Statement of Dr. Arden L. Bement, Jr.
Director, National Institute of Standards and Technology
Technology Administration, U.S. Department of Commerce
Before the Committee on Science, House of Representatives, United States Congress
“Cybersecurity Research and Development”
Chairman Boehlert, Mr. Hall and Members of
the Committee, thank you for this opportunity to testify today
about the contributions of the National Institute of Standards and Technology
(NIST) to strengthen the Nation’s cybersecurity. Let me congratulate you
for your tremendous leadership in advancing robust programs to protect our
nation’s information infrastructure from attack. I know that
Technology Administration Under Secretary Phil Bond and I
look forward to working very closely with you to turn your visions into
reality. I would like to address the questions you asked in
your invitation to testify and tell you about the many important cybersecurity
activities currently underway at NIST.
Protecting our Nation’s critical infrastructure
is of critical importance to our economy and our well-being. The
terrorist attacks of September 11, 2001, brought to the forefront the Nation’s
physical and economic vulnerability to an attack within our borders.
Among the Nation’s vulnerabilities are the computer and communications
networks on which the country’s financial, transportation, energy, and water
systems and health and emergency services depend. These critical systems are the
underpinning of the Nation’s infrastructure and commerce. The
Los Angeles Times in a recent editorial emphasized the importance of meeting
this challenge: ‘‘A cyberterrorist attack would not carry the same shock
and carnage of September 11. But in this information age . . . [a cyberterrorist
attack] could be more widespread and just as economically destructive.’’
We will not be able to address these vulnerabilities without applied
research and development of enabling technologies in cybersecurity.
The success of the Internet
—connecting more than 100 million computers and growing—has far outstripped
its designers’ wildest expectations. Although the Internet was not originally
designed to control power systems, connect massive databases of medical
records or connect millions of homes, today it serves these functions. It
was not designed to run critical safety systems but it now does that as well.
We rely heavily on an open system of networks, so complex that no one person,
group or entity can describe it, model its behavior or predict its reaction
to adverse events. The porous nature of the U.S. network infrastructure
leaves the Nation, including critical Federal systems, open to the
constant possibility of cyber attacks. Such attacks
include the massive distributed denial of service attacks that
overwhelm servers with access requests; defacement
of web sites and the modification of electronically stored information to
spread disinformation and propaganda; ‘‘Zombies’’ that use computers
(located anywhere) as conduits for wide-scale distribution of destructive
worms and viruses; and, unauthorized intrusions and sabotage of systems
and networks, potentially resulting in critical infrastructure outages and
corruption of vital data.[1]
Helping to
ensure the confidentiality, integrity and availability of civilian information is essential to the functioning
of our economy and indeed to our democracy. And, to this end,
NIST has had a long-standing and successful role in working with federal
agencies and industry by ensuring the protection of non-national security
related cyber and information systems through standards and guidelines development,
testing methodologies, conformity assessment and complementary supporting
research.
In 2001,
Secretary Evans approved the Advanced Encryption Standard (AES) as a federal
security standard. I am pleased to report that the standard is being actively
adopted by voluntary standards bodies and implemented by vendors.
In fact, over 70 commercial implementations of the AES have already
been validated through our Cryptographic Module Validation Program.
Enactment
of the Cyber Security Research and Development Act (CSRDA) of 2002 and the
Federal Information Security Management Act (FISMA) of 2002 has reinforced
our long-standing statutory responsibilities for developing Federal cybersecurity
standards and guidelines and conducting commensurate security research.
We fully appreciate and are grateful for the trust and support provided
by the House Science Committee to NIST in assigning us responsibility for
these critical roles. We
see both of these new important laws as a “vote of confidence” in our past
work and an expectation of continuing successful achievements in the future.
Today I would
like to review new statutory assignments to NIST, provide you an overview
of NIST’s cybersecurity activities, and discuss some of the challenges we
continue to confront.
NIST Responsibilities Under the Cyber Security Research and Development Act of 2002
Under the legislation,
NIST is assigned responsibilities to
NIST Responsibilities under the Federal Information Security Management Act (FISMA) of 2002
Responsibilities
assigned to NIST under FISMA include:
FISMA also contained
a number of specific assignments, including development of:
With these broad
legislative mandates in mind, let me review NIST’s activities and accomplishments
in the area of intramural research, security grants, and a planned National
Research Council study.
Recent NIST Intramural Cybersecurity Accomplishments
In addition
to the extraordinary success of the Advanced Encryption Standard, NIST has
made a number of major contributions to cybersecurity standards and guidelines,
research, and testing in order to thwart the kinds of economically disabling
attacks noted previously. Here is but a sampling of our numerous
successes and ongoing activities:
Security Guidelines and Standards
Our base
program targets the development of standards and guidelines in support of
our Federal responsibilities. In 2002-2003, NIST published
12 security guidelines covering a wide variety of topics such as email,
firewalls, telecommuting and business systems contingency planning. We have
also published 10 draft guidelines for review by Federal departments and
agencies as well as other interested organizations and individuals concerning
such topics as certification and accreditation, awareness and training,
and considerations in Federal Information technology procurements.
The certification and accreditation guidelines are a key component
needed for successful implementation of the e-government and FISMA mandates
for federal agencies. Additionally, we have issued numerous
NIST Information Technology Laboratory (ITL) Bulletins during the last year
to provide guidance to agencies and others on a broad list of topics.
Our guidelines and standards provide leadership to industry as much
of our work is voluntarily adopted in industry. For example, our Smart Card
Interoperability Specification has been adopted by federal agencies and
is now being considered for adoption by an ANSI Standards committee and
eventually as an international standard. All of our work is posted on our
Computer Security Resource Center website. Hundreds of thousands
of copies of our guidelines have been downloaded from this online site.
For example, over 400,000 copies of our Contingency Planning Guide
for Information Technology have been downloaded since its publication less
than a year ago.
Security Testing
I mentioned
previously the Cryptographic Module Validation Program through which a number
of new algorithms that use the Advanced Encryption Standard are being tested.
The CMVP, as it is known, is operated in conjunction with the Government
of Canada’s Communication Security Establishment. The Cryptographic
Module Validation Program has now validated over 500 modules with another
100 or more expected within the next year. This successful program utilizes
private-sector accredited laboratories to conduct security conformance testing
of cryptographic modules against the cryptographic Federal standards NIST
develops and maintains. To give you a sense of the quality
improvement that the program achieves, consider that our statistics from
the testing laboratories show that 48 percent of the modules brought in
for voluntary testing had security flaws that were corrected during testing.
In other words, without our program, the Federal government would have had
only a 50/50 chance of buying correctly implemented cryptography!
In addition,
in recent years we have worked to develop the “Common Criteria” which can
be used to specify security requirements. These requirements are then used
by private-sector laboratories, accredited by NIST, for the voluntary evaluation
of commercial products needed for the protection of government systems and
networks. This work is undertaken in cooperation with the Defense Department’s
National Security Agency in our National Information Assurance Partnership
(NIAP). You may be aware that the National Strategy to
Secure Cyberspace calls for a review of the NIAP. We have
begun staff discussions with NSA to identify ways we might improve the process,
through research, process changes, and to understand the resources needed
for NIAP to fully succeed.
Access Control
One of the
basic tenets of IT security is controlling access to vital IT resources:
answering the question, “who is allowed to do what?”
A NIST research team created a new approach to controlling user access,
called Role-Based Access Control (RBAC). What is most striking about RBAC
is its rapid evolution from a theoretical model to commercial implementation
and deployment. An independently conducted NIST-sponsored economic impact
study estimated that RBAC will soon be used by some 30 million users for
access to sensitive information. Further, the study
estimated that RBAC technology will save the U.S. software development
industry $671 million, and that NIST was responsible for 44 percent of the
savings.
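As an added illustration of the “who is allowed to do what?” question raised above (example code written for this page, not NIST’s RBAC reference model or any NIST software), the following Python sketch captures the core of the RBAC idea: users are assigned roles, roles are granted permissions, and a role hierarchy lets a senior role inherit the permissions of the junior roles beneath it. The roles, users and protected objects in `build_demo()` are constructed sample data.

```python
class RBAC:
    """Minimal role-based access control.

    Users never hold permissions directly: a user is assigned roles, each
    role is granted (operation, object) permissions, and a role may inherit
    from junior roles, so a senior role holds everything the junior ones do.
    """

    def __init__(self):
        self.role_perms = {}     # role -> set of (operation, object)
        self.role_parents = {}   # role -> set of directly inherited roles
        self.user_roles = {}     # user -> set of assigned roles

    def add_role(self, role, inherits=()):
        """Declare a role, optionally inheriting from existing junior roles."""
        self.role_perms.setdefault(role, set())
        self.role_parents.setdefault(role, set()).update(inherits)
        for parent in inherits:
            self.role_perms.setdefault(parent, set())
            self.role_parents.setdefault(parent, set())

    def grant(self, role, operation, obj):
        """Grant a permission to a role (never to a user directly)."""
        self.add_role(role)
        self.role_perms[role].add((operation, obj))

    def assign(self, user, role):
        """Assign a role to a user."""
        self.add_role(role)
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user):
        """All roles a user holds, including those reached through inheritance.
        The visited set also protects against an accidental cycle in the hierarchy."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.role_parents.get(role, ()))
        return seen

    def permissions(self, user):
        """Union of the permissions of every effective role."""
        perms = set()
        for role in self.effective_roles(user):
            perms |= self.role_perms.get(role, set())
        return perms

    def is_allowed(self, user, operation, obj):
        """Answer 'is this user allowed to do this operation on this object?'
        Unknown users and unknown objects simply have no permissions (default deny)."""
        return (operation, obj) in self.permissions(user)


def build_demo():
    """Constructed sample policy (hypothetical roles, users and objects)."""
    rbac = RBAC()
    rbac.grant("employee", "read", "handbook")
    rbac.add_role("doctor", inherits=["employee"])
    rbac.grant("doctor", "read", "patient_record")
    rbac.grant("doctor", "write", "patient_record")
    rbac.add_role("billing", inherits=["employee"])
    rbac.grant("billing", "read", "billing_record")
    rbac.assign("alice", "doctor")
    rbac.assign("bob", "billing")
    rbac.assign("carol", "employee")
    return rbac


if __name__ == "__main__":
    policy = build_demo()
    for user, op, obj in [("alice", "write", "patient_record"),
                          ("alice", "read", "handbook"),
                          ("bob", "read", "patient_record"),
                          ("carol", "write", "patient_record"),
                          ("mallory", "read", "handbook")]:
        print(f"{user:8} {op:6} {obj:15} -> {policy.is_allowed(user, op, obj)}")
```

Because permissions attach to roles rather than to individuals, changing what a job function may do is a single edit to the role, and reviewing who can reach a sensitive object reduces to listing the roles (and their seniors) that hold the permission.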
And, there
are many, many other activities too numerous to describe here, including
significant efforts in the critical areas of the security of systems controlling
the U.S. Critical Infrastructure, mobile device security, network security,
and security awareness. We also need to be aware of specific
needs of our Federal customers and work closely with them to achieve our
mission. For example, OMB has asked us to assist in the preparation
of E-Authentication technical guidelines in support of the E-Government
initiatives. And, there are related areas of research, such
as biometrics (under mandates from the USA Patriot Act) and computer forensics
(used to build evidence for court cases against terrorists) in which NIST
is making extraordinary contributions to the nation’s efforts to secure
the critical infrastructure of the country. So, in addition
to our $10M base funding for cyber security, we leverage another $14M to
enable the use of technologies that support the nation’s cyber infrastructure.
But, even
with our very active program and considerable interactions with industry
and federal agencies, the list of critical tools still to be developed is
daunting. The need for trustworthy computing systems is a
theme we hear from various economic sectors on a daily basis—from financial
institutions, from health care professionals, from owners and operators
of utility companies—all are in need of mechanisms by which they can be
assured that the information they exchange is available, confidential and
that its integrity is assured. And, as components become smaller and
systems on a chip become ubiquitous, the complexity of systems is growing;
some of the biggest challenges are in ensuring the integrity of information
as it flows from component to component within a system. This is a major
area of research on our horizon. So, while we move ahead with
critical tasks that already are on our agenda, we will give new activities priority
in our base program as resources are available.
Interaction with Other Federal Government Agencies
We accomplish
our mission working side by side with our federal partners. NIST
understands the Committee’s desire for greater interagency coordination
and collaboration for successful science and technology initiatives and
we have been reaching out to supplement and assist other Federal agencies.
Our Technology Administration is preparing a Memorandum of Understanding
with the Science and Technology Directorate of the Department of Homeland
Security (DHS) which will be signed by Under Secretary Bond and DHS Under
Secretary McQueary. This MOU will establish a formal mechanism
for NIST to cooperate with DHS in fulfilling their many homeland security
responsibilities including cybersecurity R&D. The MOU
is being prepared for signature by the two departmental bureaus on May 19.
We have detailed one NIST senior scientist to the DHS S&T Directorate
to assist with standards efforts and to avoid duplication of effort.
Also, we have regular interactions with NSF and OSTP, for example
in the INFOSEC Research Council (IRC). The IRC provides a
community-wide forum to discuss critical information security issues, convey
the research needs of their respective communities, and describe current
research initiatives and proposed courses of action for future research
investments. Additionally, we have also invited NSF representatives to meet
with our Information System Security and Privacy Advisory Board at its June
meeting. We have had a long and successful relationship
with DARPA in a number of research areas, particularly in areas of
networks, biometrics and language recognition technologies.
National Research Council Study of Network Vulnerabilities
As mandated
by CSRDA, we are also moving forward with a National Research Council study
to review the vulnerabilities and inter-dependencies in our critical infrastructure
networks and identify appropriate research needs and associated resource
requirements. Working with our NRC colleagues we have already
identified a study director and are ready to initiate this study.
Cybersecurity Research Grants
Now, not
all of our work has been accomplished from within the federal government.
NIST has provided twelve cybersecurity research grants in the past: one
to the Critical Infrastructure Protection Project; nine under the NIST 2001
Critical Infrastructure Protection Grants Program and two to the Institute
for Information Infrastructure Protection (I3P) at Dartmouth College’s Institute
for Security and Technology Studies.
NIST Critical Infrastructure Protection Grants Program
In September
2001, NIST awarded $5M to nine grant recipients under the FY 2001 Critical
Infrastructure Protection Grants Program (CIPGP) to improve the robustness,
resilience, and security of information in all the critical infrastructures.
Under the competitive grant application process, we received 133
proposals requesting roughly $73M from applicants in both industry and academia.
We selected proposals in intrusion detection, telecommunications,
wireless security, electric power infrastructure, and compiler security.
Funded research
addresses a variety of topics to include tools and methods for analyzing
security and detecting attacks due to vulnerabilities introduced by merging
of data networks (i.e., the Internet) and voice networks (i.e., the public
switched telephone network). Other topics addressed are attack detection
for wireless and converged networks, the development of security controls
for protecting the North American power grid, and methods for evaluating
intrusion detection systems.
While results
are still preliminary from the Grants program and some projects will not
be completed due to a discontinuation of program funding in FY 2002, we
will still produce important results especially in the wireless area, converged
data/IP networks and security of the electric power infrastructure.
Cybersecurity Funding Increases
NIST takes
its cybersecurity responsibilities very seriously and we appreciate your
confidence in our abilities as witnessed by passage of the Cyber Security
Research and Development Act and the Federal Information Security Management
Act (FISMA). We also appreciate
that in FY 2003 Congress provided $1M in funding for operation of our Computer
Security Expert Assist Team capability, and approximately $2M for wireless
security and networks via our Program to Accelerate Critical Information
Technologies initiative.
The President’s
FY 2004 budget request includes increased funding for two existing NIST
program areas related to cybersecurity research:
Biometrics Standards
The FY 2004
request includes $1M specifically for standards for biometric identification
in continuing support of the USA PATRIOT Act to develop a national biometric
identification system, using unique physical characteristics such as fingerprints,
facial features, and eye patterns, to accurately identify people entering
the United States or applying for visas. With the funding requested, NIST
will help to develop effective, efficient, and interoperable biometric identifier
standards, certification tests, guidelines, and techniques for fingerprint
and face recognition and verification.
Quantum Information Systems
The FY 2004
$3M requested for work in quantum information science will also have significant
cybersecurity benefits. Quantum mechanics, the strange behavior
of matter on the atomic scale, provides an entirely new and uniquely powerful
way for computing and communications, potentially replacing the current
binary computing and digital communications based on ones and zeros, and
could have enormous impacts in homeland security. Quantum computers could
perform processing tasks that are currently impossible. They also could
solve problems that conventional computers could not manage given realistic
amounts of time, memory, and processing power.
This enormous
computational power would be particularly valuable in cryptography, making
codes that would be unbreakable by the best supercomputers of tomorrow, or
breaking codes in seconds that could not be cracked in years by the most
powerful binary computers. Quantum information also can be used for remarkably
secure communications. In this particular area, we are partnering
closely with DARPA.
With the
requested funding, NIST will work to develop the measurements and standards
infrastructure (hardware and software) critical to the development of a
quantum communications system. This includes methods to test and verify
the actual performance characteristics of these systems, to determine their
security properties, and to enable integration of such systems into the
existing communications infrastructure.
In conclusion,
NIST takes its role in cybersecurity seriously and will work with the Committee
to ensure that we are able to carry out our mandate to work with industry,
academia, and standards development organizations to assure the secure flow
of vital and sensitive information throughout our society. These
examples of our work and accomplishments demonstrate NIST’s commitment to
cybersecurity, across the government and the Nation. They also demonstrate
the base upon which NIST hopes to build our efforts. It is an absolutely
critical national need, and it is fundamental to providing the technical
testing, standards and guidelines needed to protect our information infrastructure.
I am grateful
to Chairman Boehlert for holding this hearing, and for his support of NIST’s
programs.
This concludes
my prepared remarks.
I will be pleased
to answer your questions.