[Senate Hearing 107-1070]
[From the U.S. Government Publishing Office]
S. Hrg. 107-1070
S. 2037, S. 2182, HOMELAND SECURITY AND THE TECHNOLOGY SECTOR
=======================================================================
HEARING
before the
SUBCOMMITTEE ON SCIENCE, TECHNOLOGY, AND SPACE
OF THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
APRIL 24, 2002
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PRINTING OFFICE
90-267 WASHINGTON : DC
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
ERNEST F. HOLLINGS, South Carolina, Chairman
DANIEL K. INOUYE, Hawaii JOHN McCAIN, Arizona
JOHN D. ROCKEFELLER IV, West TED STEVENS, Alaska
Virginia CONRAD BURNS, Montana
JOHN F. KERRY, Massachusetts TRENT LOTT, Mississippi
JOHN B. BREAUX, Louisiana KAY BAILEY HUTCHISON, Texas
BYRON L. DORGAN, North Dakota OLYMPIA J. SNOWE, Maine
RON WYDEN, Oregon SAM BROWNBACK, Kansas
MAX CLELAND, Georgia GORDON SMITH, Oregon
BARBARA BOXER, California PETER G. FITZGERALD, Illinois
JOHN EDWARDS, North Carolina JOHN ENSIGN, Nevada
JEAN CARNAHAN, Missouri GEORGE ALLEN, Virginia
BILL NELSON, Florida
Kevin D. Kayes, Democratic Staff Director
Moses Boyd, Democratic Chief Counsel
Jeanne Bumpus, Republican Staff Director and General Counsel
------
Subcommittee on Science, Technology, and Space
RON WYDEN, Oregon, Chairman
JOHN D. ROCKEFELLER IV, West GEORGE ALLEN, Virginia
Virginia TED STEVENS, Alaska
JOHN F. KERRY, Massachusetts CONRAD BURNS, Montana
BYRON L. DORGAN, North Dakota TRENT LOTT, Mississippi
MAX CLELAND, Georgia KAY BAILEY HUTCHISON, Texas
JOHN EDWARDS, North Carolina SAM BROWNBACK, Kansas
JEAN CARNAHAN, Missouri PETER G. FITZGERALD, Illinois
BILL NELSON, Florida
C O N T E N T S
----------
Page
Hearing held April 24, 2002...................................... 1
Statement of Senator Allen....................................... 3
Statement of Senator Edwards..................................... 5
Statement of Senator Wyden....................................... 1
Witnesses
Boehlert, Hon. Sherwood, U.S. House of Representatives........... 6
Hira, Ronil, Institute of Electrical and Electronics Engineers
(EEE)-USA...................................................... 21
Prepared statement........................................... 22
Hoffman, Dr. Lance, Department of Computer Science, the George
Washington University.......................................... 13
Prepared statement........................................... 14
Logan, Effrey, Business Development Manager, M/A-COM, Inc.,
Wireless Systems............................................... 24
Prepared statement........................................... 25
Starnes, W. Wyatt, President and Chief Executive Officer,
Tripwire, Inc.................................................. 17
Prepared statement........................................... 19
Strawn, Dr. George, Assistant Director (Acting), Directorate for
Computer Information Science & Engineering (CISE), National
Science Foundation............................................. 9
Prepared statement........................................... 11
Appendix
Response to written questions submitted by Hon. John McCain to:
Dr. George Strawn............................................ 43
Graham, James W., Chief Operating Officer, Emergency Asset
Management Systems, prepared statement......................... 41
Vargo, Franklin J., Vice President, International Economic
Policy, letter dated April 8, 2002, to Hon. Wyden and Hon.
Allen.......................................................... 42
Vargo, Franklin J., Vice President, International Economic
Policy, letter dated April 19, 2002, to Hon. Wyden............. 43
S. 2037, S. 2182, HOMELAND SECURITY AND THE TECHNOLOGY SECTOR
----------
WEDNESDAY, APRIL 24, 2002
U.S. Senate,
Subcommittee on Science, Technology, and Space,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:30 p.m. in
room SR-253, Russell Senate Office Building, Hon. Ron Wyden,
Chairman of the Subcommittee, presiding.
OPENING STATEMENT OF HON. RON WYDEN,
U.S. SENATOR FROM OREGON
Senator Wyden. The Subcommittee will come to order. Today,
the Subcommittee on Science, Technology, and Space convenes the
third in a series of hearings on improving America's homeland
security through technology. We are also going to look in
detail at two pieces of legislation, S. 2037 and S. 2182. It is
my intention, working closely with my friend and colleague,
Senator Allen and, of course, the chairman of the full
committee, Senator Hollings, and the Ranking Minority Member,
Senator McCain--it is our intention to work very closely with
the Administration so that it will be possible at the next
mark-up of the full Commerce Committee on May 16 to process
both pieces of legislation.
I did have a very constructive conversation this morning
with Mitch Daniels, the head of the Office of Management and
Budget. He made it very clear that he wanted to work with our
Committee on a bipartisan basis to address both of these
important pieces of legislation, and I appreciate Director
Daniels' constructive effort. We are going to work closely with
the Administration so it will be possible to move these two
important pieces of legislation, and I believe it will be
possible to do that on May 16.
As this country mobilizes to protect itself from terrorism
and other threats, a key weapon in our defensive arsenal is
this country's great technological prowess. Many of the most
promising technologies for improving security reside outside
the government in the dynamic arena of private sector
entrepreneurship, but the government can supply some key
ingredients to make the technology sector's homeland security
efforts more effective. Therefore, it is important to forge a
strong partnership between the government and the technology
sector in order to provide the best protection and response
possible for the American public from high-tech cyber attacks
to more conventional threats.
Many of the solutions for reducing this country's
vulnerabilities are rooted in technology. Sophisticated hacker
attacks on crucial computer networks must be dealt with by
developing technology that can detect and prevent intrusion.
More conventional low-tech threats like airplane hijacking
likewise demand new technological responses. Better security
screening and biometric devices are key to keeping terrorists
off our planes, but when disasters do happen, technology can
make a huge difference by enabling the first responders to
communicate, by coordinating relief efforts to send resources
where they are needed most, and by helping families locate
loved ones.
Today we will look at two pieces of legislation, S. 2037,
the Science and Technology Emergency Mobilization Act, which I
am proud to have authored with Senator Allen, the
Subcommittee's distinguished Ranking Member. This legislation
seeks to provide an organizational structure to quickly locate
and mobilize private sector scientific and technology expertise
in times of crisis.
One pillar of that structure has been dubbed the National
Emergency Technology Guard, or NET Guard. It would be a central
part of a strategic technology reserve, much like this
country's strategic petroleum reserve. The difference is,
instead of oil the strategic technology reserve would be a deep
well of private sector expertise and technological equipment
that could be available around this country at a moment's
notice.
The country's best scientific minds, technology experts,
and technology companies would be invited to participate, and
these companies, in my view, by helping to assist on a
volunteer basis could make a significant difference. We
envisage these volunteers becoming part of a NET Guard, and
this country would have a central data base where we could
catalogue the company's people and resources such as computers,
software, wireless devices, and biohazard detection equipment,
that would be available on a moment's notice.
The legislation has other objectives. One is to speed the
evaluation of new products from the technology sector so that
they can be matched with particular needs of federal security
and response agencies. This seems to me to be particularly
important, because with the federal government having been
flooded with proposals, or various kinds of technologies, it is
important that the government not buy outdated and antiquated
equipment. This part of the legislation would make that
possible.
The second bill the Subcommittee is going to consider
focuses more on the direct threat to our technology
infrastructures and the dangers posed by cyber terrorism. This
is S. 2182, the Cyber Security Research and Development Act,
which seeks to build a foundation of basic cyber security
research, and grow the ranks of scholars who can devise
innovative security defenses.
Since basic research is the soil out of which future cyber
security advances grow, the government ought to support it.
This legislation does so with a series of grants through the
National Institute of Standards and Technology and the National
Science Foundation. The awards are designed to encourage
cutting-edge research today and to call more of the nation's
brightest scientific minds to study the problem down the road.
We are happy to have the opportunity to followup on our earlier
work by examining and hearing testimony on legislative
proposals with respect to both of these Senate bills.
I would also like to thank all the companies,
organizations, and individuals whose support and input has been
so helpful in moving both pieces of legislation forward. I want
to reiterate my interest in working closely with the
Administration on a bipartisan basis. Senator Allen and I have
done that consistently throughout our service on this
Committee, and I want to welcome my colleague and invite him
for any remarks he would like to make.
STATEMENT OF HON. GEORGE ALLEN,
U.S. SENATOR FROM VIRGINIA
Senator Allen. Thank you, Mr. Chairman. I want to begin by
thanking you so much for calling this hearing on this subject
matter, but in particular the focus on these two bills, S.
2037, the Science and Technology Energy Mobilization Act, and
S. 2182, the Cyber Security Research and Development Act. I
appreciate both your leadership and your cooperative spirit on
these issues, and I look forward to working with you on it, and
we will work with our colleagues--this is a bipartisan effort--
and certainly Chairman Hollings and Ranking Member Senator
McCain, as well as the Bush Administration, in working together
for all of our shared goals in these regards.
I would like to thank all our witnesses for being here
today, and in particular I do want to thank Mr. Jeff Logan from
M/A-COM, Incorporated for testifying at today's hearing, and I
look forward to reading your insights and all of your insights
on both these bills.
Both these bills that will be the main focus of today's
Subcommittee hearing highlight the vital role that technology
plays in our nation, in our war to protect our homeland from
terrorism, as we have highlighted, and I agree wholeheartedly
with every remark that you made, Mr. Chairman.
And Senator Wyden, it's exactly my sentiments and
philosophy in not just this hearing but in so many we have
heard, whether in this Subcommittee, or as chairman of the
Republican Senators High Tech Task Force, that there are so
many technologies that are being developed or are actually
currently developed that could help us in so many ways to save
the lives of fire fighters, rescue workers, police officers,
first responders.
There are technologies being developed, or are developed
that can help us detect chemicals or radiological or biological
agents. They also could improve and protect our communications
systems from attack, and obviously the key from a lot of these
is the interoperability of communications from all of these
various federal, state, and local agencies prior to an attack,
or during an attack, or if, sadly, it befalls us again, after
an attack.
Now, S. 2037, the NET Guard bill, can play in my view a
major role in preventing many of the problems that occurred
during the attacks in New York City and at the Pentagon. The
September 11 attacks taught us two things, one, how many
technological improvements there are to help our security that
are really, truly needed by our state, local, and federal
services, and the second thing we learned from September 11 is
that there is a great depth and reservoir of American goodwill
to provide solutions.
I like the fact that this bill calls upon the ideas of the
best and brightest minds of America's technology work force to
act as an all-volunteer force to help restore communications
and infrastructure operations after a major national disaster.
Like all Americans, we had heard earlier in this Subcommittee
and, indeed, the full Committee, of the heartening volunteer
efforts of companies like Verizon, Intel, Accenture, Cingular,
and others that volunteered both staff and equipment to restore
communications in New York City and in the Washington, D.C.
area, and this bill I think will be a way of helping facilitate
their efforts without dampening any voluntary spirit.
Now, as you said, Mr. Chairman, there are many enterprises
and commercial applications that can be adapted to meet
governmental security or safety, public safety needs. I, along
with Members--and I know Senator Edwards and everyone else has
heard all sorts of ideas about companies, about products, their
ideas, and how they will be able to help us, and every single
one of them seems like a really good idea.
In fact, I was reading in the newspaper and found it
interesting about ideas--this did not have to do with homeland
security, but how to fight this war on terrorism, and there was
one suggestion that the Bush Administration had received about
how to get the Al Qaeda terrorists out of the caves, put in
hives of killer bees, and I was thinking, you know, we have
heard that is not a very high tech idea, but it gives you the
idea of the breadth of ideas and at first you may laugh at that
idea and say, you know, who knows, that might work.
The key, though--and I'm not suggesting we need killer bees
for communication. I'm just trying to show you the breadth of
ideas that we get as Senators, and I am sure the Bush
administration gets, on how we could help.
Now, the key to all of this is to have a method of
accurately testing and evaluating these ideas so that when
procurement is going forward, or if somebody has an idea, there
is a way to have that test bed, and that is something that I
think is vitally important, and an important part of this bill,
and I really look forward to making sure that gets achieved.
Now, the other bill in the Subcommittee that we are
examining today, S. 2182, will address the important issue of
cyber security. I will say that there is another cyber security
bill that is not in this Committee, it is in Senator
Lieberman's committee that Senator Bennett and others are
pushing to make sure that there is the communication as far as
cyber security, and I hope they will have a hearing on it. If
you were in charge of that, we would have a hearing, but
nevertheless, there are many concerns about our critical
infrastructure in our country and the Internet. We have seen it
in the past.
The survey just last year by the Computer Security
Institute and the FBI found that 85 percent of 538 respondents
experience computer intrusions. According to the Computer
Security Institute and FBI survey, the estimated economic loss
in these attacks was $378 million, a 43 percent increase from
the previous year.
This Cyber Security Research and Development Act can, I
believe, as you said, Mr. Chairman, play a major role in
fostering greater research and methods to prevent future cyber
attacks, and design more secure networks. The bill I think can
very well harness and link the intellectual power of the
National Science Foundation, NIST, our universities, and the
private sector to develop new and improved computer
cryptography and authentication, firewalls operations and
control systems management and computer forensics.
I reviewed this bill, and the merits of it, and I would
certainly be proud to join you as a cosponsor of the Cyber
Security Research and Development Act. I think it is very much
needed for our education and for our security, and again I look
forward to hearing the testimony.
I will say, Mr. Chairman, I am on the Foreign Relations
Committee and we are having a Top Secret briefing at 3 p.m.
from Secretary Colin Powell on the Middle East situation, so I
will have to read a lot of the testimony, but nevertheless we
are going to work--although it will not be decided today. This
is just one of those steps in the advancement of these good
causes and good ideas.
Thank you, Mr. Chairman.
Senator Wyden. I thank my colleague for an excellent
statement, for working closely with us, and of course, we were
talking about both these pieces of legislation as recently as
15 minutes ago, we are going to push very hard on a bipartisan
basis with the Administration. I thank you for a fine statement
and your leadership.
Now, I want to recognize Senator Edwards, who has been very
passionate about his interest in science policy. We are so
pleased to have him on this Subcommittee. What is so striking
between the three of us, our states 30 or 40 years ago would
not have had a whole lot of technology. They were largely
agricultural states, and all of them now, in addition to
growing things, something we feel strongly about, have made a
big push in technology. Senator Edwards brings great expertise
to this field, and we are pleased to have you here, and make
whatever statement you choose to.
STATEMENT OF HON. JOHN EDWARDS,
U.S. SENATOR FROM NORTH CAROLINA
Senator Edwards. Thanks, Mr. Chairman. I will be very
brief. I think we are all very proud of the leadership that our
three states have shown in the area of technology, and I am
also proud, Senator Wyden, of the leadership you have shown in
this area. Thank you very much for the work you have done, and
my colleague from Virginia, thank you for the work you have
done.
I think we all know that cyber terrorism and cyber crime
rank among very serious threats to American security and
safety. They are threats that ought to be addressed, need to be
addressed. Last fall, I began working on some proposals to
address these issues. We collected a lot of very good ideas
from leaders in government and academia and the private sector,
and in January I introduced two bills, the Cyber Terrorism
Preparedness Act, and the Cyber Security Research and Education
Act, and my hope, Mr. Chairman, is that we will be able to work
together to make sure that our legislation accomplishes all the
things that we are interested in accomplishing, and I want to
just briefly highlight three points that I think we need to
make sure are included in any legislation.
One, that we promote cyber security best practices. If you
left your house without locking the door, you would expect to
be robbed. Right now, government systems and private systems
basically have a lot of their doors open. We need to change
passwords regularly, but we do not always do it. We need to
turn off certain dangerous computer applications, but we do not
do it.
