of Homeland Security (DHS).
I have been long concerned by the lack of attention given to
cybersecurity by the Federal Government and by the private sector.
Previously, federal efforts were output oriented-focused on things
like the number of programs, funds spent, or numbers of interagency working groupsrather than outcome driven. I am pleased
that the new Administration has made cybersecurity a top priority
and is focusing efforts on achieving outcomes such as fewer
breaches of federal systems, fewer cases of identity theft, and the
security of smart grid systems and health IT systems.
In order to achieve these very, very important results, it is essential to first conduct a review of our federal cybersecurity structure
and efforts. The Administrations cyberspace review does not make
any brand new recommendations. However, it is valuable as a
frank assessment of current federal activities and a roadmap for
what needs to be fixed. In general, the recommendations suggest
improving interagency coordination and coordination with the private sector, modernizing the research agenda, and enhancing public education on cybersecurity.
By addressing each of these recommendations we are laying the
building blocks for our new, outcomes-based approach to federal
cybersecurity. The four agencies appearing before the Committee
today have a significant role to play in creating that foundation.
During todays hearing, I hope to learn how each agency intends
to improve its current cybersecurity efforts in response to the Administrations review. This information will help guide the Committees ongoing efforts to protect our nations data, computer systems
and its citizens.
[The prepared statement of Chairman Wu follows:]
PREPARED STATEMENT
OF
CHAIRMAN DAVID WU
I want to welcome everyone to this mornings hearing on the administrations

cyberspace policy review. This is the second of three hearings the Science and Technology Committee is holding on cybersecurity. Last week the Research and Science
Education Subcommittee held a hearing on the research needs for improved
cybersecurity, and next week my Technology and Innovation Subcommittee will hold
a hearing on the cybersecurity activities at the National Institute of Standards and
Technology and the Department of Homeland Security.
I have long been concerned by the lack of attention given to cybersecurity by the
Federal Government. Previously, federal efforts were output oriented-focused on
things like the number of programs, funds spent, or numbers of interagency working
groupsrather than outcome driven. I am pleased that the new Administration has
made cybersecurity a top priority and is focusing efforts on achieving outcomes such
as fewer breaches of federal systems, fewer cases of identity theft, and the security
of smart grid systems and health IT systems.
In order to achieve those important results, it was essential to first conduct a review of our federal cybersecurity structure. The Administrations cyberspace review
does not make any brand new recommendations. However, it is valuable as a frank
assessment of current federal activities and a roadmap for what needs to be fixed.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00016
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
11
In general, the recommendations suggest improving interagency coordination and
coordination with the private sector, modernizing the research agenda, and enhancing public education on cybersecurity.
By addressing each of these recommendations we are laying the building blocks
for our new, outcomes-based approach to federal cybersecurity. The four agencies
appearing before the Committee today have a significant role to play in creating
that foundation. During todays hearing, I hope to learn how each agency intends
to improve their current cybersecurity efforts in response to the Administrations review. This information will help guide the Committees ongoing efforts to protect our
nations data and citizens.
Chairman WU. I want to thank our witnesses for appearing before us today, and now I would like to recognize Representative
Smith for his opening statement.
Mr. SMITH. Thank you, Chairman Wu, and thank you for holding
this hearing today to review the Administrations efforts to
strengthen cybersecurity as outlined specifically in the White
Houses recently released Cyberspace Policy Review. While federal
efforts to increase network security date back several years, they
were brought to the forefront in early 2008 when President Bush
formally established the Comprehensive National Cyber Security
Initiative to deal with widespread and successful cyber attacks on
federal networks. President Obama has committed to fully continue
this effort under his Administration and emphasized its importance
in a recent speech.
It seems the continuity across the Bush and Obama Administrations, as well as the increased attention being given to this issue
in Congress, provide indication of a small but important advantage
of where we were just a couple of years ago. Awareness of this
problem and the need for action is now nearly universal. There is
broad agreement on the seriousness and magnitude of our
cybersecurity vulnerabilities and the complexity of the technical
and policy changes that must be addressed to overcome them.
However, while there is a consensus on the problem, we are still
at the earliest stages of identifying and implementing solutions,
and we are working through relatively unchartered policy territory
as we do so. Accordingly, I hope both Congress and the Administration will work to balance the pressure to act quickly and aggressively on cybersecurity with the need for thorough and deliberate
consideration of all possible courses of action.
To this end, as we hold these hearings and consider legislative
options later this summer, I hope to focus on three broad areas of
cybersecurity policy: (1) R&D. Are we investing enough in R&D
given its importance as the primary driver of increasing security
over the long-term? (2) DHS-led efforts to secure the dot-gov domain. Are we confident that the reported $30 billion price tag of
this initiative is appropriately focused, and is its centerpiece program EINSTEIN going to provide effective and lasting security?
And (3) private sector critical infrastructure. What is the best approach to improving the security of these networks? Do new regulations or liability protections make sense or could they be counterproductive to our security goals?
I hope todays hearing will serve to begin the process of answering these questions. I thank the witnesses for being here, and I certainly look forward to a productive discussion. I yield back.
[The prepared statement of Mr. Smith follows:]
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00017
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
12
PREPARED STATEMENT
OF
REPRESENTATIVE ADRIAN SMITH
Mr. Chairman, thank you for holding this hearing today to review the Administrations efforts to strengthen cybersecurity, as outlined specifically in the White
Houses recently released Cyberspace Policy Review.
While federal efforts to increase network security date back several years, they
were brought to the forefront in early 2008, when President Bush formally established the Comprehensive National Cybersecurity Initiative to deal with widespread
and successful cyberattacks on federal networks. President Obama has committed
to fully continue this effort under his administration and emphasized its importance
in a recent speech.
It seems this continuity across the Bush and Obama Administrationsas well as
the increased attention being given to this issue in Congressprovide indication of
a small but important advantage over where we were just a couple of years ago:
awareness of this problem and the need for action is now nearly universal. There
is broad agreement on the seriousness and magnitude of our cybersecurity
vulnerabilities, and the complexity of the technical and policy challenges that must
be addressed to overcome them.
However, while there is a consensus on the problem, we are still at the earliest
stages of identifying and implementing solutions, and were working through relatively un-chartered policy territory as we do so. Accordingly, I hope both Congress
and the Administration will work to balance the pressure to act quickly and aggressively on cybersecurity with the need for thorough and deliberate consideration of
all possible courses of action.
To this end, as we hold these hearings and consider legislative options later this
summer, I hope to focus on three broad areas of cybersecurity policy: (1) R&DAre
we investing enough in R&D given its importance as the primary driver of increasing security over the long-term?; (2) DHS-led efforts to secure the dot-gov domain
are we confident that the reported $30 billion price tag of this initiative is appropriately focused, and is its centerpiece program EINSTEIN going to provide effective
and lasting security?; and (3) private sector critical infrastructurewhat is the best
approach to improving the security of these networksdo new regulations or liability protections make sense, or could they be counterproductive to our security goals?
I hope todays hearing will serve to begin the process of answering these questions. I thank the witnesses for being here and I look forward to a productive discussion.
Chairman WU. Thank you very much, Mr. Smith. And now I
would like to recognize Representative Lipinski, Chairman of the
Research Subcommittee, for his opening statement.
Chairman LIPINSKI. Good afternoon. I would like to thank Chairman Wu for joining me in holding this hearing. I look forward to
working with him and other Members of this committee on the critical issue of cybersecurity.
Last week my Research and Science Education Subcommittee
held a hearing on the state of cybersecurity R&D, and several of
our witnesses emphasized the need for better partnerships and information sharing between the Federal Government and the private sector. We also discussed the challenges facing incentivizing
agencies, companies, and individuals, especially those that dont
face an immediate or obvious threat to adopt established best practices and to disclose breaches in security, and the expert panel
echoed recent reports regarding concerns over lack of prioritization
in the federal R&D portfolio.
One additional issue we discussed in last weeks hearing was the
importance of education. The panel emphasized that our IT workforce needs to be taught the skills necessary to incorporate security
into software and systems from the beginning. But IT professionals
are not the only ones who need to be better educated. The panel
agreed that increasing the publics awareness of the risks and consequences of poor security practices is also essential. People are the
beneficiaries of IT but also the weakest link in IT security, and
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00018
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
13
computer scientists need to team with social scientists to gain a
better understanding of how humans interact with and utilize technology.
We need a cultural change in the ways that Americans practice
their computer hygiene.
Now, today I look forward to hearing from our witnesses about
their agencys responses to the cyberspace policy review. As I said,
this is a critical issue, and I am very happy that the Administration has focused in on it and we are doing so here on the Committee.
A secure and resilient cyberspace is vital not only for the Federal
Government, but for businesses large and small and for every single American. This goal can only be realized through our combined
efforts and a multi-disciplinary approach to the problem. So all of
our witnesses and their agencies will play a key role in maintaining this vital cyberspace. I want to thank the witnesses for taking
the time to appear before us this afternoon, and I look forward to
your testimony.
[The prepared statement of Chairman Lipinski follows:]
PREPARED STATEMENT
OF
CHAIRMAN DANIEL LIPINSKI
Good afternoon. Id like to thank Chairman Wu for joining me in holding this

hearing, and I look forward to working with him on this critical issue of
cybersecurity.
Last week, my Research & Science Education Subcommittee held a hearing on the
state of cybersecurity R&D. Several of our witnesses emphasized the need for better
partnerships and information sharing between the Federal Government and the private sector. We also discussed the challenges faced in incentivizing agencies, companies, and individualsespecially those that dont face an immediate or obvious
threatto adopt established best practices and to disclose breaches in security. And
the expert panel echoed recent reports regarding concerns over a lack of
prioritization in the federal R&D portfolio.
One additional issue we discussed in last weeks hearing was the importance of
education. The panel emphasized that our IT workforce needs to be taught the skills
necessary to incorporate security into software and systems from the beginning. But
IT professionals are not the only ones who need to be better educated. The panel
agreed that increasing the publics awareness of the risks and consequences of poor
security practices is also essential. People are the beneficiaries of IT but also the
weakest link in IT security, and computer scientists need to team with social scientists to gain a better understanding of how humans interact with and utilize technology. We need a cultural change in the ways that Americans practice computer
hygiene.
I look forward to hearing from our witnesses today about their agencies responses
to the Cyberspace Policy Review. As I said, this is a critical issue. A secure and resilient cyberspace is vital not only for the Federal Government, but for businesses
large and smalland for every single American. This goal can only be realized
through our combined efforts, and a multi-disciplinary approach to the problem. So
all of you and your agencies will play a key role in maintaining a vital cyberspace.
I want to thank the witnesses for taking the time to appear before us this afternoon and I look forward to your testimony.
Chairman WU. Thank you, Chairman Lipinski. And now I would

like to recognize Mr. Ehlers for his opening statement, the Ranking
Member of the Research Subcommittee.
Mr. EHLERS. Thank you, Mr. Chairman. As the last and probably
least, I will try to keep my comments very short.
The security of our information is vitally important to all Federal
Government entities and that includes the House of Representatives. Many of my colleagues are aware that our own networks are
targeted daily by people and governments who would like to do
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00019
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
14
harm to us, our government, or to find out personal information
that has been provided to us by our constituents or other friends
in other countries.
It takes strategic planning and organization to avoid and address
these attacks. When considering the impacts of information security on policy development related to electronic health records, national defense and technology development, for example, it quickly
becomes obvious how important trusted networks are to the public
and to legislators.
All of the federal agencies testifying at the witness table today
play a critical role in protecting the security of our systems while
maintaining the necessary freedom to exchange unfettered communication.
I look forward to your comments on how the agencies are advancing the national cybersecurity efforts, and I expect to learn a great
deal from each one of you today. Thank you very much.
[The prepared statement of Mr. Ehlers follows:]
PREPARED STATEMENT
OF
REPRESENTATIVE VERNON J. EHLERS
The security of our information is vitally important to all Federal Government entities, including the House of Representatives. Many of my colleagues are aware
that our own networks are targeted daily by people who would like to do harm to
our government, and it takes strategic planning and organization to avoid and address these attacks. When considering the impacts of information security on policy
development related to electronic health records, national defense, and technology
development, for example, it quickly becomes obvious how important trusted networks are to the public and to legislators.
All of the federal agencies testifying at the witness table today play a critical role
in protecting the security of our systems while maintaining the necessary freedom
to exchange unfettered communication. I look forward to their comments on how the
agencies are advancing our national cybersecurity efforts.
Chairman WU. Thank you, Dr. Ehlers. If there are other Members who wish to submit opening statements, your statements will
be added to the record at this point.
[The prepared statement of Mr. Mitchell follows:]
PREPARED STATEMENT
OF
REPRESENTATIVE HARRY E. MITCHELL
Thank you, Mr. Chairman.

As the world becomes increasingly connected through the Internet, it is critical
to ensure that we have an effective and secure cyberspace policy.
Today we will discuss the findings and recommendations of the Obama Administrations 60-day Cyberspace Policy Review.
We will also review the response of the Department of Homeland Security (DHS),
the National Institute of Standards and Technology (NIST), the National Science
Foundation (NSF), and the Defense Advanced Research Projects Agency (DARPA)s
response to the Administrations policy review.
I look forward to hearing more from our witnesses on what steps need to be taken
to establish a more comprehensive cyberspace policy that will improve our
cybersecurity.
I yield back.
Chairman WU. And now it is my pleasure to introduce our witnesses. Ms. Cita Furlani is the Director of the Information Technology Laboratory at the National Institute of Standards and Technology. Dr. Jeannette Wing is the Assistant Director at the Directorate for Computer & Information Science & Engineering at the
National Science Foundation. Dr. Robert Leheny is the Acting Director of the Defense Advanced Research Projects Agency, and Dr.
Peter Fonash is the Acting Deputy Assistant Secretary at the Of-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00020
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
15
fice of Cyber Security Communications at the U.S. Department of
Homeland Security.
The witnesses will have five minutes for spoken testimony, and
your written testimony will be included in the record in their entirety. And when you complete you testimony, we will begin with
questions. Each Member will have five minutes to question the
panel. Ms. Furlani, please proceed.
STATEMENT OF MS. CITA M. FURLANI, DIRECTOR, INFORMATION TECHNOLOGY LABORATORY, NATIONAL INSTITUTE OF
STANDARDS AND TECHNOLOGY (NIST), U.S. DEPARTMENT
OF COMMERCE
Ms. FURLANI. Thank you, Chairman Wu and Chairman Lipinski,

Ranking Members Smith and Ehlers, and Members of the Subcommittees. I appreciate the opportunity to appear before you
today to discuss our role in cybersecurity and our perspective on
the Administrations Cyberspace Policy Review.
Through our work in information technology, NIST accelerates
the development and deployment of information and communication systems that are reliable, usable, inter-operable, and secure. It
advances measurement science through innovations in mathematics, statistics, and computer science and conducts research to
develop the measurements and standards infrastructure for emerging information technologies and applications.
Many of our vital programs impact national security, such as improving the accuracy and inter-operability of biometrics recognition
systems, and facilitating communications among first responders.
Research activities range from innovations in identity management and verification, to metrics for complex systems, to development of practical and secure cryptography in a quantum computing
environment, to automation of discovery and maintenance of system security configurations and status, and to techniques for specification and automation of access authorization in line with many
different kinds of access policies.
As you are aware, beginning in the early 1970s, NIST has developed standards to support federal agencies information assurance
requirements. Through the Federal Information Security Management Act, or FISMA, Congress again reaffirmed NISTs leadership
role in developing standards for cybersecurity. FISMA provides for
the development and promulgation of Federal Information Processing Standards, or FIPS, that are compulsory and binding for
federal computer systems. NISTs mission in cybersecurity is to
work with federal agencies, industries, and academia to research,
develop and deploy information security standards and technology
to protect information systems against threats to the confidentiality, integrity, and availability of information and services.
Consistent with this mission and with the recommendations of
the Presidents Cyberspace Policy Review, NIST is actively engaged
with private industry, academia, non-national security federal departments and agencies, the intelligence community, and other elements of the law enforcement and national security communities in
coordination and prioritization of cybersecurity research, standards
development,
standards
conformance
demonstration,
and
cybersecurity education and outreach.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00021
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
16
The national security community, a number of state governments, and major private sector organizations are also adopting the
risk management framework and cybersecurity controls designed
by NIST for the Federal Government. NIST is engaging industry
to harmonize product assurance requirements to align with industry business models and system development practices.
We play a leading security role in supply chain risk management, health care information technology, the Smart Grid, biometrics and face authentication, next generation voting systems,
and cloud computing. We work with the intelligence and
counterterrorism communities to facilitate cross sector information
sharing among federal, State and local government organizations.
We team with the Department of Justice and the Small Business
Administration in extending cybersecurity education and training
beyond the Federal Government into the private sector.
For the first time, and as part of the ongoing initiative to develop
a unified information security framework for the Federal Government and its contractors, NIST has included security controls in its
catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of
Defense, the intelligence community, and civil agencies to produce
the most broad-based and comprehensive set of safeguards and
countermeasures ever developed for information systems.
Under the provisions of the National Technology Transfer and
Advancement Act, NIST is also tasked with the key role of encouraging and coordinating federal agency development and use of voluntary consensus standards and coordinating the public-private
sector development of standards and conformity assessment activities through consensus standards organizations. NIST will continue
to conduct the research necessary to enable and provide
cybersecurity specifications, standards, assurance processes, training, and technical expertise needed for securing the U.S. Government and critical infrastructure information systems to mitigate
the growing threat. NIST will continue to closely coordinate with
domestic and international private sector cybersecurity programs
and national security organizations.
Thank you for the opportunity to testify today on NISTs work
in the cybersecurity arena and our views on the Presidents Cyberspace Policy Review. I will be happy to answer any questions you
may have.
[The prepared statement of Ms. Furlani follows:]
PREPARED STATEMENT
OF
CITA M. FURLANI
Introduction
Chairmen Wu and Lipinski, Ranking Members Smith and Ehlers, and Members
of the Subcommittees, I am Cita Furlani, the Director of the Information Technology
Laboratory (ITL) at the Department of Commerces National Institute of Standards
and Technology (NIST). Thank you for the opportunity to appear before you today
to discuss our role in cybersecurity and our perspective on the Administrations 60
Day Cyberspace Policy Review.
As one of the major research components within NIST, our information technology
work accelerates the development and deployment of information and communication systems that are reliable, usable, inter-operable, and secure; advances measurement science through innovations in mathematics, statistics, and computer science;
and conducts research to develop the measurements and standards infrastructure
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00022
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
17
for emerging information technologies and applications. NIST accomplishes these
goals through collaborative partnerships with our customers and stakeholders in industry, government, academia, and consortia. Based on input from these customers
and stakeholders, we have focused our R&D agenda on eight broad program areas:
complex systems; cyber and network security; enabling scientific discovery; identity
management systems; information discovery, use and sharing; pervasive information
technologies; trustworthy information systems; and virtual measurement systems.
Many of our vital programs impact national security, such as improving the accuracy and inter-operability of biometrics recognition systems and facilitating communications among first responders. The combination of our mission and legislation
such as the Federal Information Security Management Act (FISMA) the Computer
Security Research and Development Act, the USA PATRIOT Act, the Enhanced Border Security Act, and the Help America Vote Act lead to rich programmatic diversity.
As you are aware, beginning in the early 1970s with enactment of the Brooks Act,
NIST has developed standards to support federal agencies information assurance
requirements for many years. Through FISMA, Congress again reaffirmed NISTs
leadership role in developing standards for cybersecurity. FISMA provides for the
development and promulgation of Federal Information Processing Standards (FIPS)
that are compulsory and binding for federal computer systems. The responsibility
for the development of FIPS rests with NIST, and the authority to promulgate mandatory FIPS is given to the Secretary of Commerce. Section 303 of FISMA states
that NIST shall:
have the mission of developing standards, guidelines, and associated methods
and techniques for information systems;
develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency
or other organization on behalf of an agency, other than national security systems; and
develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but
such standards and guidelines shall not apply to national security systems.
NISTs mission in cybersecurity is to work with federal agencies, industry, and
academia to research, develop and deploy information security standards and technology to protect information systems against threats to the confidentiality, integrity and availability of information and services. Consistent with this mission and
with the recommendations of the Presidents recent 60 Day Cyberspace Policy Review, NIST is actively engaged with private industry, academia, non-national security federal departments and agencies, the intelligence community, and other elements of the law enforcement and national security communities in coordination
and prioritization of cybersecurity research, standards development, standards conformance demonstration and cybersecurity education and outreach activities. Research activities range from innovations in identity management and verification,
to metrics for complex systems, to development of practical and secure cryptography
in a quantum computing environment, to automation of discovery and maintenance
of system security configurations and status, to techniques for specification and automation of access authorization in line with many different kinds of access policies.
NIST addresses cybersecurity challenges throughout the information and communications infrastructure through its cross-community engagements. Enabled by Congressional funding increases in 2002 and in response to FISMA legislation, NIST
is responsible for establishing and updating, on a recurring basis, the Federal Government risk management framework and cybersecurity controls. The national security community, a number of State governments and major private sector organizations are also adopting the risk management framework and cybersecurity controls
designed by NIST. NIST is engaging industry to harmonize product assurance requirements to align with industry business models and system development practices. NIST is also playing a leading security role in supply chain risk management,
health care information technology (HCIT), the Smart Grid, biometrics/face authentication, next generation voting systems, and cloud computing. NIST is working
with the intelligence and counterterrorism communities to facilitate cross sector information sharing among Federal, State and local government organizations. NIST
teams with the Department of Justice and the Small Business Administration in extending cybersecurity education and training beyond the Federal Government into
the private sector.
Recognizing the importance of security-related standards beyond the Federal Government, NIST leads national and international consensus standards activities in
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00023
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
18
cryptography, biometrics, electronic credentialing, secure network protocols, software and systems reliability, and security conformance testing.
Under the provisions of the National Technology Transfer and Advancement Act
(P.L. 104113) and OMB Circular A119, NIST is tasked with the key role of encouraging and coordinating federal agency use of voluntary consensus standards and
participation in the development of relevant standards, as well as promoting coordination between the public and private sectors in the development of standards and
in conformity assessment activities. NIST works with other agencies to coordinate
standards issues and priorities with the private sector through consensus standards
organizations such as the American National Standards Institute (ANSI), the International Organization for Standardization (ISO), the Institute of Electrical and Electronic Engineers (IEEE), the Internet Engineering Task Force (IETF), and the
International Telecommunication Union (ITU).
Key contributions NIST has made include:
Development of the current federal cryptographic and cybersecurity assurance
standards that have been adopted by many State governments, national governments, and much of industry;
Development of the identity credentialing and management standard for federal employees and contractors (also becoming the de facto national standard);
Development of the standard and conformance test capability for inter-operable multi-vendor fingerprint minutia capture and verification;
Development and demonstration of quantum key distribution;
Establishment of a national cyber vulnerability database; and
Establishment and oversight of an international cryptographic algorithm and
module validation program. (This Cryptographic Module Validation Program
(CMVP) achieved a significant milestone on August 15, 2008, by issuing the
programs 1,000th certificate.)
NIST hosts the Information Security Automation Program (ISAP), which formalizes and advances efforts to enable the automation and standardization of technical
security operations, including automated vulnerability management and policy compliance evaluations. The NIST National Vulnerability Database (NVD) is the United
States Government repository of standards-based vulnerability management reference data. The NVD makes available information on vulnerabilities, impact measurements, detection techniques, and remediation assistance. It provides reference
data that enable the ISAPs security automation capabilities. NISTs security automation program is based on the NIST Security Checklist program and the Security
Content Automation Protocol (SCAP) activity. The SCAP Validation Program performs conformance testing to ensure that products correctly implement SCAP. NVD
also plays a pivotal role in the Payment Card Industry (PCI) in their efforts to mitigate vulnerabilities in credit card systems. The PCI has mandated that NVDs vulnerability severity scores be used for measuring the risk to payment card servers
world-wide and for determining which vulnerabilities must be fixed.
Included in the scope of NIST cybersecurity activities are the usability of systems
such as voting machines and software interfaces; research in mathematical foundations to determine the security of information systems; the National Software Reference Library, computer forensics tool testing, software assurance metrics, tools,
and evaluation; approaches to balancing safety, security, reliability, and performance in SCADA and other Industrial Control Systems used in manufacturing and
other critical infrastructure industries; technologies for detection of anomalous behavior, quarantines; standards, modeling, and measurement to achieve end-to-end
security over heterogeneous, multi-domain networks; biometrics evaluation,
usability, and standards (fingerprint, face, iris, voice/speaker, multi-modal biometrics) and initiating an international competition for a next generation Secure
Hash Algorithm (SHA3). NIST and the National Science Foundation are co-funding
a workshop in July on usability issues associated with security. Among the topics
to be investigated are methods to inform individual users of actions they take that
could imperil their systems also providing informative justifications, methods and
tools to assist administrators of systems in the configuration of their systems to provide secure operation, and forensic tools to help administrators deal with the aftermath of attacks.
Recognizing the value of interagency coordination of research as well as of standards development, NIST actively contributes to the Networking and Information
Technology Research and Development (NITRD) program and the development of
the NITRD five-year strategic plan. Within the past year, as provided in the America COMPETES Act (P.L. 11069), the NITRD Program has assumed expanded re-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00024
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
19
sponsibilities for coordination of federal cyber R&D and NIST is well represented
in, and leverages, these activities. In addition, NIST collaborates with academia,
e.g., individual institutions such as Purdue, and consortia, such as the Institute for
Information Infrastructure Protection (or I3P).
NIST works with other members of the Cyber Security and Information Assurance Interagency Working Group in establishing priorities for research and development to prevent, resist, detect, respond to, and/or recover from actions that compromise or threaten to compromise the availability, integrity, or confidentiality of
computer- and network-based systems. These systems provide both the basic infrastructure and advanced communications in every sector of the economy, including
critical infrastructures such as power grids, emergency communications systems, financial systems, and air-traffic-control networks. These systems also support national defense, national and homeland security, and other vital federal missions, and
themselves constitute critical elements of the IT infrastructure. Broad areas of concern which NIST research addresses include Internet and network security; confidentiality, availability, and integrity of information and computer-based systems;
new approaches to achieving hardware and software security; testing and assessment of computer-based systems security; and reconstitution and recovery of computer-based systems and data.
60Day Cyberspace Policy Review
We concur in the findings of the 60Day Cyber Review relative to the increasingly
serious and pervasive threat posed by breaches ofor threats toour cyber systems, and relative to the need to strengthen the capability of the Executive Office
of the President to coordinate the Federal Governments response to that threat. We
also concur in the reports observation that it is our total national information infrastructure, not just the federal information infrastructure that is faced with the
aforementioned threat. We agree that a coordinated response is necessary to prevent
catastrophic consequences for those critical infrastructures which integrate information systems into their operations.
While agreeing that it is necessary to integrate the responses of national security
organizations and those of federal organizations that do not have a primarily national security mission, we observe that the intelligence community, the other elements of the national security community, and NIST are, in response to the Federal
Information Security Management Act of 2002, actively coordinating their standards
and processes for cybersecurity. This effort is producing a single set of requirements,
rather than the pasts three independent sets of requirements (Intelligence community, national security systems and NIST) for consumers and providers of information processing and interchanges resources.
On June 3rd, NIST announced the release of the final public draft of Special Publication 80053, Revision 3, Recommended Security Controls for Federal Information
Systems and Organizations. The final public draft of Special Publication 80053, Revision 3, is historic in nature.
For the first time, and as part of the ongoing initiative to develop a unified information security framework for the Federal Government and its contractors, NIST
has included security controls in its catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information
systems.
We are encouraged to observe that the 60Day Cyberspace Policy Review recognizes that cybersecurity strategies and solutions must be structured in a manner
that accommodates commerce, economic growth, scientific collaboration, and individual liberties. The report reflects the notion that we are not looking for lockdown
solutions that achieve security at the expense of robust commerce, essential services or civil liberties.
Recognizing the economic impact of cyberspace, NIST is working to provide measurement techniques to facilitate offsetting the cost of both public sector and private
sector security solutions by decreases in losses or cost of insurance or increases in
business due to increases in trust. Meeting the cyber threat to our national infrastructure would be accelerated by both the public and private sectors if new measurement techniques can demonstrate that increased security is good business sense.
We note that not all of these measures need to be technical or regulatory in nature.
Some simple, relatively inexpensive, procedural steps can have a materially positive
effect on security. One example is the financial sectors having introduced a delay
into the conversion of electronically transferred funds into tangible assets, a delay
sufficient to permit invocation of fraud detection processes.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00025
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
20
We were particularly encouraged by the reports recognition of the role of international standards in protecting our information infrastructure. Our infrastructure
is inextricably integrated into a complex of global networks. NISTs role in documentary standards has long been established in law and executive direction. We are actively working with our sister agencies on improving our common understanding of
how we can collectively participate, in cooperation with the private sector, in fostering international standards and protocols that are conducive to a free and safe
information processing and interchange environment.
NIST and the National Telecommunications and Information Administration
(NTIA) are working with the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign on an initiative to enhance the security and stability
of the Internet. The parties are working on an interim approach to deployment, by
years end, of a security technologyDomain Name System Security Extensions
(DNSSEC)at the authoritative root zone (i.e., the address book) of the Internet.
There will be further consultations with the Internet technical community as the
testing and implementation plans are developed. In collaboration with the Department of Homeland Security Science and Technology Directorate, NIST has been an
active participant within the international community in developing the DNSSEC
protocols and has collaborated with various U.S. agencies in deploying DNSSEC
within the .gov domain.
We, at the NIST and the larger Department of Commerce, recognize that we have
an essential role to play in realizing the vision set forth in the 60Day Cyberspace
Policy Review. We look forward to working with our Federal Government partners,
with our private sector collaborators, and with our international colleagues to establish a comprehensive set of technical solutions, standards, guidelines, and procedural measures necessary to realizing this vision.
Conclusion
NIST will continue to conduct the research necessary to enable and to provide
cybersecurity specifications, standards, assurance processes, training and technical
expertise needed for securing the U.S. Government and critical infrastructure information systems to mitigate the growing threat. NIST will continue to closely coordinate with domestic and international private sector cybersecurity programs and national security organizations. Finally, consistent with the NIST Three-Year Planning Report, NIST plans to expand its focus on cybersecurity challenges associated
with health care IT, the Smart Grid, automation of federal systems security conformance and status determination, and cybersecurity leap-ahead research.
Thank you for the opportunity to testify today on NISTs work in the
cybersecurity arena and our views on the Presidents 60Day Cyberspace Policy Review. I would be happy to answer any questions you may have.
BIOGRAPHY
FOR
CITA M. FURLANI
Cita M. Furlani is Director of the Information Technology Laboratory (ITL). ITL

