Statement of

Raymond G. Kammer

Director

National Institute of Standards and Technology

Technology Administration

U.S. Department of Commerce

before the

House Science Committee's

Subcommittee on Technology

September 30, 1999

Good afternoon. Thank you, Madame Chairwoman, for inviting me here today to testify on H.R. 2413, the Computer Security Enhancement Act of 1999. I am Ray Kammer, Director of the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce's Technology Administration. You may recall that I testified before you in April on the Melissa computer virus and on Web security in June. It is a pleasure to be back again. Your continued attention to computer security issues is most appropriate, given our growing dependence upon technology for more and more of the business of our daily lives -- both personal and professional. Today I would like to start by briefly reviewing our computer security responsibilities and program. Then I propose to share with you our views on how the Computer Security Enhancement Act of 1999 will strengthen our program and the security of Federal agencies.

NIST'S COMPUTER SECURITY RESPONSIBILITIES

In the area of computer security, NIST has specific statutory responsibilities for developing standards and guidelines to assist Federal agencies in the protection of sensitive unclassified systems. This is in addition to our broad mission of strengthening the U.S. economy -- including improving the competitiveness of America's information technology (IT) industry. In support of this mission, we conduct standards and technology work to help industry produce more secure, yet cost-effective, products, which we believe will be more competitive in the marketplace. Having more secure products available in the marketplace will, of course, also benefit agencies, since they will be using commercial products to secure their systems.

NIST's Computer Security Division in our Information Technology Laboratory (ITL) is the focal point of our security program. Our program focuses on a few key areas: cryptographic standards and guidelines; public key infrastructure; security research; agency assistance and the National Information Assurance Partnership, which is jointly managed by NIST and the National Security Agency to focus on increasing the number and quality of IT security products. A few examples of our work include our efforts on the Advanced Encryption Standard (AES), and on emerging technologies for protecting Internet security and interoperability to support public key infrastructure technology. Approximately $5 million of direct Congressional funding supports both the Federal and industry computer security responsibilities that I spoke of earlier. In addition, we work with Federal agencies, receiving approximately $3 million in outside agency funding to provide technical assistance on particular projects.

Our Federal responsibilities, as assigned in the Computer Security Act (P.L. 100-235), focus on "developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems." For example, NIST has recently published updated guidelines for training employees in computer security. NIST also sets security cryptographic standards for Federal agencies. We support these standards by operating a conformance testing program that enables agencies to have confidence that cryptographic security products meet government standards. NIST's standards, guidelines, and other products and services assist agencies in implementing their computer security programs as required by Office of Management and Budget (OMB) Circular A-130, Appendix III, "Security of Federal Automated Information Resources." Detailed information about our work products is available at our Computer Security Resource Clearinghouse (http://csrc.nist.gov). Among other publications, NIST's Information Technology Laboratory publishes bulletins to provide timely, up-to-date information on significant security issues. We encourage all agencies to make use of the many resources available through our clearinghouse.

NIST also works closely with Federal officials and organizations with related computer security responsibilities. We are engaged with the Chief Information Officers' Security Committee and officials of the Critical Information Assurance Office to offer our perspective and expertise to their efforts. We work closely with the Federal Public Key Infrastructure Steering Committee under the Government Information Technology Services Board, and chair their Technical Working Group to promote the use of public key technology within Federal agencies. We host and chair an informal information sharing group of Federal computer security program managers, to assist in information sharing among agencies and reduce the potential for costly duplication of work. We work closely with computer security educators to improve the quality of security training to Federal agencies. We are engaged with those organizations responsible for the security of classified systems to identify when their technology and solutions may be cost-effectively adapted to protect unclassified systems. NIST supports and serves as Secretariat for the Computer System Security and Privacy Advisory Board, which assists us by providing advice from an outside perspective. And, finally, we work closely with the Office of Management and Budget on issues regarding Federal implementation of OMB Circular A-130, Appendix III, which provides a consistent framework for security among all Federal agencies.