The legislation that I introduced would first encourage
research and public education to develop and encourage best
practices and, second, require government to adopt these best
practices and move toward requiring them for government
contractors and grantees. This should be a priority in any
legislation that we move.
Second, we need to move some of the grant-making authority
for cyber security research outside of the government.
Government is full of terrific public servants, but the reality
is that too often in this area we do not have the flexibility
or the trust from the private sector that we need to lead in
this area, so in our bill we propose funding a nonprofit, non-
government consortium to do a lot of grant-making. I think that
is an important component of any legislation we move forward.
And third, we want to encourage the development of cyber
security experts in academia. Right now, the prestige in
computer science is too often in other fields than cyber
security. We need to get our best minds doing work that can
protect our country and our economy. Our bill has a range of
grants, fellowships, and sabbaticals for research in this
field. I know that your legislation does the same thing. I
think those are critical components of those bills.
So with that, Mr. Chairman, I would yield back to you, and
thank you for the work you are doing, and the leadership you
and Senator Allen have shown.
Senator Wyden. Well, I thank my colleague, and we are going
to work very closely with you. I think there are a lot of areas
where there is common ground, and between now and May 16 we
will work through the proposals you have, and the
Administration's proposals, and we will move forward, and thank
you very much for coming today.
We are also pleased to have Sherry Boehlert, an individual
who has been a friend of mine for 20 years now, and we
especially like the chance to partner with him. Chairman
Boehlert, you have done a terrific job on the cyber security
effort in the House. We appreciate your willingness to work
with Senator Allen and I on the bill to mobilize volunteers in
the private sector and science and information technology, and
we are going to get both of these bills on the President's desk
by working together and with the Administration, so you proceed
as you choose to, and know that you have our welcome as usual.
STATEMENT OF HON. SHERWOOD BOEHLERT,
U.S. HOUSE OF REPRESENTATIVES
Mr. Boehlert. Thank you very much. It is good to be back
with friends, Senator Allen and you and Senator Edwards. I
greatly appreciate your inviting me to testify today on the
vital issue of cyber security, and I am pleased that our
Committees have been able to work so well together. It is a
critical matter. We are taking a bicameral, bipartisan approach
to cyber security, the only approach that makes sense in
dealing with such a massive, growing, and largely unappreciated
threat.
Indeed, it would be hard to exaggerate our nation's
vulnerability to cyber attacks. We rely more every day on an
open network of computer systems for the most basic activities
of our daily lives, communications, business transactions, and
utility transmissions, to name just a few, and even our more
secure systems have turned out to be porous when tested.
A computer attack by terrorists or common criminals or
malicious teenagers, for that matter, could be monumentally
disruptive and, indeed, life-threatening. So the obvious
question is: What are we doing to prevent and prepare for such
an attack? And, unfortunately the answer is just as obvious:
Not enough.
The Administration deserves enormous credit for the work
Governor Tom Ridge and Dick Clarke are doing to address this
threat, especially in the near term. That is a full-time job to
put it mildly. I think that we in the Congress have to spend
some of our time helping to take the somewhat longer-term steps
to counter cyber terrorism--even though we are not usually
accused around here of long-term thinking. Still, improving
cyber security requires a long-term commitment. Our adversaries
are going to get more and more skilled, and we must get smarter
and smarter to counter them. Like the Cold War, the war against
terrorism must be won in the laboratory as much as in the
battlefield.
With that in mind, I introduced H.R. 3394, the ``Cyber
Security Research and Development Act,'' late last year, and
the House in February passed it by an overwhelming vote of 400
to 12. I am honored, Mr. Chairman, that you have introduced our
bill in the Senate as S. 2182, and we have had some very
promising conversations with other Senators of both parties,
but I especially appreciate your leadership.
This bill directly attacks several problems that we have
uncovered in testimony before the House Science Committee, and
that I am sure you will hear about here today. First, the
nation invests a pitifully small amount in cyber security
research, and that is true of both government and industry.
Government underinvests in part because no single agency has
responsibility for the problem, and industry underinvests
because the market has generally not put a high value on
security compared with speed and price and other attributes of
software.
Second, as a result of the minimal investment, few top
researchers are engaged in cyber security research, and few
students are attracted to the field.
Third, as a result of that minimal focus, our basic
approach to cyber security has not changed in decades, even
though it is known to be riddled with holes. Bill Wulf, the
president of the National Academy of Engineering, and a leading
computer scientist, calls this current cyber security paradigm
a ``Maginot Line'' defense. That is not good enough.
So what does H.R. 3394 offer in response? It sets up
programs at both the National Science Foundation and the
National Institutes of Standards and Technology, two premier
science and technology agencies. These programs will bring
industry and academic experts together, fund new, more daring
research, attract top researchers to the field, and recruit new
students to the field. The legislation also tells NSF that it
has the lead responsibility for eliminating our deficiencies in
cyber security research. It is nice to know someone is going to
be in charge.
In short, the new research grants, education grants, and
fellowships created by H.R. 3394 directly address every problem
we have identified that hampers our ability to develop a long-
term strategy to counter cyber terrorism. As a result, the bill
has been strongly endorsed by such groups as the Information
Technology Association of America, and the National Association
of Manufacturers and, indeed, by just about every leading high
tech industry and academic organization. It has also been
endorsed by the Administration, which I think is important to
know.
The bill is a targeted, thoughtful approach to solve a
problem that endangers our nation, and it reflects the advice
of a range of experts from government, industry, and academia.
I commend it to your attention, and I look forward to working
with you to enact it and get it funded.
I also want to express my support for the thrust of your
bill, Mr. Chairman, S. 2037, popularly known as ``NET Guard.''
We are working on introducing it in the House. The bill
addresses another serious gap in our cyber security
preparedness--ensuring that we have the ability to respond
should an attack actually succeed.
We saw after the World Trade Center attack just how
important it was to get our communications and utilities up and
running again, and Con Ed and Verizon and squadrons of
volunteers did a magnificent job. It was little short of a
miracle that the New York Stock Exchange was back in business
so rapidly. We need to have a system in place to ensure that
recovery can always proceed that quickly. That is the goal of
Netguard, and we have to find the right language to ensure that
we have the pieces in place to allow rapid recovery.
So Mr. Chairman, I look forward to continuing to work with
you and with your colleagues to address this most difficult
problem of cyber security. It is one that remains somewhat
invisible to the public, just as the reliance on computer
systems is somewhat invisible. If we do our jobs now, maybe the
problem can remain invisible forever.
A note was just given me. Senator Allen has announced that
he will cosponsor our bill, and that is a wonderful addition to
the squad.
Senator Wyden. Well, let me just say, Chairman Boehlert,
you have given, as usual, just an excellent statement. I think
you are absolutely right with respect to what you want to
accomplish in S. 2182. I think, as you have stated, the
Administration deserves substantial credit for their work on
the legislation as well, and what it will do, what S. 2182 will
do, is ensure that these two premier agencies, NSF and NIST,
will have a permanent capability that will allow us to find
those cutting edge strategies and technologies to fight
terrorism, and I commend you for all your work. I thank you for
agreeing to work with us on S. 2087, and since, Chairman
Boehlert, you of course had the vote, let me just tell you a
little bit of where we are and just sort of invite you to
participate.
I think it is our desire on May 16, Senator Allen and
myself, working with Chairman Hollings and Senator McCain, to
have, with your input and that of the Administration, the
ability of the Senate to move forward on both of these bills at
the May 16 mark-up. Obviously, there are issues that we need to
work on to ensure that there is no duplication and that we
maximize the efforts to coordinate what is going on in the
private sector with what is going on in government, but I think
the pieces are falling in place.
Mitch Daniels, in my discussions with him this morning, was
very positive in terms of working with us, and so we invite you
and your staff to work with the Commerce Committee leadership
on these issues. With a little luck, we will have both of these
bills moving on May 16, and to a great extent that is possible,
Sherry, because of all that you have done.
Mr. Boehlert. Thank you, Mr. Chairman. It is always a
pleasure to work with you. We have a longstanding relationship.
It is just nice, as the years pass, to get a little extra
seniority and a little extra influence around this town, and we
are putting it to good use.
Senator Wyden. Well, you are using your gavel well, and we
will try to complement what you are doing on this side. Unless
you have anything to add, we will excuse you, but know that we
are very appreciative of all your leadership.
Mr. Boehlert. Thank you very much.
Senator Wyden. Our next panel is Mr. Ronil Hira, Institute
of Electrical and Electronics Engineers; Dr. Lance Hoffman,
Department of Computer Science, George Washington University;
Mr. Jeffrey Logan, Business Development Manager, M/A-COM; and
Mr. Wyatt Starnes, President and Chief Executive Officer of
Tripwire in Portland, Oregon.
Let me also apologize, Dr. Strawn, I was reading from the
wrong column. I apologize. We are very glad that you are here.
Please, all of you, sit down and be comfortable, and we will
make up for the omissions in the introductions, Dr. Strawn, by
starting with you, and we will make all of your prepared
remarks a part of the hearing record in its entirety, and if
you could take 5 minutes or so and summarize your principal
concerns, that would be great.
Dr. Strawn, welcome.
STATEMENT OF DR. GEORGE STRAWN, ASSISTANT DIRECTOR (ACTING),
DIRECTORATE FOR COMPUTER INFORMATION SCIENCE & ENGINEERING
(CISE), NATIONAL SCIENCE
FOUNDATION
Dr. Strawn. Chairman Wyden, thank you for the opportunity
to testify at this hearing on homeland security and the
technology sector, and on the cyber security research and
development Act. I am George Strawn, the Acting Assistant
Director for Computer and Information Science and Engineering
at the National Science Foundation. Prior to coming to NSF, I
was a faculty member in the university computer science
department and the director of an academic computation center.
As such, I have been concerned with issues like cyber security
for a long time.
As you know, the Administration has yet to take a position
on S. 2182, and so I will confine my remarks to the need for
cyber security research and development and provide you with an
overview of NSF's involvement in this important area. The
Administration would appreciate an opportunity to analyze S.
2182 and submit written views on it prior to the Subcommittee's
consideration of the bill. Cyber security is now understood to
be a rather difficult problem. This is true for many reasons,
including the fact that cyber security is the property of the
total system, not system components, and those components
include human and management elements as well as technology
elements. This means that individually secure components and
procedures can be put together and still comprise a system that
is not secure, unless the proper attention is given to system
level security considerations.
Of course, the fact that the Internet makes one big system
out of millions, soon to be billions of IT components is a
major source of complexity and insecurity. As you know, NSF
focuses on long-term fundamental research and education in all
areas of science and engineering. Long-term fundamental
research has as its goal increased understanding of the
subjects under study, and it has been the experience of science
and engineering research that increased understanding leads to
technology developments that are then put to important uses by
a society.
We believe there are important reasons to increase the
emphasis on cyber security research and development, that is,
seeking a better understanding of cyber security, as NSF has
recently been doing. A major problem in developing a robust
cyber security research program is that the number of faculty
members in academe doing research in cyber security has been
quite small.
This is perhaps the most important problem to be solved as
we seek to increase the amount of long-term fundamental
research in cyber security, and unless there is a sufficiently
large-size community of cyber security researchers, there will
never be a sufficient number of graduate students trained in
this field. This translates into a shortage of next generation
cyber security workers and faculty. It also means we will
continue to lack the courses and curricula needed to educate
more students, undergraduates and graduates alike, for the
cyber security work force.
Last September 5, NSF announced a new research program
called Trusted Computing to focus our support for cyber
security research. In addition to the estimated $20 million
that we have been investing in cyber security-related research
projects, we allocated $5 million for our Trusted Computing
program. On December 5, we received about 120 proposals in
response to that announcement requesting over $80 million of
support.
Our expert panelists who reviewed those proposals rated
almost half of them as worthy of funding. We believe that
Trusted Computing program and similar programs will motivate
more faculty to turn their attention and expertise to cyber
security, and that this will help create a vibrant research
community that will attack and ultimately solve many of the
difficult problems associated with cyber security.
NSF also has considerable experience in supporting
curriculum and academic program development and of
administering graduate and undergraduate trainee programs such
as scholarships for service, the Cyber Corps program. This
program has been funded at approximately $11 million for the
past 2 years, and the Administration is requesting $19.2
million in supplemental funding to enhance the program in
fiscal year 2002.
Such activities also help accelerate developments in cyber
security, especially when coupled with vibrant research support
to attract research faculty into the area, as mentioned above.
Thank you again for the opportunity to testify, and I would
be happy to respond to any questions you may have.
[The prepared statement of Dr. Strawn follows:]
Prepared Statement of Dr. George Strawn, Assistant Director (Acting),
Directorate for Computer Information Science & Engineering (CISE),
National Science Foundation
Chairman Wyden, Senator Allen, Members of the Committee, thank you
for the opportunity to testify at this hearing on Homeland Security and
the Technology Sector and the Cyber Security Research and Development
Act. I am George Strawn, acting Assistant Director for Computer and
Information Science and Engineering at the National Science Foundation.
Prior to coming to NSF, I was a faculty member in a University Computer
Science department and the director of an Academic Computation Center.
As such I have been concerned about issues such as cybersecurity for a
long time. As you know, the Administration has yet to take a position
on S. 2182 so I will confine my comments to the need for cybersecurity
R&D and provide you with an overview of NSF involvement in this
important area. The Administration would appreciate an opportunity to
analyze S. 2182 and submit written views on it prior to the
Subcommittee's consideration of the bill.
Although cybersecurity has always been an important part of
information technology (IT), over the last decade its importance has
been greatly magnified. This is so because IT systems and services now
are pervasive throughout society and because the Internet now ties
together so many of our IT systems. While this interconnectedness of IT
systems is enabling great productivity gains for the U.S. economy, it
has also enabled great gains for IT mischief makers and outlaws.
Clearly, there is much understanding yet to be gained if we are to
avoid unpleasant surprises and to foil those who would attack the
internet or use it for illegal purposes.
Although the defense sector has always paid great attention to
cybersecurity, the same cannot be said about many civilian applications
of IT. Until recently, cybersecurity has been considered an ``optional
add-on'' for many IT systems. As recently as two years ago, discussion
at a President's IT Advisory Committee (PITAC) meeting indicated that
the private sector ``was not being rewarded'' for cybersecurity
products and services because they made IT systems more complicated and
slower at a time when customers were wanting more simplicity and speed.
Although these circumstances have begun to change, there is much to do
before we will be able to achieve desired levels of cybersecurity.
Cybersecurity is now understood to be a rather difficult problem.
This is true for many reasons, including that fact that cybersecurity
is a property of the ``total system'', not of the system components
(and those components include human and management elements as well as
technology). This means that individually secure components and/or
procedures can be put together to comprise a system that is not
secure--unless the proper attention is given to system-level security
considerations. Of course, the fact that the Internet makes ``one big
system'' out of millions (soon to be billions) of component IT systems
is a major source of complexity and insecurity.
Early research and development work on the Internet, as with many
IT developments of the past, focused on ``making it work'', not
necessarily on making it secure. And because cybersecurity is a systems
property, trying to add it on as an afterthought is very problematic.
It would be much better to recreate IT systems with cybersecurity as a
major design criteria than to attempt to patch it in after the fact.
Of course, we must and can attend to short-term needs and to long-
term improvements simultaneously. Short-term cybersecurity patches are
not only possible but are in progress throughout the IT world. In fact,
a major challenge is to get cybersecurity services and procedures that
have been developed over the last few years into wide use. Although
there may be useful tactical contributions to cybersecurity that NSF
can make (such as cybersecurity emphases in our Digital Government
program), I would like to focus on longer term issues in cybersecurity
because that is where NSF's contributions can be the greatest.