is one of nine research Laboratories within the National Institute of Standards and
Technology (NIST) with an annual budget of $85 million, 335 employees, and about
150 guest researchers from industry, universities, and foreign laboratories.
Furlani oversees a research program designed to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics,
and statistics. Through its efforts, ITL seeks to enhance productivity and public
safety, facilitate trade, and improve the quality of life.
Furlani has several leadership responsibilities in addition to those at NIST. Currently, she is Co-Chair of the Interagency Working Group on Digital Data, Co-Chair
of the Subcommittee on Quantum Information Science, and Co-Chair for Strategic
Planning for the Subcommittee on Networking and Information Technology Research and Development, all under the auspices of the National Science and Technology Council. She also serves as Co-Chair of the Technology Infrastructure Subcommittee of the Interagency CIO Council.
Furlani has served as the Chief Information Officer (CIO) for NIST. As CIO,
Furlani was the principal adviser to the NIST Director on the planning, execution,
evaluation, and delivery of information technology services and support.
Furlani also served as Director of the National Coordination Office for Networking
and Information Technology Research and Development. This office, reporting to the
White House through the Office of Science and Technology Policy and the National
Science and Technology Council, coordinates the planning, budget, and assessment
activities for the 12-agency Networking and Information Technology R&D Program.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00026
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
21
Previously, Furlani was Director of the Information Technology and Electronics
Office within the Advanced Technology Program (ATP) at NIST. Before joining ATP,
Furlani served as Chief of the Office of Enterprise Integration, ITL, NIST, coordinating Department of Commerce activities in the area of enterprise integration.
Furlani also served as special assistant to the NIST Director in the Directors role
as Chair of the Committee on Applications and Technology of the Administrations
Information Infrastructure Task Force. Previously, Furlani was on detail as technical staff to the Director of NIST in the position of Senior Program Analyst. Prior
to August 1992, she managed research and development programs within the NIST
Manufacturing Engineering Laboratory, applying information technology to manufacturing since 1981.
She earned a Master of Science degree in electronics and computer engineering
from George Mason University and a Bachelor of Arts degree in physics and mathematics from Texas Christian University. She was awarded two Department of Commerce Bronze Medal Awards in 1985 and 1993 and the Department of Commerce
Silver Medal Award, in 1995.
Chairman WU. Thank you, Ms. Furlani. Dr. Wing, please proceed.
STATEMENT OF DR. JEANNETTE M. WING, ASSISTANT DIRECTOR, COMPUTER AND INFORMATION SCIENCE AND ENGINEERING DIRECTORATE, NATIONAL SCIENCE FOUNDATION
(NSF)
Dr. WING. Thank you very much. Good afternoon, Chairman Wu

and Chairman Lipinski, Ranking Members Smith and Ehlers, and
Members of the Subcommittees. I am Jeannette Wing, and I am
the Assistant Director of the Computer and Information Science
and Engineering Directorate at the National Science Foundation.
I am delighted to have the opportunity to speak with you today
about NSFs support for cybersecurity research at the frontiers of
knowledge, investments that capitalize on the intellectual capacity
of the best and the brightest in our nations colleges and universities, as well as their many partners in the private sector. The research outcomes generated with NSF support will undoubtedly contribute to the security, stability and integrity of our global cyber infrastructure for many years to come.
To begin, I would like to emphasize that many cybersecurity
measures deployed today build upon the fundamental research outcomes generated decades ago. Thus, as the recent 60-Day Cyberspace Policy Review concludes, a national strategy to secure cyberspace in both the near- and the long-term must include investments in fundamental, unclassified, long-term research.
Allow me to share with you just a few important fundamental research contributions made to date by the open research community,
many originally developed with applications other than security in
mind.
Cryptographic schemes and cryptographic-based authentication,
enabling todays Internet commerce, such as online banking.
Program analyses and verification techniques, enables early detection of software vulnerabilities, thereby often preventing cyber
attacks such as phishing, worms and botnets.
Machine learning and data mining approaches are now used in
filtering spam and detecting credit card fraud.
CAPTCHAs, the distorted text that only humans, not machines,
can decipher, ensuring that it is indeed a human, not a bot, who
is buying a ticket online.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00027
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
22
These and many other research results developed with NSF
funding are being used routinely in numerous corporations today.
Moreover, NSF-funded projects have spawned start-up companies
that bring critical technologies to the marketplace, creating new
jobs, expanding the economy, and helping to secure cyberspace.
This year, NSF will invest almost $137 million in cutting-edge
research on the science and engineering of trustworthy systems.
Our interdisciplinary Trustworthy Computing Program, is a significant component of this investment and supports more than 800
principal investigators, co-principal investigators, and graduate
students.
We contribute to the Comprehensive National Cyber Security Initiative, CNCI, through this program with the focus on three vital
areas, the scientific foundations of trustworthiness, privacy, and
usability.
NSF coordinates its cybersecurity research and planning activities with other agencies primarily through the Networking and Information Technology Research and Development program, NITRD,
and the InfoSec Research Council. We play a leadership role in
both activities.
NSF and the academic community greatly appreciated the opportunity to contribute to the 60-Day Cyberspace Policy Review. We
are pleased that the review recognizes the importance of investments in both fundamental unclassified cybersecurity research, the
kind of research NSF supports, and cybersecurity education. The
review also recognizes the importance of a strong academia-industry-government partnership in which NSF plays a central enabling
role.
For example, the NSF Science and Technology Center, called
TRUST, and three Cyber TRUST Centers, all work directly with industry partners to speed the transition of research outcomes into
products and services.
Looking ahead, there are several areas ripe for industry-university collaboration. First, industry has data that are otherwise unavailable to academics. Providing access to real data, appropriately
sanitized, anonymized, and scrubbed, based on real adversaries
and real users of operational systems and networks will allow researchers to test their theories and to gain new insights.
Second, industry has problems looming on the horizon that they
just dont have time to solve or they cant even imagine because
they are so focused on the present. These are exactly the kinds of
problems academic researchers can work on, anticipating the
threats of tomorrow so that when they arrive, solutions will be
ready.
In my testimony today, I have provided examples of the ways in
which NSF works with its partners in the Federal Government, the
private sector, and academe to catalyze research advances in
cybersecurity.
With robust sustained support for research in both the executive
and legislative branches, we have a unique opportunity to increase
our nations investments in fundamental, open, long-term
cybersecurity research. Investing now for the future means a more
secure future.
This concludes my remarks. Thank you very much.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00028
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
23
[The prepared statement of Dr. Wing follows:]
PREPARED STATEMENT
OF
JEANNETTE M. WING
Good afternoon, Chairman Wu and Chairman Lipinski, Ranking Members Smith

and Ehlers, and Members of the Subcommittees. I am Jeannette Wing, and I am
the Assistant Director of the Computer and Information Science and Engineering
Directorate at the National Science Foundation.
I am delighted to have the opportunity to talk with you today about NSFs support for cybersecurity research at the frontiers of knowledgeinvestments that capitalize on the intellectual capacity of the best and the brightest in our nations colleges and universities, as well as their many partners in the private sector. The research outcomes generated with NSF support will undoubtedly contribute to the security, stability and integrity of our global cyberinfrastructure for many years to
come.
To begin, it is essential that I note that many cybersecurity measures deployed
today capitalize on fundamental research outcomes generated decades ago. Thus, as
the recent 60-Day Cyberspace Policy Review concludes, a national strategy to secure
cyberspace in both the near- and the long-term must include investments in fundamental, unclassified, open, long-term research. Investments in such research will
allow our society to continue to benefit from a robust, secure, dependable
cyberinfrastructure that supports all application sectors, including those on which
our lives depend.
Allow me to share with you just a few important fundamental research contributions made to date by the open research community, many developed with applications other than security in mind and long before situations arose that demanded
their use.
The basic research community developed:
Cryptographic schemes and cryptographic-based authentication, enabling todays Internet commerce, supporting secure digital signatures and online
credit card transactions, and providing some of the building blocks needed for
the safe, secure and private exchange of electronic health records;
Program analyses and verification techniques, enabling the early detection of
software vulnerabilities and flaws, thereby often preventing cyber attacks
such as phishing, worms and botnets;
Innovative machine learning and data mining approaches now used in spam
filtering, and methods for detecting attacks such as those involving credit
card fraud; and the final example,
CAPTCHAs, the distorted text that only humansnot machines or hotscan
decipher, to ensure that it is indeed a human, and not a bot, who is buying
a ticket online or setting up an e-mail account.
These research outcomes and many others developed with NSF funding are being
used in numerous corporations including Amazon, Apple, e-Bay, Google, Intel,
Microsoft, and Yahoo!. Moreover, NSF-funded projects have spawned start-up companies that bring critical technologies to the marketplace, creating new jobs, expanding the economy, and helping to secure cyberspace.
Please summarize the current range of National Science Foundation supported cybersecurity research, including associated funding.
NSF has been investing in cybersecurity research for many years.1 In FY 2009,
we will invest almost $137 million in fundamental research in the science of trustworthiness and related trustworthy systems and technologies. This includes $20
million from the American Recovery and Reinvestment Act. Approximately one half
of this $137 million is allocated to our interdisciplinary Trustworthy Computing program, which in FY 2009 is funded at a level of $65 million and supports more than
800 principal investigators, co-principal investigators, and graduate students. In addition to the Trustworthy Computing program, we continue to make cybersecurity
investments in the core scientific sub-disciplines of the computing and human
sciences, including the foundations of communications and information, networking
technology and systems, algorithmic foundations, information integration and
informatics, and in the social and economic implications of developing secure, trustworthy systems.
1 FY 2005: $68.81M, FY 2006: $76.73M, FY 2007: $96.70M, FY 2008: $106.90M, FY 2009 estimate: $136.70M (including $20M ARRA), FY 2010 Request: $126.70M
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00029
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
24
The totality of NSF investments supports a broad range of topics in trustworthy
systems and applications. NSF supports foundational research in: cryptography, including key management, conditional and revocable anonymity; defense mechanisms
against large-scale attacks such as worms, viruses, and distributed denial of service;
formal models and methods for specifying, verifying, and analyzing system security;
hardware enhancements for security, such as virtualization and trusted platform
modules; metrics, especially for risk-based measurement; privacy, including privacypreserving data-mining, location privacy, and privacy in RFID networks; network
security, including for wireless and sensor networks and pervasive computing; and
testbeds to run scalable experiments and to analyze anonymized network traffic
data. NSF-funded research also addresses cybersecurity in the context of many application areas, including critical infrastructure (including the power grid), health
records, voice over IP, geospatial databases, digital media, electronic voting, and federated systems.
The relentless pace of innovation in information technology and related services
leads inevitably to new research questions, opportunities and challenges. For example, increasing interest in cloud computing leads to new opportunities but also
raises new research challenges in security and privacy, and innovations in serviceoriented architectures raise new research challenges in resiliency and verification.
In the longer-term, new computing paradigms such as quantum computing will
raise new research questions in cryptography and computational complexity.
As you may know, FY 2009 represents the first full year of the interagency Comprehensive National Cybersecurity InitiativeCNCI. NSFs contributions to the
CNCI include a specific focus on three critical areas:
The scientific foundations of trustworthiness, so that new trustworthy systems, technologies, and tools can be developed and understood from first principles. New models, logics, algorithms, and theories are being explored for
analyzing and reasoning about all aspects of trustworthinesssecurity, privacy, reliability, and usabilityabout all communication, control, and data
components of systems and their composition. Researchers are exploring the
fundamentals of cryptography, inventing new specification and programming
languages and techniques to prevent or detect security vulnerabilities in software and hardware, defining new security architectures for system design,
and exploring new computing models that have potential to improve trustworthiness and our ability to reason with different aspects of trustworthiness.
The essential systems property of protecting privacy. NSF is supporting the
exploration of new scientific and computational models, methods, logics, algorithms, and software tools to define and reason about privacy, to detect and
resolve conflicts among privacy policies, to safeguard information of individuals wherever it may digitally reside, and to explore the interplay among privacy, security and legal policies. One major technical challenge is identity
management, especially for federated systems that may be beyond the control
of any one organization; academic researchers are exploring attack-resistant
methods and protocols for identity management, commensurate with application requirements to preserve privacy and with security and legal requirements to provide accountability.
Usabilitythe methods, tools and techniques that make it easy for people to
use computing systems while protecting both people and systems from unforeseeable attacks on their security and privacy. Users range from individuals
concerned about their home computers to administrators responsible for large
enterprises. Incorporating trustworthiness into a system should not place
undue demands on human users or impact human or system performance.
Since people can be the weakest link in security, striking a balance between
control and convenience is a key challenge. Researchers are developing new
approaches to integrating and balancing different system functionalities, understanding human perception of trust including privacy, informing users of
potential pitfalls, and predicting the impact of user decisions. New methods
are needed, supported by automation, to promote usability and provide users
with security controls they can understand. An especially active area of research is digital forensics, where new automated methods will help all users
respond effectively in the aftermath of a security incident.
How is NSF coordinating its own cybersecurity research and planning activities with other relevant federal agencies?
At NSF, we coordinate our cybersecurity research and planning activities with
other federal agencies, including the Departments of Defense (DOD) and Homeland
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00030
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
25
Security (DHS) and the agencies of the Intelligence Community, through the following mission-bridging activities:
NSF plays a leadership role in the interagency Networking and Information
Technology Research and Development (NITRD) Program. The National
Science and Technology Councils NITRD Sub-Committee, of which I am CoChair, has played a prominent role in the coordination of the Federal Governments cybersecurity research investments. For example,
The NITRD Senior Steering Group (SSG) for Cyber Security is overseeing
the unclassified research and development component of the CNCI. We
recently established the National Cyber Leap Year during which we
asked our research leaders in government, academia, and industry, to
propose game-changing concepts for securing cyberspace. Our next step
is to hold focused meetings with the community to pursue some of the
more promising ideas, toward an integrated private-public approach that
considers technical, social, and economic factors in cybersecurity. This
work is immediately responsive to one of the near-term action recommendations published recently in the 60-Day Cyberspace Policy Review.
The NITRD CyberSecurity and Information Assurance Interagency Working Group (CSIA IWG) coordinates cybersecurity and information assurance research and development across the thirteen member agencies, including DOD, the Department of Energy (DOE) and the National Security
Agency (NSA). In 2006, the CSIA IWG published a national research and
development agenda for strengthening the security of the Nations
cyberinfrastructure. This report continues to inform our investments
today.
NSF also plays a leadership role in the multi-agency Infosec Research Council
(IRC), whose members include the DOD, agencies representing the Intelligence Community and a number of other federal agencies and entities (e.g.,
DOE, National Institute of Standards and Technology, and National Library
of Medicine). The IRC provides a forum for the discussion of critical scientific
and technical issues in cybersecurity, serves as a catalyst for the establishment of new programs and technical emphases, and helps minimize duplication of effort. In the past several years, IRC members have hosted a number
of academic-industry-government workshops, such as the recent workshop on
the Science of Security Workshop, which identified new principles and methodologies in support of a more foundational approach to security. This workshop was co-funded by NSF, the Intelligence Advanced Research Project Activity (IARPA), and NSA.
These and other interagency settings, both formal and informal, provide a range
of opportunities for interagency coordination and collaboration.
In particular, how is NSF coordinating its (unclassified) research and planning activities with Department of Defense or other federal classified research and research infrastructure, including cyber test beds?
Jointly sponsoring workshops, such as the one I just cited, is representative of the
types of interactions that take place between agencies supporting classified and/or
unclassified components of the federal cybersecurity research portfolio. There is, of
course, a rather significant classified component in the CNCI. Coordination between
the larger classified component and the more modest unclassified component is
achieved through the engagement of individuals who participate in both. These individuals share and promulgate knowledge generated in the unclassified component
with those participating in the classified component.
Through some of the coordinating mechanisms I have just described, NSF also
works with its sister agencies in the deployment of cybersecurity testbeds. For example, the cyber-DEfense Technology Experimental Research Environment project
(DETER)a testbed that supports research on next-generation cybersecurity technologieshas been supported jointly by DHS and NSF. In another example, the
Wisconsin Advanced Internet Laboratory (WAIL), which is supported by NSF, the
Defense Advanced Research Project Agency (DARPA)2 and DHS, allows networking
and distributed systems researchers to recreate end-to-end instances of the real
Internet, thereby permitting realistic network testing in support of security. As we
2 DARPA does not provide funding for the Wisconsin Advanced Internet Laboratory as indicated in the written testimony. NSF noted this error on June 19, 2009.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00031
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
26
look to the future, the DARPA National Cyber Range (NCR) is envisioned as a
testbed that will allow researchers to perform qualitative and quantitative assessments of the security of cyber technologies and scenarios. Among the many experimental testbeds that have been developed, DARPA is considering DETER and WAIL
as starting points for the NCRdemonstrating the value of mission-bridging from
NSFs basic research mission to the quite focused application needs of other agencies. If the NCR is opened to unclassified research, then NSF would welcome the
opportunity to coordinate with DARPA to provide academic researchers with an opportunity to run their experiments on this testbed.
What changes, if any, does NSF plan to make to its research portfolio, planning, or interagency coordination efforts in response to the findings and
recommendations in the Administrations 60-day federal cybersecurity review?
NSF and the academic community very much appreciated the opportunity to contribute to the 60-day Cyberspace Policy Review. As I stated in my opening remarks,
the Review clearly recognizes the importance of investments in fundamental, unclassified research, in support of which NSF plays a significant role.
The Review also recognizes the importance of cybersecurity education. Besides our
support of research, NSF plays an increasingly important role in the preparation
of current and future generations of computing professionals and of a scientificallyliterate national workforce. We are grateful that the Review recognizes the important role of several of our education programs, most notably the Pathways to Revitalized Undergraduate Education in Computing, and the Scholarships for Service
programs.
NSFs current portfolio of investments spans the many important topics highlighted in the Review. Further, our interdisciplinary reach to the broad academic
community, and beyond into the private sector, provides an unparalleled opportunity to establish bold, new game-changing directions in long-term cybersecurity
research that are informed both by social and economic needs and by national security requirements. Our aspirations for the Trustworthy Computing program, which
takes a holistic, interdisciplinary approach to establishing the science of trustworthiness and its embodiment in the engineering of trustworthy computing systems and technologies, are consistent with the reviews recommendations.
NSF will continue to support interagency workshops that promote interagency collaboration and coordination. Workshops are planned on how to measure success in
security-related research activities, on developing metrics to assess the security and
privacy of complex systems, and on how to achieve security in the financial infrastructure. This last workshop will be coordinated with the Department of the Treasury.
NSF and its many partners in academe, industry, and government stand ready
to respond to the national imperative to secure cyberspace, both today and for the
foreseeable future. We welcome the opportunity to collaborate with our partners in
creating a comprehensive response to the recommendations expressed in the review.
To what extent is NSFs cybersecurity research portfolio shaped by the
cybersecurity needs and related research priorities of the private sector?
How is NSF soliciting input from the private sector regarding its research
portfolio?
In the academia-industry-government ecosystem, organizations and individuals in
all three sectors bear a responsibility for shaping a future cyberinfrastructure that
is usable, secure, dependable, and resistant to attack, for the benefit of science, our
economy, and our society. The recent Cyberspace Policy Review clearly recognizes
the value of a healthy academia-industry-government ecosystem in strengthening
our nations cybersecurity posture.
At a strategic level, NSFs research investments are shaped by advice provided
by private sector representatives serving on the National Science Board and NSF
Advisory Committees.
NSF also catalyzes the formation of strong partnerships between academia and
the private sector by providing programmatic incentives that encourage both sectors
to work together, thereby speeding the transition of research and education outcomes into products and services. For example, the NSF Team for Research in Ubiquitous Security Technology (TRUST) Science and Technology Center works with a
number of industry partners who 1). help define the Centers strategic intent and
research and education priorities through the Centers External Advisory Board,
and 2). interact directly with faculty and students on individual research projects.
Industry partners include Cisco, Deloitte and Touche, eBay, GE, HP, ING, Intel,
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00032
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
27
Microsoft, Nortel Networks, Oracle, Qualcom, Raytheon, Silicon Valley Bank, Sun
Microsystems, Symantec, and Visa.
NSFs Cyber Trust program also supports three Centers with strong industry
partnerships. For example, the Trustworthy Cyber Infrastructure for the Power grid
(TCIP) center, which also receives support from DHS and DOE, works with its industry partners to create cybersecurity research advances that will make the Nations power grid more secure, reliable and safe. Industry and other partners in this
venture include ABB, Amerren, Areva, California ISO, Cisco, Entergy, EPRI,
Exelon, GE, Gerhrs, Instep, ISIsoft, Kema, Multili, Open Systems International, Pacific Northwest National Laboratory, Power World Corporation, Siemens, and
Starthis.
In addition to academic-industry partnerships encouraged through NSF programmatic incentives, many NSF-supported faculty and students have informal connections with industry, and many students in computing fields do summer internships in industry. Using these informal mechanisms, research results from NSF investments in cybersecurity also often find their way into industry products and services. For example, a team of researchers from UCBerkeley, Stanford, and University of Maryland College Park developed an open source version of their static analysis tools for finding software vulnerabilities. These tools have been adapted by
Microsoft and other large software developers and incorporated into their products.
Looking to our cybersecurity future, there are several areas ripe for industry-university collaboration. First, industry has data that are otherwise unavailable to academics. Providing access to real dataappropriately sanitized, anonymized, and
otherwise scrubbedbased on real adversaries and real users of operational systems
and networks is essential. This access enables researchers to test whether their theoretical ideas play out in practice. Do they scale? What are the edge cases? Furthermore, researchers gain new insights by examining real data. Patterns and anomalies emerge from looking at real data that would not from synthetic data. These discoveries in turn raise new scientific questions. Second, industry has problems looming in the horizon that they just dont have time to solve or problems they cant even
imagine because they are so focused on the present; those are exactly the kinds of
problems academic researchers can work on: anticipating the threats of tomorrow
so that when they arrive, potential solutions will be available. Moreover, academics
are freer to think out of the box and thus may come up with creative solutions that
while impractical today, may be quite practical in the future.
In my testimony today, Ive tried to provide examples of the ways in which NSF
works with its partners in the Federal Government, in the private sector, and in
academe to catalyze long-term research advances in cybersecurity. In his May 29
speech on the roll-out of the 60-day Cyberspace Policy Review, the President stated
that Americas economic prosperity in the 21st century will depend on
cybersecurity and the Administration will continue to invest in the cutting-edge
research and development necessary for the innovation and discovery we need to
meet the digital challenges of our time. Your Subcommittees also clearly recognize
the importance of research advances in cybersecurity to the Nations future.
With robust sustained support for fundamental research in both the executive and
legislative branches, we have a unique opportunity to increase our nations investments in fundamental cybersecurity research, thereby securing our nations future
for many decades to come.
This concludes my remarks. I would be happy to answer any questions at this
time.
BIOGRAPHY
FOR
JEANNETTE M. WING
Dr. Jeannette M. Wing is the Presidents Professor of Computer Science in the