I would also like to mention the President's very recent request for an additional $39 million in FY 2000 for initiatives proposed to protect the critical infrastructure, in both the Government and the private sector, that is necessary to ensure our national security, national economic security, and public health and safety. A total of $5 million from this request will be provided to NIST. This Critical Infrastructure Protection (CIP) proposal will establish an Expert Review Team at NIST, which will assist agencies Government-wide in adhering to Federal computer security requirements. We will consult with the Office of Management and Budget and the National Security Council on the team's plan to protect and enhance computer security for Federal agencies.

Of the additional $5 million requested, $2 million will fund a 15-member team responsible for helping agencies identify vulnerabilities, plan secure systems, and implement CIP plans. The remaining $3 million will establish an operational fund at NIST for computer security projects among Federal agencies. Such projects would include independent vulnerability assessments, computer intrusion drills, and emergency funds to cover security fixes for systems identified as having unacceptable risks.

THE COMPUTER SECURITY ENHANCEMENT ACT OF 1999: STRENGTHENING AND UPDATING THE COMPUTER SECURITY ACT OF 1987

Two years ago, at the tenth anniversary of the Computer Security Act of 1987, the Computer System Security and Privacy Advisory Board met to discuss whether changes needed to be made to the Act. The Board solicited views from the private and public sectors. The Board did not recommend any changes to the Act -- a fact discussed with you in prior testimony. The Board's position supports my view that the Act remains an appropriate overall framework for addressing Federal computer security issues. That said, it is also the case that technology continues to develop, which is reflected in the broad intent and important specific updates proposed in the Computer Security Enhancement Act of 1999, upon which we are focused today.

I would like to commend the Committee and the authors of this bill for recognizing the importance of securing sensitive Federal systems and proposing steps to update the Act to reflect advances in technology since its passage. Introduction of the bill has already served to remind agencies of their responsibilities to provide appropriate, cost-effective security for their sensitive information in computer systems.

In a variety of respects, the bill is consistent with and reinforces our current responsibilities for leadership in developing standards and guidelines for the security of Federal systems. It also reinforces our work with the private sector in developing and implementing voluntary standards, guidelines, and conformity assessment practices and techniques. The bill recognizes the importance that authentication technologies will play in securing our Federal government systems and networks. It also highlights the importance of securing publicly accessible systems, promotes our work with industry to improve the security of commercial products, and further stresses the need for Federal agencies to use these products to meet their security requirements.

We are pleased to see the bill's positive focus on training to improve the number and quality of computer security experts by establishing a computer security fellowship program. NIST, in its continuing efforts to recruit, train, and retain top-notch computer security experts, is keenly aware of the need for increased attention to IT security research and training individuals to conduct research and develop the standards and guidelines needed by Federal agencies. Federal Government support is critical, and we strongly support your efforts to provide for these fellowships. In carrying out this activity, we would consult with the National Science Foundation, which has the lead in graduate study and training in this area.

The bill will help us promote the use of security technologies to secure the nation's information infrastructure by increasing public awareness of information security threats. In many ways, this bill will help us to do a better job of promoting security and strengthening our nation's protection against emerging threats to our systems.

Having put in context how the bill will help our mission and improve the security of Federal systems, let me state our clear desire to work with the Committee and the bill's sponsors to improve the bill's provisions based on the following observations and suggestions. In making these points, I want to divide our comments between the provisions that were drawn from the original Computer Security Enhancement Act, and those that have been incorporated from H.R. 1572, introduced earlier this year. As I just indicated, a number of provisions in this bill are carried over from earlier versions of the Computer Security Enhancement Act. Let me address those.

First, the bill proposes in Section 4 to assign NIST responsibility "to coordinate Federal response efforts related to unauthorized access to Federal computer systems." NIST can certainly play an important role in developing guidance on responding to incidents, including unauthorized intrusions. We do not believe it is appropriate to place NIST in a central operational capacity to coordinate specific agency responses to specific intrusions. Rather, agencies need to have programs and procedures in place, drawing upon NIST guidance, to address such situations, including appropriate coordination with law enforcement personnel.

Second, Section 5 would require NIST to emphasize the development of technology-neutral policy guidelines for computer security practices by Federal agencies. Technology neutrality is consistent with the Government Paperwork Elimination Act, with respect to the legal effect of authentication technologies. That said, specific technologies have differing security strengths, costs, and benefits. They are not interchangeable from a security point of view. We take this into account in our choices of technical work activities. While policy guidelines should be neutral, Federal agencies need to know the benefits and costs of various technologies to facilitate the selection of appropriate security solutions to meet specific agency missions and customer needs. We do not want this section to be misinterpreted to preclude appropriate technical activities and the development and issuance of needed specific technical guidance and standards.