As you know, NSF focuses on long-term fundamental research and
education in all science and engineering disciplines. This long-term
fundamental research has as its goal increased understanding of the
subjects under study. And it has been the experience of science and
engineering research that increased understanding leads to technology
developments that are then put to important uses by society. In many
cases the societal uses that result from scientific understandings were
not apparent at the time the scientific work was being done. For
example, important applications to cybersecurity may arise out of
scientific research in IT systems (or even in other sciences) that
doesn't initially appear to be related to security. Nevertheless, there
are important reasons to increase the emphasis on cybersecurity R&D as
NSF has recently been doing.
NSF has supported cybersecurity research for a number of years,
recently at a level of approximately $20 million. A major problem in
developing a robust cybersecurity research program is that the number
of faculty members doing research in cybersecurity has been quite
small. This is perhaps the most important problem to be solved as we
seek to increase the amount of long term fundamental research in
cybersecurity. Unless there is a sufficiently large-size community of
cybersecurity researchers, there will never be a sufficient number of
positions for graduate students to assist in the conduct of that
research. This translates into a shortage of next-generation
cybersecurity workers and faculty. It also means we will lack the
courses and curricula needed to educate more students--undergraduates
as well as graduates--ready to go into the cybersecurity workforce.
NSF's Scholarships for Service/Cybercorp program is one way we are
trying to address this issue. This program makes awards to qualified
institutions to provide scholarships to undergraduate and graduate
students studying computer security. In exchange, the recipients must
serve in the federal government for at least two years. The program
also provides capacity building grants to improve the quality and
increase the production of computer security professionals. The program
has been funded at approximately $11 million the past two years and the
Administration is requesting $19.3 million in supplemental funding to
enhance this program in FY 2002.
Last September 5th, NSF announced a new research program, Trusted
Computing, to focus our support for cybersecurity research. In addition
to the estimated $20 million that we anticipate as our ongoing
investment in distributed cybersecurity research projects, we allocated
an additional $5 million for the Trusted Computing program. On December
5th, we received about 120 proposals in response to that announcement
requesting over $80 million of support. Our expert panelists who
reviewed those proposals rated about 10 percent of them as ``highly
competitive'' (high praise from the ever-critical research community)
and rated almost half of them as worthy of funding. We will award
funding to the highly competitive proposals. We believe that this
program will motivate more faculty to turn their attention and
expertise to cybersecurity. It will be necessary to focus attention on
programs like Trusted Computing over the next several years if we are
to help create a vibrant research community that will attack, and
ultimately solve, many of the difficult problems associated with
cybersecurity.
In addition to individual research awards, NSF has recently
increased the number of large project interdisciplinary awards it has
made in areas of IT research. Under the Information Technology Research
(ITR) priority area initiated in 2000, NSF began a major invigoration
of its IT research activities, including a focus on large,
interdisciplinary research projects. We believe that this focus has
already begun to show extremely valuable results by enabling computer
scientists and engineers to work collaboratively on problems that
require expertise from many areas to solve. I believe that many
cybersecurity problems will also benefit from interdisciplinary groups
or centers working collaboratively on their solutions. One important
goal of fundamental long term research in cybersecurity will be to
produce agreement on what, in fact, constitutes as secure system. When
such an agreement is in hand, it will be possible to formulate
important cybersecurity standards that, like all important standards,
will facilitate their realization.
NSF also has considerable experience in supporting curriculum and
academic program development and of administering graduate traineeship
programs. Such activities could also help accelerated academic
developments in cybersecurity as long as they are coupled with vibrant
research support to attract the research faculty into the area as
mentioned above.
NSF focuses on people, ideas, and tools as it pursues its goals of
helping to keep the U.S. in a world-leadership position in science and
engineering research and education. Increasingly IT tools and services
are required by all academic disciplines to achieve these goals.
Therefore our efforts to contribute to cybersecurity research and
development are increasingly required for our science and engineering
community as well as by society at large. As IT continues to transform
society, cybersecurity continues to increase in importance and is of
increasing priority on our list of important scientific and engineering
activities.
Thank you again for the opportunity to testify, and I would be
happy to respond to any questions you may have.
Senator Wyden. Very good. Let us move on now to Dr.
Hoffman.
STATEMENT OF DR. LANCE HOFFMAN, DEPARTMENT OF
COMPUTER SCIENCE, THE GEORGE WASHINGTON
UNIVERSITY
Dr. Hoffman. Thank you, Chairman Wyden. It is an honor to
have this opportunity to appear before you today to comment on
S. 2037, the Science and Technology Emergency Mobilization Act,
and S. 2182, the Cyber Security Research and Development Act.
My name is Lance Hoffman. I am professor of computer science at
the George Washington University here in Washington, D.C.,
where I lead the computer security graduate program in computer
science. I am a fellow of the Association for Computing
Machinery, the ACM, an organization of 75,000 computer
professionals with active professional and student chapters in
Oregon, Virginia, and most states throughout the nation.
This statement today has been endorsed by the ACM's
Committee on Computer Security and Privacy and the U.S. Public
Policy Committee of the ACM, the USACM. I will summarize it in
the interest of time. My entire statement has been submitted
for the record.
First, let me address S. 2182. This bill takes important
steps to develop the cadre of scientists, engineers, and
computer specialists who understand current information
assurance problems and can ameliorate them while also
developing long-term solutions based on improved, smarter
technologies. It does this by new research and education
programs at the National Science Foundation and the National
Institutes of Standards and Technology.
Computer security and information assurance have had
trouble in the past competing with more established
disciplines. Students and faculty have been driven by available
funding opportunities to work on problems that are better known
and whose solutions are in some cases more developed, but less
important and critical to the nation than the security of its
infrastructure. This bill will help remedy that situation.
I especially like the inclusion of privacy and
vulnerability assessments, also known as risk analysis, as
important areas of study, since innovative technical solutions
will fail if they do not take into consideration the
surrounding constraints. These constraints include politics,
cost, legal liability, and other technologies like battery
life.
I very much support the bill. The Committee may wish to
consider a few minor improvements. First of all, there is an
intense nation-wide competition for the current small number of
recent Ph.D graduates interested in a faculty position in
computer security and information assurance. Explicitly
allowing funds for faculty recruitment from outside, for
example, from retirees, might provide another source of
qualified people to buildup the training cadre more rapidly.
Second, program managers at NIST and NSF should be allowed
a bit more discretion in funding extraordinary projects with
high risk and high potential. Setting aside a small percentage
of the funds of this bill for innovative projects that address
evolving and emergency research issues will allow researchers
to fund a planning workshop or encourage an add-on specialty
day at an existing conference in a hurry, without encountering
a lot of red tape.
Finally, I respectfully suggest that universities be
allowed to concentrate first on curriculum development and
student recruitment. Later, universities could be required to
collect appropriate placement data from students as they exit
the program. The bill as written I believe currently requires
placement data up front, and I think this competes with getting
these new programs off to a good start.
Let me now turn to S. 2037. S. 2037 establishes pilot
programs aimed at achieving the interoperability of
communications systems used by emergency response agencies. It
is good as far as it goes,but it is incomplete. It is also
necessary to improve the integrity, assurance, and security of
these systems. Standards bodies, including NIST, should work to
develop better wireless standards to ensure security and
utility of such systems.
Also, while this legislation takes necessary steps to
require expertise checks, it lacks similar safeguards requiring
background checks, potentially allowing the introduction of
technically competent, malevolent individuals into the nation's
infrastructure defense. We must verify both the technical
credibility and the personal background of individuals selected
for the National Emergency Technology Guard that is envisioned
in this bill.
A final point. If and when utilized, the virtual technology
reserve data base should only be used, and not misused by those
responsible. The data base must be designed and tested properly
and vetted by experts in data bases, privacy, and security.
A final word on the chilling effects of the Digital
Millennium Copyright Act. I would be remiss if I did not
mention these. The DMCA's restrictions have the potential to
cripple the very security advancements that S. 2037 and S. 2182
are intended to generate, and its limited exemptions have not
provided a safe harbor for researchers. I urge you to reexamine
it and similar laws.
Thank you, Mr. Chairman, for the opportunity to appear
before you today. I would be pleased to answer any questions
you might have.
[The prepared statement of Dr. Hoffman follows:]
Prepared Statement of Dr. Lance Hoffman, Department of Computer
Science, the George Washington University
Thank you, Chairman Wyden, Senator Allen, and other distinguished
members of the Science, Technology, and Space Subcommittee. It is an
honor to have this opportunity to appear before you today and to assist
in your efforts to strengthen our nation's information infrastructure
and improve our capability to respond and recover from terrorist
attacks and other emergencies.
I am Lance J. Hoffman, Professor of Computer Science at the George
Washington University here in Washington, D.C. I lead the computer
security graduate program in computer science and the Computer Security
and Information Assurance Graduate Certificate Program. This academic
year, I taught information policy and information warfare courses to
students of computer science, international affairs, political science,
and other fields. In 1993, I founded the School of Engineering's
Cyberspace Policy Institute to examine the relationship between the
technical and other factors that affect security, privacy, and related
aspects of computer and information systems.
I am a Fellow of the Association for Computing Machinery (ACM), the
nation's oldest and largest professional society of computer
scientists, educators and other computer professionals committed to the
open interchange of information concerning computing and related
disciplines. The ACM has 75,000 individual members, including active
professional and student chapters in Oregon, Virginia, and most states
throughout the nation.
To underscore the importance of today's hearing this statement has
been endorsed by the ACM's Committee on Computer Security and Privacy
and the U.S. Public Policy Committee of the ACM (USACM).
I appreciate this opportunity to comment on S. 2037, the Science
and Technology Emergency Mobilization Act, and S. 2182, the Cyber
Security Research and Development Act, two significant pieces of
legislation designed to address our nation's information assurance
needs.
S. 2182
First, let me address S. 2182. This bill takes important steps to
develop the cadre of scientists, engineers, and computer specialists
who understand current information assurance problems and can
ameliorate them while also developing long-term solutions based on
improved, smarter technologies. To date, despite the fact that an
increasing amount of daily life involves reliance on computer systems
and networks, there is a remarkably small amount of long-term, ongoing
funding available for computer security and information assurance
research and development designed to solve these problems. This bill
may remedy these concerns by providing the incentives and human
resources necessary to meet some of today's security challenges and to
take on tomorrow's. It does this in several ways, notably by the new
research and education programs it calls for at the National Science
Foundation (NSF) and the National Institute of Standards and Technology
(NIST).
These programs will promote more innovative research in information
assurance by attracting technically competent researchers into this
field of national need. The bill is written in such a way that everyone
from a senior faculty member wishing to focus his or her attention on
computer security to a bright undergraduate student will be encouraged
to work in this field. It will help to address the critical shortage of
Ph.Ds and graduates in the security field that limits opportunities for
research and solving the critical challenges we face.
Computer security and information assurance have had trouble in the
past competing with more established disciplines. Students and faculty
have been driven by available funding opportunities to work on problems
that are better known and whose solutions are in some cases more
developed, but less important and critical to the nation than the
security of its infrastructure. This bill will help to remedy that
situation.
I especially like the inclusion of privacy and risk analysis as
important areas of study, in addition to what some might consider more
purely technical areas. Since innovative technical solutions developed
in a vacuum without taking into consideration the surrounding
constraints related to politics, cost, and legal liability will fail,
the inclusion of these areas will guarantee that the pure technological
solutions that come out of the programs that this bill funds will
actually have a good chance of being implemented, working, and
ultimately improving the security of the nation's infrastructure.
I also appreciate the foresight of the bill in recognizing and
supporting not only traditional undergraduate and graduate fields of
study, but also certificate programs in the area. I direct a
certification program where working professionals come in after a full
day at work, and devote an additional five hours toward a certification
in security and information assurance. In the program we have just
started, more than a quarter of the students have been motivated to go
back to school and pursue more advanced master's and doctoral studies
in this area, and to apply the graduate credits earned with their
certificate to those higher degrees.
The bill is excellent as written, but the Committee may wish to
consider a couple of minor changes that would improve it even further.
For instance, it currently provides funds for faculty retraining in
this area. But in many cases, this may not be a viable option since
many universities are stretched thin in trying to properly cover the
currently recognized core areas of computer science. It is hard enough
to get established faculty members in one field to change specialties,
and recruiting across departments is almost impossible.
There are only a limited number of faculty members in the U.S. who
have significant background in security research. As my colleague
Professor Eugene Spafford of Purdue University pointed out in his
testimony last fall to the House Committee on Science, an informal
survey of 23 preeminent U.S. universities with information security
programs found that they graduated a combined total of 20 Ph.Ds in
security over the last three years. As you can imagine, there is an
intense competition for the even smaller number of graduates interested
in a faculty position. Explicitly allowing funds for faculty
recruitment from outside (for example, from retiring federal government
and contractor security experts who have appropriate credentials,
teaching skills, and the motivation to work as part-time or full-time
faculty but would not otherwise have the opportunity) might provide
another solution to this problem of building up the training cadre more
rapidly.
While I am very encouraged with the funds authorized by this
legislation, I would also suggest that program managers at NIST and NSF
be allowed a bit more discretion in funding extraordinary projects with
high risk and high potential. Setting aside a small percentage of the
funds of this bill for small, innovative projects that address evolving
and emerging research issues will allow researchers to, for example,
fund a planning workshop or to encourage an add-on specialty day at an
existing conference without a lot of red tape. These opportunities for
research and information dissemination may lead to new innovative
solutions and other advances in information security.
My final remark on S. 2182 relates to the requirement for placement
data in fields related to computer and network security. A study of
potential enrollment and placement for students enrolled in a proposed
computer and network security program may be hard for many universities
to generate at the same time they are starting these programs and
assimilating the additional students generated by this and other
programs. As a result, the development and growth of these programs
could be unnecessarily impeded. I respectfully suggest that
universities be allowed to concentrate on curriculum development and
student recruitment up front. If you wish, universities could be
required to collect appropriate placement data from students as they go
through and exit the program. But requiring this up front is
counterproductive.
S. 2037
Turning my attention to S. 2037, the Science and Technology
Emergency Mobilization Act, I wish to commend the members of this
Subcommittee for their noble attempt to harness the outstanding
capabilities of our nation's science and technology community,
especially in times of national crisis. Faced with the realities of
September 11, many members of the computing community wished to provide
their technical assistance towards safeguarding our nation's
infrastructure and in recovering from the attacks. S. 2037 would
provide opportunities to match security experts where their services
are most needed.
I wish to offer the following recommendations to build upon the
many fine provisions of S. 2037. First, in establishing pilot programs
aimed at achieving the interoperability of communications systems used
by emergency response agencies, it is also necessary to achieve the
integrity, assurance, and security of the communications. In attempting
to improve emergency communications, it would be shortsighted to
sacrifice security to achieve utility, particularly if it leads to
vulnerable emergency communication systems. Wireless standards, where
they exist, are known to be weak. Standards bodies, including NIST,
should work to develop better wireless standards to ensure security and
utility of such systems.
While the legislation takes necessary steps to require expertise
checks, it lacks similar safeguards requiring background checks. This
vulnerability might allow the introduction of technically competent
malevolent individuals into risk equation. If we don't verify both the
technical credibility and the personal background of individuals, we
risk doing more harm than good.
Authentication precautions and other security mechanisms, combined
with privacy policy guidelines, will be necessary so that if and when
utilized, the ``virtual technology reserve'' database is only used by
those responsible and is not misused (e.g., by an enemy attacking using
a form of information warfare and polluting the database or identifying
and harassing or impeding the responders identified therein).
The database will need to be designed and tested properly; possibly
using competing designs with rapid prototyping. Both database and
security experts should work on system design to insure appropriate
access and security balances, speed of responsiveness, update ability,
and accuracy.
While S. 2037 will help our nation respond to acts of terror and
other emergencies, we must simultaneously engage in a more proactive
approach that focuses on prevention. ``Emergency prevention and
response'' is stated as an objective but it is much easier to
demonstrate response than prevention [it's hard to have a demonstration
if nothing is happening].