Computer Science Department at Carnegie Mellon University. She received her S.B.
and S.M. degrees in Electrical Engineering and Computer Science in 1979 and her
Ph.D. degree in Computer Science in 1983, all from the Massachusetts Institute of
Technology. Currently on leave from CMU, she is the Assistant Director of the Computer and Information Science and Engineering Directorate at the National Science
Foundation.
Professor Wings general research interests are in the areas of specification and
verification, concurrent and distributed systems, programming languages, and software engineering. Her current interest is on the foundations of trustworthy computing where by trustworthy she includes reliability, security, privacy, and
usability. Her current projects are on specifying and verifying privacy policies.
She has published extensively in top journals and major conferences and has
given nearly 300 invited, keynote, and distinguished lectures. She was or is on the
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00033
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
28
editorial board of twelve journals, including the Journal of the ACM and the Communications of the ACM.
Professor Wing has been a member of many advisory boards, including: the Networking and Information Technology (NITRD) Technical Advisory Group to the
Presidents Council of Advisors on Science and Technology (PCAST), the National
Academies of Sciencess Computer Science and Telecommunications Board, the
DARPA Information Science and Technology (ISAT) Board, NSFs CISE Advisory
Committee, Microsofts Trustworthy Computing Academic Advisory Board, the Intel
Research Pittsburghs Advisory Board, Dartmouths Institute for Security Technology Studies Advisory Committee, and the Idaho National Laboratory and Homeland Security Strategic Advisory Committee. She was a Member-at-Large on ACM
Council and served on the ACM Kanellakis Award Committee and the ACM
Karlstrom Outstanding Educator Award Committee. She was on the Microsoft New
Faculty Fellowship Selection Committee and the Sloan Research Fellowships Program Committee. She was the Co-Chair of the Technical Symposium of Formal
Methods 99, co-organizer of the UWMSR CMU 2003 Software Security Summer
Institute, and Co-Chair of the First International Symposium on Secure Software
Engineering.
Administratively at Carnegie Mellon, she served as Head of the Computer Science
Department during 20042007, overseeing 90 faculty. She was Associate Dean for
Academic Affairs for five years, overseeing the operations of the educational programs offered by the School of Computer Science, including at the time: ten doctoral
programs or specializations, ten Masters programs, and the Bachelors program.
She also served as Associate Department Head for nine years, running the Ph.D.
Program in Computer Science.
She was on the Computer Science faculty at the University of Southern California
and has worked at Bell Laboratories, USC/Information Sciences Institute, and Xerox
Palo Alto Research Laboratories. She spent sabbaticals at MIT in 1992 and at
Microsoft Research 20022003. She has consulted for Digital Equipment Corporation, the Mellon Institute (Carnegie Mellon Research Institute), System Development Corporation, and the Jet Propulsion Laboratory. She is a member of AAAS,
ACM, IEEE, Sigma Xi, Phi Beta Kappa, Tau Beta Pi, and Eta Kappa Nu. She was
elected an ACM Fellow in 1998, IEEE Fellow in 2003, and AAAS Fellow in 2007.
Chairman WU. Thank you very much, Dr. Wing. Dr. Leheny, I
am going to get you started, and Chairman Lipinski is going to
take over for a while. Dr. Leheny, please proceed.
STATEMENT OF DR. ROBERT F. LEHENY, ACTING DIRECTOR,
DEFENSE ADVANCE RESEARCH PROJECTS AGENCY (DARPA)
Dr. LEHENY. Mr. Chairman, Subcommittee Members and staff,

