Questions from House Science Committee - Subcommittee on Technology (Connie Morella)
Based on Ray Kammer's March 9, 2000, Testimony Before the Subcommittee
1. The NIST Board of Assessment's 1999 report included the following observation regarding the Information Technology Laboratory: "NIST's historic culture of openness creates a potentially serious problem when applied to its computer networks. The current firewall situation is inadequate and leaves NIST open to a potentially damaging and embarrassing intrusion. The process of ensuring that the entire organization is protected by a centrally maintained firewall system is proceeding much too slowly; strong managerial action is required to remedy this dangerous situation in an efficient and timely manner." What actions has NIST taken in response to this finding?
Answer: Since the time of the report —which was based on information more than one year old—NIST has completed installation of fully functioning firewalls at both the Gaithersburg and Boulder sites. All appropriate NIST computer networks are now fully protected by firewalls, with backup firewall systems for each site. Intrusion detection systems are used on all NIST networks, and NIST information systems are routinely scanned to detect security vulnerabilities. NIST periodically upgrades security software and hardware to ensure the latest and best technology is used to protect our information systems. In short, NIST computer networks are now protected as much as possible using current computer security technology (no system can ever be made completely secure).
Some NIST computers are purposely placed outside the firewall to enable complex exchanges of data that would be hindered or prevented by the firewalls. These "public" computers are placed outside the firewall only after rigorously ensuring the need for removing firewall protection and that there is no potential for damage to NIST or other systems from possible intrusions to the public systems. The public networks (those not behind the firewall) are also protected by intrusion detection devices and regularly scanned for security vulnerabilities.
Some background on the project to install firewalls at NIST:
NIST approved a central computer security project in March 1998, and funding was allocated in May 1998. The NIST information system at that time consisted of two sites separated by 2,000 miles (Gaithersburg, MD and Boulder, CO) with more than 120 Ethernet subnets and over 5,000 systems connected to the subnets. The project required hiring three additional information technology experts and acquiring substantial new hardware and software through the open and lengthy procurement process.
NIST expedited the firewall installation process as much as possible within the constraints of hiring and procurement regulations. Staff recruitment began in June 1998 and all three new experts were at work by November 1998 despite an extremely tight nationwide labor market for skilled IT professionals. Procurement of necessary hardware and software was accelerated, and all components were delivered by October 1998.
In parallel with the hiring and procurement process, NIST started planning the conversion with NIST staff in July 1998. All information systems had to be reviewed for applications that might need to remain fully accessible to the public without firewall constraints (firewalls inhibit or prevent certain types of complex interactive data exchange required by some NIST customers and staff). Many NIST applications and databases had to be revised to permit continued public access where appropriate while protecting most information and applications behind the firewall.
NIST began migrating information systems behind the firewall in April 1999, moving a few subnets each week, working with users to identify and correct problems that invariably develop in moving a complex and extensive information system behind a firewall. Such processes are always very labor and time-intensive, reflecting the complexity of the problem and the special needs of NIST to support simultaneous public (not firewall protected) and private functions. The migration process was completed in January 2000. Given the complexity and size of the project, NIST believes it implemented firewall protection in an efficient, rapid, and effective manner, and that it continues to follow best computer security practices.
2. NIST is requesting $50 million to establish an Institute for Information Infrastructure Protection. What is the status of planning for the Institute and how will it be structured? What will be NIST's role for conducting and developing a research agenda for the Institute?
Answer: The $50 million NIST request to establish an Institute for Information Infrastructure Protection was the Administration's response to a recommendation made by the President's Committee of Advisors in Science and Technology (PCAST), which called for the establishment of such an Institute to support infrastructure protection R&D that the private sector – which owns and operates most of the nation's information infrastructure -- has no economic incentive to fund. Given the importance of structuring this Institute in a way that will enable it to work most effectively with the private sector and with government, Presidential Science Advisor Neal Lane has asked PCAST to augment itself with additional technology leaders from the private sector and academia to advise him on the Institute's organization, operational expertise, staff expertise, and R&D priorities. NIST has been working with the Office of Science and Technology Policy to support this PCAST study, and we are refining our proposed model to respond to concerns that have been raised by the PCAST panel. We and OSTP expect very shortly to complete a refined public/private partnership model for the Institute that assures that it will be able to:
1) define and execute an R&D portfolio that meets the needs of government as well as the private sector
2) stay abreast of the rapid evolution of information technology
3) produce solutions that can be implemented by the private-sector owners, operators, and vendors of information infrastructure equipment and services, and
4) ensure that the government retains oversight, guidance, and strategic control over the expenditure of public funds.