Chilling Effects of the Digital Millennium Copyright Act
One last but critical point that I wish to leave you with is that
laws like the Digital Millennium Copyright Act (DMCA) inhibit the
ability of individuals to engage in critical research in computer
security and related fields. Unfortunately, this has certain
implications for national security. For instance, researchers who study
or teach encryption, computer security, or otherwise reverse engineer
technical measures and who report the results of their research in this
area face new risks of legal liability under the DMCA. As University of
California at Berkeley Law Professor Pamela Samuelson has noted, the
limited exemptions carved-out in the DMCA have been found to be of
little value to the research community. I encourage you to re-examine
laws that prohibit or restrict computing technology instead of
undesirable behavior. DMCA-like restrictions have the potential to
cripple the very security advancements S. 2037 and S. 2182 are intended
to advance.
In summary, I commend the members of the subcommittee for their
legislative efforts to enhance the security of our nation's
infrastructure and our ability to respond to national emergencies.
Thank you for the opportunity to appear before you today. I would be
pleased to answer any questions you might have.
Senator Wyden. Dr. Hoffman, thank you. I think the DMCA
proposal may be a little much for us to get into in legislation
that we would like to have moving in a month or so, but I think
you know we very much value the work you are doing, and your
organization. We will have some questions in a moment. We would
welcome Mr. Starnes, and we are glad once again Oregon is
pioneering in this area, and we welcome you, Wyatt, and you may
proceed.
STATEMENT OF W. WYATT STARNES, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, TRIPWIRE, INC.
Mr. Starnes. Thank you, Mr. Chairman. My name is Wyatt
Starnes, founder and CEO and president of Tripwire,
Incorporated. I would like to start by commending this
Subcommittee, led by Senator Wyden, Senator Allen, and their
staff in directing focus on critical issues of cyber security.
I appreciate the opportunity to testify orally before the
Committee today. I have also submitted expanded written
comments for the record.
For the past decade, the technology that is Tripwire has
focused on data integrity assurance as a means to achieve
higher levels of security, control, availability, and
reliability of computing systems. Our focus has been on
protecting critical computing infrastructure within the
commercial and government sectors.
Tripwire software has been deployed on hundreds of
thousands of critical systems worldwide, including many in this
building. It is as an information security professional and a
business leader, as well as a citizen, that I am here before
you today to discuss the security and control of our nation's
cyber infrastructure, and why I've concluded that both Senate
Bill 2182, the Cyber Security Research and Development Act, as
well as Senate Bill 2037, the Science and Technology Emergency
Mobilization Act, represent very positive steps forward to
safeguard our nation's somewhat fragile digital infrastructure.
The development of Tripwire's technology was supported
entirely with commercial funding as a part of Purdue's center-
based long-term research efforts, which have no federal
support. They are almost entirely funded by corporate
contributions. Recently, market pressures, including the
economic downturn, have put a damper on commercial funding,
reducing the capacity of many academic programs. It may even
threaten the existence of a few at a time when they are just
beginning to realize their full value.
We support Senate Bill 2182 as it provides a means to
address these issues by creating and funding programs to
stimulate new cyber research and development. They should help
to prime the pump, enhancing our ability to stay ahead in the
development of critical cyber protection technologies. The
problem, however, extends beyond federal funding issues. We
must enhance the coordination among the state-federal
government as well as the academic community and private
industry.
As a CEO of a commercial company, I routinely see the
desire and need for government and commercial entities to
enhance their security procedures, in many cases especially
within the government sector. These requirements come months,
or even years before the funding becomes available. It is in
these critical gaps that our cyber vulnerability as a nation is
the greatest. Somehow we need to find ways for the government
to operate in Internet time when faced with bridging these
gaps, and expedite approvals of funding to address them.
Turning my attention to Senate Bill 2037, the Science and
Technology Emergency Mobilization Act, I believe this
legislation can help by establishing a structure within the
national Netguard framework to enable public and private
sectors to work together more effectively when cyber events
threaten our country's electronic infrastructure. This act
intends to create an organized process and control structure to
allow the private sector to provide the appropriate assistance
in times of need, as well as a mechanism for the government to
quickly locate and request assistance from qualified
individuals within the private sector. These capabilities are
useful to enable the country to react quickly and appropriately
to cyber security issues, particularly when they impact our
national infrastructure.
While I am supportive of the concept reflected in Senate
bill 2037, I urge the Committee to think and act carefully in
defining who and how the Netguard members are qualified and
enlisted. We must be certain that the mechanism created to
assist does not introduce new vulnerabilities, competitions or
confusion. The urgency to get this infrastructure in place must
be tempered with the need to get it right.
Within the great State of Oregon, industry and government
are working together to create a consortium called Oregon
RAINS, which stands for the Regional Alliance for Information
and Network Security. I believe this effort could serve as a
model for other states to organize their cyber resources.
Oregon RAINS will be hosting Richard Clarke and other officials
for a review of this important program in Oregon in early June.
In summary, I am in strong support of both these important
acts as they enhance the underpinnings required to address many
of these obstacles and challenges. They will enable us to work
together more effectively to improve our cyber security
capabilities, as well as to ensure we continue to advance the
state-of-the-art development of our cyber capability.
Thank you, Mr. Chairman, and I would welcome any questions.
[ The prepared statement of Mr. Starnes follows:]
Prepared Statement of W. Wyatt Starnes, President and
Chief Executive Officer, Tripwire, Inc.
Good afternoon Mr. Chairman and Members of the Committee. My name
is Wyatt Starnes, a founder, CEO and president of Tripwire, Inc. I have
followed with great interest the activities of the federal government
at this very critical time in our nation's history. I would like to
commend this Subcommittee, led by Senator Wyden and Senator Allen, and
their staff, in directing focus on the critical issues of Cyber-risk
and Cyber-security.
I appreciate the opportunity to present before this Committee
today.
For the past decade, the technology that is Tripwire has focused on
data integrity assurance as a means to achieve higher levels of
security, control, availability, and reliability of computing systems.
Our focus has been on protecting critical computing infrastructure
within the commercial and government sectors. Tripwire software has
been deployed on hundreds of thousands of systems worldwide, including
many inside of this building.
At Tripwire, we understand the importance of being able to rapidly
detect, assess, and appropriately respond to threats, risks and even
accidental changes to critical systems. Intrusions, computer viruses,
logic bombs, hackers, ``worm'' programs, and badly written software can
all lead to compromise, alteration and destruction of crucial
information. Assuring the integrity and control of the ever-expanding
digital infrastructure is crucial to our nation's financial viability
as well as its safety and security. We understand that to fully manage
the risks associated with maintaining information resources requires
exerting positive control: our products enable that level of control.
It is as an information security professional and business leader--
as well as a citizen--that I am here before you today to discuss the
security and control of our nation's cyber-infrastructure, and why I
have concluded that both Senate bill 2182, the ``Cyber Security
Research and Development Act'' and Senate bill 2037, the ``Science and
Technology Emergency Mobilization Act'' represent positive steps
forward to safeguard our nation's somewhat fragile digital
infrastructure.
Relative to Senate bill 2182, our company understands the
importance of supporting and funding research within the university
system. After all, our core technology was initially developed at
Purdue University almost ten years ago under the direction of Professor
Eugene Spafford. We later obtained the commercial rights to the
technology and have built upon the Purdue work to create high-quality,
commercial data integrity assurance solutions that are in wide use
around the world, including prominent usage within most branches of the
U.S. Government. Other fundamental information security technology,
including security scanners, firewalls, VPNs, and intrusion detection
systems all have roots in academic research at Purdue and elsewhere.
It is important to note that a considerable amount of this
technology was developed without federal support, and often without any
external support at all. Research efforts over the last decade
conducted at leading universities such as Purdue have been supported
almost entirely by small corporate contributions. Unfortunately, there
has been no federal support for the kind of long-term and center-based
research that is being conducted. We can only speculate at the
solutions we might have in hand for today's problems had these
researchers been supported at a more appropriate level.
Because of market pressures, including the recent economic
downturn, industry support for leading academic programs with long-term
vision has suffered. This scarcity of dollars has reduced the capacity
of most academic programs, and may even threaten the existence of a few
at a time when we are beginning to realize their importance. The small
quantity of funds available, and their dominance by industry, tends to
cause researchers to focus on ``quick fix'' patches instead of more
fundamental solutions to society's cyber-weaknesses.
Consider:
There are too few students studying cyber-security needs and
issues;
Too little is being spent to drive the technological
research required to fight a war on the cyber-battle ground;
There are too few researchers advancing the state of
technology within the university system.
There are not enough trained professors to develop and teach
the courses to train a new generation of information security
professionals.
Unless something significant changes, these problems may continue
or worsen despite the best efforts of those of us working in cyber-
security.
It is also necessary to provide mechanisms to allow public
universities to accept equity from private industry in order to
effectively capitalize on technology developed with public funding.
Some states, including Oregon, currently limit or prohibit these
transactions. Oregon is moving aggressively to remove these
restrictions with a ballot initiative to change the states
constitution. This effort has been largely driven by the private
sector. We urge other states to begin the important processes to
reverse restrictive provisions relating to technology transfer by and
between public Universities and the private sector.
We support Senate bill 2182 as it provides a means to address these
issues by creating and funding programs to stimulate new cyber-research
and development. This should help to ``prime the pump'' enhancing our
ability as a nation to stay ahead in the development of critical cyber-
protection technologies.
There is no doubt that leading firms such as Tripwire will respond
to immediate security needs by government and society at large. But we
also believe it is vital that government take a role in ensuring that
the creative minds in leading universities such as Purdue have the
resources to work on the solutions we will need a decades from now,
too.
Does this solve all our problems? No. The problem extends beyond
university funding. We must enhance the coordination among state and
federal government, the academic community, and private industry.
From my perspective as the CEO of a commercial company, we
routinely see the desire and need for government and commercial
entities to enhance their security processes. In many cases, especially
within the government sector, the requirements to `upgrade' critical
systems come months or even years before the funding becomes available.
It is in these critical gaps that our cyber-vulnerability as a nation
is the greatest.
I urge the Congress to be aware of these gaps. Somehow, we need to
find ways for government to operate in ``Internet Time'' when faced
with bridging these gaps and expedite approvals and funding to address
them.
Another area I would like to comment on are the issues of National
and local coordination and cooperation. During the aftermath of the
events of September 11, we've all heard stories of companies and
organizations with the desire and expertise to help government
agencies. However, they found there were limited cross-agency
mechanisms to coordinate this interest and well-intended response.
I am convinced we should learn from these experiences as the same
sorts of challenges exist when dealing with threats and incidents of a
``cyber'' nature.
This leads me to offer my comments on Senate bill 2037, the
``Science and Technology Emergency Mobilization Act''. I believe that
this legislation can help by establishing a structure within the
``National NetGuard'' framework to enable the public and private
sectors to work together more effectively when cyber-events threaten
our country's electronic infrastructure.
This act intends to create an organized process and control
structure to allow private sector to provide the appropriate assistance
in times of need, as well as a mechanism for the government to quickly
locate and request assistance from qualified individuals within the
private sector.
These capabilities are useful to enable the country to react
quickly and appropriately to cyber-security issues, particularly when
they impact our national infrastructure.
While I am supportive of the concept reflected in Senate bill 2037
I urge the Committee to think and act carefully in defining who and how
the NetGuard members are qualified and enlisted. We must be certain
that the mechanism created to assist does not introduce new
vulnerabilities, competitions, or confusion. The urgency to get this
infrastructure in place must be tempered by the need to `get it right'.
Within our great state of Oregon the Private Sector is marshaling
its resources to address these gaps at a local level. The Oregon
Regional Alliance for Information and Network Security, or RAINS, is a
consortium of private and public sector organizations and individuals
forming around the following mission:
To contribute to U.S. defense and Homeland Security by
providing solutions to critical cyber-security problems, and
To expand Oregon's cyber-security cluster, creating jobs,
cultivating technical innovation and education, and improving
the state's economy.
I believe that this model can be extended nationally and dovetail
with the initiatives proposed in Senate bill 2037. The Oregon RAINS
project will be hosting Richard Clarke and other federal officials in
Oregon to present this project on June 5-6, 2002.
Comments on Homeland Security
What the Committee is addressing today could be included under the
rubric `Homeland Security'. I think it important to remember that many
of the weaknesses in our infrastructures that we are concerned about
today were identified by experts in academia, industry and government
decades ago. Those warnings were not heeded because they involved
additional appropriations and regulation that were not seen as having
an immediate effect. Thus, we are now faced with an urgent need and
much larger economic and social cost to retrofit solutions--including
some of dubious effectiveness--into everything from communication to
transportation to power distribution.
Experts have likewise been warning for years that our information
infrastructure is at risk and that insufficient investment is being
made in research, education, and deployment of safeguards. I believe
that proactively allocating and expediting significant funding to
enhance our National digital infrastructure before there is a major
breach would be very prudent.
Summary
In summary, I am in strong support of this important legislation as
it enhances the underpinnings required to address many of these
obstacles and challenges. It will enable us to work together more
effectively to improve our cyber-security capabilities, as well as
ensure that we continue to advance the state-of-the-art with regard to
protecting our cyber-infrastructure.
Thank you and I welcome any questions from the Committee.
Senator Wyden. Wyatt, thank you. That is very helpful. I
commend you for all of the innovative work you all have done,
and of course, Oregon RAINS really is a pioneering effort. As
you know, we have worked very closely with them in our efforts
to try to move the legislation we are considering today. We are
glad you are here. We will have some questions.
Mr. Hira, welcome.
STATEMENT OF RONIL HIRA, INSTITUTE OF ELECTRICAL AND
ELECTRONICS ENGINEERS (EEE)-USA
Mr. Hira. Thank you, Mr. Chairman. Good afternoon. I wanted
to thank you, the Ranking Member, and distinguished
Subcommittee Members for inviting me here today. My name is
Ronil Hira, and I am here on behalf of the 235,000 U.S. members
of the Institute of Electrical and Electronics Engineers.
I am the chair of the IEEE-USA, which is our acronym here,
the IEEE-USA's Research and Development Policy Committee. Our
members are electrical, electronics, computer and software
engineers who work in government, industry, as private
consultants, as well as professors and students in
universities.
We at IEEE-USA applaud the Subcommittee's efforts to
address shortfalls in two critical areas related to homeland
security today, disaster response and mobilization, and cyber
security research and development. I think it is pretty
axiomatic that technology is driving society, but it is also
becoming pervasive within society in making things more and
more complex. At the same time, we have an increase in terms of
the threats and vulnerabilities to outside threats.
Fortunately, the United States has the largest and best-
qualified pool of technological experts and the most
sophisticated technology and communications equipment in the
world. The challenge, however, is in coordinating the response,
finding the necessary experts and supplies, and getting them
into play as quickly as possible. For this reason, IEEE-USA
strongly endorses the objectives of S. 2037, the Science and
Technology Emergency Mobilization Act.
Technology evaluation and standards are important elements
in any implementation, but they are really critical elements in
any disaster recovery program, and I am glad to see that is
being addressed here. In addition, interoperability is
obviously critical in those disaster recovery programs. I do
not think you have to be an American politics scholar of Alexis
de Tocqueville to know and recognize the degree to which
volunteerism and voluntary organizations are important in the
U.S., so I am glad that S. 2037 does address that.
In regard to S. 2182, the Cyber Security Research and
Development Act, we were supporters of the legislation when it
was introduced the House, H.R. 3394. A couple of points on
that. It is not the case that cyber security and computer
security has not been going on. Really, the issue is the scale
in which it has been going on. There are clients such as
military, financial services, who are very concerned about it
and have addressed computer security to whatever degrees.
The real issue becomes, to what degree is computer security
impacting all of technology development, software development,
and so on and so forth, and we believe that this bill will help
to address that.
The point is not just to advance the state-of-the-art, but
is to advance the state of the market and the state of the
practice that is out there, and we believe S. 2182 is
comprehensive enough to get us in the right direction moving
toward that. It includes industry, government, and universities
working together. You are going to get incremental gains, but
you are also going to push the frontiers of cyber security. For
those reasons, we are pleased to support S. 2182, and I look
forward to any questions you might have.