thank you very much for this opportunity to discuss DARPAs programs, information assurance, and cybersecurity.
As I believe you are already aware, DARPAs mission is to invest
in high-risk, high-reward technologies that create new capabilities
for our military. And information assurance and cybersecurity are
important elements in our current portfolio of programs. Let me
begin today by commenting on the significance of robust secure
self-forming networks to the defense department.
Like many commercial enterprises, the department is transforming to network centric operations, so DARPAs programs are
focused on ensuring that these networks can operate independently
in a robust and secure manner. We are interested in two types of
networks, strategic high-speed optical and satellite based global
networks, networks relying on commercial hardware technologies
for the most part. For these types of networks, our focus is largely
on operations, survivability under attack, and security.
At the other extreme are practical, largely wireless networks,
networks directly supporting the war fighter on the front lines.
Wireless networks present both hardware and software challenges.
They must be agile and adaptive, capable of operating in any envi-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00034
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
29
ronment, as well as be able to manage, defend, and heal themselves at speeds beyond human capabilities. And they must be selfforming without recourse to the infrastructure or cell towers of the
commercial provider.
As network capabilities become ever more essential to operations,
these networks above all else must be secure. We will spend about
$127 million on information assurance and cybersecurity in the
current fiscal year, and we are requesting an increase of more than
14 percent to $164 million for 2010. While most of these investments are targeted to software architecture and protocol issues, to
ensure networks are secure from the ground up, their underlying
hardware must also be secure. So in what is truly a DARPA hard
problem, we are investing in a program we call TRUST, oddly
enough the same name that the NSF has for one of its programs,
but we are doing something completely different. What we are
doing is investigating methods for detecting malicious features inserted into semiconductor chips during their design, manufacture,
and programming. All of these efforts focus on the department
challenges, but we believe our successes, as has been the case in
the past, will eventually impact commercial network technologies
as well.
At this time, perhaps our most visible program, one of particular
interest to this committee which we took on as part of the Comprehensive National Cyber Initiative, is our program to develop a
National Cyber Range. Recognizing that scientific progress has always been paced by advances in our ability to observe, test and
perform rigorous experiments, we are designing this range to be a
vehicle for a significantly advancing progress in cyber understanding and capabilities, to be a tool for rapid, realistic, and quantitative simulation assessment of cyber technologies. Researchers
will be able to operate at either the classified or unclassified levels
and with many more nodes than current cyber test ranges with
highly automated tools and regiment techniques, they will have access to revolutionary research capabilities, capabilities that will
allow rapid network simulation under real-world conditions, enabling efficient development and testing of information assurance
and cybersecurity strategies.
The program has three phases. In the current first phase, we
began by seeking ideas from multiple sources which after a government panel review resulted in our placing seven teams under contract to develop competing designs for delivery later this summer.
At that time, the government team will evaluate and select the
best among these designs to continue into a Phase II program to
produce a limited number of prototype ranges. In a third phase, the
most capable prototype range will be further developed into the
operational range to be completed in 2012. DARPA is managing the
National Cyber Range development, but we will transition the completed range to another organization for operation. The details are
a work in progress. Presently two government working groups are
studying the issues. One is developing a technical vision and business model for the range operations. The other is focused on security issues for accrediting the range for use by all agencies across
the government. In the end, I believe the range will operate like
other national research assets with a panel to review and prioritize
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00035
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
30
user proposals and an administrator to maintain facilities and facilitate research or access.
Regarding how we coordinate our research with other agencies,
I can assure you that we actively coordinate our efforts. Two specific examples include the multi-agency participation in the development of the National Cyber Range, and our teaming with the
NSF to organize two cybersecurity workshops this summer. But in
general, in the process of developing new programs, our program
managers routinely engage with their counterparts in other agencies to scope out the best way forward to achieve a specific research
goal. Regarding the 60Day Cyberspace Policy Review, this highlevel document ranges over a wide variety of policy issues, but I
note that it specifically recognizes the importance of innovation in
achieving cybersecurity, explicitly calling out the supply chain
threat which our TRUST program is addressing and the importance of modeling and simulation capabilities that the NCR will enable.
In conclusion, as the department expands its net-centric operation, information assurance remains a critical concern. In dealing
with this concern, we are committed to working with organizations
across the government to contribute to the national goals for a secure cyberspace, and when the new DARPA Director is in place, refining our plans, programs and budgets for cybersecurity will be
high on our agenda.
I would be pleased to answer your questions.
[The prepared statement of Dr. Leheny follows:]
PREPARED STATEMENT
OF
ROBERT F. LEHENY
Mr. Chairman, Subcommittee Members and staff: I am Bob Leheny, Acting Director of the Defense Advanced Research Projects Agency (DARPA). I am pleased to
appear before you today to discuss DARPAs ongoing work in cybersecurity, or what
we in the Department of Defense (DOD) call information assurance.
Id like to set the context for my remarks today by briefly describing DARPAs
mission and how we work.
DARPAs mission is to prevent technological surprise for us and to create technological surprise for our adversaries. DARPA conducts this mission by searching for
revolutionary high-payoff ideas and sponsoring research projects that bridge the gap
between fundamental discoveries and their military applications. Stealth aircraft,
developed at DARPA more than 25 years ago, is one among many important examples of how we create technological surprise.
To understand DARPAs role in DODs science and technology (S&T) establishment, consider an investment timeline that runs from near to far, indicative of
the time required for an investment to be incorporated into an acquisition program.
The near side represents investments that characterize much of the work of the
Departments other S&T organizations, which tend to gravitate to the near-term because they emphasize investments in capabilities required to meet todays mission
requirements. These investments are excellent S&T and are crucial to DOD because
they continuously hone U.S. military capabilities, e.g., improving the efficiency of jet
engines and making existing radios more reliable. This S&T is usually focused on
known systems and problems.
At the other end of the investment timelinethe far sideare the smaller basic
research investments made by various federal agencies and the Military Services
that support fundamental discoveries, where new science, ideas, and radical concepts typically first surface. Investigators working on the far side generate ideas for
entirely new types of devices or new ways to put together capabilities in a revolutionary manner, but often find that obtaining funding is difficult, if not impossible.
DARPA was created to bridge the gap between these two groups. The Agency
finds the people and ideas on the far side and accelerates those ideas to the near
side for transition to the DOD S&T and acquisition communities as quickly as possible. DARPAs work is high-risk and high-payoff precisely because it bridges the
gap between fundamental discoveries and their military use.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00036
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
31
DARPAs success depends heavily on the freedom of its program managers to pursue the far side ideas that other S&T organizations overlook or, for a variety of reasons, decide not to consider. DARPA hires program managers for limited terms of
four to six years, which ensures a steady input of new energy and ideas. Given their
relatively short tenure, these program managers focus their time on quickly generating ideas and starting new programs. DARPAs senior leadership provides an
overall technical vision and oversees the organizational coordination and collaboration activities required of any DOD organization, thus freeing the program managers to focus on their programs. This approach has enabled DARPA to pursue the
ideas and programs that have benefited DOD for more than 50 years.
DARPAs strategy for accomplishing its mission is embodied in a set of strategic
thrusts that guide its investments. The current strategic research thrusts that
DARPA emphasizes today are:
Robust, Secure, Self-Forming Networks
Detection, Precision ID, Tracking, and Destruction of Elusive Targets
Urban Area Operations
Advanced Manned and Unmanned Systems
Detection, Characterization, and Assessment of Underground Structures
Space
Increasing the Tooth-to-Tail Ratio
Bio-Revolution
Core Technologies, which span investments in quantum science and technology, bio-info-micro, materials, power and energy, microsystems, information technology, mathematics, manufacturing science and technology, and lasers.
Today, I will discuss DARPAs vision for DODs Robust, Secure, Self-Forming Networks and the investments in information assurance to secure those networks.
Robust, Secure, Self-Forming Networks
DOD is in the middle of a transformation to network-centric operations, which has
as its goal turning information superiority into a distinct advantage so U.S. forces
can operate far more effectively than any adversary. Network-centric operations fuse
the typically separate functions of intelligence and operations to dramatically speed
up the observe-orient-decide-act (OODA) loop.
At the core of this concept are robust, secure, self-forming networks. These networks must be at least as reliable, available, secure, and survivable as the weapons
and forces they connect. They must distribute huge amounts of data quickly and
precisely across a battlefield, a theater, or the globe, delivering the right information
at the right place at the right time. The networks must form, manage, defend and,
when disrupted, heal very quickly.
Military network technology requirements are divided according to their application into either tactical or strategic networks. Tactical networks are largely wireless
and directly support units and their equipment on the front lines. They must be
agile, adaptive and versatile, and connect units and their equipment that are operating together, sometimes with different communication equipment, at local area
ranges in all environments, including urban areas. Strategic networks are largely
optical wired and/or satellite-based, are often operated by commercial suppliers, and
provide broadband links between overseas command centers and the United States.
Strategic networks globally link air, ground, and naval forces for operational maneuver and strategic strike and enable the distribution of knowledge, understanding, and supply throughout the force.
Network-centric operations require connectivity between the strategic and tactical
echelons so they can rapidly and effectively share information. Technology advancements now provide the opportunity to connect these two families of networks.
DARPA is bridging strategic and tactical operations with high-speed, high-capacity
communications networks. The DOD strategic, high-speed fiber optic networkthe
Global Information Grid (GIG)is an integrated network with a data rate of hundreds to thousands of megabits per second. To reach deployed elements, data on the
GIG must be converted into a wireless format for reliable transmission to the various units within theater. This creates problems in the timely delivery of information.
To connect the tactical warrior to the GIG, DARPA is developing high-speed network technology that can robustly disseminate voice, video, text, and situation
awareness information to the various military echelons and coalition forces. To accomplish this, the high data rate capability of optical communications is being com-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00037
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
32
bined with the high reliability and adverse-weather performance of radio frequency
(RF) communications.
The goal of DARPAs Optical RF Communications Adjunct (ORCA) program is to
create a high data rate backbone network via several airborne assets that nominally
fly at 25,000 feet and up to 200 kilometers apart and provide GIG services to ground
elements up 50 kilometers away from any one node. ORCA provides billions of information bits per second, error-free on an optical link and, at radio frequencies, hundreds of millions of information bits per second when clouds block the optical link.
For applications at sea, DARPA is working to bridge strategic and tactical maritime operations with a revolutionary new capability for submarine communications
based on a blue laser efficient enough to make submarine laser communications at
depth and speed a near-term reality. If successful, it will dramatically change how
submarines communicate and greatly improve their operations and effectiveness,
enabling submarines to become truly persistent nodes for network-centric operations
at sea.
At the tactical ground level, radio inter-operability has plagued DOD for decades.
To connect tactical ground, airborne, and satellite communications platforms and
terminals together, the Network-Centric Radio System (NCRS) program has developed a mobile, self-healing, ad hoc network gateway that provides total radio/network inter-operability among these platforms moving in any terrain. NCRS builds
inter-operability into the network itselfrather than into each radioallowing any
radio to communicate with any other radio. Now, previously incompatible legacy tactical radios can link seamlessly among themselves and to more modern systems, including military and commercial satellite systems. DARPA is taking this technology
and working on commercial components and practices to make NCRS more affordable at low rate initial production quantities. A follow-on program, Mobile Ad hoc
Information Network GATEway (MAINGATE), is focused on providing this capability at a low unit cost ($60,000 each) in small volumes (1,000 units).
Another wireless challenge is frequency spectrum; it is scarce and valuable.
DARPAs NeXt Generation (XG) Communications technology is making up to 10
times more spectrum available by taking advantage of spectrum assigned to others,
but unused at a particular place and time. XG technology senses the spectrum being
used and dynamically makes use of the spectrum that is not busy. Recently, XG conducted a series of successful experiments and demonstrations at several military locations, and various organizations within DOD are planning to transition XG technology broadly into current and existing wireless communication systems.
DARPA is developing communication networks specifically for the kind of urban
environments our troops are encountering today. As is the case for civilian wireless
networks, urban clutter can create multiple signals from diverse reflections
(multipath) of the initial signal, and the result is weak or fading communications.
This problem is being turned into an opportunity through the DARPA Mobile
Networked Multiple-Input/Multiple-Output (MNM) program, which is actually exploiting multipath phenomena to improve communications between moving vehicles
in cities without using a fixed communications infrastructure. MNM has demonstrated reliable non-line-of-sight communications during on-the-move field trials
in urban environments. The program successfully exploited multipath to increase information throughput and reliability while maintaining high data rates. It also demonstrated reliable communications in the face of interference by enabling multiple
signals to simultaneously occupy the same frequency band, resulting in increased
capacity of that channel.
Building on XG, MNM, and other technologies, the Wireless Network after Next
(WNaN) program is developing an affordable communication system for reaching to
the tactical edge. The WNaN low-cost, highly capable radio will allow the military
to communicate with every warfighter and every fielded device at all operational
levels. WNaN technology will exploit high-volume, commercial components and
manufacturing techniques so DOD can affordably evolve the capability. The radio
cost will be low enough so that they can be refreshed after a few years of use with
updated, more capable radiosas are todays commercial cell phones. DARPA is
working with the Army to make a low cost hand-held networking radio for about
$500 apiece a reality. In fact, we recently signed a memorandum of agreement that
could lead to the Army buying large numbers of units for military use.
Information Assurance for DOD Networks
The vision for DODs networks covers great scope and depth, starting with the
building blocks of component hardware and software, ranging from smaller networks for individual systems and tactical use to huge global networks; from wired
to wireless; from mobile to fixed; and many combinations in between. These networks give the U.S. military significant advantages, which make them a very attrac-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00038
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
33
tive, high value target for any adversary. The United States must assume its adversaries will seek ways to destroy, disrupt, distort, or infiltrate DODs networks.
Those networks must be reliable in any environment for extended periods and
protected against cyber threats. As technologies are developed and deployed to successfully block overt cyber attacks, adversaries will likely attempt to insert malicious code to disrupt the networks. DOD, with some of the most sophisticated and
complex networks and facing the most sophisticated attacks, must rigorously protect
its networks or suffer terrible consequences. The ever-growing sophistication of
these threats has surpassed the ability of current commercial markets to provide
DOD with rapid and robust solutions.
While many threats and problems are common to most types of networksprivate, civilian government, and militaryand many private and non-DOD researchers are addressing them, DARPAs efforts are focused on technologies to solve the
Defense Departments information assurance operational challenges. Funding for
our information assurance research is primarily contained in two places in our
budget: an applied research budget project called Information Assurance and Reliability and a program element called Cyber Security Initiative, which covers the
National Cyber Range. The total in these for FY09 is about $127M, and we are requesting about $164M in FY10. The details on these requests may be found in our
budget, which is available online at www.darpa.mil/budget.html.
Critical to DODs transformation to network-centric operations are the wireless
networks known as Mobile Ad Hoc NETworks (MANETs), which are designed to fluidly and automatically connect moving vehicles and dismounts as needed without
a static network infrastructure. A rough analogy is a cell phone network made up
only of cell phoneswithout cell towers or a telephone company. For example, a television ad for a telecommunications company shows a large crowd of people standing behind its network. MANETs must operate without this support, yet remain
fully functional networks while being vigorously attacked.
The DARPA Intrinsically Assurable Mobile Ad Hoc Network (IAMANET) program
is aimed directly at building DOD MANETs that are secure from the ground up.
IAMANET is developing network architectures and protocols to authenticate and
authorize all traffic on a MANET, quarantine problems so they dont spread, and
prevent data from corruption and unauthorized exfiltration. In contrast, the current
Internet does not deny unauthorized traffic by default and violates the principle
of least privilege, where a user is given no more privilege than required to perform
a given task. Existing protocols are not resistant to malicious acts that can produce
faulty outputs and inconsistent behavior. IAMANET technology will provide a smart
router technology for ad hoc network environments that will not forward malicious
traffic, preventing infections from spreading through the network and securing information within the network.
IAMANET builds on earlier DARPA research from the Dynamic Quarantine of
Worms (DQW) program. DQW technology creates an integrated system that automatically detects and responds to worm-based attacks against military networks,
provides advanced warning to other DOD networks, studies and determines the
worms propagation, and automatically immunizes the network against these
worms. The system quickly quarantines so-called zero-day worms to limit the
number of machines affected and restores the infected machines to an
uncontaminated state in minutes, rather than hours and days. The Marines are now
conducting tests of DQW-protected systems.
MANETs are of such significance to DOD that DARPA is sponsoring basic research to develop Information Theory for Mobile Ad Hoc Networks (ITMANET) to
provide a more powerful theory for mobile wireless networks. The ITMANET program is motivated in part by a major scientific accomplishment of the last century:
Claude Shannons information theory, which provides a mathematical foundation for
understanding information capacity in wired, point-to-point networks. This theory
is an essential foundation for todays information revolution, but is incomplete when
dealing with wireless MANETs. ITMANET is extending Shannons classic description of information capacity to the more complex mobile ad hoc network case. Stanford University and the University of Texas are leading two research teams in this
effort, which involves 24 faculty members from several universities. Important program results are being reported in peer-reviewed professional journals, and, based
on this research, a popular science magazine is planning a tutorial article on
MANETs to popularize the concepts among a wider audience. While this work may
not seem to be strictly information assurance, DARPA researchers believe it will
help us understand the limits of what can and cannot be done in MANETs and inform the design of MANETs that are more secure.
DARPAs information assurance programs for wired networks will likely yield results that could be useful to a wide range of users beyond DOD.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00039
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
34
The Trustworthy Systems program is developing innovative methods to detect unusual traffic in networks. These methods promise to be orders of magnitude more
effective than traditional approaches by leveraging recent advances in statistical
physics, information theory, and thermodynamics. The goal is to detect 99 percent
of attacks launched with no more than a single false alarm per dayall at gateway
speeds, in the gigabits-per-second range.
The Self-Regenerative Systems (SRS) program is developing techniques to allow
networks to work through attacks and automatically adjust themselves to provide
critical functions in the presence of attacks. Over time, SRS will learn their own
vulnerabilities and how to correct them, even protecting against incorrect or improper actions by authorized users. Started in 2004, the SRS program involves several universities and research firms and is advancing four key cyber defense technologies: automated software diversity, scalable redundancy, insider threat mitigation, and self-healing. The current phase of the program will move SRS technologies
from the laboratory to an actual DOD system to show that the system can automatically heal itself from expert attack, while maintaining a viable level of service.
The DARPA Application Communities (AC) program is building an automatic
cyber defense infrastructure for large deployments of similar applications in many
places, for example, the same web browser running simultaneously on many separate computers. As a network comes under attack, continued comparison across the
network permits the online construction of a universal software patch for all affected machines. The core technology for the AC program was developed at MIT and
will be demonstrated in the current phase of the program in conjunction with MITs
commercial partner.
All networks rely on hardware, and to work properly that hardware must be secure. With much of the microelectronics used in DOD and other systems manufactured off-shore, the question naturally arises, How do we know we are getting what
we asked for in the microelectronics and only what we asked for? The integrity of
the hardware components is commonly not addressed when considering
cybersecurity and networks, but it is a key issue in DOD information assurance. To
the extent DOD systems use microelectronics purchased from several vendors, including foreign sources, they are at risk.
DARPAs Trusted, Uncompromised Semiconductor Technology (TRUST) program,
a major information assurance program, is directly tackling this issue. Pursuing a
series of complementary technologies and techniques to ensure that DODs microelectronics will do only what they are supposed to do and nothing more, TRUST program research addresses the full production cycle of microelectronics, including design and fabrication. The program is studying ways to determine whether malicious
features have been inserted during the design or fabrication of application-specific
integrated circuits or during the programming of field programmable gate arrays.
DARPA is at the forefront of research in this area, confronting these issues in a
comprehensive manner for the first time with expected results that will enhance
and ensure the trustworthiness of microelectronicsregardless of where they have
been manufactured.
National Cyber Range
DARPAs most prominent information assurance program is the National Cyber
Range (NCR) project, which is part of the Comprehensive National Cybersecurity
Initiative (CNCI). DARPA was selected to run this program because we have some
experience in the area of cybersecurity testing.
The NCR will result in a testbed on which researchers and developers can simulate and measure technologies and their performance in a realistic environment, allowing cybersecurity technology testing under real-world conditions and across a variety of network types.
DARPA believes the NCR will accelerate the development of leap-ahead
cybersecurity technology for the larger research community. The fundamental idea
underlying the rationale to develop a large-scale cyber test range is the recognition
that scientific progress is often paced by advances in the instrumentation available
to observe and test new phenomena and to run rigorous experiments to verify the
significance of these observations and theoretical insights they stimulate. Just as
developments in microscopes and telescope technologies opened new worlds to scientific exploration and revolutionized our understanding of nature, the NCR, if successful, will provide the same opportunity for the cybersecurity research community.
The design goal for the NCR is to enable researchers to rapidly create network
architectures under a variety of conditions, from high operational demand to aggressive cyber attack, and develop responses based on the collected data. Simulations
conducted with the highly automated cyber range will allow a variety of user and
network behaviors, providing researchers insight and deeper understanding of how
cybersecurity and situational awareness tools function in complex environments.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00040
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
35
When completed, the NCR will allow realistic, quantifiable tests and assessments
of cybersecurity scenarios and defensive technologies, revolutionizing cybersecurity
testing by offering vastly improved cyber testing capabilities in terms of:
Scope. The NCR will allow unclassified and classified testing on the same facilities, including wired and wireless networks, MANETs, supervisory control
and data acquisition systems, and other features to simulate an extremely
large variety of networks. It will allow defensive technologies to be tested
against realistic offensives and greatly improve and accelerate researchers
abilities to produce solutions and rapidly deploy them.
Scale. The NCR will have orders of magnitude more nodes than currently
available test ranges, providing a much more realistic and valid test environment.
Flexibility Through Automation. Under software control, the NCR will be able
to quickly set up a wide variety of test networks and permit multiple, independent experiments on the same infrastructure. A graphical user interface
will allow test directors to use a drag-and-drop feature to quickly lay out a
network architecture, its hosts, system latency, environmental characteristics,
and other pertinent test qualities and requirements. Once this infrastructure
is created, it will be ready for testing immediately; the impact will be to dramatically change the time required to create a test environment from months
to minutes.
Efficiency. The NCRs state-of-the-art instrumentation and forensics technology will enable far better use of test time.
I think that NCR could operate much like other major National research assets
and laboratories. A number of potential operating models exist, including the DODs
High Performance Computing Modernization Program, which has been run by the
DOD since the early 1990s and makes high performance computing facilities available to Defense researchers for both classified and unclassified projects.
I believe, for example, that NCR could have a panel that reviews and prioritizes
proposals submitted by potential users for time on the range. One of their guiding
principles would be to ensure that the portfolio of research fulfills the mission of
the range. Such a panel would then schedule who gets access to the range and
when, and what they can do on the range. An administrator would facilitate users
access and use of the range and ensure their individual research goals on the range
are met. I am sure that other possible operating models exist.
Two primary technical challenges must be tackled to achieve NCRs goals: (1) How
are large-scale, highly heterogeneous networks simulated realistically, and what is
the scale and scope needed for realistic experiments?; and (2) What instruments can
be created to monitor performance during experiments to provide the greatest meaningful understanding of the results, even providing quantitative measures of performance? Real-world cybersecurity events are taking place all the time, but existing
network administration techniques provide little insight into their cause without
considerable effort. The point of the NCR is to incorporate highly sophisticated, fast,
flexible, and efficient instrumentation and administration technologies, in a controlled environment, to enable full understanding of such phenomena rapidly and
with little effort.
In November 2007, DARPA released an unclassified Request for Information
where we solicited the community for ideas to improve cyber testing. In May 2008,
DARPA released a Broad Agency Announcement and conducted a two-day unclassified industry day soliciting solutions from the community and answering questions
posed by the community. A government-wide source selection process selected the
best of breed from those proposed. The NCR program is in its first phase. During
this phase, there are seven teams of defense contractors, universities, small businesses, vendors, and service providers working on competing designs to be completed and delivered this summer. The next phase will be to take several selected
design teams forward to build small-scale prototypes. We expect that selection and
build phase to be completed in fall of next year, and then move on to completion
and operation of the range.
DARPA will not own or operate the NCR when completed. Historically, DARPA
facilities and institutional interests have been held to an absolute minimum, allowing the Agency to be open to new ideas. To remain consistent with this management
philosophy, DARPA will not own or operate the NCR once it is built.
The NCR is an integral part of the CNCI, and within NCR are two key working
groups. The NCR Joint Working Group is a stakeholders panel headed by DARPA
that is developing the technical vision and business model for the NCR. This work
informs the technical capabilities needed and provides options on how the NCR will
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00041
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
36
operate. Many issues are being studied, including who will manage the NCR, how
it will be funded, who will have access, and conditions for use. Working group members represent DOD; the Intelligence Community; Departments of Homeland Security, Energy, and Treasury; National Science Foundation; Federal Bureau of Investigation; National Institute of Standards and Technology; the New York State Governors Office; and the New Jersey State Police. They are invited to participate in
all the steps from concept development to performer selection and periodic program
reviews.
A separate working group focuses on the crucial issue of NCR security requirements. The range will have to be certified to run classified and unclassified testing,
and the various agencies have different security requirements and nomenclatures.
This working group seeks security protocols that will allow the NCR to be properly
accredited by agencies from across the Government.
Coordination of Research
Much of the coordination of DARPA research with other government agencies occurs as a bottom-up process within technical communities. DARPA program managers are hired from government, industry, and academia in large measure because
they are world-class technical experts with extensive knowledge of the research
being done in their technical areas. In the last eight years, roughly one-third of
DARPA program managers have come from industry, one-third from other parts of
DOD, one-quarter from academia, and one-tenth from elsewhere. More than 95 percent of DARPAs program managers have advanced degrees and are subject matter
experts from a wide variety of backgrounds. DARPAs policy of rotating program
managers after four to six years ensures a steady stream of new people bringing
fresh ideas to the Agency.
Because DARPA conducts none of its research in-house, its program managers
look externally for ideas and research performers. During the process of starting
programs, they seek good ideas wherever those ideas can be found, frequently by
hosting workshops attended by researchers and other government experts. Engaging
a wide spectrum of experts in a field through this extensive outreach effort is how
DARPA coordinates ideas and research.
With that overall process in mind, let me give you some examples of how we have
worked with the National Science Foundation (NSF) in information assurance.
DARPA co-funded three projects through the NSF Cybertrust Program (led by
Stanford, University of Texas, and Princeton) dealing with fundamental software
techniques for high assurance and security. NSF administered these grants to university researchers after their selection through the Foundations standard, community-based, merit review process.
This summer, DARPA and NSF will co-sponsor two research workshops related
to cybersecurity. Both workshops will bring together key thought leaders from universities, National Institute of Standards and Technology, Department of Homeland
Security, National Science Foundation, and DARPA. The first workshop is in clean
slate security architectures, which will identify paths to fundamentally redesigning
computers for modern threats. The second workshop is meant to begin re-thinking
the Internet. As you know, DARPA played a key role in developing the Internet,
and our interest in the future Internet design workshop is to identify fundamental
new network concepts that are far more resistant to attack than the current Internet.
60Day Cyberspace Policy Review
The report that came out of the 60-day Cyberspace Policy Review is a high-level
document covering a very wide variety of policy issues, including leadership, organization, legal, education and training, and operations and incident response. With respect to research issues, the area of DARPAs expertise, the review clearly recognizes the centrality of innovation to our national cybersecurity capabilities. In particular, it contains a discussion of the supply chain threats that we are addressing
in our TRUST programa problem that may not be widely appreciated outside the
national security community. It also discusses the need for modeling and simulation,
capabilities that could be provided by the NCR when it is completed. In general, between the game-changing technology we are promoting and the new tools and facilities of the NCR, DARPA will be able to make a significant contribution to the innovation goals of the Cyberspace Policy Review.
We are at the early stages of what will come out of the 60-day review, but having
senior leadership at the White House looking hard at cybersecurity across the Federal Government will keep it high on the national agenda and stimulate progress
throughout the field. As this process moves forward and we get a new Director at
DARPA, we will be sure to continue to evaluate our own plans, programs and budg-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00042
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
37
ets for cybersecurity. We have been a leader in promoting cybersecurity research,
and we look forward to continuing our role promoting radical innovation for national
security as the implications of 60-day review develop more fully.
The DODs move toward network-centric operations means that information assurance will remain a crucial and long-standing concern. I hope my testimony today
has given you a sense of DARPAs plans and ambitions.
I would be pleased to answer your questions.
BIOGRAPHY
FOR
ROBERT F. LEHENY
Dr. Robert F. Leheny was named Acting Director of the Defense Advanced Research Projects Agency (DARPA) February 20, 2009. He continues to serve as Deputy Director of DARPA, a position he has occupied since June 2, 2003.
DARPA is the principal Agency within the Department of Defense for research,
development, and demonstration of concepts, devices, and systems that provide
highly advanced military capabilities.
Prior to assuming his current positions, Dr. Leheny served as Director of
DARPAs Microsystems Technology Office. He joined DARPA in October 1993 as a
Program Manager in the area of optoelectronics.
Prior to joining DARPA, from 1987 to 1993, Dr. Leheny was an Executive Director
for Network Technology Research in the Applied Research Laboratory of Bell Communications Research, Inc. (Bellcore, now known as Telcordia Technologies, Inc.),
Red Bank, NJ. In this position he was responsible for managing an organization researching materials and device designs for communication systems. From 1984 to
1987, he was Director of the Electronic Device Research Group in the same Laboratory at Bellcore. From 1967 to 1983 he was a member of technical staff in Electronics Research Lab at Bell Laboratories, Inc., Holmdel, NJ. From 1962 to 1967,
he was a graduate student at Columbia University and from 1960 to 1962, he was
employed as a Radar Systems Engineer with the Sperry Gyroscope Co., Great Neck,
NY.
Dr. Leheny received his BS from the University of Connecticut in 1960 and a Doctor of Engineering Science Degree from Columbia University in 1966. In 1983, he
was named a Bell Labs Distinguished Member of Technical Staff and in 1992 he
was named a Distinguished Graduate of the University of Connecticut School of Engineering. In 2003, Dr. Leheny was presented with the DOD Distinguished Civilian
Service Award, the highest award the Department of Defense can give to career civil
servants. He has published over 70 papers, co-edited a book and authored four book
chapters. He is a Fellow of the IEEE and a member of the American Physical Society, American Association for the Advancement of Science, and the New York Academy of Sciences.
Chairman LIPINSKI. [Presiding] Thank you, Dr. Leheny. I now

recognize Dr. Fonash for five minutes.
STATEMENT OF DR. PETER M. FONASH, ACTING DEPUTY ASSISTANT SECRETARY, OFFICE OF CYBERSECURITY AND
COMMUNICATIONS, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND
SECURITY (DHS)
Dr. FONASH. Good afternoon, Chairman Wu, Chairman Lipinski,