Third, Section 6, as currently written, would require NIST to solicit recommendations of the Computer System Security and Privacy Advisory Board before submitting a proposed Federal standard to the Secretary, and to submit the Board's recommendation along with the proposed standard to the Secretary. We currently inform the Board of proposed standards during our public comment process, solicit their comments, and welcome their recommendations and views. Of course, we cannot compel the Board to make a recommendation on any particular matter. As currently drafted, this provision could delay the approval of a needed standard. For example, from time to time a serious flaw may be found in a standard, requiring immediate corrective action, and sometimes we issue non-controversial standards that raise no significant technical or policy issues. We agree with the intent of this section, however, and we would be happy to work with the Committee to develop language that would enable NIST and the Board to continue to work together in a timely and productive fashion.

Fourth, Section 7, "Limitation on Participating in Requiring Encryption Standards," would prohibit NIST from promulgating, enforcing, or otherwise adopting standards for the Federal establishment of encryption standards required for use in computer systems other than Federal Government computer systems. Although NIST does not have any authority -- and no desire -- to impose encryption standards on the private sector, we are concerned that this language might be misunderstood to preclude NIST from collaborating with the private sector on standards that are likely to be used by both the private and public sectors. For instance, NIST works closely with the American National Standards Institute's (ANSI) banking standards community on voluntary security standards for use by the financial services industry. We would not want such productive work to be precluded. Again, we would be happy to work with the Committee to develop clearer language.

Let me now turn to provisions that appear to be drawn from H.R. 1572, introduced earlier this year.

As this Committee knows, the Administration has articulated a workable policy in this area that promotes market-driven, industry approaches to the issue of authentication. In many respects, the private sector is moving to examine the issues related to authentication and implement appropriate technologies and models to meet real needs. Likewise, our government agencies -- at both Federal and state levels -- are developing the experience and testing models for how best to provide authentication mechanisms that work, provide confidence, and meet specific needs of both users and agencies.

The Administration is committed to using the new information technologies to enable electronic transactions between government agencies and their customers. That is why we supported the Government Paperwork Elimination Act, which the President signed into law last year. As directed by that statute, the Office of Management and Budget has issued draft implementing guidance on electronic signatures, and is now in the process of formulating final guidance -- based on public comments -- to meet that law's April 2000 deadline.

Sections 13(a)-(d) call for NIST to develop guidelines specifying how agencies would implement various authentication methods, minimum interoperability specifications, and validation criteria for testing, as well as minimum technical criteria for the use of electronic certification and management systems. We would like to work with the Committee to address a number of implications of these provisions.

To the extent that more detailed guidelines, criteria, and evaluations are desirable, it would be appropriate to tie them to the guidance required by existing law. Thus, following issuance of the final guidance, it might be appropriate for the Director of NIST to convene government and industry representatives to discuss the merits of developing more detailed guidance that, for example, linked the OMB criteria more clearly to the specific characteristics of products available in the commercial marketplace. That might enable government agencies to make more informed purchasing decisions.

Turning to Section 11, we believe that the NRC study described in that provision would develop useful information concerning the use of public key infrastructures by individuals, business, and government. That would supply a valuable baseline for future action in this area.

Finally, Section 13(e) establishes a "National Policy Panel for Digital Signatures" in the Office of the Under Secretary. We would like to work with the Committee on this proposal, keeping in mind Administration policy that standards and practices in the area of electronic commerce should be industry and market driven. The Panel would be empowered to develop model practices and procedures, guidelines and standards, and audit procedures. We have concerns that this could be interpreted as the Government writing and publishing standards for the private sector. We would like to work with private sector organizations that are already involved in this effort and that are focusing the product of their effort on specific industry needs. The NRC study could provide important input for this determination.

Thank you again for the opportunity to testify today on the Computer Security Enhancement Act of 1999. We look forward to working with the Committee and accomplishing our mutual goal of strengthening the security of Federal systems. At this time I would be happy to answer any questions that the Committee might have.