[The prepared statement of Mr. Hira follows:]
Prepared Statement of Ronil Hira, Institute of Electrical and
Electronics Engineers (EEE)-USA
I would like to thank the Chairman, Ranking Member and
distinguished Subcommittee Members for inviting me here today. My name
is Ronil Hira, I am here on behalf of the more than 235,000 U.S.
members of The Institute of Electrical and Electronics Engineers. I am
the chair of IEEE-USA's Research and Development Policy Committee. Our
members are electrical, electronics, computer and software engineers
who work in government and industry, as private consultants and are
professors and students in our universities.
We at IEEE-USA applaud the Subcommittee's efforts to address
shortfalls in two critical areas related to homeland security: disaster
response and mobilization, and cyber security research and development.
As the nation becomes more dependent upon technology in nearly every
aspect of our lives, the level of vulnerability to technological
disruption rises accordingly, as does the potential impact that
disruption has on our lives. As we saw with the problems that became
apparent following the attacks of September 11, the promptness and
quality of the technological response to terrorist attacks or natural
disasters could mean the difference between life and death.
Fortunately, the United States has the largest and best-qualified
pool of technological experts and the most sophisticated technology and
communications equipment in the world. The challenge, however, is in
coordinating the response, finding the necessary experts and supplies
and getting them into place as quickly as possible.
For this reason, IEEE-USA strongly endorses the objectives of the
S. 2037, the Science and Technology Mobilization Act. The concept of
organizing to focus the nation's technology resources to address the
response to terrorist attacks and other emergencies is an important
ingredient in a robust homeland defense. As a result of the attacks,
local governments are renewing their efforts to design disaster-
recovery plans. Many entities have put in place emergency communication
plans and have taken steps to ensure optimal use of other technologies.
For example, uninterruptible power supplies are now coming into common
usage.
We strongly concur with Office of Science and Technology Policy
Director, Dr. John Marburger's recommendation encouraging voluntary
preparedness among organizations, including implementing IT disaster-
recovery procedures as well as promoting standards for coordinating
disaster-recovery responses. This may well fit into the charter of the
National Institute of Standards and Technology; however, IEEE-USA does
not take a position on which governmental agency should be charged with
overseeing the overall program envisioned by the legislation We do feel
that NIST, if designated, and industry can work within the framework of
a center for civilian homeland security technology evaluation as
envisioned by the legislation to develop standards and protocols to
serve as models for local disaster-recovery programs. The standards can
not only enable optimal use of technology within a local environment,
but can allow for sharing of resources to respond to a regional
disaster.
The infrastructure reliability advisory board as described in the
legislation can work with the center to define best practices on how to
make technology and communications infrastructure less vulnerable. This
will enable the board to make recommendations on all aspects of
deployment of emergency response and recovery of technological and
communications systems.
We urge caution in proceeding to establish the National Emergency
Technology Response Teams. It is important to recognize that
communication and other technological systems can be extremely
complicated, requiring not only general knowledge of the technical
factors but also specific knowledge of the system under stress. This
may only be available in the company and its vendors that installed the
system originally. Furthermore, if a local government has a sound
disaster-recovery program, it may not be feasible, and could be
counter-productive, to attempt to bring in teams that have not been
integrated into the established program.
One valuable service that the U.S. government can perform is to
evaluate and critique local disaster-recovery programs. This could
consist of plan review and test observation. The government has many
agencies with expertise in this kind of service.
In regard to S. 2182, the Cyber Security Research and Development
Act, IEEE-USA has been a strong supporter of this legislation since the
companion bill was introduced in the House of Representatives. There
are many excellent provisions in this bill. I would like to highlight
one in particular. The Chairman, and author of the legislation, has
done a remarkable job in understanding the richness of our research
enterprise and symbiotic relationships. Specifically, the bill includes
research that will be conducted in universities, government and
industry. Each of these institutions brings something important to the
table when it comes to research.
In addition, the bill recognizes the importance of training future
professionals. While some of these folks will become cyber security
researchers and professors, many will become cyber security
practitioners. The purpose of research is not only to advance the state
of the art, but also to ultimately advance its application in the
marketplace. Only through all of the mechanisms in this bill will we be
able to achieve both. In order to advance the state of the art and the
state of the market, we need to advance the state of the science in
cyber security. Systematic research is the way in which the cyber
security profession can codify its lessons learned, develop its common
language, and most importantly, advance the practice of cyber security.
IEEE-USA is pleased to support S. 2182, which will pay dividends
not only for protection against cyber terrorism, but also for commerce
and personal privacy.
Thank you very much.
Senator Wyden. Mr. Logan.
STATEMENT OF JEFFREY LOGAN, BUSINESS DEVELOPMENT MANAGER, M/A-
COM, INC., WIRELESS SYSTEMS
Mr. Logan. Thank you, Chairman Wyden, Senator Allen, and
other distinguished members of the Science, Technology, & Space
Subcommittee. It is an honor to have this opportunity to appear
before you today and assist your efforts in strengthening our
nation's information infrastructure and improve our capability
to respond and recover from terrorist attacks and other
emergencies.
I am Jeffrey Logan, business development manager for M/A-
COM Wireless, Incorporated. M/A-COM Wireless Systems is
currently deploying fully interoperable statewide public safety
radio systems in Pennsylvania and Florida. We have recently
been selected to provide county communications systems in the
Oakland County, Michigan, and city communications for San
Antonio and Oklahoma City.
Our company is a world leader in the development and global
manufacture of radio components and network solutions for the
wireless telecommunications industry. I appreciate this
opportunity comment on S. 2037, the Science and Technology
Emergency Mobilization Act, regarding recommendations for
ensuring that emergency officials and first responders have
access to effective and reliable wireless communications
capability, and the establishment of state pilot projects aimed
at achieving interoperability for emergency preparedness.
One of the key concerns for first responders is
interoperability. Lack of interoperability occurs when public
safety personnel respond to the same emergency but cannot
communicate with each other because they have an incompatible
radio system, or they are on different frequencies. Lack of
interoperability wastes time, wastes effort, and it can risk
lives. Safety of life and property can only be assured when
public safety agencies can easily communicate with each other.
All too often the different systems they use would preclude
them from communicating at all.
Agencies must have high-quality communications at their
disposal to ensure effective and timely coordination during a
disaster. Recent high profile incidents, coupled with the
events of September 11, have drawn into sharp focus the need
for voice radio interoperability. Interoperability is both a
technology and management challenge. S. 2037 should include
consideration of training, organization, coverage, funding,
frequency availability, and incident coordination.
It is our recommendation that state pilot projects should
include both technical and nontechnical considerations, as well
as new approaches to policy in the development of interoperable
solutions. A number of states have already made significant
headway toward interoperability. The establishment of state
pilot programs should build on many of the innovative
communication technology advances already achieved in states
such as Pennsylvania, Maryland, and Florida.
What is the best way to achieve interoperability for our
nation's first responders? One solution would be to require
state and local government to replace today's fully functioning
radios and infrastructure with new equipment that would be
based on a single standard. FEMA has estimated the cost to
pursue this course to replace all our nation's public safety
radios to be in excess of $40 billion. Creating a single radio
system standard does not necessarily solve interoperability.
Several operational issues, including sufficient communications
spectrum and channel management, would still be needed to be
resolved.
We do agree, Dr. Hoffman, however, that standards should be
encouraged, particularly in the area of networking standards,
such as established Ethernet and TCIP protocols. An alternate
approach, we feel the best approach to our interoperability is
to connect existing systems into regional, statewide, and
national systems which would provide multiagency
interoperability without requiring different agencies to
purchase new radio equipment. This could be done for a fraction
of the cost.
Interconnecting or networking existing systems is the
quickest and most cost-effective way to deploy. This is because
the network supports all existing radio infrastructure,
allowing agencies to use radios, repeaters, and frequencies
already in place. We think this makes sense in order to
optimize the President's $1.3 billion first responder
interoperability budget, leveraging this money to as many
communities as possible.
A good example of pioneering interoperability is underway
right now in a statewide system in Pennsylvania. In 1995,
Governor Tom Ridge and Lieutenant Governor Mark Schweiker came
into office. They inherited an antiquated radio system. The
existing network was more than 20 years old, and becoming
impossible to maintain. In fact, it really was a patchwork of
several incompatible systems. As a result, Governor Ridge has
replaced this with a fully interoperability statewide
communications system.
In conclusion, I would like to commend to the Members of
the Subcommittee for their legislative efforts to enhance the
security of the nation's infrastructure and our ability to
respond to national emergencies. Lack of communications
interoperability is not a new condition. We have two ways to
address interoperability. One solution would be to replace
today's fully functional radios and infrastructure with a cost-
prohibitive solution. A second and alternate approach would be
to connect existing systems in a way that we could leverage
fully functional systems to our benefit.
Thank you for the opportunity to appear before you today. I
would be pleased to answer any questions you may have.
[The prepared statement of Mr. Logan follows:]
Prepared Statement of Jeffrey Logan, Business Development Manager,
M/A-COM, Inc., Wireless Systems
Thank you, Chairman Wyden, Senator Allen, and other distinguished
Members of the Science, Technology, and Space Subcommittee. It is an
honor to have this opportunity to appear before you today and to assist
in your efforts to strengthen our nation's information infrastructure
and improve our capability to respond and recover from terrorist
attacks and other emergencies.
I am Jeffrey M. Logan, Business Development Manager for M/A-COM
Wireless Systems Inc. M/A-COM Wireless Systems is currently deploying
fully interoperable statewide public safety radio systems in
Pennsylvania and Florida. We have also recently been selected to
provide county communications systems for Oakland County Michigan, and
city communications for San Antonio and Oklahoma City. Our company is a
world leader in the development and global manufacture of radio
components and network solutions for the wireless telecommunications
industry. Additionally, M/A-COM Wireless Systems is supported as a
wholly owned unit of Tyco International, the world's largest
manufacturer and servicer of electrical and electronic components.
I appreciate this opportunity to comment on S. 2037, the Science
and Technology Emergency Mobilization Act, regarding recommendations
for ensuring that emergency officials and first responders have access
to effective and reliable wireless communications capabilities and the
establishment of state pilot projects aimed at achieving
interoperability for emergency preparedness agencies.
The Pursuit of Interoperability
One of the key concerns for the first responders (police, fire,
EMS) is interoperability. Lack of interoperability occurs when public
safety personnel respond to the same emergency but cannot communicate
with each other because they operate on incompatible radio systems or
on different frequency bands. Lack of interoperability wastes time,
wastes effort, and can risk lives. Safety of life and property can only
be assured when public safety agencies can easily communicate with one
another. All too often, the different systems they use preclude them
from communicating at all. Agencies must have high-quality,
interoperable communications at their disposal to ensure effective and
timely coordination of disaster responses. Recent high-profile
incidents, coupled with the events of September 11, have drawn into
sharp focus the need for voice radio interoperability both for routine
day-to-day use and during emergencies.
``So poor were communications that on one side of the trade center
complex, in the city's emergency management headquarters, a city
engineer warned officials that the towers were at risk of ``near
imminent collapse,'' but those he told could not reach the highest-
ranking fire chief by radio. Instead, a messenger was sent across
acres, dodging flaming debris and falling bodies, to deliver this
assessment in person. He arrived with the news less than a minute
before the first tower fell.'' \1\
---------------------------------------------------------------------------
\1\ Jim Dwyer and Kevin Flynn ``Before the Towers Fell, Fire Dept.
Fought Chaos'' The New York Times, January 30, 2002, pp. 1.
---------------------------------------------------------------------------
Achieving Interoperability
Interoperability is both a technology and a management challenge.
Consideration should include training, organization, coverage, funding,
frequency availability and incident coordination. It is our
recommendations that state pilot projects should include both technical
and non-technical considerations, as well as new approaches to policy,
in the development of interoperability solutions. A number of states
have already made significant headway toward interoperability. The
establishment of state pilot programs should build on many of the
innovative communication technology advances already achieved in states
such as Pennsylvania, Maryland and Florida.
What is the best way to achieve interoperability for our nations First
Responders?
One solution would be to require state and local governments to
replace today's fully functional radios and infrastructure with new
equipment that would be based on a single radio system standard. FEMA
has estimated the cost to pursue this course to replace all our
nation's public safety radio systems to be in excess of $40 billion.
Creating a single radio system standard does not necessarily solve
interoperability. Several operational issues including sufficient
communications spectrum and channel management would still be needed to
be resolved. However, networking standards such as established Ethernet
and TCIP protocols should be leveraged to enable network-to-network
communications and voice over IP applications. An alternate approach to
interoperability is to interconnect existing systems into regional,
statewide or national systems, which would provide multi-agency
interoperability without requiring different agencies to purchase new
radio equipment--for a fraction of the cost to replace all in-service
radio systems. Interconnecting or networking existing systems is the
quickest and most cost effective to deploy. This is because the network
supports all existing radio infrastructure, allowing agencies to use
radios, repeaters and frequency allocations that are already in place.
We think this makes sense in order to optimize the President's proposed
$1.3 billion first responder interoperability budget to as many
communities as possible.
Best Practices
A good example of pioneering interoperability is underway right now
on a statewide system in Pennsylvania. Back in 1995, when Governor Tom
Ridge and Lt. Governor Mark Schweiker came to office, they inherited an
antiquated radio system. The existing radio network was more than 20
years old and was becoming impossible to maintain. In fact, it really
was a patchwork of several incompatible networks serving 23 state
agencies. Former Governor Ridge recognized that the outmoded, stand-
alone radio systems limited communications between state agencies and
local government, particularly during emergencies. It also squandered
opportunities for cost savings through shared equipment purchases and
mutual aid agreements.
As a result, in 1996, Governor Ridge launched a multi-year project
to modernize and unify state agencies' two-way radio systems. M/A-COM
was selected to provide the radio equipment for the project utilizing
IP network technology.
This year, when the new system is fully deployed, it will tie
Commonwealth agencies and participating local governments into a
single, more reliable, high-capacity radio network. A key advantage of
the new radio network is that state and local government will be able
to communicate with each other through voice over IP networking
technology. Additionally, system elements, such as radio towers and
transmitters, will be shared across state agencies, thereby holding
down costs. Most importantly, the new system will greatly enhance first
responders' ability to respond to emergencies quickly and in a
coordinated manner. In fact, Pennsylvania's new radio network,
completed under Governor Mark Schweiker, will be the first truly
interoperable statewide voice and data public safety radio system in
the entire country.
Conclusion
In summary, I commend the Members of the Subcommittee for their
legislative efforts to enhance the security of our nation's
infrastructure and our ability to respond to national emergencies. Lack
of communications interoperability is not a new condition. We have two
ways to address lack of interoperability. One solution would be to
replace today's fully functional radios and infrastructure with new
equipment at a prohibitive cost and years of deployment. An alternate
approach is to connect existing systems together using voice over IP
networking technology, immediately and affordably. M/A-COM Wireless
Systems, Inc. stands ready to support government research and
development in this area.
Thank you for the opportunity to appear before you today. I would
be pleased to answer any questions you might have.
Senator Wyden. Thank you, Mr. Logan. Let me start with you,
if I could, Dr. Strawn. Some of the information security
experts today are painting a bleak picture. They paint a dire
picture of the current state of the discipline. They say there
are only about 100 professors. There are only a few centers.
There are only a handful of Ph.D's in information sciences, and
suffice it to say, this is what the Congress is seeking to
address.
Now, you discuss the need for more researchers in the area
of course in your testimony. S. 2182 addresses the problem by
increasing the investments in research and training generally.
This relates to information security. In your view, how long
would it take, with this legislation, to start seeing some
tangible improvements in these numbers?
Dr. Strawn. I think several years would show some pretty
good progress. We have the experience of this first year of our
Trusted Computer program, small as it is, which did show that
the professoriate in computer science responded to turn its
attention increasingly to this area, and so I think additional
support and focus can be a very valuable way of building up the
size of the professoriate and the size of the student body that
will attack these problems.