3. Relative to the major increase for computer security activities, what are the areas of highest priority for computer security research relative to the needs of the public and private components of the national information infrastructure?
Answer: A number of high priority research areas to meet the needs of both public and private components of the national information infrastructure have been identified in the process of planning the Institute for Information Infrastructure Protection. Although we cannot state right now which of these topics the Institute will support when it becomes operational, its initial R&D agenda may include any of the following:
• Robustness, resilience, and behavior of tightly coupled, highly complex, highly nonlinear systems
• Network system interactions and vulnerabilities to cascading effects
• System architecture to ensure survivability; graceful degradation under stress; ease of reconstitution
• Develop fundamental principles, scientific basis, methodologies, and metrics for information assurance as an engineering discipline
• Next-generation intrusion and malicious code detection
• Visualization of system security information
• Self-healing systems
• Security and forensics toolkits
• Increasing resistance to penetration
• Concepts for high-confidence systems and software
• Information assurance for emerging information technologies
• Design of "testbeds" or experimental base that is most appropriate for network security research, including understanding traffic patterns typical of different types of network activities
• Physical/cyber/human interfaces
In addition to the Institute's R&D agenda, there are pressing needs for private sector critical infrastructure protection (CIP) research proposed to be conducted by the Institute for Information Infrastructure Protection, there are pressing needs for computer security activities and research in the areas of cryptography, selection and implementation of best practices, cost-effective security management, and security of supervisory control systems. NIST has world-leading expertise in these areas. In addition, the private sector does not tend to conduct much R&D in these areas because they focus on infrastructure issues with broad benefits to the nation but little opportunity for a single company to capture profits. NIST's FY 2001 budget proposal includes work to be done at NIST in the following CIP areas:
4. Why has NIST been selected to establish an Expert Review Team (ERT) that will help agencies conduct vulnerability analyses and to develop critical infrastructure protection plans? What are NIST's unique capabilities in this area?
Answer: The ERT is designed to assist Federal agencies in identifying computer security vulnerabilities and to help agencies fix the most critical security problems. NIST is a logical home for this important activity because of NIST's expertise in computer security, because of our long and successful history of working with customers of all sorts (public and private sector) to provide impartial advice and information, and because NIST has statutory responsibility for many key roles in national information technology CIP.
For example, NIST is responsible for developing standards and guidelines for Federal information systems. The Computer Security Act also mandates that NIST provide operators of Federal computer systems (as requested) with technical assistance in implementing NIST standards and guidance. The proposed ERT will fulfill this mandate by helping agencies implement NIST standards and guidelines.
The ERT will also enhance NIST's job to develop and provide computer security guidance for all Federal agencies. The ERT's work will give NIST first-hand, detailed knowledge of the needs of Federal agencies for computer security guidance. NIST will thus be able to develop broad guidance for all agencies that may share common challenges and needs.
The ERT will also be able to draw upon the reservoir of technical computer security expertise at NIST for help in identifying and fixing security vulnerabilities. That is, the work of the ERT will be leveraged by the computer security R&D and best practices expertise already existing at NIST.
5. In FY2000, Congress provided the Manufacturing Extension Partnership Program $4.4 million over the budget request. This increase was to improve MEP market penetration that has been a long-standing goal of the MEP program. How does the MEP plan to use these additional funds?
Answer: These additional funds will be used to train MEP field staff in the latest technologies and practices that they can use to help small manufacturers prosper and to establish new field sites in rural and under-served areas. Once established, these new sites will be maintained through the current MEP infrastructure.
6. E-commerce is a rapidly changing field and the challenges facing our small manufacturers are immediate. The MEP program places significant emphasis on the development of assessment kits, which won't be ready to be deployed until well into 2001. I am concerned that by the time these assistance kits are available they will no longer be relevant or timely. How does the MEP e-commerce initiative address these concerns?
Answer: MEP agrees that small manufacturers need eCommerce assistance kits as soon as possible, and thus MEP is beginning a modest effort to design and prototype the assessment kits to be available on the Web this summer. However, additional funding in FY 2001 is critically needed to produce and distribute CD-based kits for all 385,000 small U.S. manufacturers in FY 2001.
7. You state in your testimony that $8.8 million of the request for MEP's proposed e-commerce initiative will provide for approximately 200 information technology experts to be located in your MEP field offices. How do you envision that these 200 additional hires will be geographically dispersed between the 300 centers?
