Karen H. Brown, Deputy Director
Committee on Government Reform
March 9, 2000
Mr. Chairman and members of the subcommittee, thank you for the invitation to speak to you today about computer security issues. I am Karen Brown, Deputy Director of the National Institute of Standards and Technology of the Department of Commerce’s Technology Administration.
Computer security continues to be an ongoing and challenging problem that demands the attention of the Congress, the Executive Branch, industry, academia, and the public. Computer security is not a narrow, technical concern. The explosive growth in Electronic Commerce highlights the nation’s ever increasing dependence upon the secure and reliable operation of our computer systems. Computer security, therefore, has a vital influence on our economic health and our nation’s security and we commend the Committee for your focus on security.
Today I would like to address NIST’s computer security activities that contribute to improving computer security for the Federal Government and the private sector. I also would like to briefly describe for you our proposed new program activities for next year as requested in the President’s budget.
Under NIST’s statutory federal responsibilities, we develop standards and guidelines for agencies to help protect their sensitive unclassified information systems. Additionally, we work with the information technology (IT) industry and IT users in the private sector on computer security in support of our broad mission to strengthen the U.S. economy, and especially to improve the competitiveness of the U.S. information technology industry. As awareness of the need for security grows, more secure products will be more competitive in the marketplace. Addressing security will also help ensure that Electronic Commerce growth is not limited because of security concerns.
In meeting the needs of our customers in both the public and private sector, we work closely with industry, Federal agencies, testing organizations, standards groups, academia, and private sector users. Cooperation and collaboration are essential to tackle many common problems facing users throughout the country.
What does NIST do specifically? To meet these responsibilities and customer needs, we first work to improve the awareness of the need for computer security. This helps increase demand for secure and reliable products. Additionally, we research new technologies and their security implications and vulnerabilities and develop guidance to advise users accordingly. We work to develop security standards and specifications to help users specify security needs in their procurements and to establish minimum security requirements for Federal systems. We develop and manage security testing programs, in cooperation with private sector testing laboratories, to enable users to have confidence that a product meets a security specification. We also produce security guidance to promote security planning and secure system operations and administration. I will briefly discuss the need for and benefits of each.
First, there is a need for timely, relevant, and easily accessible information to raise awareness about the risks, vulnerabilities and requirements for protection of information systems. This is particularly true for new and rapidly emerging technologies, which are being delivered with such alacrity by our industry. We host and sponsor information sharing among security educators, the Federal Computer Security Program Managers’ Forum, and industry. We seek advice from our advisory board of computer experts (the Computer System Security and Privacy Advisory Board). We meet regularly with members of the Federal computer security community, including the Chief Information Officers’ Security Committee and the Critical Infrastructure Assurance Office. We actively support information sharing through our conferences, workshops, web pages, publications, and bulletins. Raising awareness helps ensure that appropriate attention is accorded to security and helps increase the demand for secure products and security services.
A second need is for research on information technology vulnerabilities and the development of techniques for cost-effective security. When we identify new technologies that could potentially influence our customers’ security practices, we research the technologies and their potential vulnerabilities. We also work to find ways to apply new technologies in a secure manner. The solutions that we develop are made available to both public and private users. Some examples are methods for authorization management and policy management, ways to detect intrusions into systems, and demonstrations of mobile agents. Research helps us find more cost-effective ways to implement and address security requirements.
Third is the need for standards, and for ways to test that standards are properly implemented in products. For example, cryptographic algorithms and techniques are essential for protecting sensitive data and electronic transactions. NIST has long been active in developing Federal cryptographic standards and working in cooperation with private sector voluntary standards organizations in this area. Moreover, in the standards area we have been working with the private sector in preparing for the future. We are leading a public process to develop the Advanced Encryption Standard (AES), which will serve 21st century security needs. Another aspect of our standards activities concerns Public Key and Key Management Infrastructures. The use of cryptographic services across networks requires the use of “certificates” that bind cryptographic keys and other security information to specific users or entities in the network. We have been actively involved in working with industry and the Federal government to promote the security and interoperability of such infrastructures.
Standards help users to know what security specifications may be appropriate for their needs. Testing complements this by helping users have confidence that security standards and specifications are correctly implemented in the products they buy. Testing also helps reduce the potential that products contain vulnerabilities that could be used to attack systems.