and Members of the Subcommittees. Thank you for the opportunity
to discuss the White Houses recently released Cyber Policy Review
as it relates to the Department of Homeland Securitys ongoing efforts to secure the federal, civil, executive branch networks and information systems and to coordinate activities focused on securing
the Nations critical infrastructure.
One of the greatest threats facing our nation is a cyber attack
to the critical infrastructure on which we depend. Our society relies
on technology and telecommunications to support our economy and
critical government functions. The cyber threats to these systems
are real, growing, and evolving. They are large, diverse and range
from independent, unsophisticated, opportunistic hackers to technically competent adversaries and nation states.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00043
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
38
The Nation must be vigilant, proactive and innovative as it addresses and mitigates the service disruptions. The Departments
National Cyber Security Division, or NCSD, serves as the national
focal point for cybersecurity on behalf of DHS. It works with the
private sector and Federal, State, local, tribal and international
governments to assess and mitigate cyber risk and prepare for, prevent, and respond to cyber incidents.
The Cyberspace Policy Review assesses the current state of U.S.
cybersecurity policies and structures. Based on this assessment, future decisions will be made regarding U.S. cybersecurity policy and
appropriate structures to execute it. It is anticipated that those decisions will focus on the following five key areas outlined in the Review which build upon existing programs and activities: (1) developing a new, comprehensive strategy to secure Americas information and communications infrastructure; (2) ensuring an organized
and unified response to future cybersecurity incidents; (3) strengthening public, private, and international partnerships; (4) investing
in cutting-edge research and development; and (5) beginning a national campaign to promote cybersecurity awareness and digital literacy and to build a digital workforce for the 21st century.
Within those areas, a series of near- and mid-term actions are
set forth. DHS and NCSD, working with interagency partners, are
actively engaged in advancing these actions. As many of them align
with current NCSD activities, such as cybersecurity-related information sharing with federal, State, local and private sector partners, supply chain risk management, cyber workforce development,
and the promotion of cybersecurity through national public awareness and education efforts, NCSDs fiscal year 2010 budget request
provides further justification details on how DHS tends to grow
and support these and other cybersecurity activities necessary to
protect the Nation from cyber threats.
Before I address some of NCSDs current initiatives, let me emphasize that privacy and civil liberty considerations are at the center of our efforts. Protecting the privacy of Americans and their
personal information is not just a priority, it is required by law and
we take it very seriously.
DHS leads a multi-agency approach to coordinate the security of
federal, civil, executive branch networks. The United States Computer Emergency Readiness Team, or USCERT, serves as a central federal information security incidence center and is the focal
point for the security of federal civil executive branch networks.
Agencies report instances to USCERT, and it guides agencies on
enhancing detection capabilities and works with them to mitigate
information security incidence. USCERT compiles and analyzes
incident information, shares the information with the operators of
federal information systems. USCERT provides products ranging
from current and potential information security threats to alerts
about vulnerabilities.
In addition, USCERT is improving its capabilities to protect the
federal enterprise in response to growing cyber threats, in large
part to ramp up the current activities due to the Comprehensive
National Cybersecurity Initiative, or CNCI. Over the last year,
DHS has led the CNCI effort to establish a front-line defense for
federal executive branch. As part of this effort, DHS works with
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00044
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
39
the Office of Management and Budget to reduce federal executive
branchs external connections through the Trusted Internet Connection, or TIC, program. Consolidating such connections is the
first step to creating front-line defense. As we reduce external connections, we will deploy EINSTEIN, an intrusion detection system,
at trusted Internet connections which will allow us to more effectively analyze malicious activity across federal executive branch
networks. We also work with federal agencies to develop additional
capabilities to detect and eventually prevent intrusions. Such collaboration will help inform the products necessary to provide actionable information to our critical infrastructure community.
In addition to coordinating the security of federal civil branch
networks, we work with industry and government partners to secure the Nations critical infrastructure networks. The vast majority of the Nations cyber infrastructure is owned by the private sector. As such, cybersecurity is not exclusively a federal responsibility, and the key to our assured success is protecting cyber infrastructures collaboration with the private sector. It is for this reason DHS will continue to strengthen and build upon a public-private partnership framework created under the National Infrastructure Protection Plan, or NIPP. The NIPP was used for one of the
CNCI initiatives whose focus is on improving protection of privately owned critical network infrastructure through public-private
partnership. It is often referred to as Project 12.
State, local, tribal governments and international communities
also play crucial roles in improving cybersecurity. Recognizing the
contributions that can be made by leveraging such partnerships,
DHS works with all levels of government and in the international
community to help them increase awareness. DHS also works with
other agencies to develop a plan for retaining a skilled, trained
workforce. We need to build the next generation of our
cybersecurity workforce that will help us maintain a competitive
advantage. Over the coming years, we will focus resources on the
education and training of our current workforce and developing and
recruiting new talent. DHS is also encouraging university programs and provides scholarships to promising students.
In conclusion, as a nation becomes ever more dependent upon
cyber networks, we must address cybersecurity strategically. Overcoming new cybersecurity challenges is a difficult task requiring a
coordinated, focused approach to better secure the Nations technology communications infrastructure. President Obamas Cyberspace Policy Review reaffirms that cybersecurity is among the most
significant issues facing the Nations economic and national security and it solidifies the priority that the Administration places on
improving cybersecurity.
Thank you for your time today. I appreciate the opportunity to
discuss the Departments efforts in advancing our cybersecurity
posture. I would be happy to answer any questions from the Subcommittee.
[The prepared statement of Dr. Fonash follows:]
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00045
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
40
PREPARED STATEMENT
OF
PETER M. FONASH
Introduction
Good afternoon, Chairman Wu, Chairman Lipinski and Members of the Subcommittees. Thank you for the opportunity to speak about the Department of Homeland Securitys (DHS) ongoing efforts to secure the Federal Executive Branch civilian networks and information systems, the White Houses recently released Cyberspace Policy Review, as well as coordinating activities focused on securing portions
of the Nations critical infrastructure.
One of the greatest threats facing our nation is a cyber attack to our critical infrastructure and key resources (CIKR), on which our nation depends. Our information
communications technology systems are integral to our daily lives. Our society relies
on technology and telecommunications to support our economy and business operations, and also support critical functions of government. An attack could cause disruption to any or all of our key sectors and could jeopardize not only the private
sector, but the governments ability to provide critical services to the public. Such
an attack could also create cascading effects throughout the country due to the integrated and global nature of business today.
The cyber threats to these systems are very real, growing, and evolving. The Nation must be vigilant, proactive, and innovative in its efforts to address and mitigate
disruptions of service. What makes this endeavor ever more challenging is the volume and composition of these threats. They are large and diverse and range from
independent unsophisticated opportunistic hackers to very technically competent adversaries and nation states.
Our adversariesboth criminal and nation stateshave become increasingly sophisticated in their methods and ability to coordinate malicious activities. The
United States Government is aware of, and has responded to, malicious cyber activity directed at its civilian and military systems and networks over the past few
years. We continue to remain concerned that this activity is growing more sophisticated, more targeted, and more prevalent.
I am here to underscore the Departments resolve to collaborate and share actionable information with stakeholders to mitigate known threats. Engagement, however, cannot be a one-way information flow with the goal of simply relaying information. We must create a two-way dialogue and facilitate continuous feedback that
helps us improve notification products, such as informational notices and situational
awareness reports.
Information sharing is an essential part of cybersecurity and we must continue
to increase our current public/private information sharing and coordination efforts
via the National Infrastructure Protection Plan (NIPP) framework. Using the NIPP
framework, DHS has built robust working channels to exchange and integrate information with and among our partners in industry. Our efforts in this area have already begun. Through the Cross-Sector Cyber Security Working Group (CSCSWG),
we have convened an Information Sharing Subgroup to look at ways to facilitate the
bi-directional sharing of cyber information, indications, and warnings through the
operational capabilities within and across the sectors and government. Specifically,
we are looking at how to better share cyber threat and vulnerability information
with those in industry who need it, understanding that some of this information is
very sensitive. We are also developing plans on how to work with industry partners
to obtain greater situational awareness on the status of CIKR networks.
As you know, DHS is the lead agency in a multi-agency approach in coordinating
the security of Federal Executive Branch civilian networks. In large part, activities
currently under way are due to the creation of the Comprehensive National
Cybersecurity Initiative (CNCI), which is designed to further protect federal networks and explore new ways to assist industries in securing their infrastructure.
There is wide agreement that the CNCI moved the ball in the right direction. However, more needs to be done. President Obamas call for, and subsequent completion
of, the White House Cyberspace Policy Review reaffirms that cybersecurity and
cyber threats are among the most significant issues facing the economic and national security of our nation.
At DHS we have been focused on three main areas as part of the CNCI:
1) Establishing a front line of defense;
2) Seeking ways to defend against a full spectrum of threats through intelligence and supply chain security; and
3) Taking cybersecurity to the next level through workforce education.
Over the last year, DHS has been leading the effort to establish a front line of
defense by reducing vulnerabilities and preventing network intrusions in the Fed-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00046
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
41
eral Executive Branch civilian networks. We are improving our cybersecurity posture in this area by focusing government efforts on reducing external connections
through the Trusted Internet Connection program and deploying EINSTEIN, our intrusion detection system. DHS is also working in close coordination with our interagency partners to develop additional capabilities and capacity to detect and eventually prevent intrusions. Such collaboration with our federal partners will also help
to inform the products necessary to provide actionable information to our CIKR community.
The Department is also seeking ways to better protect Federal Executive Branch
civilian information systems and networks from the full spectrum of threats, such
as from malicious code embedded in hardware or software products. This requires
improving our global supply chain defense through increased awareness of threats,
vulnerabilities, and consequences as well as collaborating with the National Institute of Standards and Technology in the development of standards, policies and best
practices across the federal civilian enterprise. In conjunction with the Department
of Defense (DOD), DHS is working to increase the capabilities of all federal departments and agencies to ensure the protection of their supply chains as well as their
ability to mitigate risks.
A strong workforce is also necessary to ensure the continual advancement of our
cybersecurity posture. Successful detection and mitigation of threats requires us to
maintain a workforce at a high skill level. For the safety of our information systems
and networks, now and in the future, DHS is focusing its resources on building the
next generation cyber workforce by improving workforce training and education, recruiting new talent, and providing funding for college and university scholarships.
In addition, we are working with industry and government partners to secure the
Nations critical infrastructure networks. As you well know, the Federal Government does not own the Nations information technology networks or communication
infrastructures. The vast majority of the Nations cyber infrastructure is in the
hands of the private sector. For this reason, cybersecurity is not exclusively a federal responsibility, and as I mentioned earlier, collaboration with the private sector
is essential.
The Departments National Cyber Security Division (NCSD) serves as the national focal point for cybersecurity on behalf of the Department. The NCSD works
in concert with the DHS Science and Technology Directorate to cohesively develop
technologies that address current and future technology gaps. The NCSD also works
with the private sector and Federal, State, local, tribal and international governments to assess and mitigate cyber risk and prepare for, prevent, and respond to
cyber incidents. The Department maintains a strong and positive relationship with
the National Security Agency (NSA). NSA has provided a number of senior level
detailees to the Office of Cybersecurity and Communication (CS&C) and the National Cyber Security Division (NCSD) within CS&C. These personnel assist in the
execution of CNCI and provide integral technical and operational expertise to the
Department as we build our capacity and capabilities. It is a true team effort. More
broadly, NCSD through United States Computer Emergency Readiness Team (US
CERT) coordinates and shares incident information with law enforcement, the intelligence community, as well as other key stakeholders.
DHS is committed to advancing the resiliency of the governments cyber posture
to better secure Federal Executive Branch civilian systems. DHS has a number of
initiatives under way that I will discuss with you today. Before I move onto the initiatives, let me emphasize, for the record, privacy and civil liberties considerations
are at the center of our efforts. Protecting privacy and ensuring the proper use of
personally identifiable information is not just a priority; it is required by law and
something we take very seriously.
Securing Our Federal Networks
USCERT has been identified by the Office of Management and Budget (OMB)
as the central federal information security incident center required by the Federal
Information Security Management Act of 2002 (FISMA) and serves as the operational center for the security of cyberspace of Federal Executive Branch civilian
networks and CIKR networks. Agencies report incidents to USCERT, including the
identification of malicious code, denial of service, improper usage, as well as incidents that involve Personally Identifiable Information (PII). Operating a 24/7/365
operations center, the USCERT is the lead entity in the national effort to provide
timely technical assistance to operators of agency information systems regarding
cybersecurity incidents. In this capacity the USCERT guides agencies on detecting
and handling information security incidents, compiles and analyzes information
about incidents that threaten information security, and informs operators of agency
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00047
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
42
information systems about current and potential information security threats, and
vulnerabilities.
USCERT, working with OMB, is building additional capacity to fulfill its responsibilities under FISMA, as well as to better protect the Federal Executive Branch
civilian systems and networks or .gov. As a means of securing these networks,
DHS is focused on implementing the Trusted Internet Connection (TIC) Initiative,
which is led by the Office of Management and Budget. In addition, DHS is enhancing its EINSTEIN system, an intrusion detection capability, and deploying it at
TICs across the Federal Government and at Networx Managed Trusted Internet
Protocol Service (MTIPS) locations. Both of these programs support the efforts of the
USCERTour 24/7/365 operations center that provides early watch, warning, and
detection capabilities that enable us to more swiftly to identify and respond to malicious activity and to coordinate with our public and private sector partners.
The TIC initiative is a multi-faceted program which seeks to improve the U.S.
Governments cybersecurity posture and build capacity to respond to incidents by reducing and consolidating the number of external connections which Federal Executive agencies have to the Internet. The multitude of external access points gives our
adversaries too many avenues to seek out vulnerabilities and exploit potential security gaps in our networks. By limiting the number of entranceways into our networks to a smaller number, we can better monitor traffic entering and exiting the
network and more rapidly identify when it is penetrated by an attacker.
During this process, the U.S. Government has learned a great deal about the federal networks. We initially identified more than 4,500 external access points, including Internet points of presence, across the Federal Government. Over the past year,
departments and agencies have reduced that number. While it is important for the
government to reduce external access points, we also must ensure configuration
management of the technical architecture. Through the DHS-led multi-agency TIC
technical working group, comprised of TIC Access Providers, we are working to develop and implement a standard technical architecture for perimeter security which
is tested through the DHS TIC compliance validation process.
Consolidating external connections and configuration management are the first
step to creating a front line of defense. As we reduce external connections, we will
deploy the EINSTEIN system at those TIC locations. This will allow us to more effectively analyze activity across Federal Executive Branch civilian networks. The
EINSTEIN system helps to identify unusual network traffic patterns and trends
that signal unauthorized network activity, allowing USCERT to identify and respond to potential threats. DHS installed the first TIC on its own network and deployed the upgraded EINSTEIN 2 system. We will be using the lessons learned from
our implementation process to assist other departments and agencies as we continue
to build more TIC locations and install more EINSTEIN 2 systems.
In addition to installing the EINSTEIN 2 system on DHSs network, we created
the National Cybersecurity Protection System (NCPS) to create the framework
under which EINSTEN 2 and future upgrades will be developed and deployed.
NCPS is part of the overall formal acquisition program developed to enable the acquisition of technology that supports the NCSD mission including USCERT and
CNCI-related tasking.
NCPS supports the acquisition and deployment of EINSTEIN 2. We have created
a plan for EINSTEIN 2 deployment that includes four phases each with the following status:
Phase 1DHS Deployment: Deployment is complete and operating at initial
operating capability.
Phase 2Deployment at five selected Departments or Agencies: Deployment
has been completed and DHS expects initial operating capability at these locations in June 2009. Technical discussions for deployment and installation
of the EINSTEIN 2 system at the final Phase 2 location are ongoing.
Phase 3Deployment at Networx/MTIPS Vendor Sites: Conducted technical
discussions with each of the Networx/MTIPS contract awarded vendors. As
the vendors complete their technical architectures, DHS is providing the EINSTEIN 2 capability and working with departments and agencies on implementation. DHS has commenced installation activities with one MTIPS
awarded vendor.
Phase 4Deploy to remaining Single Service TIC Access Provider Departments or Agencies: Technical discussions have begun with some of the remaining agencies. Deployments will occur as these agencies become more
technically stable in their TIC implementations.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00048
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
43
In the future, NCPS will provide USCERT analysts with an automated capability to better aggregate, correlate, and visualize information. In addition, DHS envisions developing an Intrusion Prevention System, EINSTEIN 3, for Federal Executive Branch networks and systems. The system once fully deployed will provide the
government with an early warning system and situational awareness, near realtime identification of malicious activity, and a more comprehensive network defense.
Together, TICs reduction of Internet access points and EINSTEINs situational
awareness capabilities are examples of two of DHSs key initiatives designed to secure federal networks. The eventual expansion of the EINSTEIN system, to include
intrusion prevention, will create an environment that will make it more difficult,
more time-consuming, and more expensive for our cyber adversaries to reach our
federal networks.
USCERT is also taking additional steps to improve its capabilities and better
protect the federal enterprise in response to the growing threat. We recently hired
additional personnel to advance USCERTs capacity to improve information sharing and help government and industry analyze and respond to cyber threats and
vulnerabilities. This will further enable us to respond more rapidly and mitigate
damage when attacks do occur. Work is also ongoing to improve collaboration with
federal departments and agencies. For example, USCERT recently developed the
Joint Agency Cyber Knowledge Exchange (JACKE) to improve situational awareness and recommend actions for federal agency security operation centers. We are
actively looking to expand the participation of the JACKE program to include all
26 major departments and agencies.
Working with the National Institute of Standards and Technology, DHS has established the U.S. National Vulnerability Database, the governments repository of
standard reference data on computer vulnerabilities. Its data is built upon the NIST
Security Content Automation Protocol which enables NVD data to be used by commercial products for standardization and automation of vulnerability management,
measurement, and technical policy compliance checking.
Defending Against a Full Spectrum of Threats
Globalization of the commercial information and communications technology marketplace provides increased opportunities for those bent on doing the United States
harm by penetrating our supply chain and poisoning critical software and hardware.
We need to make sure that products do not contain malicious code embedded in
hardware or software that could compromise our systems and help our adversaries
gain valuable national security information or disrupt our networks. Thus, it is imperative that we work towards a stronger supply chain defense to reduce the potential for adversaries to manipulate our information technology and communications
products before they are installed.
Protecting U.S. Government networks through global supply chain risk management requires a multi-pronged approach. DHS and the DOD have formed a partnership to coordinate supply chain risk management (SCRM) activities in the government. DHS has taken responsibility for non-national security related systems, while
DOD is responsible for national security systems. Addressing this risk requires
greater awareness of threats, vulnerabilities, and consequences. It will also require
sound acquisition policies and practices, and will require the adoption of supply
chain and risk managements standards and best practices. We are working with the
National Institute of Standards and Technology and several other agencies towards
the long-term goal of enhancing Federal Government skills and capabilities, and to
provide departments and agencies with the necessary tool sets to better manage and
mitigate supply chain risk.
The DHS SCRM Program will improve our capabilities through conducting SCRM
pilots and establishing formal working groups within the government and private
sector to inform program activities. The program is structured to meet requirements
through testing, counterintelligence risk methodologies, best practices, controls, and
other elements of supply chain risk management. Finally, enhancing our public-private partnership is essential, as the Federal Government cannot by itself ensure the
integrity of the supply chain.
Leveraging/Partnerships
Key to succeeding in protecting our cyber infrastructure is collaboration with the
private sector. As previously noted, most of our critical infrastructure and the Nations cyber networks are owned and operated by private industry. Thus, a comprehensive, holistic cybersecurity strategy cannot be successful without an intensive
engagement and collaboration with the private sector. Both government and private
sectors have much to gain from working and sharing information with one another.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00049
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
44
The creation of a strong partnership between these two sectors will help greatly in
securing our cyber systems.
One of the initiatives under the CNCI was dedicated to improving protection of
privately owned critical network infrastructure through public private partnership
(Project 12). This is one of the ways DHS is trying work with the private sector to
improve and institutionalize information sharing. As a part of this initiative, we are
also looking to increase our public-private information sharing and coordination efforts and are engaging in discussions with the private sector to encourage collaboration with the business community nationwide. These discussions serve as information forums for businesses to better understand the cyber threats identified by government and for government to understand better the private sectors prodigious
cybersecurity capabilities. This bi-directional information flow is crucial. DHS is also
working to leverage the good work that DOD has done with the defense industrial
base sector to increase actionable bi-directional information sharing of real and usable information with other sectors.
State, local, tribal governments and international communities also play crucial
roles in improving the U.S. cybersecurity posture. Recognizing the contributions
that can be made by leveraging such partnerships, DHS is working with all levels
of government across the Nation to help increase awareness regarding cybersecurity
and related preparedness and response issues. Specifically, DHS provides technical
and operational assistance to State cybersecurity partners to assist in planning and
executing cyber exercises. To expand this effort, NCSD is developing a repeatable
cyber exercise assistance program that will be deployed to assist states with their
cyber exercise needs. This program will include background and educational materials, the potential for a train the cyber exercise trainer program, staff and technical assistance with developing and executing exercises, as well as tools and resources to build upon past exercise efforts, and to integrate into future efforts such
as the Cyber Storm Exercise series.
Cyber threats do not stop at traditional physical boundaries, so DHS collaborates
with the international community to manage global cyber risk. In coordination with
the our federal partners, we are engaging both with multilateral organizations and
in multilateral forums, such as the European Union, the Group of 8, and the Meridian Conference, to enhance information sharing and situational awareness, improve
incident response capabilities and coordinate on strategic policy issues.
Cybersecurity Workforce Education: Improving and Maintaining Our Workforce
In addition to being responsible for advances in our cybersecurity posture, DHS
is working with other agencies to develop a plan for the retention of a skilled,
trained workforce. Our adversaries are skilled and motivated, requiring us to constantly stay one step ahead of their actions. In order to address cybersecurity challenges, we need to build the next generation of our cybersecurity workforce that will
help us develop a competitive advantage. Thus, we are focusing our resources on
education and training of our current workforce, as well as recruiting new talent
in order to develop a world-class workforce. DHS is also encouraging university programs and providing scholarships to promising students.
DHS believes that workforce development is critically important to our
cybersecurity mission. DHS is actively recruiting and looking to fill new
cybersecurity positions at NCSD. These positions range from entry level to management. For example, increases to USCERTs staff, as DHSs watch and warning center, greatly enhance its ability and capacity for preparedness and response activities. We are actively recruiting for these open positions in order to improve our capabilities and expand our core leadership team.
Beyond the government domain, DHS is focusing its efforts on providing individuals within the cybersecurity sector of private industry with a baseline set of cyber
skills. To achieve this, DHS worked across the public and private sector to develop
the first Information Technology Security Essential Body of Knowledge to provide
the cybersecurity community with the baseline skills and knowledge all information
technology security professionals should possess to successfully perform their jobs.
Cybersecurity is the responsibility of us all. Thus, we are striving to minimize our
cyber gaps and vulnerabilities through both top-down and bottom-up approaches.
As part of our shared responsibility, we cannot simply focus on the present. We
must also look to the future. This requires us to not only shape the workforce, but
the community of computer users as well. Cybersecurity and cyber safety are
learned behaviors, and we need to teach children how to be secure online. Here we
are building from the ground up. By teaching children skills at a young age, we are
laying the foundation from which our future cybersecurity workforce will come,
while simultaneously improving our cyber defense. DHS is working with the Na-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00050
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
45
tional Cybersecurity Alliance (NCSA) to make this vision a reality. In addition to
ongoing work with the K12 community, the NCSA recently launched its
Cybersecurity Awareness Volunteer Education (CSAVE) Project. This program encourages security professionals to put their knowledge and expertise to work in their
local schools and help fill a tremendous gap in educating young people to use the
Internet securely and safely. We are very pleased to be working with the NCSA on
this program as this is a crucial endeavor to ensure the continued success and advancement of our cybersecurity mission.
White House Cyberspace Policy Review
On February 17, 2009, President Obama initiated a White House Cyberspace Policy Review of cybersecurity policies and issues affecting the Nation. On May 29,
2009, the results of that review were published by the White House in a report entitled Assuring a Trusted and Resilient Information and Communications Infrastructure. The review solidified the priority that the Administration places on improving
the Nations cybersecurity, and DHS will continue to have a key role as the lead
agency for securing Federal Executive Branch civilian networks and collaborating
with the private sector to enhance the cybersecurity of non-Federal CIKR networks.
DHS will have a significant role in several near-term actions outlined in the report, including updating the national strategy, strengthening international partnerships, increasing public awareness, and preparing a national response plan for cyber
incidents. These near-term actions will enable DHS in collaboration with its government and industry partners to continue to address the growing and evolving cyber
threat. Additionally, the operational goals of the comprehensive national strategy
will include better coordination, response, recovery, and mitigation capacity across
all stakeholder communities.
Conclusion
The cyber threat is rapidly growing and evolving. As the Nation becomes ever
more dependent upon cyber networks, we must address cybersecurity swiftly and
surely. Overcoming new cybersecurity challenges is a difficult task requiring a coordinated, focused approach to better secure the Nations information technology
and communications infrastructures. Accordingly, DHS is actively working with its
federal partners to secure the .gov domain by implementing a holistic strategy for
securing our civilian networks and systems.
Through government-wide programs such as TIC and EINSTEIN, we are enhancing the governments cybersecurity posture by reducing the number of external connections, including connections to the internet, while improving our detection and
response capabilities. We are also striving to create a strong supply chain defense
and develop an enduring, robust workforce.
It cannot be over-emphasized that, while DHS is focused on developing the necessary analytical, response, and technical capabilities to create a comprehensive network defense to secure the Nations CIKR, we are not in this alone. A truly comprehensive cyber strategy requires an open partnership with the private sector, and
it is in this arena that we are continually working to advance our mission. Everyone
plays a role in cybersecurity, from the Federal, State, local, tribal and international
governments to the private sector to the citizens who access computers for personal
use. DHS is committed to its cybersecurity mission and will continue to reach out
to these parties to promote cyber awareness, identify best practices, mitigate risks
and improve its ability to respond to cyber incidents. The Department is also actively pursuing avenues to further collaboration and information sharing with these
partners. The developments DHS has made in strengthening federal systems, enhancing our operational cyber response capabilities, and strengthening the publicprivate partnership have been significant, but we are committed to doing more.
Thank you for your time today. I appreciate the opportunity to discuss the Departments efforts in advancing our cybersecurity posture and increasing our security of federal networks. I will be happy to answer any questions from the Subcommittees.
BIOGRAPHY
FOR
PETER M. FONASH
Dr. Peter M. Fonash is currently the Chief Technology Officer for the Department
of Homeland Securitys Assistant Secretary for CS&C. He assumed the additional
duty of Acting Director of NCSD on 16 March 2009. He has been a member of the
Senior Executive Service since 1998.
Prior to this appointment, Dr. Fonash was Deputy Manager and Director of the
National Communications System (NCS), serving nine months as the acting Deputy
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00051
Fmt 6633
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
46
Manager, and then becoming the full-time Director in April 2005. From 1998 until
July 2004, Dr. Fonash was Chief, NCS Technology and Programs Division. He managed priority communications services technology development, network modeling
and analysis, specialized telecommunications research and development, and priority services standards.
Before arriving at the NCS, Dr. Fonash served as the Chief with the Defense Information Systems Agency Joint Combat Support Applications Division, providing
technical software integration services to the functional communities and guiding
functional applications compliance with the standard common operational environment. He also worked for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence, and was responsible for Defense
communications infrastructure policy and program oversight. He was also Chairman
of the Office of the Secretary of Defense Information Technology (IT) Architecture
Council
From 1986 to 1994 Dr. Fonash held various Defense Information Systems Agency
(DISA) technical positions, including Director of Technology, and Chief of the Advanced Technology Office. He wrote DISAs strategic plan and managed the development of the Technical Architecture for Information Managementthe forerunner of
todays Enterprise Architecture.
Before joining the Federal Government, Dr. Fonash worked for AT&T and the
Burroughs Corporation (Unisys).
Dr. Fonash has a Bachelor of Science in Electrical Engineering and a Master of
Science from the University of Pennsylvania, a Master of Business Administration
from the University of Pennsylvania Wharton School, and a Doctor of Philosophy
in Information Technology and Engineering from George Mason University. His
Ph.D. dissertation was on software reuse metrics.
DISCUSSION
Chairman LIPINSKI. Thank you, Dr. Fonash. We will now move
onto questions. Chairman Wu is down there. I am not sure if you
want to take back the Chair here or lead off with questions or shall
I go?
Chairman WU. Go ahead.
Chairman LIPINSKI. Okay. This Chair will recognize himself for
five minutes to lead off with the questions. Dr. Wing, you know,
I was there yesterday at NSF and met with Dr. Bement and the
ADs. Some of these things that I am going to ask about are not
going to be a surprise to you or anyone actually who knows my
background as a social scientist. I brought up in my opening statement that one of the most important things that I think is often
overlooked and probably the weakest link that we have right now
for cybersecurity is the general population.
Now, I want to lead off by asking, what is NSF doing right now
in terms of research? What research is being funded by the NSF
or where are you trying to search out for research that involves social science aspects of cybersecurity and facilitating collaboration
between social scientists and computer scientists?
Dr. WING. Thank you for your question. It gives me an opportunity to speak about the Trustworthy Computing program which
is one of the things I wanted to do when I got to the National
Science Foundation, was to actually broaden the scope of what we
were doing in cybersecurity to make sure to include topics like privacy and usability, which absolutely includes understanding social
science and how humans behave, how organizations behave.
And so one of the things we specifically did was to broaden the
scope of our Cyber TRUST Program to include privacy and
usability, to work with our social science colleagues to make sure
that, for instance, we have reviewers from their communities look-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00052
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
47
ing at proposals that speak directly to these kinds of issues. In fact,
cybersecurity is of course not just security, reliability, privacy, and
usability. It is not just the technical issues that all of us scientists
and engineers like to address, but there are much broader issues
like legal and ethical which, if you look at the whole problem, we
really need expertise from both the scientific and engineering communities as well as these less-technical communities.
So we are very much keen at the National Science Foundation
in looking at the broader picture.
Chairman LIPINSKI. Thank you, Dr. Wing. I want to throw out
a general question for each one of you actually going along these
lines to tell me what rules do you have at your agency, what type
of education do you do for your employees so that they do not wind
up practicing bad computer hygiene at the agency? So we will start
with Ms. Furlani. Tell me if there is anything that you do along
those lines for your employees.
Ms. FURLANI. Well, of course, because we write the standards for
the Federal Government, we expect our employees to live up to a
higher standard. So we do work very diligently with our Chief Information Officer to ensure the understanding of what needs to be
accomplished to protect the systems and the citizens that are interacting with us are deployed appropriately into the staff. It is something that we pay a lot of attention to in probably a more unique
situation than others.
Chairman LIPINSKI. Actually, I have a friend who works for
NIST who was going around to places where you can get your pictures printed up. He was trying to get to see where he could find
a certainI dont know if it was a virus or what exactly it was,
but he was trying to find places where he could pick that up because he knew that this was going around to just get a better handle on all of this. Thank you. Dr. Wing.
Dr. WING. Yes, at NSF we have a Secure Information Technology
Awareness Program. Every single NSF employee is required to go
through a training every year, and it covers all the topics from how
to choose a good password to shutting down your machine to make
sure that screens with confidential information are not displayed
and so on. And there are policy documents about this thick that everyone is expected to read. So we have a very seriouswe take security very seriously, and everyone goes through this training program.
Chairman LIPINSKI. Dr. Leheny.
Dr. LEHENY. DARPA is a relatively small agency with under 200
government employees. We have a large number of contractors that
work within our environment. We have no formal training program
with regard to computer security, but as an agency within the Defense Department, our computers are a part of a larger enclave
that is monitored very closely. We have a very robust information
resource directorate that is available to help people work their way
through problems they might be having with their computers. And
so far we have been successful in locking large numbersas you
might imagine, our computer system is regularly under attack, and
we have had good success at preventing those attacks from having
any adverse affect on the operations of our computers.
Chairman LIPINSKI. Thank you, Dr. Leheny. Dr. Fonash.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00053
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
48
Dr. FONASH. Yes, sir. Thank you. First of all, we follow all the
FISMA best practices, and we closely follow FISMA. Our CIO is
the person responsible for making sure those things are implemented across our department. We also are very much into security
awareness training, and we annually require people to take security awareness. In fact, I have to take that tonight when I get
home.
We also have to sort of eat our own dog food in the sense of what
we do is again, I mentioned the TRUST Internet connections, and
we actually have two TRUST Internet connections and we are moving to have all our network traffic go through those trusted Internet connections. And we have a close relationship between our security operations center and our USCERT. Thank you.
Chairman LIPINSKI. Thank you. My time is expired. I will now
recognize Mr. Smith.
Mr. SMITH. Thank you, Mr. Chairman. For Dr. Fonash, if we
could maybe discuss a little bit the prioritization of the defenses,
and with the deployment of EINSTEIN I know that approximately
five agencies right now have already been deployed with EINSTEIN, is that correct?
Dr. FONASH. We have deployed. The systems are not operational
yet. We are actually right now in the process ofthere are several
agreements that have to be set up. There is the service-level agreement, there is a memorandum of understanding. So those have to
go through legal reviews, and in particular we have to address privacy issues. So we actually physically have those things established
at those locations, but we are working the legal issues at this point
in time.
Mr. SMITH. And then following will be eventually all agencies?
Dr. FONASH. Well, the idea is we are doing it in phases. What
we are doing, first of all, is we are doing it at DHS, and that is
one of the five agencies I included. And then we are working now
with Justice, Department of Agriculture, and State Department
and NASA in terms of deploying trusted Internet connections, actual, the physical EINSTEIN devices to those locations. We have
also worked with GSA, and we actually put on contract, we actually made contract modifications working with GSA on the networks contract, and now agencies can go to the networks contract
and get those services, trusted Internet connection services, from
the networks contract vehicle. And so we are actually working with
the carriers right now, AT&T, Sprint, Verizon to get them so that
they can provide the capabilities. For example, they have to have
a secure facility to do this trusted Internet connection. So right
now the carriers are working those particular instances of what
equipment they need to put in place so they can offer those services.
So that will be available to any agency that wants to do that.
And then our next phase would deploy at 25 additional agencies
and then the rest at some future point in time.
Mr. SMITH. And so can you speak to the prioritization and perhaps the need to deploy with every single agency?
Dr. FONASH. I think that clearly the larger the agency and the
moreyou know, beauty is in the eye of the beholder, sir. So let
me say that. So each agency has to make its own determination
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00054
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
49
how important it feels its need to get this trusted Internet connection. We clearly at DHS have moved forward and actually have installed trusted Internet connections. In addition to that, we believe
that State and Justice and NASA and Department of Agriculture,
key locations that needed those trusted Internet connections, and
then we have made available to anyone who feels that they have
the need to immediately move to those contract vehicle. Those contract vehicles will be available and actually the services will be offered to use those capabilities through the networks contract, and
that is the determination by those individual agencies as they want
to move toward that capability.
And then we have a list of 25 other agencies that we can provide
to you if you wish in terms of what we feel are the top 25
Mr. SMITH. Okay. Thank you.
Dr. FONASH.beyond that.
Mr. SMITH. Relating to privacy, I appreciate the fact that the
President said, with emphasis, that he would seek not to include
monitoring the private sector networks or Internet traffic. Then in
the New York Times last Saturday stated that senior Administration officials have admitted those assurances may be challenging to
guarantee and practice and that some Administration officials have
begun to discuss whether laws or regulations must be changed to
allow law enforcement, military or intelligence agencies greater access to networks or Internet providers when significant evidence of
a national security threat was found. So I mean, maybe it is easier
said than done to say that no private sector networks or Internet
traffic would be included in this.
How would you respond?
Dr. FONASH. What we do is because of the capabilities that we
have with EINSTEIN we are actually able towe do not track the
individual personal part of the messages. What we do is we drop
that and what we do is we track information, what is called header
information, basically the information, where it came from, where
it is going to, and we also will look atif we also recognize code,
we will have patterns. A particular code, a particular program has
certain pattern, a bit pattern in it, so you are able to actually recognize for example malware. So if you have Conficker traffic or
some type of malicious code going past, you can actually recognize
what is called the signature of that and pick that up. But for example, we wouldnt get into the privacy of a persons e-mail unless
there was some issue, a national security issue, or something like
that. But clearly what you can do is protect the privacy by looking
at the header information, and there will be issues about PKI capture as we go forward, but we will address that. We will make sure
we are doing that linked up with the privacy people, you know,
making sure we are protecting the privacy of the individual.
Mr. SMITH. And do you suggest any legislative or regulatory
changes?
Dr. FONASH. I think that is something that needs to be addressed
as we go forward. At this point in time, I cannot recommend it.
Mr. SMITH. You do not recommend it?
Dr. FONASH. I would not be one to say yes or no at this point
in time. I think that is an issue that needs further study.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00055
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
50
Chairman WU. The gentleman from New Mexico, recognized for
five minutes.
Mr. LUJA N. Mr. Chairman, thank you very much. I know that I
read a lot in the testimonies about the need for coordination. If you
could briefly touch upon how you were together, how the coordinating is working. If it is not working, what suggestions you may
have, and also if any of you worked directly with any of the expertise that we have within any of our NNSA laboratories.
Dr. WING. So let me take that question on coordination. The coordination happens at all levels, and the best coordination happens
in fact at the lowest level or with the technical people, at different
agencies working together, informing each other about what each
agency does in terms of what we fund, what we actually do. So we
have program directors who talk to each other at the different
agencies, and we coordinate things like running joint workshops to
reach the academic community, the private sector jointly, and that
coordination works beautifully from my perspective.
We also have more formal techniques for coordination. For instance, NITRD, Networking Information Technology Research and
Development Program, and specifically we have been overseeing
the senior steering group of the CNCI, the National Cyber Leap
Year that is happening right now, and we are working very well
together on that.
Let me also say as far as NSF goes, in working with other agencies like DHS and DARPA, we are actually working together on deploying cybersecurity testbeds. A couple of the testbeds that we
jointly support with the other agencies, like DHS and DARPA, are
actually starting points for DARPAs cyber range. So I think we coordinate quite well together.
Mr. LUJA N. Dr. Wing, do you work at all with any of the expertise at any of our NSA laboratories, that you are aware?
Dr. WING. They contribute to NITRD.
Mr. LUJA N. To which?
Dr. WING. NITRD.
Mr. LUJA N. And what is NITRD?
Dr. WING. The Networking Information Technology Research and
Development program.
Mr. LUJA N. Okay.
Dr. WING. It is a coordinationan organization that coordinates
over 13 federal agencies on networking information technology and
research and development.
Mr. LUJA N. Okay.
Dr. LEHENY. I would support Dr. Wings comments about how coordination occurs largely at the program manager working level. As
you may be aware, DARPA is an agency that does almost all of its
research activities outside the Agency by contract. Over 90 percent
of our budget goes out as contracts to industry, academia and federal laboratories. Specifically, Sandia, for example, is an active participant in many of our programs including the National Cyber
Range Development that I spoke about in my oral testimony. I
would like to point out that innovation and creativity in research
is an individual property or characteristic of individuals, and it is
not a type of activity that works well when it is driven from above.
I like to characterize DARPA as a bottoms-up organization. It is
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00056
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
51
not the case that I wake up in the morning and come into work
and ask my secretary to send me a program manager to manage
great ideas I had overnight. Rather, it is the case that I arrive at
work, open my e-mail and find that one of my program managers
is trying to get on my calendar to come and tell me about his or
her great idea. And it is in that way that new ideas, new programs,
are created.
Of course, in order to support the argument for creating a program, a program manager has to reach out to other workers in
their particular field in order to be able to put together a case for
why a particular program should be started and executed, relying
solely on their own internal creation of the program idea. It is usually not a good way to make a convincing case. You want to draw
on as wide a body of people familiar with the technology and the
challenges that the program is going to address that you possibly
can in order to make the strongest case that you can.
Mr. LUJA N. Thank you, Mr. Chairman. As my time expires, I
want to see if I may be available, if time permits, for a second
round of questions. I would like to still look a little bit more into
the true collaboration with the NNSA laboratories. Not too long ago
we did include an amendment to NITRD to include our national
laboratories because there was a concern that maybe we werent
using the coordination as much as we should have been in the past.
And so I would like to explore a little bit more and specifically pin
down to the expertise that does exist within NSA with the attacks
that they experience on a regular basis and then a few other questions I may have. So thank you very much, Mr. Chairman.
Chairman WU. Very good. We will come back to the gentleman.
Now, the gentleman from Michigan, Dr. Ehlers, is recognized for
five minutes.
Mr. EHLERS. Thank you, Mr. Chairman. And I have a question
for Dr. Wing, although any of you could try to answer it if you
wish. But I was surprised to discover approximately six months ago
that the number of students in colleges and universities deciding
to major in computer science has gone down dramatically and also
that there is not that much interest in high schools in getting involved. Everyone likes to play with their computer, but not very
many are saying I would like to do this and build a better computer some time in my life. Since you are at NSF, you have access
to all this data. What is happening? Is the enrollment continuing
to be down? I raise this in the context of this hearing because if
we are not producing the right people, we are not going to get anywhere with our discussions on cybersecurity, and particularly implementation of new ideas and new approaches. Could you enlighten me on that?
Dr. WING. Yes, thank you very much for that question. It is a
concern, of course, at the National Science Foundation and my directorate about the decline in enrollments in the computer science
undergraduate level. We had seen a decline for the past few years,
primarily because of the dot-com bust and other worries. But fortunately, this past year we actually saw an uptick, and the community at large is much more optimistic now about seeing the enrollments go back up. So we are crossing our fingers and hoping that
that will be a trend, a positive trend.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00057
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
52
I do share your concern that we are not producing enough
trained and educated students in computing, not just because they
are likely the ones to be designing and building next generation information technology systems that we are all going to enjoy using
on a daily basis, but we are working as a community to try to increase the pipeline to increaseto improve how it is we project
what computer science is so that we can attract the best and
brightest to the field.
Mr. EHLERS. I hope you are successful. It looks like Dr. Leheny
would like to make a comment, too.
Dr. LEHENY. Yes. Thank you very much for this opportunity.
DARPA has no specific charter to advance undergraduate or below
education. However, we have two programs that I would like to inform you about that I think are attempting to overcome some of the
issues that you raise.
The first program is one we call Computer Science Study Group.
It is a program targeted to untenured, young faculty members in
computer science, and it is a three-year program. Over the period
of three years the support level for the individual in the program
could reach as much as a million dollars, and as part of the program, we bring these individuals onto military installations and expose them to specific areas of interest to the Defense Department
in the hope that we can encourage them to think about their research agenda in terms of solving the kinds of problems that the
Defense Department has to deal with.
Currently, with the three-year program, as I mentioned, we
bringing in about ten untenured faculty into the program each
year. We currently have about 30 in the program. As you may be
aware, a few years ago, we ran a series of what we called grand
challenges which were targeted to demonstrate the ability of unmanned automobiles to navigate through difficult terrain. We
found that there was an enormous amount of interest among students in that program and in participating in that program. And
so we asked in our budget last year for a modest amount of funds,
on the order of a couple million dollars, to create a special program
that would reach out to high school students, particularly students
interested in things like robotics in an attempt to stimulate interest among students and the kinds of problems that we have to deal
with. Thank you.
Mr. EHLERS. Also the robotics FIRST program is
Dr. LEHENY. Yes, that is one of the groups that we expect to be
supporting.
Mr. EHLERS. Dr. Wing, you have something else?
Dr. WING. Yes, Mr. Ehlers. I forgot to mention one of the programs that my directorate runs is called CPATH, and it was recognized in fact by the 60-Day Cyberspace Policy Review as a way to
again address a problem that you are concerned about, attracting
the best and the brightest to computer science. And the whole notion of the program is to really revitalize the undergraduate curriculum in computer science. And one of the things I am very keen
on doing is to actually do outreach to the K through 12 level because I do believe that it is increasing the pipe even before they
get to college to explain what computing is all about and to get
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00058
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
53
them into the field. So I wanted to mention the CPATH program.
Thank you.
Mr. EHLERS. Well, that is good. Thank you. And I try to do my
part. As members of Congress, we get invited to speak in schools
regularly, and whenever I speak in high schools I always tell the
students they have to choose their subjects very carefully and they
should not overlook math and science because when they get out
and start looking for a job, they will discover that they will either
be a nerd or work for a nerd and ask which they would prefer
doing. And of course, they dont believe that, and then I simply ask
them who is the richest man in the world? And finally the light
starts to dawn a bit.
But you know, they just havent heard this. They dont realize it.
They dont understand the possibilities. They may love to play with
their computer, even to do esoteric things with it. But the thought
of doing that as a career doesnt always cross their mind, probably
because they dont have a contact with people who do that on a regular basis.
Thank you very much. I yield back.
Chairman WU. Thank you, Dr. Ehlers. The National Science
Foundation has data that indicates you are having success in your
efforts.
The gentleman from New York, recognized for five minutes.
Mr. TONKO. Thank you, Mr. Chair. Dr. Wing, the investments
that are made long-term wise in cybersecurity research by our Federal Government and certainly by the private sector can bear great
benefits. How do you see us or NSF facilitating and encouraging
the transfer of research from academia into that equation?
Dr. WING. Well, this a very good question because it is specifically relevant for cybersecurity, obviously. Academics can do their
research, write their papers, produce students, and so on, but what
really matters in the end is protecting and securing our cyberspace.
And if the private sector owns most of that, then there has to be
this more engagement between the academic community and the
private sector.
NSF, as I mentioned, through the Science and Technology Centers that we run here and the Cyber TRUST Centers that NSF
supports, has direct connections to industry. There are industrial
partners who serve on the advisory boards on all of these centers
and alsoso they are formal mechanisms that we have. Even the
large awards that we grant through the PIs or our normal programs, often those PIs will have connections to industry.
It goes without saying that a lot of the researchers, especially in
cybersecurity, want to see that their research ideas are relevant
and can help. And so they have a personal motivation to actually
work with industry. Some of the techniques just get out there immediately. So for instance, one of the results recently has been in
developing secure web browsers. And so now one of the open source
web browsing companies has picked up those techniques immediately. A part of it is because many of the researchers have personal contacts in industry, and these kinds of things transfer informally but quickly.
Another mechanism that is not formal but very useful is many
of the students, graduate students, that are funded through NSF
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00059
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
54
often take summer internships at companies like Google and Microsoft and Yahoo and so on, and one of the reasons that they do that
is in fact how they can get access to real data. So there is great
incentive to actually do that. Plus it is a very good opportunity for
students to see what it is like to do research in an industrial setting.
So there is a lot of free flow of information in that way, and it
is easy for academics to talk to industry and get ideas out there.
Mr. TONKO. On the flip side, how do you envision the private sector having the greatest influence or impact on creating the research
agenda for NSF? Do they have a way to influence that agenda?
Dr. WING. Well, our agenda is officiallyit is actually very much
like what Dr. Leneny was saying. We are a very bottom-up organization as well, and it is the academic community that speaks to us
as far as where they see the frontiers of research going, where the
frontiers of science going, what the challenging science questions
are, and they come to us with brilliant ideas and say, well, this is
where the field is going. And in those conversations, we are always
engaging industry. So whenever we run these planning workshops,
industry is as invited as the academic community. So even from
the very beginning, we try to engage the private sector in these
kinds of strategic, agenda-setting programs, processes. We of course
have the National Science Board where there is industry input
through the Science Board. That helps the Foundation, helps us set
priorities. And then as I mentioned before, some of the larger centers that we fund, like the TRUST Center, and we actually have
four Cyber TRUST Centers, have industrial members on the advisory boards.
So there are formal and informal mechanisms that industry can
use to provide input into the academic research agenda.
Mr. TONKO. And is there room for a lot more participation from
the private sector or do you think that the awareness is out there
and it has been pretty much heightened in the last couple of years,
or do you think there is room for improvement in that?
Dr. WING. I actually think there is a heightened interest, so I
have gotten specific queries from IBM, AT&T labs, besides the
usual IT companies like Microsoft, Google, and so on. We interact
with them very closely on all sorts of reasons. But specifically, I
have been hearing from some of these companies that they would
like to participate more in telling the academics what the real
problems are and what they should be working on, and the academics, you know, can listen.
The other mechanism I forgot to mention is of course in our review process, through the panel reviews, through the committee of
visitors that we have. We always have industry representatives
there to help with the reviews so that they can give some sanity
check. Well, that is an interesting problem, but it is not relevant
for industry. They can also help in the committee of visitors and
provide input on the portfolio of investments that we make.
So there are a lot of ways in which industry, either informally
or formally, provides input to NSF.
Mr. TONKO. Thank you. Thank you, Chair.
Chairman WU. Thank the gentleman. Mr. Smith, recognized for
five minutes.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00060
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
55
Mr. SMITH. I am inclined to ask about the use and application
of sanity checks, but maybe there is not enough time here. I am
just teasing.
Dr. Fonash, if you wouldnt mind further discussion here, when
it comes to public-private partnerships, I was pleased that the
President did say that the Administration will not dictate security
standards for private companies but will instead collaborate with
industry to find technology solutions. Is that your take on his comments, briefly?
Dr. FONASH. Yes, sir, I believe that is correct. What we need to
do is, you know, our mission right now is predominantly focused on
protecting the Federal Government and protecting the dot-mil domain and then working with our private partners, and in particular, our critical infrastructures and making sure that they are
aware of the situation so we do a lot of information sharing, so we
are working on information sharing programs so they are aware of
the threat and so that they take the appropriate measures to protect the network. And I think it is the issue of theappropriate
level of security for the infrastructure which depends upon if you
are dealing with a critical defense contractor who has critical national security information and is protecting that versus Walmart
protecting the latest sales price on their network. So it is a relative
issue. It is an issue that is somewhat based on the business case,
you know, in terms of what is the risk, and you have to do risk
mitigation.
Mr. SMITH. Right.
Dr. FONASH. And so you put the appropriate investment in based
on risk.
Mr. SMITH. In your testimony you mentioned public-private partnership objectives as being key. Could you elaborate on that and
you know, really maybe define how we go about that? I mean, I
know that we want to take care of government and then the private sector, but I think we need to acknowledge that already there
is a great degree of overlap there and already public-private partnerships do exist, and there is transfer of information across the
Internet between government and the private sector. So how do we
sort through that and especially with the broadened use of the key
objective being public-private partnerships?
Dr. FONASH. So the Federal Government clearly does not operate
in a vacuum. We do our business. You know, the critical infrastructure that we even actually use on our own networks is actually
owned by the ISPs or commercial carriers such as Verizon or
AT&T. So we heavily rely on the public infrastructure to provide
us services, to provide us communications, for us to do our business. And so what we do is we actually have under national infrastructure protection, have set up a process where we work with the
critical infrastructures in terms of protecting those critical infrastructures. And we, the National Cyber Security Division, are actually the sector lead for the IT infrastructure. And then within
cybersecurity and communications is the sector for cybersecurity
and communications is the national communications system, and
that is actually the sector lead for communications. So the two critical communications and IT sectors are within that authority, and
we work closely with industry to develop risk mitigation. We are
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00061
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
56
actually developing right now an IT risk mitigation process, and we
will publish that in the near future so there is actually a process
where they can actually look at the IT sector and determine, you
know, how they do risk mitigation. That is actually a process that
we actually developed with industry.
Going back to the R&D, we actually work with industry. There
is a government sector committee and there is actually a public industry sector community. And within that industry sector committee, there is actually a group that works with us on the R&D
portion. And they actually provide us what they believe are the IT
R&D requirements and the communications R&D requirements
which we then pass on to the R&D community through our S&T
directorate and also through attendance of their appropriate meetings.
So we work that way. We also work from an operational point
of view. We work for the USCERT which provides the information
sharing, and information security center that we run for the Federal Government. But we make that information available to our
private partners in terms of the warnings. And we also are building upon something the Defense Department started was Defense
Industrial Base, if you are familiar with the Defense Industrial
Base. What that is is through the contracting process at DOD
Mr. SMITH. We can maybe get into that. I just have limited time
here, and I was just wondering, you talked a little bit about critical
infrastructure protection. Can you perhaps indicate whether or not
there is any intent to take the critical infrastructure off of the socalled Internet grid as a means of protection?
Dr. FONASH. At this point in time, there are no plans to make
it off the grid because for the most part, there are two reasons.
First of all, the cost in terms of trying to make the government and
private sector a private network. The cost is very large. It wouldnt
be robust in many ways becausefor example, because you have
a separate network, you wouldnt have the robustness of the public
network, and so I dont think there would be anyand then also
from a security point of view, since you are really all using the
same networkwhen you talk about the Internet, you are really
talking about AT&T, Verizon and Sprint. And so everyone uses
those networks. So it is a common carrier perspective here. So it
is very difficult to take it off grid. So what we have to do is work
together with industry in making sure it is secure, and you can
have portions of it that are more secure. So for example looking at
DNSSEC is something that were looking at and going toward and
going on the trusted Internet connection so that certain enclaves
are more secure than others.
Chairman WU. Thank you. Mr. Lujan, recognized for five minutes.
Mr. LUJA N. Thank you very much, Mr. Chairman. Ms. Furlani,
I will begin with you. I have a few questions about the role that
NIST pays with the payment card industry, if you can help me understand that and the coordination with that and what requirements maybe NIST has established for PCI.
Ms. FURLANI. What we have is the national vulnerability database which works with industry and with government to provide
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00062
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
57
data on what the vulnerabilities are. And the PCI, the payment
card industry, decided to use that database as their mechanism to
determine whether their companies meet certain criteria. We dont
tell them what to do, but we provide the resources that they can
measure against and understand whether their criteria are being
met before they issue a payment card.
Mr. LUJA N. So let me see if I understand that correctly. NIST
does not mandate or prescribe any standards if you will that PCI
has to follow? They utilize your database as a tool, but there is no
requirement that NIST provides for them, is that correct?
Ms. FURLANI. We are not a regulatory agency except for the
standards for the Federal Government to use in their cybersecurity.
Mr. LUJA N. Are you aware of any organization that has standards that the credit card industry has to follow in protecting consumer information against cybersecurity crimes?
Ms. FURLANI. I am not.
Mr. LUJA N. And Ms. Furlani, I am not, either. I have looked into
this. I just thought maybe there is something out there. The reason
I bring it up, Mr. Chairman, if there is no objection, I would like
to submit an article from the National Journal 2/7/09, The
Cybercrime Wave, into the record, that maybe we could review
which outlines some of the alarming rates of crime, security
breaches that are increasing year to year, money lost, Mr. Chairman, and I would make this available to the Committee and make
sure we get a copy for the record if there is no objection, Mr. Chairman.
Chairman WU. No objection, so ordered.
[The information follows:]
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00063
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
58
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00064
Fmt 6633
Sfmt 6602
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
59
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00065
Fmt 6633
Sfmt 6602
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
60
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00066
Fmt 6633
Sfmt 6602
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
61
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00067
Fmt 6633
Sfmt 6602
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
62
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00068
Fmt 6633
Sfmt 6602
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
63
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00069
Fmt 6633
Sfmt 6602
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
64
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00070
Fmt 6633
Sfmt 6602
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
65
Mr. LUJA N. The reason I say that, Mr. Chairman, is as we look