Answer: $8.8 million will be competitively awarded to centers, based on their plans to make optimal use of the eBusiness specialists in MEP field offices. Factors that will be considered in the competition include the range of eBusiness services the centers plan to offer, availability of matching funds to leverage MEP's direct investment, and the private and public sector partners the centers include in their proposed work.
MEP expects that many of the approximately 200 eBusiness specialists will come from the information technology experts that MEP originally hired on limited-term contracts to support Y2K efforts. As the Y2K effort concludes, and assuming the FY 2001 budget request is approved, MEP hopes to be able to convert many of these professionals -- with substantial experience in the MEP system -- to eBusiness activities, providing continuity and efficiency for MEP in contrast to a major new recruitment, hiring, and training effort.
8. It is my understanding that NIST also proposes creating "adoption" kits as well as "jumpstart" kits to assist small manufacturers in implementing their e-commerce strategies. Can you explain the difference between these two kits? What will be the cost of the federal government for development and distribution of the "adoption" kits?
Answer: The "jumpstart" kits will function as readiness assessment tools, helping companies determine their readiness to adopt eBusiness practices. A company will use the kits to help develop an eBusiness strategy, assess whether the company's information infrastructure will support the new strategy, and assess whether the company's business processes will need to change to support the eBusiness strategy. The kits will include a basic eBusiness Roadmap explaining the stages in the evolution from a traditional business to full participation in an interactive, eCommerce-driven economy.
The "adoption" kits will help guide a company through the process of implementing the best eBusiness strategies for their industry or sector. Several different eBusiness Adoption Kits will be developed, each focusing on the specific eBusiness challenges and opportunities of different major industries and sectors.
The cost of developing eBusiness Adoption Kits will vary from sector to sector, depending upon the maturity of standards development efforts within the particular industry. Our current estimate for developing an industry-specific adoption kit is approximately $1 million to $1.5 million. Most of these resources will be used to develop the appropriate sector-specific content for the kits. About 10 percent to 20 percent of the resources will be required for production and distribution of the kits.
9. A portion of the MEP's FY01 e-commerce request is funded by redirecting $6 million for the MEP base program. What MEP base programs will be affected by this redirection of funds?
Answer: In FY 2000, MEP will establish new field services and sites in rural and under-served areas to fill gaps in the current MEP service delivery system. These gaps are in several states where MEP services are sparse relative to the number of smaller manufacturers in the state. MEP plans continued support of these rural and otherwise underserved areas beyond FY 2000 through the current MEP infrastructure.
In addition, in FY 2000, MEP received $1 million for the dissemination of Center Best Practices. This is being accomplished through: identifying and documenting high priority best practices responding to MEP's criteria for Center Performance Excellence; training center staff in the most effective utilization of center best practices; providing technical assistance to facilitate implementation of best practices at the individual center level; and designing and disseminating best practice materials through printed and electronic means. This activity will increase the ability of centers to share information and expertise about the best tools and techniques for leading-edge technology adoption for smaller firms. This level of effort for disseminating Center Best Practices will be eliminated in FY 2001 and the appropriated funding for this activity will be redirected to e-commerce.
10. This year's request included $10 million for a new initiative in the area of nanotechnology. How will NIST's nanotechnology efforts differ from those of the National Science Foundation?
Answer: NIST's unique and critical role in the National Nanotechnology Initiative (NNI) is to develop new measurements, standards, and data needed for nanotechnology -- the science and technology of the smallest human-made objects. The National Science Foundation and other participants in the multi-agency effort will primarily fund basic nanotechnology research in the private sector. NIST will develop the new measurements and standards that scientists and industry will need to transform nanotechnology discoveries into useful technologies, products, and services that will fuel economic growth and help Americans lead longer, healthier lives. The other NNI agencies, including NSF, have explicitly recognized the critical contributions of NIST measurements and standards to the success of the nanotechnology initiative.
To build things atom by atom, we need a whole new way to make measurements. For example, construction workers carefully measure the placement bricks and beams to a fraction of an inch to erect a building. Scientists will need to measure the placement of atoms to much less than a billionth of an inch to make new nanotechnology devices. Many other new types of measurements will be needed. NIST has been the Nation's expert for measurements and standards of all kinds for one hundred years, and is already working on new nanotechnology measurements. A significant increase in NIST's nanotechnology measurements program is needed to support the work that will be done by universities, industry, and other agencies participating in the initiative.