Senator Wyden. And how long do you think it will take
before our country sees tangible improvements in the research
that is undertaken in the information security field? There are
two things we have to do here. We have to deal with the
shortage of professors, and we have to beef up the research
that is undertaken in the field. Tell me about tangible
improvements.
Dr. Strawn. I think there are opportunities both for short-
term research benefits and for the long-term research benefits.
As the words express, of course, it will take longer for the
long-term understanding to filter into technologies and
services that I think will ultimately provide the best
solutions, but I think we have observed that already there are
developments in the private sector and by the professoriate
some very good steps, intermediate steps, let us say, to
improve our security; and solutions range all the way from
broader education to train new work force members to putting
into place services and security products and processes that we
already know about but have not had as much success getting
into broad use as we would like.
In a certain sense, that requires a certain amount of
social science research as well to understand better how we can
put what we know into practice more quickly.
Senator Wyden. Tell me what you believe to be the most
important areas that warrant further research and examination,
and why. Take two or three, for example, of the areas that you
think are the most important from the standpoint of research
and information security, tell me what those areas are, and
why.
Dr. Strawn. I will do that with the caveat that NSF's
approach usually is to ask the research professors who we work
with what are the most promising areas they find, and then when
their peers are able to look at those proposals and tell us
that these are the really promising areas, then we feel very
comfortable that, having the smartest friends in the world, we
know what we are talking about.
Some of the things we have already been told and that I
certainly agree with is the importance of looking at the whole
picture. As I said before, secure components do not a secure
system make; and science has very frequently progressed in
great ways by dividing and conquering, looking at small
portions of a subject and knowing more and more about it.
Security is really a different sort of a beast, in that we
must keep a system focus. We must develop the science of the
whole system in order to make sure that secure systems will
result from secure components, and so I think that is probably
one of the most important technical areas.
I think a second is the interdisciplinary problem of
finding how we can more rapidly introduce advances once we have
made them: enabling our organizations to accept beneficial
changes more rapidly. We have been working with our social
scientists quite a bit in the last several years looking at
these types of interdisciplinary problems. I think in the short
term that could be a very valuable step.
Senator Wyden. Any other areas?
Dr. Strawn. Those are the first two that come to mind.
Senator Wyden. Dr. Hoffman, do you want to try that one,
too? What are the most important areas, in your view, for
information security research? Give me, if you would, two or
three, and tell me why you think that is the case.
Dr. Hoffman. Well, you are asking a tough question when you
say limit it to two or three, but I will attempt to limit it to
two or three.
I would agree that absolutely the most important is to have
a big picture, and to look at interdisciplinary research,
because when you are dealing with computer security you are
tying together disciplines of computer science, electrical
engineering, management, forensics, law, and various practices,
and all sorts of other things, so it is not only a
technological solution. Computer security involves a lot of
areas, and they are not only technological, so the
interdisciplinary part, including public acceptance, including
market acceptance, is very important, so that is one, okay.
You said two or three. I will give you two others.
Architecture. I think we have been using the same computer
architecture effectively linked together in networks, for about
50 or 60 years. There may be other architectures that could be
looked at that could help protect--separate data from programs
in a way that would very much enhance security, so computer
architecture is another area.
Finally, as I mentioned in my testimony, wireless. In the
not-too-distant future we are going to have very many more
wireless devices than we do now, and, as usual, utility is
going to trump security the way we are going now.
Unfortunately, this is going to lead to some security problems,
unless we really get a handle on the existing wireless
situation and deal with it whether it is in the wireless
devices or in network protocols, or whatever.
Senator Wyden. So what do you think the wireless issues
are?
Dr. Hoffman. What do I think the wireless issues are? There
are a bunch of them. For one thing, the existing protocols have
been shown to be not sufficient for security. In addition, when
they are connected together you have all sorts of applications
that are going to be developed using wireless. Take one
example, intelligent vehicle systems. If people are driving
along or being transported along in squadrons of intelligent
vehicles, and the vehicles are communicating with each other,
they have to be authenticated, authorized, and at the same time
there are privacy issues involved as well. That is just one
example.
Senator Wyden. Let us return, then, to you Dr. Strawn, and
compare, if you would, the cyber security program that you have
now against S. 2182. The program that you have now, research
includes a scholarship for service program that provides
scholarships to undergraduates and graduate students that study
computer security. Then they have to serve the federal
government, obviously, for a couple of years. What do you see
as the big differences between your current program, the
scholarship for service program, and what is envisaged in the
Senate and House bills?
Dr. Strawn. I would say that what we are doing now has some
great similarities to what is proposed in the bills, and the
major difference is scope and size. The work that we are doing,
as I mentioned in my testimony, is on the order of $10 million
a year investment, and I observe that the bills propose roughly
an order of magnitude increase.
Senator Wyden. Tell me what you think the lessons are with
respect to what science and technology can do in emergency
response and homeland security after September 11. I mean, my
sense, and what has really drawn me into this cause, is that
there is a chance to mobilize a generation, a generation that
was raised on digital technologies that wants to contribute,
wants to help. We have been struck by how many companies and
individuals are willing to come forward and say, as long as the
government does not waste my time, I am going to pitch-in.
People from Intel, for example, do not want to spend a lot
of time standing around, and unfortunately, in the effort to
respond on September 11, some of those private sector efforts
were wasted. So, one of the lessons I have learned from
September 11 is that I think there is a chance to mobilize a
huge number of people with expertise in IT and expertise in
various scientific areas, and harness that energy and talent
and bring it to bear. But, I would like to have you tell me
what you think the lessons with respect to the role of
government can play now in science and technology policy to
both prevent and respond to the kinds of problems we faced on
September 11.
Dr. Strawn. First of all, I agree with everything you have
said in terms of some lessons to be taken away from it, that we
have had a terrible wake-up call, and it focused the energies
of the nation in a way that we now must turn to positive
results.
One of the areas, as I mentioned previously, that we are
concerned about is that not enough faculty have been
specializing in security research. I think this situation has
produced in students and faculty alike more of a focus on the
importance of cyber security, and if we can respond properly to
that increased interest, it will be much to our benefit to do
so.
I would also mention in support of Professor Hoffman's
comment about computer architecture, and as mentioned in my
written testimony, computer security was an add-on to the
original design of information processing systems. We weren't
thinking as much about that in the early fifties as we are now,
50 years later, and many of our researchers have suggested that
a great, fundamental research opportunity would be to go back
and rethink the fundamental design of information processing
systems with security as a design criterion and requirement,
rather than a later add-on to be patched on the side.
Senator Wyden. That is what you would call a big lesson.
That will be a big exercise, but I think you are right. I think
that is really something that the government ought to be
researching, and I think that is a thoughtful answer. Why do we
not just go down the panel at this point, and I would be
interested--we can start with you, Dr. Hoffman, then go to
Wyatt, but tell us, if you would, what you think the experience
of September 11 says in terms of lessons for science and
technology policy as we try to both respond and prevent these
terrorism problems.
Dr. Hoffman. Well, one thing it indicated to me was the
importance of thinking ahead, and the importance of then acting
on the lessons. To give you one example, we routinely teach
exercises, and the George Washington University has about seven
courses in the Computer Science Department, and another seven
or eight in the Engineering Management and Systems Engineering
department dealing with computer security information
assurance, and related topics.
Many of these courses deal with vulnerability assessment,
and we do scenarios. We actually run--one of my favorites is
one developed by the Rand Corporation called The Day After,
where you basically sit up a situation, say, 2 years hence, in
2004. You say, here is the situation on the ground. One bad
thing happens, another bad thing happens, and you expose
students to this, and in essence they cannot deal with it. It
is sort of a classic in-box exercise, although worse, and then
they go back to 2002, to today, and say, okay, what should we
do now, and that is in essence what you are doing.
I think the most important thing learned is, if we had been
able to more put into effect those actions which we had dealt
with in the classroom in real life on September 11, then
September 12 we would have been much better off, so just
getting people to think that way is the first step, and then
getting action plans developed is the next one.
Senator Wyden. Mr. Starnes.
Mr. Starnes. Yes, Mr. Chairman. I think there are a number
of issues that came as a result of learning from September 11.
Speaking to the positive side of technology for a moment, there
were many systems, Internet systems, wireless systems that were
still operable and played a very important role throughout the
unfolding of September 11, even with that as a factor.
Senator Wyden. I think it is striking none of the satellite
systems had problems. All of the satellite systems worked.
Mr. Starnes. And a fair amount of interconnect was still in
place, and for a while the only communication some people had
was via the electronic non-analog infrastructure, which I think
is striking. There were also major vulnerability points, major
hubs of connectivity that even though we thought they were
redundant hubs, we did not plan for the magnitude of the damage
that was done.
But speaking to the broader issue of the short-term issues,
long-term issues, I am coming at this from a commercial angle,
which is a slightly different angle than my colleagues on the
academic side. The way we see spending in cyber security, it is
sort of the spray paint, the moving car problem. In other
words, we are trying to get to a destination, and we are trying
to get their fast, but we have got to get paint on the car
along the way. In other words, we have to protect ourselves
while we are getting there, so we really need to divide our
thinking into two areas.
We have some short-term issues we need to deal with, and
there are evolving technologies in the form of data integrity
assurance and intrusion detection and other technologies that
play a valuable role. At the same time, we need to develop a
longer-term view of how technology should be constructed in a
world where we have the bigger security issues now than we
anticipated when the original designs were done, as Dr. Strawn
said, many years ago.
So I think we have to move in parallel. We have to give
money to government, to commercial industry to protect
themselves now. At the same time, we feed money to universities
to begin to reverse the course of the attrition we have seen in
the cyber research and cyber security arena, and I think both
of those paths have to be moved on in parallel.
Senator Wyden. Mr. Hira.
Mr. Hira. Mr. Chairman, I think the major thing that came
to my mind was really the vulnerability, but also the human
dimensions that are involved in technology and how dependent
that we have, really the average person has become on
technology, and the fact that we open the cell phone and we
expect it to work, and so I really think that the major lesson
there was that the systems were not designed for this kind of
event in mind, and we have to rethink the way we design these
products so that we accommodate new criteria. It has really
changed the criteria to which we have to design these products.
Senator Wyden. Mr. Logan.
Mr. Logan. Mr. Chairman, I believe--three major areas of
lessons learned with regard to wireless. We are also a private
company, and certainly recognize the President's budget that is
being proposed for first responders, as many private companies
do, but we also recognize there is a lot of competition for
that money, and we have to be very smart in how we apply those
funds to curing the problems.
With regard to interoperability, we could certainly apply
money in a way that would maybe have new equipment, but the
equipment in the end still could not talk to each other. We
need to consider how we can interconnect our existing
infrastructures in a way that people can communicate. We have
to look very hard at training and invest in training, because
when these events happen, as all the first responders' reports
have said, training, and preparation upfront, the technology
alone will not provide the answer. It has to work in concert
with the technology.
I guess the third item would be where we have various first
responders showing up to an event, trying to communicate with
each other, not having the ability to have coverage, so I think
as we look at this bill, as we can apply moneys to providing
mobile coverage, bringing communication to the site and the
scene of an incident would go a long way in solving future
problems.
Senator Wyden. Very good points, and we are struck by what
both you and Mr. Hira have talked about, the human dimension of
all of this. I think our hearing where we heard from the head
of the fire fighting effort at the Pentagon, and we had people
hand-carrying messages in to firemen, little snippets of paper,
hand-carrying them in. I am glad you two brought it back to
people, because it is important, and wireless can make a real
difference in that area.
Let me, if I might, turn to this question of how we are
going to mobilize the volunteers, and Dr. Strawn, you are
welcome to participate in this as well. You have heard me
comment on this, that the Administration is being very helpful
in terms of working with us. It has not fully developed a
position, but you are welcome nonetheless to offer your ideas
and thoughts here on the strategic technology reserve. I will
initially direct this to Dr. Hoffman and Mr. Starnes.
What we want to do is say, ``Look, in this country we have
got a strategic petroleum reserve, so that when there is a
crunch with respect to energy, we are in a position to address
that.'' What I envisage is something along the lines of a
strategic technology reserve, so all across this country, when
faced with bioterrorism efforts or other sorts of dire kinds of
threats and problems, it is possible to mobilize people and
equipment fairly readily, and some of this does not strike me
as particularly hard and cumbersome to do.
For example, we were struck how in most communities, for
example, there is not even a list of people who would have some
expertise in these various health agencies. Say that a
community, say Portland, or another community, was hit by a
bioterrorism agent. It ought to be possible to fairly quickly
turn to a list of medical experts and others that you could
call on for help. What we would like to do is develop that kind
of data base of volunteers and experts, and virtually everyone
we have talked to in terms of municipalities, first responders
and others, said absolutely we think it would be very useful to
have that on hand, and this would involve a pretty modest role
for government.
This is essentially making sure that you have this group
available when you face these kinds of calamities. I think the
points that you are making with respect to authentication and
security mechanisms and making sure the data base is not
misused or, as you said, Mr. Starnes, taken over by people with
malevolent intentions--I want to make it clear, I think that is
significant.
I think it is important, but I assume, just so we are clear
for the record, you two do not think those kinds of issues are
insurmountable. What you think is they are issues that Congress
has got to get right. Congress has got to work with the private
sector in order to get them right, but you certainly do not see
this as creating some kind of insurmountable burden that would
keep us from having a data base of technology and expertise and
equipment around the country, do you?
Mr. Starnes. Mr. Chairman, I will take that first.
Absolutely not. One of the things we definitely were struck
with post 9/11 is the amazing spirit and patriotism of the
American people, as well as their just creativity and drive,
and really that is the response that motivated both private and
local government sectors within our State of Oregon to get
together and see if we could organize better and prepare better
in advance, and it was striking to us on the organizing
Committee how poorly prepared we really are in terms of, as you
point out, even knowing who to go to in the case of a potential
cyber terrorism issue, and what the resources are.
So the first set of procedures we are going through is
essentially inventorying our intellectual skills within the
state, and the next part of that exercise will be determining
how we catalyze those and how we interconnect those in a useful
and effective fashion. Absolutely these problems can be taken
care of over the long haul.
I do believe that private industry needs to be heavily
involved in that process. We need to think about issues of data
base redundancy and network vulnerabilities and so on to make
sure that we plan and build the network that has to support the
people involved in advance, and contemplating a number of the
different threats that might be present.
Senator Wyden. Dr. Hoffman.
Dr. Hoffman. Mr. Chairman, I agree with everything Mr.
Starnes has said. I agree that it is not an insurmountable
problem. I also want to point out that we will never solve the
problem perfectly, but if we can get a solution that is 90
percent further along than where we are today, I think we would
have made obviously great progress.
One thing that is important to realize--I take some of this
from my experience serving in my local town where I reside, in
Chevy Chase, Maryland, yet we had a committee for Y2K, which I
served on, and just knowing the local resources and going up to
the county level and so forth on up is very important.
So I think rather than having one grand system defined,
this might be an excellent opportunity to have a number of
local systems deployed, tried out, tried out in the laboratory
of the states or even at a lower level of government, and keep
the communication system flowing between all the levels of
government and the private sector, that would be, I think, a
better way to architect it than put all of your eggs in one
basket.
Senator Wyden. I think those are thoughtful points. We are
going to work with you, because I think you are right. You
cannot come up with any ideal kind of approach that ensures
that you never have a bug anywhere at any time, but I really do
see a strategic technology reserve as an insurance policy for
this country. Given how many people have said they would help,
major companies in this country have said, ``Look, we will get
people and equipment when the country's national security
interest and well-being are affected by these terrorist
attacks.'' It just seems a shame to not try to address some of
these issues I advance and not just have all these well-meaning
people basically in a position of heading to some disaster site
and kind of standing around. That is what some have told us
happened in New York, and it is not because New York did a
crummy job. Quite the opposite. New York City did a terrific
job. How they accomplished so much so quickly is an
extraordinary success story.