For over five years, we have led the Cryptographic Module Validation Program, which has now validated about 90 modules with another 50 expected this year. This successful program utilizes private sector accredited laboratories to conduct security conformance testing of cryptographic modules against a Federal standard we develop and maintain. More recently, we have been working with the international security community to define security criteria in an international standard that can be used to develop security specifications for products, such as firewalls or operating systems. We are actively working with industry partners in the smart card, health care, and telecommunications fields to accomplish such development of specifications.
Many of these activities are being done in cooperation with the Defense Department’s National Security Agency in our National Information Assurance Partnership. Private sector laboratories are being accredited under our National Voluntary Laboratory Accreditation Program to conduct such testing. The effort involves developing testing competencies and a process for accrediting testing organizations. The goal is to enable product developers to get their products tested easily and voluntarily, and for users to have access to information about tested products. Under this program we have also led the development of an international mutual recognition arrangement whereby the results of testing in the U.S. are recognized by our international partners, thus reducing the costs to industry.
Advice and technical assistance for both government organizations and private sector users is the fourth need. For example, we have issued guidance on topics including telecommuting and security, security concerns inherent in PBX technology, security requirements in Public Key Infrastructure (PKI) implementation, use of firewalls, and intrusion detection in networks. We also provide program guidance to agencies and are working to complete a document on security program metrics and self-assessment. The information and guidelines that we have developed are available to all users free of charge via our web site. We also support agencies on specific security projects on a cost-reimbursable basis when NIST expertise is required.
While I have given you a few examples of NIST’s work, I obviously have not covered everything. I want to emphasize that there is still much more to be done to address the continuing challenges of computer security. To put our program in perspective, please keep in mind that approximately $6 million of direct Congressional funding supports both our Federal and industry computer security responsibilities. (In addition, we receive approximately $2 million in outside agency funding to provide technical assistance on particular projects.) This is plainly not enough.
As reflected in the requests made in the President’s FY 2001 budget, NIST needs additional resources to help improve the security posture of the Federal government. Looking at the critical information infrastructures of the nation, we also need substantial investments in security research to find ways to protect our infrastructures.
To address the need for additional research to protect our critical infrastructures, the White House has proposed establishing a $50 million Institute for Information Infrastructure Protection (IIIP), which was initially recommended by the President's Committee of Advisors on Science & Technology (PCAST). The IIIP will identify and fill the gaps in critical infrastructure protection not being met by private sector market demands or Government agency mission objectives, and provide a strong and secure foundation to protect the various critical infrastructures upon which the Nation’s security and economy rely. IIIP’s R&D, which will aim to help prevent security problems, will include work that can be applied to protect multiple sectors’ infrastructures, and thus will complement sector-specific R&D underway elsewhere in the government and private sector. This initiative will help strengthen the focused existing and planned security architectures within the critical infrastructure sectors and help prepare the owners/operators of those infrastructures to survive potential hostile activities. The IIIP will not have any direct role in support of law enforcement or deterring attacks, but will fund R&D to develop new generations of IT security solutions that DoJ/FBI, other agencies, and the private sector can use to prevent and respond to future cyber-threats. The IIIP will be a partnership among industry, academia and the government (including both state and local governments). At the core of the partnership is IIIP’s selection of information infrastructure protection R&D focus areas, which will rely heavily on advice and guidance obtained from outside experts.
The security of Federal systems must also be improved. These systems contain sensitive information about our citizens and provide services upon which our citizens’ safety and well-being depend. The government should exert leadership and set an example for the nation in protecting against risks and vulnerabilities. Two of the budget proposals focus primarily upon the security of Federal systems. Specifically, we propose to establish an Expert Review Team (composed of eight FTEs) to advise agencies of their vulnerabilities, help prioritize and develop strategies for security fixes, assist agencies in preparing for future security threats, and help agencies plan for security in new system developments. This preventive approach will complement the reporting activities of programs such as FedCIRC. Second, we seek a $5 million increase to enable additional critical activities in the areas of cryptography, security management and best practices guidance, and the protection of supervisory control systems.
So let me close by again emphasizing that our national commitment to improving security must be increased. NIST stands ready to play a key role by supporting the proposed Institute, leading the Expert Review Team, and conducting additional work to develop needed security guidelines and standards, perform research in security technology, lead testing programs, and raise awareness of and demand for security products and services. This will augment the already important activities we have underway. We look forward to continuing this work, and believe that your support of the critical new activities would help us to do so.
I will be pleased to answer any questions.