NIST measurements, while only a small portion of the NNI in terms of funding ($10 million proposed increase compared to total $227 million proposed total multi-agency increase for NNI), will play a crucial role in converting both private and public sector R&D into new discoveries, products, and services. In developing the NNI, the Administration and its scientific advisors from industry, academia, and government research labs recognized that new measurements and standards will be vital to the success of the initiative.
NIST will develop, for example:
11. Encryption is becoming increasingly important in today's world. How will the new Advanced Encryption Standard improve the current Data Encryption Standard? What does this mean to the industry?
Answer: The Advanced Encryption Standard (AES) -- expected to be ready by the summer of 2000 -- will be many times more powerful than the 23-year-old Data Encryption Standard (DES). DES served the public and private sectors very well since 1977, but extraordinary advances in computing power have substantially weakened its protection. The new AES is designed to be so much more powerful that it will resist projected advances in computing power well into the 21st century.
The principal difference between AES and DES is the size of the "key" used to encrypt data. The larger the key size the more computer power is needed to "crack the code." DES was adopted as a Federal Information Processing Standard in 1977 with a key size of 56 bits (meaning 256 or about 7 thousand trillion possible keys). This key size was impenetrable by the world's best supercomputers for about 20 years -- but was recently shown to be vulnerable to the latest generation of world-leading supercomputers.
The AES will support at least 3 key sizes: 128, 192 and 256 bits, meaning that there will be 2128; 2192; 2256 possible keys, enormously large numbers that do not lend themselves to verbal description -- 2256 is roughly equivalent the number 1 followed by 77 zeros, a number comparable to the total number of atoms in the universe. This much larger key size will provide a government-endorsed security algorithm designed for strong protection for many years to come. AES is also designed to be more "user friendly" to industry, because the algorithm was designed with software implementation in mind, and because the design is based upon a 128-bit block size (meaning more data can be processed in a single step than with the smaller block size of DES).
NIST is coordinating the evaluation of several finalist candidates for AES. It is possible that more than one final AES version will be recommended for adoption, providing even more flexibility for users.
Because DES has been shown to be "crackable" in principle, NIST has recommended that agencies use "Triple DES," which provides much greater protection than single DES. Triple DES, however, is inefficient. All of the AES candidates are more efficient than both Triple DES and single DES.
12. As companies extend e-commerce applications to more partners and customers, there is an increasing need for Public Key Infrastructure (PKI) based security platforms that can be rapidly deployed and that can accommodate thousands of users. How is NIST working with industry on PKI issues?
Answer: NIST works closely with industry on PKI in several ways.
13. What role does NIST play on the Federal Public Key Infrastructure Steering Committee? Are agencies taking steps to address interoperability in their use of PKIs?
Answer: NIST is a member of the Federal PKI (FPKI) Steering Committee, chairs the FPKI Technical Working Group, and was instrumental in developing the Federal Bridge Certificate Authority (FBCA) concept. NIST has been a key player in developing and implementing the FBCA. These activities will support interoperability among Federal Agency Public Key Infrastructure (PKI) domains in a peer to peer fashion and identifies four policies that represent four different assurance levels (Rudimentary, Basic, Medium, and High) for agency issued public key digital certificates. The steering committee involves each participating agency in the development of PKI policies, procedures, and architectures. Many agencies are involved in this effort. (See http://gits-sec.treas.gov/oofpkimembers.htm.)
NIST is also working closely with the Office of Science and Technology Policy and with other agencies to ensure that federal PKI R&D programs are closely coordinated across the government. NIST is co-sponsoring a workshop on PKI for Advanced Network Technologies on April 27-28. Further information on the workshop is available at http://www.ciao.gov/MeetingsAndConferences/2000_04-27.htm
14. GAO has advocated that there is a need for federal agencies to develop a common set of data classifications that could be used by all federal agencies to categorize the criticality and sensitivity of the data they generate and maintain. A set of minimum mandatory control requirements for each classification also needs to be developed according to GAO. What role should NIST play in this type of effort?
Answer: NIST is concerned that the GAO data classification proposal is not the best approach for improving security of Federal data. Ensuring security for the enormous range of Federal data in extremely diverse environments is a complex challenge that requires a significantly more flexible response than developing a data classification "check list."