What else could have been done is what I think we want to
look at, and of course, most communities are not in a position
to have the resources you had in New York City. We are going to
work very closely with you to iron out these questions of
authentication and privacy and making sure you do not have a
system that gets hijacked by the very people you are trying to
deal with in terms of the overall effort.
It was interesting you mentioned Y2K, Dr. Hoffman, because
that was an area we wanted to look at, and maybe we can bring
you back into this.
Dr. Strawn, I was very involved in the Y2K efforts that
this Committee tackled under the leadership of Chairman
Hollings and Senator McCain, and obviously, a lot of those paid
off. That concerted effort to have people working together and
preparing for a wide variety of potential threats to this
country paid big dividends. I would be curious if this panel
thinks there were any parallels to be drawn or any lessons
between the Y2K effort and what we are doing now to try to
improve cyber security.
Dr. Strawn. I would be happy to take a crack at that. I had
the good fortune of also being involved in the Y2K efforts at
NSF. I had an interesting assignment. NSF undertook, as part of
its public knowledge and public education of science tasks, to
run a series of surveys, polls of the public to find out what
their knowledge was and what their concerns were about the Y2K
issue as it went forward; I had the good fortune of serving as
NSF's spokesperson during that time on that subject.
We observed that, number one, as Y2K approached, it focused
the attention and the efforts of the country very greatly
toward solving the problem. Number two, the more information
that was made available to the public and the more they
understood what was going on, the less concern they had, and
the more they understood what was happening, and that was a
general, very good benefit of education.
If I may add one other subject relating to a government
analog of the volunteerism that you were discussing a moment
ago. I observed that since September 11, there has been a very
vital and vigorous interaction between the defense community
and the civilian research community, we are working together to
make sure that research results that have been developed in
universities and the civilian sector are available to the
defense and security activities that need advanced research and
development. That is not quite volunteerism, but it has the
same very beneficial effects of propelling these advances
forward.
Senator Wyden. Other panel members, parallels between Y2K
and what we are trying to do here?
Mr. Starnes. I think that is a very interesting and
relevant question. One of the advantages of the Y2K issue is
that we had a specific and imminent date to work toward, and in
the few years ahead of Y2K--the industry estimates range a bit
on this, but the upward estimates are that there was almost
$300 billion spent on Y2K preparedness.
I think it is very interesting to sort of compare that with
the industry spending for security technologies in the last 3
years, the composite industry spending, which has been about,
somewhat under $20 billion, so on a single incident, that was a
very known and measured incident as an industry, as a country
we spent almost $300 billion, and cumulatively over the last 3
years we have spent about $20 billion, so I think that really
points to a gap, still, in the way we need to look at funding
these really important vulnerabilities that we have.
Senator Wyden. Okay. Let's move back to the topic, if we
could, of the strategic technology reserve. Mr. Hira, I would
like to ask you a question, because, of course, your
organization represents a large number of technology experts,
and I think it would be helpful to get your sense of whether
there would be a lot of those individuals and companies that
would be willing to volunteer.
My sense is that they are looking for a chance to help and
participate, and in a situation like this say, if there is a
problem in my area, or a problem in my region of the country,
we are anxious to be there. We will volunteer; we are sending
our name and saying we want to participate in something like
the strategic technology reserve. What is your sense about
whether the people you work with would say if their expertise
is needed emergency officials could know where to find them?
Mr. Hira. I am glad you asked that question, actually,
because we are a volunteer-driven organization. We do not have
industrial membership. Our membership is as individuals. We are
structured along a couple of different dimensions, but the two
important dimensions that are relevant to this are, one, based
on your technical expertise, or your subdiscipline. So, for
example, my area is control systems. Somebody else's is
antennas and propagation, and so on and so forth, and so there
is a technology and technical dimension, but we are also
organized geographically via regions and sections.
I do not see any reason why something like this could not
or should not appeal to many of our members that are out there.
Senator Wyden. Let me turn now to the part of our
legislation that calls for setting up a clearinghouse or test
bed, and maybe we can hear from Mr. Starnes and Mr. Logan, I
think both would be good for this question.
What we are dealing with here is this: the federal
government has received thousands and thousands of ideas and
proposals to fund various technologies and products. In effect,
it is a new deluge. Thousands of them have come from across the
country, and what Senator Allen and I are trying to do is to
make sure that we can perform a service for agencies, help them
to identify new technologies, figure out if the proposed
technologies can meet the specifications needed by the
agencies.
We do not want new mandates, picking winners and losers and
all of this sort of thing, but I think we can begin this round,
Mr. Starnes and Mr. Logan, with whether you think the current
emergency response agencies are doing enough to harness the
potential of new technological developments, and whether we
need to do a better job of trying to be open to new
technologies so that we can use all of this talent.
Mr. Starnes. Mr. Chairman, I will take that one first.
Clearly, I think we can be doing a better job. I think
there are some wonderful agencies, certainly in the area of
security awareness. CERT has done an admirable job for the
amount of funding and support that they have received, but we
are dealing with a really big issue here, and we really have
not, as a nation, been under a coordinated attack. The attacks
that we have seen that get headlines every other day are often
15-year-olds in their basement, so it sort of creates a concern
in our minds that we have a pretty big gap here, so certainly
at Tripwire we have talked about this at a strategic level, and
we are very supportive of, in fact pretty involved already with
a number of governmental agencies in several different areas,
certainly from more of a tactical standpoint in terms of
providing them products and capabilities and services and so
on, but also from a strategic standpoint there is some
extremely good work going on between private industry and
government around digital fingerprinting and understanding the
security and stability of computer systems at a very
fundamental level, and the National Drug Intelligence Agency
and many other agencies have been positively involved in that.
So we are starting to see the kind of activity that is
moving, I think, the nation to a higher level of overall
security, but it worries us that it is not moving as quickly as
it probably could or should, and so we certainly welcome
additional leadership from you and your bills in those areas.
Senator Wyden. Mr. Logan, let us have you comment on this
as well. You have got an innovative technology, a product out
there that you are excited about, that you think makes sense.
You have spent a lot of time toiling away on it, but you are
not exactly sure where in government to bring it. What Senator
Allen and I have said is, you could bring it to a clearinghouse
within NIST. That would be where you would go, and the
clearinghouse would basically share that information with an
agency that expresses a need.
Now, that is our sort of bipartisan thinking about how you
could streamline this and build on something that we think
would not involve a lot of red tape and bureaucracy. Do you by
and large feel that is heading in the right direction?
Mr. Logan. Yes, I do. In fact, our current process of
trying to evaluate new technology standards, the mechanics of
that would be a federal government, state government, local
government. It can be very cumbersome and time-consuming only
to, at the end, to make a decision or arrive at a certain
standards level, and now the technology has passed us by.
I believe that through a clearinghouse as you have
suggested, that would give companies a chance to bring to the
table innovative products, see how do they meet the needs of
the users, today's needs of the users in a way that could help
through enabling grantees to look to these various test beds,
to say, well, it works for them, this is our need, our needs
are aligned with the test beds, and to make that a part, to
enable these grants--I mean, the big concern, obviously, with
the user groups is, what are the mechanics associated with the
grants that will be coming out, and so to the degree that we
can show and demonstrate products and technologies that will
enable first responders to better do their job, I think that is
absolutely the way to go.
Senator Wyden. Well, our hope is that taken together the
test bed and the clearinghouse would really accelerate the
adoption of new technology by government emergency and security
agencies. Again, we would welcome your ideas on some of the
specifics about how to address this, but I would hope that we
could get agreement on those two areas, because I am struck by
how many times private sector companies say, ``Look, I do not
know where to turn.'' Clearly there is a governmental interest
at a minimum in not buying outdated stuff, and making sure that
when you are making these purchases, that you are buying in a
cost-effective way for citizens and taxpayers.
Just a couple of other areas, one for you, Mr. Logan, with
respect to the wireless area, which we do think is especially
important. Our hope is that the pilot program that we envisage
would be a helpful start. Clearly, this is going to require
some very significant expenditures.
There are some exciting things going on around the country,
as Mr. Starnes noted, where he is involved in some of them in
the State of Oregon, in my home state, but our theory is that
we could provide grants to states to at least pioneer some
innovative efforts and communications interoperability, and
these could be shared around the country. We see that as one
way to at least make a start and jump-start the effort to come
up with some good models. Are you comfortable that is headed in
the right direction?
Mr. Logan. Yes. I think that is a very good idea,
especially working with States that may have already made
significant advances in the area of interoperable technology,
communications improvements. In fact, a thought we had was in
working with these test beds, maybe creating a solution whereby
we can not only demonstrate the technologies at that location,
but put those technologies on the road in a mobile setting much
like FEMA and others, first responders.
Usually the event is not going to happen, maybe, right next
door or where they think it is going to happen, but if we can
develop through those test beds the ability to have those
solutions mobile so we can bring them to various communities in
other states, I think that could be very beneficial.
Senator Wyden. Another area, last area that we were
interested in that goes back to S. 2182, and maybe we can start
with you, Dr. Strawn, is, I think the theory of this bill is to
buildup what has been certainly heretofore an underdeveloped
intellectual infrastructure in the cyber security field. Take
your academic hat off for a moment, and give me your thoughts
on what you think the practical effects of underinvestment,
what is happening now, the current underinvestment in cyber
security research and personnel would be.
Dr. Strawn. I think underinvestment has put us in somewhat
of a pickle already, and that the citizens of our country are
right not to have trust in their computing and information
technology systems.
We do not have a high enough level of assurance that our
systems are safe from being hijacked, are safe from being
abused; and now computer hardware and computer software are
going into almost all products and services that society uses
these days. We just have to have a higher level of security and
a higher level of reliability in these systems, and the public
will have to remain doubtful until we take it to a higher
level.
Senator Wyden. Gentlemen, anybody else, practical effects
of underinvestment?
Dr. Hoffman. Following up on those earlier comments, I
would only add that we have a system where the critical
infrastructures are all connected, so in fact what affects
computing does not only affect computing. Computing drives
energy and water and a number of other infrastructures more and
more, so if we do not have secure computing systems, we really
do not have a secure infrastructure at all, and it just gets
worse as a practical effect.
Also, I would like to followup on one comment made a minute
ago. When you talk about a test bed, I think it is important to
realize--and I agree with the observation that these things can
more and more be taken on the road, so you do not need a big
lab with lots of rooms out at NIST or somewhere else. The
people nowadays come and ask at the university, they say, let
us see your lab, and I say, well, where do you want me to bring
it, because often for many systems three laptops and a good
mobile wireless network is all you need to demonstrate
something, and you have much more of an effect when it is there
in the right place.
Senator Wyden. I think that is a very good point. I was
concerned initially when we started talking about the strategic
technology reserve people would think about some gigantic
building, and there you would store all of these laptops, and
they would just be getting dusty and the like, and then you
would have your test bed, which would be a similar sort of
building hooked up to all kinds of jumper cables and
contraptions, and that would be supposed to be in charge of
testing.
I think you are absolutely right. What we are looking at is
trying to use existing laboratories and others to the greatest
extent possible, and we are going to take that counsel to
heart. I am glad you made that point, because I think people
are already starting to envisage how this would work, and it is
helpful to have this kind of testimony on the record.
Others on that, underinvestment?
Mr. Starnes. I cannot resist that one. I think we are
actually seeing first-hand the practical effect of
underinvestment right now. Customers have been taught to buy
based on features, and the number of colors on their screen and
other issues, and have not really been taught to understand the
issues of security and interconnectedness and various other
important areas for infrastructure, so the commercial instincts
kick in, which is a part of our democratic process, so somehow
we have to find a balance, and sort of back to the issue of
test bed clearinghouse again, which is a concept we certainly
endorse.
The key issue, a couple of the key issues that distinguish
the commercial sector from the government sector is speed, so
not only does the funding have to be allocated both in terms of
internal budgets for agencies, but it has to be made available,
and it has to be made available, as I said in my oral
testimony, on a faster basis than we currently have the ability
to do. That certainly does impact commercial entities, because
commercial entities are forced to go out to the venture capital
market, and when the venture capital market is strong, as it
has been over the last few years, that was a viable option.
The fact of the matter is now that the venture capital
markets for the most part are weak, and so you are actually
seeing a decline of commercial innovation, and government
really has not stepped forward in our view to really deal with
that yet.
Senator Wyden. Well, I really do not have any questions in
addition. You all have been excellent, and my hope is that
these two bills can, in effect, provide a very solid response
to what happened on September 11, and really constitute a new
and more targeted effort by government to deal with cyber
security issues and the threats that were presented on
September 11.
It seems to me with the cyber security legislation that
passed the House, we have got a chance to make a very effective
and well-targeted investment in NIST and the National Science
Foundation, and ensuring that we are training tomorrow's
leaders. That is essentially what that legislation is all
about.
I support it strongly, and the Administration's efforts in
that area with respect to S. 2037. I think what we would like
to say is that while government clearly can make a very
significant difference, it would just be a tragedy not to
harness and mobilize all of this energy and talent in the
private sector that wants to help and pitch-in and make a
difference. I am convinced that over the next month, working
closely with the Administration, and with all of you in the
private sector, we can move this forward.
There are not many months left in this session of Congress,
and I think it would be a real shame to go home without passing
these two bills, bills that are going to allow us to maximize
an effective role of tax dollars, particularly in education and
research, and a small amount of additional government money
basically to ensure that the volunteers and people in science
and IT who want to help can have a chance to do so and make a
difference.
So, if there is nothing that any of you would like to add
further, we will adjourn, but I can give each of you the last
crack. Anything that our panel would like to add?
[No response.]
Senator Wyden. All right. We are adjourned.
[Whereupon, at 4:15 p.m., the Subcommittee adjourned.]
APPENDIX
Prepared Statement of James W. Graham, Chief Operating Officer,
Emergency Asset Management Systems
Mr. Chairman, Members of the Committee, thank you for this
opportunity to submit testimony in support of S. 2037, the Science and
Technology Emergency Mobilization Act.
My name is James W. Graham, Chief Operating Officer of Emergency
Asset Management System, a division of GBUCS, LLC. GBUCS is a Chicago-
based developer of web-based software solutions for private industry
and government, specializing in asset management systems.
I am here today to express our strong support for S. 2037.
Overseas, our Armed Forces are unbeatable not only because of their
training, patriotism and bravery, but also because they are equipped
with unsurpassed technological superiority. Here on the home front--
where terrorism must be fought and the safety of our communities and
workplaces ensured--we too must equip ourselves with unsurpassed
homeland security technology.
In recent months, our company has dedicated itself to learning
about the technology needs of emergency managers nationwide. Based on
our experience I must report to you that there are serious and
substantial shortcomings in the technologies now utilized by emergency
management agencies. Much has been said about the need to make
communications systems between emergency response agencies
interoperable. Technology needs on the home front do not stop there.
Emergency managers at every level of government in this country are
certified and dedicated professionals who typically graduate to their
important positions after gaining experience in the military, on police
forces and as firefighters. These federal, state and local agencies
play a critical role in responding to terrorist attacks. They
coordinate and mobilize all available regional, state and federal
assets in times of disaster. These include police, fire, National
Guard, hazardous materials units, public health and infectious disease
professionals, volunteers, donors and many others. Little noticed when
there is no emergency, these emergency response professionals took on
critical importance when terrorists struck Oklahoma City, New York,
Washington and elsewhere. They will play such roles again, and we must
equip them with the best tools and technologies available.
Seven months after September 11, 2001, many of these emergency
managers remain under funded, understaffed and unequipped with the
technology they need. State government budgets took a direct hit when
the economy crashed, and as much as state legislators and governors
wish to invest in homeland security, they often lack the means to do
so.
To illustrate one of the gaps we discovered, consider that
emergency management agencies make little or no use of Internet
technologies even though their central function is to gather critical
information in emergencies and communicate instructions to needed
emergency responders. In other words, although information management
and communications is central to their role, they make almost no use of
the Internet, the greatest information and communications invention of
the past century.
