Statement of Dr. Arden L. Bement, Jr.
Director, National Institute of Standards and Technology, Technology Administration
Before the Committee on Science, House of Representatives
“Cybersecurity Research and Development”
Chairman Boehlert, Mr. Hall and Members of the Committee, thank you for this opportunity to testify today about the contributions of the National Institute of Standards and Technology (NIST) to strengthening the Nation’s cybersecurity. Let me congratulate you for your tremendous leadership in advancing robust programs to protect our nation’s information infrastructure from attack. I know that Technology Administration Under Secretary Phil Bond and I look forward to working very closely with you to turn your visions into reality. I would like to address the questions you asked in your invitation to testify and tell you about the many important cybersecurity activities currently underway at NIST.
Protecting our Nation’s critical infrastructure is of vital importance to our economy and our well-being. The terrorist attacks of
The success of the Internet—connecting more than 100 million computers and growing—has far outstripped its designers’ wildest expectations. Although the Internet was not originally designed to control power systems, connect massive databases of medical records or connect millions of homes, today it serves these functions. It was not designed to run critical safety systems, but it now does that as well. We rely heavily on an open system of networks, so complex that no one person, group or entity can describe it, model its behavior or predict its reaction to adverse events. The porous nature of the
Helping to ensure the confidentiality, integrity and availability of civilian information is essential to the functioning of our economy and indeed to our democracy. To this end, NIST has had a long-standing and successful role in working with federal agencies and industry to ensure the protection of non-national-security-related cyber and information systems through standards and guidelines development, testing methodologies, conformity assessment and complementary supporting research.
In 2001, Secretary Evans approved the Advanced Encryption Standard (AES) as a federal security standard. I am pleased to report that the standard is being actively adopted by voluntary standards bodies and implemented by vendors. In fact, over 70 commercial implementations of the AES have already been validated through our Cryptographic Module Validation Program.
Enactment of the Cyber Security Research and Development Act (CSRDA) of 2002 and the Federal Information Security Management Act (FISMA) of 2002 has reinforced our long-standing statutory responsibilities for developing Federal cybersecurity standards and guidelines and conducting commensurate security research. We fully appreciate and are grateful for the trust and support provided by the House Science Committee to NIST in assigning us responsibility for these critical roles. We see both of these important new laws as a “vote of confidence” in our past work and an expectation of continuing successful achievements in the future.
Today I would like to review the new statutory assignments to NIST, provide you an overview of NIST’s cybersecurity activities, and discuss some of the challenges we continue to confront.
NIST Responsibilities Under the Cyber Security Research and Development Act of 2002
Under the legislation, NIST is assigned responsibilities to
NIST Responsibilities Under the Federal Information Security Management Act (FISMA) of 2002
Responsibilities assigned to NIST under FISMA include:
FISMA also contained a number of specific assignments, including development of:
With these broad legislative mandates in mind, let me review NIST’s activities and accomplishments in the areas of intramural research, security grants, and a planned National Research Council study.
Recent NIST Intramural Cybersecurity Accomplishments
In addition to the extraordinary success of the Advanced Encryption Standard, NIST has made a number of major contributions to cybersecurity standards and guidelines, research, and testing in order to thwart the kinds of economically disabling attacks noted previously. Here is but a sampling of numerous successes and ongoing activities:
Security Guidelines and Standards
Our base program targets the development of standards and guidelines in support of our Federal responsibilities. In 2002-2003, NIST published 12 security guidelines covering a wide variety of topics such as email, firewalls, telecommuting and business systems contingency planning. We have also published 10 draft guidelines for review by Federal departments and agencies as well as other interested organizations and individuals concerning such topics as certification and accreditation, awareness and training, and considerations in Federal information technology procurements. The certification and accreditation guidelines are a key component needed for successful implementation of the e-government and FISMA mandates for federal agencies. Additionally, we have issued numerous NIST Information Technology Laboratory (ITL) Bulletins during the last year to provide guidance to agencies and others on a broad list of topics. Our guidelines and standards provide leadership to industry, as much of our work is voluntarily adopted in industry. For example, our Smart Card Interoperability Specification has been adopted by federal agencies and is now being considered for adoption by an ANSI standards committee and eventually as an international standard. All of our work is posted on our
Security Testing
I mentioned previously the Cryptographic Module Validation Program, through which a number of new algorithms that use the Advanced Encryption Standard are being tested. The CMVP, as it is known, is operated in conjunction with the Government of Canada’s Communications Security Establishment. The Cryptographic Module Validation Program has now validated over 500 modules, with another 100 or more expected within the next year. This successful program utilizes private-sector accredited laboratories to conduct security conformance testing of cryptographic modules against the cryptographic Federal standards NIST develops and maintains. To give you a sense of the quality improvement that the program achieves, consider that our statistics from the testing laboratories show that 48 percent of the modules brought in for voluntary testing had security flaws that were corrected during testing. In other words, without our program, the Federal government would have had only a 50/50 chance of buying correctly implemented cryptography!
In addition, in recent years we have worked to develop the “Common Criteria,” which can be used to specify security requirements. These requirements are then used by private-sector laboratories, accredited by NIST, for the voluntary evaluation of commercial products needed for the protection of government systems and networks. This work is undertaken in cooperation with the Defense Department’s National Security Agency in our National Information Assurance Partnership (NIAP). You may be aware that the National Strategy to Secure Cyberspace calls for a review of the NIAP. We have begun staff discussions with NSA to identify ways we might improve the process through research and process changes, and to understand the resources needed for NIAP to fully succeed.
Access Control
One of the basic tenets of IT security is controlling access to vital IT resources: answering the question, “who is allowed to do what?” A NIST research team created a new approach to controlling user access, called Role-Based Access Control (RBAC). What is most striking about RBAC is its rapid evolution from a theoretical model to commercial implementation and deployment. An independently conducted, NIST-sponsored economic impact study estimated that RBAC will soon be used by some 30 million users for access to sensitive information. Further, the study estimated that RBAC technology will save the
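To show how RBAC answers “who is allowed to do what?”, here is an added example (my own code, not NIST’s or any vendor’s) following the structure of the RBAC model: users are assigned to roles, roles are assigned permissions, senior roles inherit junior roles’ permissions, and a static separation-of-duty rule blocks conflicting role combinations at assignment time. The users, roles and permissions are constructed for illustration.

```python
from collections import deque


class RBAC:
    """Minimal RBAC policy: users -> roles -> (operation, object) permissions."""

    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object)
        self.user_roles = {}   # user -> set of directly assigned roles
        self.juniors = {}      # role -> roles it inherits permissions from
        self.ssd = []          # (set of conflicting roles, max a user may hold)

    def add_role(self, role, *juniors):
        self.role_perms.setdefault(role, set())
        self.juniors.setdefault(role, set()).update(juniors)
        for j in juniors:
            self.add_role(j)   # make sure inherited roles exist

    def grant(self, role, operation, obj):
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def add_ssd(self, roles, max_roles):
        self.ssd.append((frozenset(roles), max_roles))

    def authorized_roles(self, role):
        """The role plus every role it inherits, following the hierarchy."""
        seen, todo = set(), deque([role])
        while todo:
            r = todo.popleft()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user, role):
        """Assign a role, refusing it if the effective roles break an SSD rule."""
        proposed = self.user_roles.get(user, set()) | {role}
        effective = set().union(*(self.authorized_roles(r) for r in proposed))
        for conflict, limit in self.ssd:
            if len(effective & conflict) > limit:
                raise ValueError(f"SSD violation: {user} would hold {sorted(effective & conflict)}")
        self.user_roles[user] = proposed

    def check(self, user, operation, obj):
        """Is the user allowed to perform operation on obj via any held role?"""
        return any((operation, obj) in self.role_perms.get(ar, ())
                   for r in self.user_roles.get(user, ())
                   for ar in self.authorized_roles(r))


def build_demo():
    """Constructed policy: manager > clerk > employee; auditor > employee."""
    p = RBAC()
    p.add_role("clerk", "employee")
    p.add_role("manager", "clerk")
    p.add_role("auditor", "employee")
    p.grant("employee", "read", "handbook")
    p.grant("clerk", "create", "payment")
    p.grant("manager", "approve", "payment")
    p.grant("auditor", "read", "ledger")
    p.add_ssd({"clerk", "auditor"}, 1)   # nobody both creates and audits payments
    p.assign("alice", "manager")
    p.assign("bob", "auditor")
    return p
```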
And there are many, many other activities too numerous to describe here, including significant efforts in the critical areas of the security of systems controlling the U.S. critical infrastructure, mobile device security, network security, and security awareness. We also need to be aware of the specific needs of our Federal customers and work closely with them to achieve our mission. For example, OMB has asked us to assist in the preparation of E-Authentication technical guidelines in support of the E-Government initiatives. And there are related areas of research, such as biometrics (under mandates from the USA Patriot Act) and computer forensics (used to build evidence for court cases against terrorists), in which NIST is making extraordinary contributions to the nation’s efforts to secure the critical infrastructure of the country. So, in addition to our $10M base funding for cyber security, we leverage another $14M to enable the use of technologies that support the nation’s cyber infrastructure.
But even with our very active program and considerable interactions with industry and federal agencies, the list of critical tools still to be developed is daunting. The need for trustworthy computing systems is a theme we hear from various economic sectors on a daily basis—from financial institutions, from health care professionals, from owners and operators of utility companies—all are in need of mechanisms by which they can be assured that the information they exchange is available, confidential, and that its integrity is assured. And as the complexity of systems grows, with components becoming smaller and systems on a chip becoming ubiquitous, some of the biggest challenges are in ensuring the integrity of information as it flows from component to component within a system. This is a major area of research on our horizon. So, while we move ahead with the critical tasks that already are on our agenda, we will give new activities priority in our base program as resources are available.
Interaction with Other Federal Government Agencies
We accomplish our mission working side by side with our federal partners. NIST understands the Committee’s desire for greater interagency coordination and collaboration for successful science and technology initiatives, and we have been reaching out to supplement and assist other Federal agencies. Our Technology Administration is preparing a Memorandum of Understanding with the Science and Technology Directorate of the Department of Homeland Security (DHS), which will be signed by Under Secretary Bond and DHS Under Secretary McQueary. This MOU will establish a formal mechanism for NIST to cooperate with DHS in fulfilling their many homeland security responsibilities, including cybersecurity R&D. The MOU is being prepared for signature by the two departmental bureaus on May 19. We have detailed one NIST senior scientist to the DHS S&T Directorate to assist with standards efforts and to avoid duplication of effort. Also, we have regular interactions with NSF and OSTP, for example in the INFOSEC Research Council (IRC). The IRC provides a community-wide forum to discuss critical information security issues, convey the research needs of their respective communities, and describe current research initiatives and proposed courses of action for future research investments. Additionally, we have invited NSF representatives to meet with our Information System Security and Privacy Advisory Board at its June meeting.
We have had a long and successful relationship with DARPA in a number of research areas, particularly in the areas of networks, biometrics and language recognition technologies.
National Research Council Study of Network Vulnerabilities
As mandated by CSRDA, we are also moving forward with a National Research Council study to review the vulnerabilities and interdependencies in our critical infrastructure networks and identify appropriate research needs and associated resource requirements. Working with our NRC colleagues, we have already identified a study director and are ready to initiate this study.
Cybersecurity Research Grants
Now, not all of our work has been accomplished from within the federal government. NIST has provided twelve cybersecurity research grants in the past: one to the Critical Infrastructure Protection Project; nine under the NIST 2001 Critical Infrastructure Protection Grants Program; and two to the Institute for Information Infrastructure Protection (I3P) at
NIST Critical Infrastructure Protection Grants Program
In September 2001, NIST awarded $5M to nine grant recipients under the FY 2001 Critical Infrastructure Protection Grants Program (CIPGP) to improve the robustness, resilience, and security of information in all the critical infrastructures. Under the competitive grant application process, we received 133 proposals requesting roughly $73M from applicants in both industry and academia. We selected proposals in intrusion detection, telecommunications, wireless security, electric power infrastructure, and compiler security.
Funded research addresses a variety of topics, including tools and methods for analyzing security and detecting attacks due to vulnerabilities introduced by the merging of data networks (i.e., the Internet) and voice networks (i.e., the public switched telephone network). Other topics addressed are attack detection for wireless and converged networks, the development of security controls for protecting the North American power grid, and methods for evaluating intrusion detection systems.
While results from the Grants program are still preliminary, and some projects will not be completed due to a discontinuation of program funding in FY 2002, we will still produce important results, especially in the wireless area, converged data/IP networks, and security of the electric power infrastructure.
Cybersecurity Funding Increases
NIST takes its cybersecurity responsibilities very seriously, and we appreciate your confidence in our abilities as witnessed by passage of the Cyber Security Research and Development Act and the Federal Information Security Management Act (FISMA). We also appreciate that in FY 2003 Congress provided $1M in funding for operation of our Computer Security Expert Assist Team capability, and approximately $2M for wireless security and networks via our Program to Accelerate Critical Information Technologies initiative.
The President’s FY 2004 budget request includes increased funding for two existing NIST program areas related to cybersecurity research:
Biometrics Standards
The FY 2004 request includes $1M specifically for standards for biometric identification, in continuing support of the USA PATRIOT Act, to develop a national biometric identification system, using unique physical characteristics such as fingerprints, facial features, and eye patterns, to accurately identify people entering the
Quantum Information Systems
The FY 2004 $3M requested for work in quantum information science will also have significant cybersecurity benefits. Quantum mechanics, the strange behavior of matter on the atomic scale, provides an entirely new and uniquely powerful way for computing and communications, potentially replacing the current binary computing and digital communications based on ones and zeros, and could have enormous impacts in homeland security. Quantum computers could perform processing tasks that are currently impossible. They also could solve problems that conventional computers could not manage given realistic amounts of time, memory, and processing power.
This enormous computational power would be particularly valuable in cryptography, making codes that would be unbreakable by the best supercomputers of tomorrow, or breaking codes in seconds that could not be cracked in years by the most powerful binary computers. Quantum information also can be used for remarkably secure communications. In this particular area, we are partnering closely with DARPA.
With the requested funding, NIST will work to develop the measurements and standards infrastructure (hardware and software) critical to the development of a quantum communications system. This includes methods to test and verify the actual performance characteristics of these systems, to determine their security properties, and to enable integration of such systems into the existing communications infrastructure.
In conclusion, NIST takes its role in cybersecurity seriously and will work with the Committee to ensure that we are able to carry out our mandate to work with industry, academia, and standards development organizations to assure the secure flow of vital and sensitive information throughout our society. These examples of our work and accomplishments demonstrate NIST’s commitment to cybersecurity across the government and the Nation. They also demonstrate the base upon which NIST hopes to build our efforts. It is an absolutely critical national need, and it is fundamental to providing the technical testing, standards and guidelines needed to protect our information infrastructure.
I am grateful to Chairman Boehlert for holding this hearing, and for his support of NIST’s programs.
This concludes my prepared remarks. I will be pleased to answer your questions.