at this, I couldnt agree more with some of our colleagues. Coordination must take place from a public and private perspective to be
able to protect consumers information when they are getting hit at
enormous rates. I think the average that an individual gets hit
back to 2007 anyway that was measured according to the article
is, depending on the type of crime, between $3,000 and $3,500, but
just depending on what it may hit. We all know that we are trying
to help people out more and more today, Mr. Chairman, that are
sometimes getting taken advantage of. And this is an area where
I think we could truly coordinate to provide some of those needed
protections. One of the things, Mr. Chairman, that vendors, as an
example, are required to do is to actually keep the data and back
it up. And those are some of the areas where the largest breaches
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00071
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
66
occur. The article highlights a breach that most of us are familiar
with, at TJMaxx where I think it was 90 million records were actually taken advantage of. To see truly what the requirement of the
merchants are, vendors are, as we are looking at this cybersecurity
loophole or lapses sometimes that take place to see what we can
learn from there to be able to help individuals out. This is something that we touched on a little bit in our Homeland Security
Committee hearing not too long ago, Mr. Chairman. I thought it
was important to bring up.
Lastly, Mr. Chairman, the reason that I asked the question
about the coordination is the first item in the report says that we
need to improve interagency coordination. And so I know that we
read about this, and what I would ask, Mr. Chairman, if our witnesses today are able to provide us with any thoughts or ideas,
whether they support that point that was brought up or if they
have suggestions on what can be brought up. Ms. Furlani, before
I go, I would just like to highlight the point I was trying to make
earlier, Mr. Chairman, around the expertise that we have within
some of our NNSA laboratories who have to deal with cyber attacks
on a daily basis. Not only do they have the sophistication from a
technological perspective on some of the data sets that they have
compiled with how we can combat some of these attacks, but they
have an interface with the Government and private sector as well,
especially because of the nature of them being classified and also
being civilian organizations because of how they have been created
and that we look to them to see how we could utilize that expertise.
And with the time remaining, Mr. Chairman, I would go to Ms.
Furlani.
Ms. FURLANI. I would like to specifically mention the interagency
coordination that has led to our new draft Special Publication 800
53 which recommends security controls for low-, medium-, or highrisk systems and the agreement with the Director of National Intelligence CIO, the DOD, the Committee on National Security Systems, and of course, NIST, so there is one base line for all the Federal Government which will enable vendors to sell into the government much more easily. Then other agencies that have much higher security requirements than what NIST normally promulgates
can set their standards higher. This was just recently released, and
it is a true outcome of the coordination, particularly in response to
the Cyber Security Review.
Chairman WU. Thank you very much, and I want to thank you
all for appearing before the Committee this afternoon. The record
will remain open for two weeks for additional statements from
Members and for answers to any follow-up questions the Committee may ask of witnesses. The witnesses are excused, and the
hearing is now adjourned.
[Whereupon, at 4:05 p.m., the Subcommittee was adjourned.]
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00072
Fmt 6633
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
Appendix:
ANSWERS
TO
POST-HEARING QUESTIONS
(67)
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00073
Fmt 6601
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
68
ANSWERS
TO
Responses by Cita M. Furlani, Director, Information Technology Laboratory, National Institute of Standards and Technology (NIST), U.S. Department of Commerce
Questions submitted by Chairman David Wu
Q1. The Cyberspace Policy Review recommends an increased collaboration with
international standards bodies and the private sector to foster international
standards and cyber-crime protocols. What are your current international
cybersecurity standards activities and how will you change them to meet this
recommendation?
A1. NIST is actively participating with industry in international standards bodies,
including the Internet Engineering Task Force (IETF), the Institute of Electrical
and Electronics Engineers (IEEE), the International Standards Organization (ISO),
and, in coordination with the State Department, the International Telecommunication Unions Telecommunication Standardization Sector (ITUT). NIST participation includes leadership positions in the IETF, IEEE, and ISO in addition to its
technical contributions. NISTs security standards activities are primarily focused on
preemptive measures to enhance the security of systems and network protocols, but
we are also supporting the development of standards for exchange of information
about security incidents. In response to the recommendations of the Cyberspace Policy Review, NIST will work closely with other agencies, the private sector and international standards bodies to ensure that our leadership and technical efforts focus
on the highest priority activities.
Q2. The Cyberspace Policy Review calls for increased collaboration with the private
sector to create cybersecurity standards and guidelines. Witnesses at the Subcommittees June 25 hearing also specifically recommended that NIST develop
consensus standards for private industry with industry collaboration. How will
you improve your collaborative efforts to implement these recommendations?
A2. While NISTs statutory authority makes Federal Information Processing Standards (FIPS) mandatory only for federal agencies, we always strive for broad, but voluntary, adoption of NIST standards. To promote convergence, NIST works collaboratively with industry in open standards forums (e.g., IETF, IEEE, and ISO) on
many initiatives. We reference consensus standards in NIST publications where possible. In the rare cases where consensus standards are not the foundation, the NIST
standards development process is an open process and always affords opportunities
for public review and comment. Many standards efforts include public workshops to
ensure the public, including industry, is informed about NIST standards activities
and has early opportunities to provide input. In response to the Cyberspace Policy
Review, NIST will work with the private sector to form new national standards bodies (e.g., within ANSI) as needed, to address additional cybersecurity requirements.
In addition, NIST will increase its efforts to work with additional industry associations in the cybersecurity arena.
Q3. The Cyberspace Policy Review also recommends increased interagency coordination. How you will change your current efforts to meet this recommendation?
A3. NIST works closely with many federal agencies both formally and informally.
NIST maintains the Computer Security Resource Center (CSRC) to distribute security standards and guidelines and encourage broad sharing of information security
tools and practices. The Computer Security Program Managers Forum provides a
mechanism for NIST to share information directly with federal agency information
security program managers. As with industry, all agencies are provided the opportunity to review and comment on NIST standards before final publication and are
invited to participate in our public workshops. NIST participates in cross-agency
committees such as the Committee on National Security Systems (CNSS) and the
CIO Council and its Information Security and Identity Management Committee
(ISIMC). NIST is an active participant in the National Science and Technology
Councils (NSTC) Networking and Information Technology Research and Development (NITRD) Subcommittee and the NITRD Cyber Security Information Assurance
Interagency Working Group, as well as in the NSTC Subcommittee on Biometrics
& Identity Management. NIST also participates in the Information and Communications Interagency Policy Committee and related subcommittees to share information
security technical expertise as national security and economic policies are developed
for cyberspace. NIST works actively with State and local governments to promote
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00074
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
69
adoption of NISTs security standards. To increase coordination in response to the
Cyberspace Policy Review, NIST will reach out to additional multi-agency working
groups to identify gaps and requirements for new capabilities to benefit all agencies.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00075
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
70
ANSWERS
TO
Responses by Jeannette M. Wing, Assistant Director, Computer and Information