In several disasters of the past decade, people by the thousands
who wanted to volunteer had to try to get through on the phone; there
were no web sites to visit with instructions and information gathering
capabilities. On September 11th, 15,000 unsolicited volunteers showed
up in Manhattan, forcing authorities to help feed and shelter them. In
other disasters, people who wanted to donate filled truckloads and even
jumbo jets with unneeded goods, leaving emergency responders with the
added burden of sorting through or disposing of inappropriate
donations. No web site told donors what was needed nor was the web used
to facilitate the logistics of moving and warehousing donations. Public
confidence in the official disaster response was thus undermined. No
private business facing similar logistical challenges would think of
doing so without Internet tools of some kind.
A National Emergency Technology Guard would be an important and
useful added force in guarding against terrorist attacks here at home.
Technology professionals across the country will be willing to
volunteer in an emergency. We ourselves volunteered and donated our own
donations management software to the Manhattan Chamber of Commerce for
use after September 11th. They have found it useful as they help
businesses recover from that disaster.
A Center for Civilian Homeland Security Technology Evaluation would
help identify needs and solutions such as those I have pointed out here
today.
But state and local emergency managers need help now. If the
federal government is to lend that helping hand, let there be money in
the palm of that hand. Volunteer programs like a NET Guard and Citizen
Corps can do great good, but they must be managed at the local and
state level. That costs money and it requires logistical management
tools they do not now have.
In times like these, the states lack the financial might of the
federal government. But the strength of our defense against domestic
terrorism depends upon the might of state and local emergency managers.
They need new technology to be effective, and they need financial
backing to acquire those technologies.
We support S. 2037, but we also call upon you to do more for those
who are at the front line of terrorism defense at the state and local
level. Thank you.
______
April 8, 2002
Hon. Ron Wyden,
Chairman,
Hon. George Allen,
Ranking Minority Member,
Senate Committee on Commerce, Science, and Transportation,
Subcommittee on Science, Technology, and Space,
Washington, DC.
Dear Chairman Wyden and Senator Allen:
The National Association of Manufacturers (NAM) writes to support
your new legislation, S. 2037, the Science and Technology Emergency
Mobilization Act (or NETGuard bill). The NAM is the nation's largest
industrial trade association and represents 14,000 members (including
10,000 small and mid-sized companies) and 350 member associations
serving manufacturers and employees in every industrial sector and all
50 states.
Homeland security is an area of significant new endeavor for the
NAM in 2002. Governor Ridge, General Magaw and Representative Chambliss
have addressed NAM audiences, including the NAM Board of Directors.
Furthermore, the NAM has dedicated a major new segment of its Web site
to the issue.
Your legislation would afford an organized way for industry to
express its support, and to channel its involvement, in the homeland
security effort. Even without such legislation, many U.S. firms,
including many NAM-member companies, rushed to offer assistance in
numerous ways following the terrorist attacks of September 11th. As
encouraging as that response was, a greater degree of organization in
the future can be expected to make industry contributions even more
effective.
Among other provisions, the bill also would create a new unit at
the National Institute of Standards and Technology to evaluate new
technologies for their applications to homeland security and to serve
as a clearinghouse. The NAM recently wrote to the director of NIST to
call attention to a NIST project that we believe has higher homeland
security-relevance than was previously appreciated. Our experience
suggests, again, that a formal structure for such evaluations is a
worthwhile idea.
David Peyton would be pleased to provide further information at
(202) 637-3147.
Sincerely,
Franklin J. Vargo,
Vice President, International Economic Policy.
______
April 19, 2002
Hon. Ron Wyden,
Chairman,
Senate Commerce, Science, and Transportation Committee,
Science, Technology and Space Subcommittee,
Washington, DC.
Dear Mr. Chairman:
The National Association of Manufacturers wishes to express its
support for S. 2182, your cyber security research legislation. We
strongly supported the counterpart legislation, H.R. 3394, as passed by
the House of Representatives with 400 votes. The National Association
of Manufacturers (NAM) is the nation's largest industrial trade
association. The NAM represents 14,000 members (including 10,000 small
and mid-sized companies) and 350 member associations serving
manufacturers and employees in every industrial sector and all 50
states.
Since 1998, the NAM has led the effort to increase industry support
for science funding generally, given the need to maintain the flow of
new discoveries upon which industry can carry out product and process
development, the need to produce more U.S. graduates in technical
fields, and the need to defend the country against attack, including
cyber attack. The NAM supported the broad research authorization bills
issuing from this subcommittee (S. 2217, S. 296, S. 2046) that the
Senate passed three times by unanimous consent starting in 1998. Today,
the NAM is pleased to support the new specific bill, S. 2182, which
addresses the most important topic not included in previous
legislation: computer security.
The sobering hearing held by the House Science Committee last
October 10, to be supplemented by your hearing on April 24, afforded
evidence for the need for the legislation. Too little money is going
into computer security research, too few graduates are being produced,
and too little progress is being made. Computer users remain almost
totally reliant on passive defenses such as virus filters and firewalls
that afford no meaningful defense against distributed denial of service
(DDOS) attacks. At Carnegie-Mellon University, the Computer Emergency
Response Team's statistics on reported attacks show that malicious
attacks are doubling annually, to a rate of over 50,000. Even the NAM
itself, as a small business, receives about ten attempts at penetration
each day.
The NAM views S. 2182 as one important piece of an evolving
strategy to bring together the joint strengths of government, industry,
and academe to meet the undeniable shared threat of cyber attack, along
with the pending Critical Infrastructure Information Security Act, S.
1456. S. 2182 will have our support as it moves forward.
Sincerely,
Franklin J. Vargo,
Vice President, International Economic Policy.
______
Response to Written Questions Submitted by Hon. John McCain to
Dr. George Strawn
Question 1. One concern that has been raised about S. 2182 is that
many of the grants established by this program will be used to develop
evolutionary technologies, such as a next generation firewall. How does
NSF plan to ensure that it funds research programs that are truly
revolutionary?
Answer. ``Evolutionary'' and ``revolutionary'' are terms often
associated with research proposals. They can be thought of as the ends
of a spectrum of research contributions ranging from ``pure''
evolutionary (only a modest or incremental increase in understanding is
likely to occur from undertaking the proposed research) through various
blends of ``part evolutionary, part revolutionary'', to ``pure
revolutionary'' (a very large increase in understanding, often in
unexpected directions, is proposed). The other side of the same coin is
proposal risk. If only incremental understanding is sought, reviewers
can be relatively sure that the proposer will be successful (i.e., the
proposal is of lower risk). On the other hand, if large increases in
understanding are sought, the reviewers will be less sure that the
proposer will succeed (i.e., the proposal is of higher risk). When
scientists speak of ``the quality'' of a proposed research project,
part of the determination of quality is how revolutionary the proposed
project appears to be.
NSF selects proposals for funding by merit review. Usually this
merit review includes proposal review by scientific experts familiar
with the subject material of the proposal. The review focuses on two
questions: what is the scientific merit of the proposed research? And
what are the broader implications of the proposed research? The NSF
program officer in charge of the review then makes awards as possible,
utilizing the advice of the expert reviewers. At all stages of the NSF
proposal process, revolutionary research is sought. Proposers are told
that NSF is interested in funding revolutionary research; reviewers are
encouraged by NSF to regard revolutionary proposals highly during the
peer review; and program officers are encouraged by NSF to ``take the
chance'' on higher risk, revolutionary proposals while making their
funding decisions. All of these steps are intended to counter
tendencies along the process to lower risks by settling for more
evolutionary proposals with higher probabilities of success. One
implication of this is that if some proposals funded by NSF don't fail,
we aren't taking big enough risks.
Question 2. A number of different federal agencies, include the
NSF, NIST, and DoD all fund cyber security projects. Is there a guiding
organization or established working group that shares information about
federal cyber security research and will ensure that the grant and
research programs established by this bill will not fund duplicative
research?
Answer. There is an interagency organization, the Networking and
Information Technology Research and Development working group (NITRD),
which includes the federal agencies supporting IT research. This
working group has been in existence for more the ten years and has a
history of providing excellent coordination among the various federal
IT research programs. NITRD is under the auspices of OSTP and OMB.
Question 3. You have testified that ``the most important problem''
in cyber security research is that there is such a small number of
faculty doing research in this field.
a) What created this shortage?
b) Do you believe S. 2182 will reduce this shortage and
increase the number of faculty involved in this field?
c) Is the shortage of Ph.D's and graduates in the cyber
security research area any worse than in other engineering and
science fields?
Answer. It is a matter of speculation as to why the cohort of
researchers working in the cybersecurity area is so small. One clear
cause is that until very recently (coinciding with the rise in the use
of the Internet) very few organizations worried about cybersecurity. In
the absence of identification of serious, challenging problems, hardly
any faculty chose to work in the area, meaning that almost no new
researchers were produced.
Researchers choose their areas of study based on personal interest,
funding availability, and various other reasons. Perhaps the academic
values that include ``free and open access to information'' have been
at odds with the ``secure and controlled access to information''
requirements of cybersecurity research. Perhaps there just hasn't been
enough funding available. For example, NSF funding levels in various
areas are often determined in a bottom up fashion (by so-called
``proposal pressure''). In any event, increasing the amount of research
funding is an important and usually successful way increasing the
number of researchers working in an area.
Additional disincentives to working in security include the fact
that until recently the only employer was the Department of Defense, so
it is likely that many academic advisors did not encourage their
students to go into this area. In the private sector, employers are
interested in program features, not security.
In FY02, NSF initiated a program in cybersecurity (called ``Trusted
Computing'') and one result has been an increase in the number of
cybersecurity proposals received by NSF. The shortage of computer
scientists working and trained in high-demand areas such as
cybersecurity and networking is greater than in some traditional areas
such as programming languages and operating systems. Other areas of
science and engineering exhibit a similar variation between high-demand
and lower-demand sub areas.
Question 4. You stated that cyber security is a property of the
``total system,'' not of the system components, which includes human
and management elements.
Do you believe that the bill, S. 2182, as introduced, does an
adequate job of providing funding for this ``total system'' approach?
Is there a need for additional multi-disciplinary research in this
area?
Answer. Cybersecurity is a system characteristic, not a component
characteristic. This means that researchers have to study the
interrelationships among system components as well as the components
themselves. Since, broadly speaking, some of the system components are
humans and organizations interdisciplinary research arises naturally in
this area. S. 2182 addresses these needs because the researchers (and
NSF and other federal agencies) are well aware of these
characteristics. NSF strives to be as general as possible in its
program announcements and solicitations because many of the best
proposal ideas ``bubble up'' from the research community itself as
opposed to being specified in the announcement. Once an area such as
cybersecurity is marked for additional support, over specification can
deter, rather than enhance community proposal response.
Question 5. You mentioned the research and other education programs
that NSF is currently conducting. Can NSF conduct the type of research
and education activities called for in the Cyber Security Research and
Development Act within their existing statutory authority?
Answer. We believe that the research and education called for in S.
2182 can be supported (and indeed is already being supported) within
NSF's current statutory authority.
Question 6. Your written testimony highlighted the NSF's Cybercorps
program, which provides scholarships to undergraduate and graduate
students studying computer security and in return the students will
serve in the federal government for a least two years. Have you had any
problems placing students of the Cybercorps program into summer
internships positions within the federal government?
Answer. The Federal Cyber Service: Scholarship for Service (SFS)
program has placed more than 24 students in internships in various
federal agencies this past summer--the first such opportunity provided
for students within the program. As in any new undertaking, there have
been challenges associated with (a) moving awareness that SFS students
are available for internships beyond agency personnel offices to
various agencies, (b) achieving understanding that though these
students are available for less than 640 hours of employment in a
summer, they may be still be incorporated within existing agency
provisions for Federal Student Career Experience Program, and (c)
overcoming agency concerns that though they may go through a very
expensive clearance process, students are not committed to service only
within the federal agency within which they have served their
internship. The Office of Personnel Management is the lead agency
addressing these issues and is working with the hiring agencies, and
the grantees institutions to resolve these issues.
Question 7. On April 22, Matt Bishop, a computer science professor
at the University of California--Davis, and Blaine Burnham, founding
director of the Nebraska University Consortium on Information
Assurance, detailed concerns about the Cybercorps program at the
Infotec 2002 Conference.
One criticism raised by these speakers is that government salaries
are so low that students prefer to apply for student loans and repay
them with private industry jobs instead of joining the Cybercorps
program. Another critique of other science-targeted scholarship
programs is that students with federal scholarships are able to get out
of service requirements, because private companies will re-pay the
scholarship as part of their employment package. What has NSF done with
the Cybercorps program to attract students to the program and ensure
that students that receive scholarships under the program will actually
perform the required government service?
Another criticism that was raised by the speakers is that graduates
of the Cybercorps program are required to only work for civilian
agencies. The speakers recommended that graduates of the program be
allowed to work for the Department of Defense and its research
agencies. What is NSF's position on this recommendation?
Answer. Working through its grantees, NSF has been very active in
increasing awareness of the program and its requirements. We have been
gratified by the level of press attention devoted to the program and
the student interest as demonstrated by direct inquiries to NSF. The
program's requirements are explicitly communicated to our grantee
institutions and, through them, to participating students. Although the
criticisms about low government salaries and private industry options
may be valid, they are not widespread. In fact, we have noted an
enthusiastic response on the part of participating students. The main
deterrence here is in the recruitment of students with the proper
mindset and attitude about federal service.
The vast majority of students currently enrolled in SFS are not
planning to make a lot of money in private industry job by abusing a
government scholarship program. On the contrary, they are in SFS
because they sincerely want to give back to America and contribute to
the ongoing war on terrorism. They are motivated by patriotism and a
desire to serve in much the same way that young people volunteer for
military service. This is the attitude frequently expressed by the
student participants, drawn from among all grantee institutions, at the
recent Cybercorps Symposium held July 20-24, 2002 at the University of
Tulsa.
In order to avoid unnecessary duplication with a similar program
being run by the National Security Agency (NSA) which provides
placement in Department of Defense agencies, NSF would like to see its
SFS graduates be placed at federal civilian agencies. However, we do
currently permit SFS graduates to be placed at DoD agencies and have
done so. NSA and the U.S. Air Force--Rome Laboratory already have SFS
graduates placed there and the Defense Computer Forensic Laboratory is
scheduled to receive an intern.
Question 8. In your written testimony, you stated that ``one
important goal of fundamental long term research in cyber security will
be to produce an agreement on what . . . constitutes a secure system.''
Could you please discuss why it so hard to reach an agreement on this
issue, and what factors are involved in determining a ``secure system''
Answer. The definition of a ``secure system'' depends on ``how
big'' a system is being considered (see answer to question 4). That is,
if the personnel who operate the computers and networks are thought of
as part of the system, then cybersecurity melds with physical security,
and issues of insider crime, etc, must be considered. And as with any
discussion of security, perfection is not available and we must come to
terms with levels of risk. Measuring risk in the computers and networks
of a big system is a newer challenge, and less well understood than
risk in pre-cyber systems.
Question 9. In your view, how vulnerable is the United States to
the threat of cyber attack? Do we currently have the resources to
prevent and respond to a cyber attack?
Answer. Research organizations such as NSF may not be in the best
position to evaluate the current threat levels or response and
prevention capabilities of the U.S. to cyber attack. Nevertheless, it
can be said that today's cybersystems are poorly understood and poorly
constructed relative to desired scientific and engineering standards.
It is the goal of research to achieve better understanding of
cybersystems and to create better engineering approaches for
constructing such systems
Question 10. Would you consider America as a leader in cyber
security research? If not, which countries are?
Answer. The U.S. remains the world leader in IT research and
development, including cybersecurity. In cybersecurity, however, there
is much to be learned and to be applied to a society increasingly
dependent on computer technology. In some areas of cybersecurity,
Israel is very advanced and may actually lead the U.S., due, perhaps,
to their long-time need for security.