The U.S. Government already has a myriad of labels for various kinds of information that require protection, including: census; tax; financial; proprietary; top secret; secret; confidential; FOIA-exempt; medical; mission critical; investigative; and many others. In addition, there is a very wide range of security risks in different data environments, related as much to the authenticity, availability, and integrity of the information or systems on which it resides as to the sensitivity or criticality of the information. Moreover, the duration of sensitivity often changes quickly and may range from short term sensitivity (e.g., a successful contract bidder's cost proposal remains sensitive only until the contract is awarded) to indefinite sensitivity (e.g., the cost proposal of an unsuccessful contract bidder). For these reasons, a single static set of controls would be inadequate, and would likely result in misapplication of scarce security resources. Adopting the proposed GAO data classification would likely lead to potentially dangerous "checklist security" -- the false sense of security promoted by the mistaken notion that running through a generic checklist can ensure security of data or systems.
NIST believes that a more prudent approach to Federal data security is to develop and promote a wide variety of security guidance, security techniques, and tested security technologies, so that owners and operators of sensitive Federal systems can make appropriate and informed security decisions. Security needs and solutions are complex and diverse, and there is not a "one size fits all" solution.
However, NIST does agree that for basic security requirements in today's highly interconnected information environment, it is desirable that Federal agencies adhere to a common set of basic security requirements. NIST security guidance helps serve this purpose, although wider efforts are needed (please see the discussion in question #3 herein).
15. What role are TA and NIST playing in domain name system (DNS) registration?
Answer: NIST (an agency of TA) and NTIA are both parties and collaborators on the Cooperative Research and Development Agreement (CRADA) with the Internet Corporation for Assigned Names and Numbers (ICANN) for study of Internet root server system security issues. NIST does and will continue to provide NTIA with technical expertise and advice on DNS issues, as necessary. Primary responsibility for overseeing the transition of DNS management functions to the private sector rests with NTIA as directed by the Secretary of Commerce. NTIA staff signed the Memorandum of Understanding (MOU) with ICANN on behalf of the Department.
16. What is NIST's role in developing advanced wireless standards?
Answer: NIST works closely with industry through several standards developing groups to help develop standards for wireless communications. These industry-driven standards are intended to expand the wireless market by ensuring that products and services based on standards can interoperate seamlessly ("talk to each other" without loss of information or interference).
Some of the wireless standards groups in which NIST participates include:
As a trusted neutral organization with extensive technical expertise, NIST provides important advice and technical support to various industry-led standards groups. For example, as a member of the IEEE 802.15 Working Group on Wireless Personal Area Networks, NIST is conducting modeling and simulation of several wireless communication protocols under consideration, including the Bluetooth, Home RF, and 802.11 Wireless LAN proposed standards, which all operate on the same unlicensed 2.4 GHz frequency. The IEEE 802.15 group will use NIST's modeling and simulation information to develop standards and guidance to ensure interoperability of these three different protocols, so that devices using the different technologies can communicate with each other.
17. Did NIST's FY 2001 budget request to OMB include $6 million for a new Emergency Services Advanced Technology (ESAT) Program?
Answer: NIST's 2001 budget request to OMB contained a $1 million increase to develop predictive methods, measurements, and standards to advance technologies for (1) fire detection and alarm systems and (2) fire fighting. Core research of the larger ESAT program were part of this request. However, the President's budget request for FY 2001 does include $6.7 million for fire research at NIST.
17a. How would a program like ESAT provide advanced technologies for use in fighting fires? What are some examples of technologies that a program like ESAT could adapt for emergency services?
Answer: This research would be accomplished by both technical activities of the NIST laboratories and its research partners funded through the NIST grants program. NIST has a long history of working with industry and the fire service to understand the fire environment and to provide technology that can improve the safety and effectiveness of fire fighting. Information gained through NIST research and that of its partners will provide the basis for advances that can be rapidly commercialized and accepted by the fire service. ESAT will convert the fire ground from dangerous information poor working environment to a safer information rich environment consistent with modern technology.
Examples of expected technology from the ESAT program are:
17b. What precludes commercial industry from developing and marketing these
proposals without government involvement? How would ESAT improve that
situation?
Answer: From discussions with fire fighting equipment manufacturers, it is clear that the relatively small size of the fire service market precludes industry from investing in multi-million dollar research efforts to bring emergent technologies to the fire service. As fire departments are funded from municipal budgets, no department can afford research efforts needed to develop or adapt advanced technologies for their response needs. The only way that advanced technology equipment can be provided at prices that are affordable to paid and volunteer fire departments is for the Federal Government to fund and assist in the performance of enabling research and field evaluations of prototype hardware. The ESAT program can move near-mature technologies forward so that they can be commercialized and made available at a price were they can be widely deployed by the nation's fire services.