Science and Engineering Directorate, National Science Foundation (NSF)
Questions submitted by Chairman Daniel Lipinski
Q1. Witnesses at the June 10th hearing emphasized the importance of understanding
human behavior to improve cybersecurity. What is NSFs current investment in
the social aspects of cybersecurity and how is NSF facilitating collaboration between social scientists and computer scientists? Do we need new models for such
collaborations?
A1. Cybersecurity must be addressed not just from a technical viewpoint, but also
from social, economic, legal, and policy viewpoints. In FY09, NSF deliberately broadened the scope in its Trustworthy Computing Program to include privacy and
usability, encouraging computer scientists to work with social scientists on these
topics. NSF also supports research on economic models, including game theory, for
network security. Here are some examples of projects NSF supports that address
the socio-technical aspects of cybersecurity:
A team from Stanford and New York University composed of computer scientists and social scientists developed a novel Contextual Integrity Model,
which considers social values and legal constraints in characterizing and evaluating the flow of information in organizations. The team has applied the
Contextual Integrity Model to privacy policies such as Health Insurance Portability and Accountability Act (HIPAA), Childrens Online Privacy Protection
Act (COPPA), and Sarbanes-Oxley (SOX).
Behavioral scientists and security researchers from the University of Massachusetts Lowell and Carnegie Mellon are working together to identify the factors that influence a users trust in computer systems in general, and in robot
systems in particular.
Through the multi-disciplinary NSF Team for Research in Ubiquitous Secure
Technology (TRUST), a lawyer, working with computer science colleagues, investigates how technology and the law interact. She spearheaded the California law that requires companies who lose individuals personal information
to disclose to the individuals impacted by the loss.
A team at the NSF Cyber Trust Internet Epidemiology and Defenses Center
at the University of California, San Diego and the University of California,
Berkeley, is modeling the cyber underground economy, a glowing concern because there is significant criminal activity using the Internet. Of particular
interest as a metric is what bots cost on the open market since there is as
entire community that engages in bartering for such machines.
NSF facilitates collaborations between social scientists and computer scientists
through these mechanisms: Direct funding of regular awards and Centers that support multiple principal investigators (PIs) from different disciplines (as in all the
above examples); co-funding of awards between the Computer and Information
Science and Engineering (CISE) Directorate and the Social, Behavioral, and Economics Sciences (SBE) Directorate; joint programs between CISE and SBE (e.g., Social-Computational Systems); Dear Colleague Letters joint with SBE (e.g., Research
on Data Confidentiality) and/or with private foundations such as the Alfred P. Sloan
and the Ewing Marion Kauffman Foundations (e.g., Creating New Cyber-Enabled
Data on Innovation in Organizations, which has a specific focus on privacy); and
workshops that bring together different communities (e.g., the National Academies
July 2009 Usability, Security, Privacy Workshop, co-sponsored by NSF and NIST).
The NSF-wide Cyber-enabled Discovery and Innovation investment also provides an
opportunity for collaboration between computer and social scientists. All these
mechanisms, i.e., models of engagement, are extremely successful ways to foster collaborations between computer scientists and social scientists and they suffice to
achieve the multi-disciplinary challenges of cybersecurity. For the future, we envision strengthening ties between the two communities as both recognize that
cybersecurity is a multi-faceted problem: technical solutions are not sufficient, understanding human behavior is critical, and policy-makers must be informed of what
is or is not technically feasible.
Q2. A major recommendation of the Administrations Cyberspace Policy Review is to
increase cybersecurity education. The review specifically mentioned two NSF
programs, Scholarship for Service and CPATH, in addition to those, how does
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00076
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
71
NSF plan to change or expand its programs to address the education needs identified in the review? Specifically, how can NSF address cybersecurity education
at the K12 level?
A2. In FY09, NSF challenged the computing community in its CISE Pathways to
Revitalize Undergraduate Education in Computing (CPATH) Program to focus on
teaching computational thinking, the concepts underlying computer science, not
just computer programming. Concepts such as algorithms, data structures, State
machines, and invariants, which are driven by computational questions of efficiency
and reliability are useful to everyone, regardless of ones field of study and regardless of ones eventual career or profession. To test out this view, the National Academies is conducting two workshops on Computational Thinking for Everyone; the
first workshop was held in February 2009 and the second will be in early 2010. The
focus of these workshops is particular for computational thinking in early grades,
K6.
The CPATH program also reaches out beyond the undergraduate level. Specifically, in the FY09 solicitation, we wrote . . . CISE encourages the exploration of
new models that extend from institutions of higher education into the K12 environment; activities that engage K12 teachers and students to facilitate the seamless
transition of secondary students into Computational Thinking-focused undergraduate programs are particularly encouraged.
NSF is also expanding its Broadening Participation in Computing by supporting
efforts which bring the two thrusts of computational thinking and K12 together.
For example, NSF is working with the College Board to revisit the Computer
Science Advanced Placement course and exam; this multi-year effort will hopefully
result in a novel CS sequence of courses that will stress computational concepts
early and depict a rich and in-depth view of computer science to high school students.
For the future, we intend to promote a focus on computational concepts that
would benefit everyones analytical skills and a focus on outreach to K12, through
programs from across the Foundation.
Specific to cybersecurity, lets consider three populations of people: users of computing technology, developers of computing technology, and deployers of computing
technology. Users of computing technology need to have some basic awareness of security hygiene; for example, not to open e-mail attachments in messages received
from people one does not know. Through our Cyber Trust Centers and the TRUST
Center (cited above), and even through our regular awards, we can leverage the participating institutions reach into local communities to expand cybersecurity hygiene
education. An example of such a project is MySecureCyberspace (https://
www.mysecurecyberspace.com/), developed at Carnegie Mellon and partially funded
by NSF. It is a portal for all age ranges, from children to seniors, who need to know
the basics of safe and secure interaction for oneself and with others on the Internet.
Developers of computing technology are responsible for designing systems, especially software-intensive systems, with security in mind from the very beginning.
They need to understand and be able to apply principles of software engineering,
state-of-the-art tools to support secure coding, advanced programming languages
that avoid entire classes of security vulnerabilities, and security architectures that
derive from threat modeling. These technical topics are already covered in specific
courses at most colleges and universities that offer computer science degree programs. Those who major in computer science will encounter these course offerings;
non-majors who plan a career in software development should be encouraged to take
such courses as well. To highlight the importance of these kinds of courses (for majors and non-majors), NSF is currently engaging the computer science community
in a discussion on cybersecurity education at the undergraduate level.
Deployers of computing technology, for example, system administrators, are the
front line defense in todays cybersecurity battlefield. They benefit most from programs such as Scholarship for Service and certification programs offered by professional organizations and industry. NSFs Education and Human Resources (EHR)
Directorate will continue to support the Scholarship for Service program.
Questions submitted by Representative Ben R. Lujan
Q1. The Cyberspace Policy Review recommends an increased level of interagency coordination and a renewed emphasis on cybersecurity research and development.
Per the Administrations recommendation, what will NSF change in its current
interagency activities? How is NSF leveraging the expertise of the National Labs
and the Federally Funded Research and Development Centers?
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00077
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
72
A1. Through leadership positions, NSF already actively engages in interagency
cybersecurity activities through these formal mechanisms:
Networking and Information Technology Research and Development (NITRD)
Program. The NSF CISE Assistant Director serves as the Agency Co-Chair
of NITRD. NITRD has 13 member agencies.
The NITRD Senior Steering Group (SSG) is composed of senior representatives of agencies with national cybersecurity leadership positions.
The NSF CISE AD serves as a co-chair for SSG. The SSG provides overall leadership for cybersecurity research and development (R&D) coordination, serving as a conduit between agencies and budget officials, between classified and unclassified federal R&D, and among government,
academia, and industry. An example activity is the National Cyber Leap
Year, as part of the Comprehensive National Cybersecurity Initiative
(CNCI), which is identifying game-changing concepts for securing cyberspace.
The NITRD Cyber Security and Information Assurance Interagency
Working Group (CSIA IWG) coordinates the efforts of NITRD agencies
cybersecurity programs, ensuring complementary and completeness (to
the extent possible) in coverage of the cybersecurity R&D needs of the
Nation. NSF program directors are active participants in CSIA IWG.
The INFOSEC Research Council (IRC) consists of U.S. Government sponsors
of information security research from the Department of Defense, the Intelligence Community, and Federal Civil Agencies. An NSF program director cochairs the IRC. Discussions are both technical and strategic.
As there is heightened and growing interest by the Federal Government in R&D
for cybersecurity, NSF expects to work in the future with other agencies more closely and in more and more activities, both informal and formal. NSFs deep and broad
reach into the academic computer science community puts NSF in a unique position:
to bring the attention of the academic community to nearer-term and/or mission-specific R&D cybersecurity needs of other federal agencies and to introduce federal
agencies to the problem-solving capability, research results, and trained workforce
of the academic community. As one example of how NSFs interactions have grown
in just FY09, here is a list of cybersecurity workshops NSF has been instrumental
in helping to foster, host, and coordinate with other agencies:
Science of Security Workshop, co-funded by NSF, NSA, and IARPA (November 1618, 2008). Goal: To deliberate on making security into a
science with measurable metrics, inspired by established sciences and
theories, such as biology, control theory, and reliability theory.
Usability, Security, Privacy Workshop, hosted by the National Academies
Computer Science and Telecommunications Board (CSTB), co-funded by
NSF and NIST (July 2122, 2009). Goal: To advance objectives in usable
security and privacy, taking into account the broad class of users, security administrators and services, and explore research opportunities and
potential roles for the Federal Government, academia, and industry and
ways to embed usability considerations in research, design, and development of secure systems.
Workshop on Clean-Slate Security Architecture, hosted by NSF, co-funded by NSF and DARPA. (July 28, 2009). Goal: To frame a new security
architecture that could be the basis for new host, network and applications.
Workshop on Security Research for the Financial Infrastructure. Co-run
with Treasury and co-funded by NSF and DHS (October 2829, 2009).
Goal: By bringing together the financial sector and academia, to gain a
better understanding of the security problems faced by the financial sector and how the research community can help solve those problems.
Looking ahead, a possible outcome of holding such joint workshops is the creation
of one or more joint programs between NSF and other agencies.
Through NITRD, NSF formally coordinates with national laboratories, including
the Department of Energys National Nuclear Security Agency (NNSA). NSF also
participated in a joint workshop with DHS and IARPA, co-organized by MIT and
Sandia National Laboratory in November 2007. This NCDI (National Cyber Defense Initiative) Workshop-grass roots effort towards defining a cyber research agenda for the Nation was a precursor to CNCI. Through the DOE Workshops to Assess the Technology to Cope with Attacks to DOE systems, such as the Power Grid,
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00078
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
73
held between 2007 and 2009 and organized by the Pacific Northwest National Laboratory, NSF presented research projects it funds on a more secure power grid,
highlighting the Cyber Trust Trustworthy Computing infrastructure for the Power
Grid (TCIP) Center at the University of Illinois, Urbana-Champaign. Finally, NSF
funds academic researchers who themselves may directly collaborate with National
Labs; for example, we recently funded a CAREER awardee at the University of New
Mexico who collaborates with investigators at Sandia and Los Alamos on developing
quantitative models of Internet censorship.
NSF supports researchers who can tap into the expertise of Federally Funded Research and Development Centers. In particular, NSF funds the Cyber Trust Situational Awareness for Everyone (SAFE) Center at Carnegie Mellon, whose researchers potentially can interact with the Carnegie Mellon Software Engineering Institute (SEI), which is an FFRDC. The SEI houses the Computer Emergency Response
Team (CERT) Coordination Center, which collects data about security
vulnerabilities and coordinates responses to security breaches.
Academic researchers funded by NSF often cannot interact more closely with
members of the National Labs and FFRDCs if the systems of interest are classified,
such as those within National Labs, or data are proprietary, such as that collected
by CERT.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00079
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
74
ANSWERS
TO
Responses by Peter M. Fonash, Acting Deputy Assistant Secretary, Office of

Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security (DHS)
Questions submitted by Chairman David Wu
Q1. The Cyber Space Policy Review calls for increased collaboration with the private
sector. How will you improve your collaboration efforts to implement this recommendation?
A1. The National Cyber Security Division (NCSD) within the Department of Homeland Security (DHS) collaborates closely with the private sector on a wide variety
of initiatives in line with the Cyberspace Policy Review, and has always engaged
in a variety of activities designed to further this collaboration. Specifically, NCSD
engages with public and private-sector partners through the Critical Infrastructure
Partnership Advisory Council (CIPAC) within the National Infrastructure Protection
Plan (NIPP) framework. Since 2007, NCSD and its private-sector partners have cochaired the Cross-Sector Cyber Security Working Group (CSCSWG) under CIPAC.
The CSCSWGs membership includes public and private-sector representatives from
each of the 18 Critical Infrastructure and Key Resources (CIKR) sectors under the
NIPP. The CSCSWG meets monthly and offers a mechanism for public-private collaboration on cybersecurity initiatives, such as improving information sharing, considering private-sector incentives for increased cybersecurity, and developing
cybersecurity metrics that can be used by multiple CIKR sectors. The co-chairs of
the CSCSWG have recently formed a Steering Committee to ensure that the agenda
and work areas undertaken by the group meet the needs of all CIKR sectors.
One area of focus for the CSCSWG in the near future will be development of a
Cyber Incident Response Plan. This plan will be developed in collaboration with industry and government partners and will provide a much needed overall framework
to significantly improve coordination in response to cyber incidents.
Under CIPAC, NCSD will continue to expand its engagement with private-sector
partners to address additional issues necessary to secure the Nations cyber assets,
networks, systems, and functions. Control systems security represents an area of
cyber concern that will see a substantially increased level of collaborative efforts,
including the continued expansion of the Industrial Control Systems Joint Working
Group (ICSJWG) and the Industrial Control Systems Cyber Emergency Response
Team (ICSCERT). Both of these groups are based on a model of public-private
partnership and represent a growing area of collaboration.
NCSD, in conjunction with the National Communications System, can also leverage the National Coordinating Center for Communications (NCC). The NCC is a
joint industry-government operation. It involves the U.S. telecommunications industry and Federal Government organizations that are involved in responding to the
Federal Governments National Security and Emergency Preparedness (NS/EP) communications service requirements and supports planning for a more resilient national and international communications system to satisfy those requirements.
The mission of the National Coordinating Center is to assist in the initiation, coordination, restoration and reconstitution of NS/EP telecommunications services or
facilities. The NCC is the mechanism by which the Federal Government and the
communications industry jointly respond to NS/EP telecommunications service requirements. It provides for the rapid exchange of information and expedites NS/EP
communications responses. While the primary focus of the NCC is the NS/EP telecommunication service requirements of the Federal Government, the NCC also monitors the status of all essential telecommunication facilities including public
switched networks.
In addition, DHS is partnering with the Department of Defense and the Office of
the Director of National Intelligence to engage with senior leadership, at the Chief
Executive Officer level, in the information technology and defense industrial base
sectors, under the Enduring Security Framework. This CIPAC working group recently formed to address the risks and opportunities to the U.S. cyber infrastructure
inherent in globalization.
The Office of Intelligence and Analysis (I&A) has recently increased the production rate of cyber threat intelligence products intended for use by the private sector,
State and local authorities, and federal civilian departments and agencies. These
products are intended to provide awareness of the cyber threats and in some cases
provide warnings so that the appropriate resources and actions can be implemented
to counter these cyber threats.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00080
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
75
I&A also, in coordination with NPPD, provides cyber threat briefings (classified
and unclassified) to private sector representatives. In August and September 2009,
I&A has provided or is scheduled to provide cyber threat intelligence briefings to
the American Petroleum Institute (API), the Oil and Natural Gas Sector Coordinating Council (SCC), the Chemical SCC, and the Nuclear SCC.
In the area of cybersecurity research and development (R&D), DHS pursues collaboration with the private sector through participation in the Networking and Information Technology Research and Development (NITRD) program. A representative from the DHS Science and Technology Directorate co-chairs the NITRD Cyber
Security and Information Awareness (CSIA) interagency working group and is a
member of the NITRD Senior Steering Group for Cyber Security. During the past
year, these groups have issued three Requests for Information through the Federal
Register (garnering more than 230 private-sector white paper responses) and held
a National Cyber Leap Year Summit with more than 100 private-sector participants
(participants reports summarizing Summit outcomes are available at
www.nitrd.gov/NCLYSummitIdeas.aspx). The private sector will continue to be engaged in the development of a game-changing cybersecurity R&D strategy.
Finally, we continue to look for new and better ways to enhance our partnership
with the private sector, on both an operational and policy level.
Q2. The Cyber Space Policy Review also recommends increased interagency coordination. How will you change your current efforts to meet this recommendation?
A2. Overall Federal interagency cybersecurity policy coordination occurs through
the Interagency Policy Committee (IPC) framework under the Presidents National
Security Council system. The Information and Communications Infrastructure IPC
serves as a focal point for cybersecurity matters and several Sub-IPCs are used to
consider specific topics, such as incident response and information sharing.
The National Cyber Security Division (NCSD) within the Department of Homeland Security (DHS) continually strives to identify additional methods to facilitate
coordinated responses to cyber threats. NCSD maintains many, often multi-faceted,
relationships with government agency partners to fulfill its cybersecurity mission,
and as we add personnel to meet mission needs, we will enhance not only our effectiveness but our ability to work with other agencies. Our existing relationships include operational coordination, information sharing, and policy formulation. NCSDs
United States Computer Emergency Readiness Team (USCERT) is charged with
providing response support and coordinating the defense against cyber attacks for
the Federal Civil Executive Branch (.gov). USCERT focuses on improved customer
service and improved interagency coordination in a variety of ways. For example,
the Joint Awareness Cyber Knowledge Exchange meets biweekly to provide a classified forum for federal departments and agencies to exchange cyber threat and defense information, with USCERT providing regular briefings and updates on specific ongoing threats.
Other NCSD programs also offer significant opportunities to improve agency coordination, and we continue to look for new and better ways to build partnerships.
Through the Trusted Internet Connection (TIC) Initiative and deployment of the
National Cybersecurity Protection System (NCPS), operationally known as EINSTEIN, NCSD has the ability to work with all federal civilian departments and
agencies in a coordinated approach to reduce and consolidate external connections
(access points) and implement or acquire security services. DHS coordinated with
departments and agencies to create and refine TIC technical requirements and architecture, bringing technical expertise and issue awareness from early deployments
to bear as additional departments and agencies are added to the program. DHS also
meets quarterly with the TIC Interagency Working Group to address specific implementation challenges and provide definitions and clarification, as well as formal recommendations for TIC policy to the Office of Management and Budget. NCSD will
continue to work with these groups to track TIC implementation progress, lessons
learned, and recommendations for improvement. In addition, planned enhancements
to NCPS will improve USCERTs ability to share information about cyber incidents
across the departments and agencies, thereby increasing interagency cybersecurity
situational awareness.
NCSD also engages with public and private-sector partners through the Critical
Infrastructure Partnership Advisory Council (CIPAC) process within the National
Infrastructure Protection Plan framework. Since 2007, NCSD and its private-sector
partners have co-chaired the Cross-Sector Cyber Security Working Group
(CSCSWG) under CIPAC. One area of focus for the CSCSWG in the near future will
be development of a Cyber Incident Response Plan. This plan will be developed in
collaboration with industry and government partners and will provide a much-needed overall frameworksupported by sub-frameworks, concepts of operations, and op-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00081
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
76
erating proceduresto enable significantly improved coordination in response to
cyber incidents. Under the CIPAC engagement framework, NCSD will continue to
expand its engagement with private-sector partners to address additional issues
necessary to secure the Nations cyber assets, networks, systems, and functions.
In light of the Cyber Space Policy Review recommendations for increased interagency coordination, the Office of Intelligence and Analysis (I&A) will continue to
strengthen its established relationships with the members of the Intelligence Community, the cyber intelligence elements of the Department of Defense, and law enforcement entities. I&A coordinates with interagency partners on its cyber products
and participates in the interagency development of national level intelligence products. In the near-term, I&A will be striving to increase our interactions with the
intelligence components of the Non-Title 50 and Title 10 departments and agencies.
I&A continues to participate in intelligence community interagency coordination and
working groups to ensure effective intelligence information sharing on cyber threat
actors and will seek out additional partnership opportunities to include embedding
I&A analysts in sister intelligence community elements. I&A plays an active role
in developing all-source collection requirements and information needs through
interagency coordination and working groups across the community. To ensure increased coordination I&A will seek to further involve DHS component organizations
Federal, State, local and Tribal (FSTL) governments and critical infrastructure and
key resource (CIKR) partners both public and private with cyber or infrastructure
protection missions into the requirements development process to insure information deemed relevant to the operational components is collected by the intelligence
community and disseminated to FSTL and CIKR partners.
In the area of cybersecurity research and development (R&D), DHS pursues collaboration across the federal landscape through participation in the Networking and
Information Technology Research and Development (NITRD) program. A representative from the DHS Science and Technology Directorate co-chairs the NITRD Cyber
Security and Information Awareness (CSIA) interagency working group and is a
member of the NITRD Senior Steering Group for Cyber Security.
Questions submitted by Representative Adrian Smith
Q1. You stated in your testimony that when this effort began, the Federal Government had more than 4,500 access points to the Internet. I understand that the
original plan was to reduce this number to below 100 to enable manageable deployment of EINSTEIN. Is this still the objective? If not, why not, and what is
the new target number of TICS? How much does a change in the target number
of TICS change the expected costs of the TIC initiative?
A1. The Comprehensive National Cybersecurity Initiatives Initiative 1 (the Trusted
Internet Connection [TIC] Initiative) currently has the following objectives: to reduce and consolidate external access points across the federal enterprise; to manage
the security requirements for Network and Security Operations Centers (NOCs/
SOCs); and to establish a compliance program to monitor department and agency
(D/A) adherence to TIC policy. Working together, DHS and OMB are making
progress towards meeting this initiative.
NCSD, OMB, and the other Federal Department and Agencies, are constantly assessing the appropriate number of TICS required for the .gov domain.
The primary cost driver in this initiative is the number of physical locations
where sensors need to be deployed. Multiple access connections can go through a
single location. Therefore, changes in the number of access connections would not
greatly affect cost.
Q2. Due to the geographical distribution of existing TICS, efforts to dramatically reduce Federal Government access points to the Internet presumably require a significant re-routing of traffic, which presumably adds additional cost to agencies
Internet Service Providers (ISPs). Is this correct, and if so, how (a) how significant are re-routing costs; and (b) how will this additional expense be paid for?
Are these additional costs accounted for in agency budgets and planning?
A2. The geographic distribution of Trusted Internet Connections (TICs), in general,
is not a cost factor. The TIC program is a consolidation of agencies connections to
external networks, not new connections. The Internet Service Providers (ISPs) can
automatically reroute traffic on their network to a designated location. Pricing for
traffic on an ISP backbone is not distance sensitive. The price sensitivity is the
number of connections and the bandwidth of the connection to the ISP by the agency. Consolidation has a long-term financial benefitnamely, the larger the connec-
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00082
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
77
tion bandwidth, the lower the cost per unit of traffic. In general, there are additional charges for access lines in rural or remote locations.
An agency connection to an ISP has two cost elements: the cost of the dedicated
access circuit and a service enabling device (SED) at the agency location (e.g., gateway router). The TIC program introduces the following additional access costs: capital cost and maintenance costs for the TIC equipment and facilities.
There may be additional costs for rerouting traffic within an agencys enterprise
network; however, those costs largely depend on how each agency chooses to implement the TIC initiative. Agencies designated as TIC Access Providers (TICAPs) that
are building their own TIC locations may incur additional costs for rerouting circuits, but that will depend on the outcome of negotiation efforts with the carriers.
An option for TICAP agencies is to use a hybrid approach combining a subscription to the Networx Managed Trusted IP Service (MTIPS) with agency-specific TICs
to reduce rerouting circuit costs. Agencies not designated as TICAPs, or those considered as seeking service, may comply with the TIC mandate by subscribing to the
Networx MTIPS directly.
The MTIPS pricing contains three primary elements: a local dedicated access circuit, a SED at the agency location (e.g., a router), and the MTIPS Port. Only the
local dedicated access circuit cost may be distance sensitive. If agencies are already
using a Networx provider, there should not be a change to the cost per unit of traffic
for the local circuit. If the agency chooses separate Networx contractors or MTIPS
contractors, or has other agency-specific requirements, a new local dedicated access
circuit or new SEDs may be required, increasing the cost.
The guidance from the Office of Management and Budget was for agencies to
cover any additional costs out of existing funding.
Q3. What performance measures are associated with EINSTEIN and how will they
be used to assess effectiveness and improve performance?
A3. The National Cyber Security Division (NCSD) within the Department of Homeland Security (DHS) has created performance goals under the Government Performance Reporting Act (GPRA) and applies Key Performance Parameter (KPP) performance measures to the National Cybersecurity Protection System (NCPS), operationally known as EINSTEIN.
Consistent with our GPRA goals, NCSD measures the percentage of Trusted
Internet Connections (TICs) covered by NCPS. This measure tracks the percentage
of TICS where NCPS sensors are deployed. Tracking this coverage of approved
Internet access points for the Federal Government demonstrates the extent of coverage of .gov traffic that NCPS is providing at any given time.
KPPs are developed as part of the DHS acquisition review process. KPPs demonstrate the performance capabilities that will be purchased with requested funding.
The KPPs are broken out by the Block capabilitiesto match NCPS deployment
plansand each builds on the previous Blocks capability. Additionally, each measure contains both a threshold and objective target. The threshold is the baseline
what-must-be-achieved measure; the objective is what the NCPS is attempting to
achieve. The table below contains the Block KPPs and their thresholds and objectives:
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00083
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
78
Q4. What if any traffic volume or throughput limitations exist associated with
EINSTIEN? Are you confident that this system can provide the processing power
necessary to effectively analyze traffic and ensure against significant network
delays, especially as online communications (including those on government networks) increasingly transition to more data and video intensive applications?
Has the systems capability been validated in practice?
A4. Capacity challenges were identified as a risk; however, a mitigation approach
was built into its development. There are two steps to the mitigation approach.
First, initial deployment meets immediate and near-term bandwidth requirements
as reported by the Department and/or Agency receiving EINSTEIN. Second, the
commercially scalable platform and collection of technologies that make up EINSTEIN, as designed, allow for the seamless expansion of available computing resources as needs arise. This flexibility is best suited to meet todays bandwidth requirements and provides the ability to rapidly accommodate future increases.
Developmental, integration, and operational testing have been successfully conducted and validated to ensure that EINSTEINs processing power scalability meets
the increasing bandwidth demands of the federal network enterprise. Such testing
and evaluation are part of a continual process as the Department of Homeland Securitys National Cyber Security Division implements a phased deployment of EINSTEIN.
Q5. Given that cybersecurity is a cat-and-mouse problem where network defenders
and attackers are both constantly changing their technologies and methods, how
confident are you that the EINSTEIN system can remain effective over the
medium- and long-term? Is it possible (or plausible) that, three to four years
from now, our adversaries will be employing completely different technological
means of penetrating networks that could render EINSTEIN obsolete? In other
words, how adaptable is the EINSTEIN system to changing threats, technologies, and methods?
A5. We agree that attackers are constantly changing their technologies and methods, and therefore network defenders must quickly evolve their capabilities through
continuous technology insertion and evolution. DHS is necessarily concerned both
with todays threats and those unknown threats that are certain to surface and
evolve. With the goal of addressing current and future threats firmly in mind, the
National Cyber Security Division (NCSD) recently issued a Request for Information
to identify new capabilities from industry. NCSDs goal is to deploy and operate todays cybersecurity technology while implementing the processes to ensure that
EINSTEIN can address medium and long-term threat technologies and methods.
The Departments Science and Technology Directorate (S&T) has substantial efforts,
coordinated with NCSD, to identify and fund research and development (R&D) that
would enable NCSDs future EINSTEIN capability to adopt to changing threats,
technologies and methods. Additionally, the Office of Intelligence and Analysis continues to work with its intelligence community partners to understand the tactics,
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00084
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
79
techniques and procedures of threat actors as they evolve. The Department believes
we can achieve this goal and meet future cybersecurity challenges.
Q6. You note in your testimony that EINSTEIN deployment has been completed at
five agencies. Is it correct that the EINSTEIN system was originally intended
to be deployed at all agencies? Is this still the case? If not, how is agency participation being determined-voluntarily by agencies or through a government-wide
prioritization effort? Does the lack of participation by some agencies notably increase the vulnerability of intrusions and information breeches at participating
agencies?
A6. The EINSTEIN program is designed under the Comprehensive National
Cybersecurity Initiative to provide coverage to the federal civil agencies. The Administration is requiring all federal civil agencies to participate. Success of the program
depends upon full participation. Lack of participation by some agencies could increase risk to all the othersincluding those that have deployed EINSTEINby
slowing the identification of vulnerabilities and breaches and thereby increasing the
likelihood of cascading effects within the .gov space.
Q7. In response to a question about the privacy of data collected through EINSTEIN
at the hearing, you stated that we wouldnt get into the privacy or a persons
e-mail unless there was some issue, a national security issue, or something like
that. How is national security defined in this context? What agency or official
is responsible for making a national security determination that would authorize
inspection of content traveling across federal networks, and what is the associated process for doing so?
A7. EINSTEIN 2 supports the Department of Homeland Securitys (DHSs) critical
information infrastructure protection mission as established by the Homeland Security Act, the Federal Information Security Management Act (FISMA), Homeland Security Presidential Directive 7 (HSPD7), National Security Presidential Directive
54/Homeland Security Presidential Directive 23, and related authorities. FISMA requires the Office of Management and Budget (OMB) to oversee and ensure the operation of a central federal information security incident center that provides departments and agencies with cyber detection, analysis, warning, and mitigation support.
In 2004, OMB identified the United States Computer Emergency Readiness Team
(USCERT), which is the operational branch of DHSs National Cyber Security Division, to carry out these responsibilities.
Under HSPD7, DHS is responsible for coordinating the overall national effort
to enhance the protection of the critical infrastructure and key resources of the
United States. Critical Infrastructure is specifically defined in the USA PATRIOT
Act to mean systems and assets, whether physical or virtual, so vital to the United
States that the incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national public health
or safety, or any combination of those matters. Malicious cyber activity that threatens one or more of these elements establishes the context under which EINSTEIN
2 is used by USCERT.
EINSTEIN 2 passively observes network traffic to and from participating Federal
Civilian Executive Branch department and agency networks. No human being reviews any of this data via EINSTEIN 2 unless and until specific pre-defined signatures designed to detect identified patterns of network traffic that may affect the
integrity, confidentiality, or availability of computer networks or information are
triggered. Only if such risk factors are identified within the data will USCERT be
alerted of potential malicious network activity. Thus, USCERT does not obtain the
content of all electronic communications passing over the protected networks but
rather receives the network traffic relevant to a specific signature, along with the
network traffic that is reasonably related to, and associated with, the network connection that caused the alert. Moreover, when an alert does occur, USCERT has
adopted procedures for reviewing signatures and handling information collected to
ensure that the privacy of individuals is protected.
As discussed in greater detail in the DHS Privacy Impact Assessment (PIA) prepared for EINSTEIN 2,1 EINSTEIN is not programmed to specifically collect or locate PII. While future signatures might be developed in response to threats that use
what appears to be PII, the purpose of these signatures is to prevent malicious activity from reaching federal networks, not to collect or locate PII. USCERT also follows procedures to remove any personal information from its products so that only
USCERT would see the full details of any personal information in the flow records,
1 Available
VerDate 11-MAY-2000
11:39 Jan 29, 2010
at http://www.dhs.gov/xlibrary/assets/privacy/privacypiaeinstein2.pdf
Jkt 050171
PO 00000
Frm 00085
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
80
alerts, and related network traffic. The PIA provides additional details on the minimization process and related USCERT analyst training.
If it comes to DHSs attention that there may be a computer network event or
incident that has national security implications, the proper entity with responsibility over that event would be notified in accordance with laws and policies.
Q8. What oversight and accountability mechanisms are in place to ensure that only
data traveling to and from federal networks is routed off of Internet Service Provider (ISP) systems and through to EINSTEIN?
A8. Internet traffic flows to an EINSTEIN sensor either through the use of a Managed Trusted Internet Protocol Service (MTIPS) provided by an Internet Service
Provider (ISP) or to the EINSTEIN sensor located at a department or agencys
Internet access point, referred to as a Trusted Internet Connection (TIC). Safety
mechanisms are in place under either EINSTEIN option to ensure that only data
traveling to and from federal networks is routed off of ISP systems and through to
EINSTEIN. Both options require the relevant department or agency to work with
its ISP to ensure that only data traveling to and from federal networks is routed
through to EINSTEIN based on Internet Protocol (IP) ranges assigned to the department or agency. Because federal networks do not allow non-agency, commercial traffic to traverse their infrastructure, the restriction of EINSTEIN monitoring to these
IP ranges should limit monitoring to traffic directed to or originating from government systems.
MTIPS
With respect to a department or agency that contracts with an ISP for MTIPS,
the contract contains a provision requiring the ISP to ensure that only data routed
to or from the department or agencys IP addresses is routed to the EINSTEIN sensor. Specifically, the ISPs General Services Administration Networx MTIPS Statement of Work provides that:
traffic collection and distribution supports the transport of government-only IP
traffic between Agency Enterprise WANs [Wide Area Networks] and TIC Portals . . .. The TIC Portal . . . monitoring and management systems shall be
dedicated to the management and monitoring of the subscribing agencies hosted
by the contractors portal and shall be isolated from commercial customers.
The ISP further confirms its responsibility to isolate government traffic from that
of its commercial customers through a memorandum of agreement (MOA) executed
with the Department of Homeland Security (DHS), which references the Statement
of Work provisions. A department or agency that is using MTIPS also executes an
MOA with DHS. Pursuant to this MOA, the department or agency is responsible
for ensuring, in conjunction with the MTIPS provider, that only department or agency IP traffic is routed through the TIC portal where the EINSTEIN sensor is located.
TIC
A department or agency using a TIC would already have a contractual relationship in place with its ISP. Pursuant to that relationship, the ISP, in its ordinary
course of business, would use routing tables to ensure that only traffic intended for
the department or agencys IP addresses is routed to the department or agencys
networks. In addition, a department or agency with an EINSTEIN sensor placed at
a TIC also must sign an MOA with DHS. Pursuant to that MOA, the department
or agency is responsible for ensuring that only traffic intended for, or originating
from, that department or agency is routed through the EINSTEIN sensor.
Because EINSTEIN collects net flow information for all traffic traversing a sensor,
in the rare case that the contractual routing protections fail, net flow information
would be collected. A USCERT analyst may detect the error by doing flow analysis,
but the volumes of traffic make this unlikely. EINSTEINs intrusion detection system (IDS) would only alert an analyst if the mis-routed traffic triggers an EINSTEIN signature. In the event of an IDS alert, and upon further inspection and investigation with the department or agency receiving the incorrectly routed traffic,
a USCERT analyst would be able to identify an incorrectly routed traffic error.
USCERT would then work with the National Cyber Security Divisions Network
Security Deployment and Federal Network Security branches, the relevant department or agency, the ISP and, if necessary, the MTIPS vendor to remedy the routing
problem. In the unlikely event that an ISPs routing tables mistakenly assign a government IP address to a commercial client, a routing loop would result and would
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00086
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
81
be detected by the ISP in its ordinary course of business. This would signal to the
ISP a need to correct the routing table.
Q9. What performance measures or other assessment tools have been developed for
the CNCI? What are the primary risks to the success of the initiative going forward?
A9. The Department of Homeland Securitys (DHSs) National Cyber Security Division (NCSD) is the lead or co-lead for six of the 12 initiatives within the Comprehensive National Cybersecurity Initiative (CNCI).
Currently, DHS reports both weekly and quarterly to the Joint Interagency
Cybersecurity Taskforce. This reporting includes both activities and performance
metrics. Performance information is reported quarterly to the Executive Office of the
President. In addition, we work closely with the Office of Management and Budget
on Initiatives 13.
Q10. Some organizations are calling for using liability protection (such as that provided by the SAFETY Act) as a tool for incentivizing greater private efforts to
address cybersecurity. Is this being discussed and considered as part of your
effort to collaborate with the private sector?
A10. Yes, the National Cyber Security Division (NCSD) within the Department of
Homeland Security (DHS) collaborates closely with the private sector on a wide variety of initiatives and has always engaged in a variety of activities designed to further this collaboration. Specifically with respect to incentives, NCSD has engaged
with public and private-sector partners through the Critical Infrastructure Partnership Advisory Council (CIPAC) process within the National Infrastructure Protection Plan (NIPP) partnership framework. Since 2007, NCSD and its private-sector
partners have co-chaired the Cross-Sector Cyber Security Working Group
(CSCSWG) under CIPAC. The CSCSWGs membership includes public and privatesector representatives from each of the 18 critical infrastructure and key resources
(CIKR) sectors under the NIPP. The CSCSWG, which meets monthly, offers a mechanism for public-private collaboration on cybersecurity initiatives, such as improving
information sharing, considering private-sector incentives for increased
cybersecurity, and developing cybersecurity metrics that can be used by multiple
CIKR sectors. The co-chairs of the CSCSWG have recently formed a steering committee to ensure that the agenda and work areas undertaken by the group meet the
needs of all CIKR sectors.
Leveraging this public-private partnership, DHS solicited recommendations and
advice from industry partners on a wide range of incentivesfrom leveraging federal procurement power, to cyber insurance, to ensuring inclusion of cyber investments in the utility rate basefor increased cybersecurity. One incentive considered
by the working group concerns increased use of the SAFETY Act to address
cybersecurity, including the issue of liability protection. The SAFETY Act Office is
receiving and approving applications for cybersecurity technologies. These recommendations will be reviewed and considered by the appropriate members of the
interagency and taken into consideration in light of the significant differences in
business models and perspectives across the sectors.
Q11. As an alternative to regulatory- or liability-based tools to address private sector
critical infrastructure, some have proposed simply taking critical infrastructure
off the Internet gridthat is making the networks necessary for managing infrastructure such as the electricity grid completely closed, similar to how we operate our classified networks. Is this something the administration is looking
at, and do you think it could help to eliminate the security vulnerabilities inherent to being connected to the Internet?
A11. The strategy of taking critical infrastructure off the Internet grid is not an
option the Department of Homeland Security is pursuing due to the inherent complexities and feasibility problems associated with the concept. The Nations critical
infrastructure and related information technology systems and networks are interconnected, diverse, and unique, such that taking them off of the global Internet grid
would generate a wide range of problems that make the task unfeasible on both
strategic and practical levels. Many critical infrastructure networks were built with
a specific architecture designed for Internet access. Their day-to-day communications and business operations require this access for functions ranging from inventory management to customer communications. Sequestering these networks behind
barriers, in a manner similar to how classified networks operate, would result in
multiple problems and logistical difficulties. This would require a complete revision
of the design and function of critical infrastructure and key resources (CIKR) sector
networks, as well as changes to the operations and business models of CIKR sector
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00087
Fmt 6601
Sfmt 6621
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1
82
members. An example of this is the Financial Services Sector, which depends on the
Internet to provide real-time communications and transfer of electronic payments
and account information. Additionally, several other government agencies outside of
the Department of Homeland Security have responsibilities or regulatory authorities
related to CIKR sectors and would have their own views on this subject.
VerDate 11-MAY-2000
11:39 Jan 29, 2010
Jkt 050171
PO 00000
Frm 00088
Fmt 6601
Sfmt 6601
C:\DWORK\T&I09\061609\50171
SCIENCE1
PsN: SCIENCE1

House Hearing, 111TH Congress - Agency Response To Cyberspace Policy Review

Uploaded by

Copyright:

Available Formats

House Hearing, 111TH Congress - Agency Response To Cyberspace Policy Review

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

House Hearing, 111TH Congress - Agency Response To Cyberspace Policy Review

Uploaded by

Copyright:

Available Formats

AGENCY RESPONSE TO

CYBERSPACE POLICY REVIEW

SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

SUBCOMMITTEE ON RESEARCH AND SCIENCE

COMMITTEE ON SCIENCE AND

Serial No. 11134

Printed for the use of the Committee on Science and Technology

U.S. GOVERNMENT PRINTING OFFICE

For sale by the Superintendent of Documents, U.S. Government Printing Office

11:39 Jan 29, 2010

COMMITTEE ON SCIENCE AND TECHNOLOGY

HON. DAVID WU, Oregon, Chair

11:39 Jan 29, 2010

HON. DANIEL LIPINSKI, Illinois, Chair

11:39 Jan 29, 2010

11:39 Jan 29, 2010

Witness List .............................................................................................................

11:39 Jan 29, 2010

Appendix: Answers to Post-Hearing Questions

11:39 Jan 29, 2010

AGENCY RESPONSE TO CYBERSPACE POLICY

JOINTLY WITH THE

SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION,

11:39 Jan 29, 2010

11:39 Jan 29, 2010

SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

11:39 Jan 29, 2010

11:39 Jan 29, 2010

11:39 Jan 29, 2010

11:39 Jan 29, 2010

11:39 Jan 29, 2010

11:39 Jan 29, 2010

11:39 Jan 29, 2010

I want to welcome everyone to this mornings hearing on the administrations

11:39 Jan 29, 2010

11:39 Jan 29, 2010

REPRESENTATIVE ADRIAN SMITH

11:39 Jan 29, 2010

CHAIRMAN DANIEL LIPINSKI

Good afternoon. Id like to thank Chairman Wu for joining me in holding this

Chairman WU. Thank you, Chairman Lipinski. And now I would

11:39 Jan 29, 2010

REPRESENTATIVE VERNON J. EHLERS

REPRESENTATIVE HARRY E. MITCHELL

Thank you, Mr. Chairman.

11:39 Jan 29, 2010

Ms. FURLANI. Thank you, Chairman Wu and Chairman Lipinski,

11:39 Jan 29, 2010

11:39 Jan 29, 2010

11:39 Jan 29, 2010

11:39 Jan 29, 2010

11:39 Jan 29, 2010

Cita M. Furlani is Director of the Information Technology Laboratory (ITL). ITL

11:39 Jan 29, 2010

Dr. WING. Thank you very much. Good afternoon, Chairman Wu

11:39 Jan 29, 2010

11:39 Jan 29, 2010

Good afternoon, Chairman Wu and Chairman Lipinski, Ranking Members Smith