On Tuesday January 27th, the Research and Technology Subcommittee of the House Science, Space, & Technology Committee held it’s first hearing of the 114th Congress. The topic was expanding cyber threats and cybersecurity, and the subcommittee heard from experts from both the private sector and government agencies. Assistant Director of CISE, Jim Kurose, testifying for the first time in his new position, told the subcommittee that sustained investment in basic research is need to combat these threats and that it is a socio-technological issue that requires involvement from behavioral researchers as well.
Subcommittee Chairwoman Barbara Comstock (R-VA) opened the hearing making the point that, “advances in technology and the growing nature of every individual’s online presence means cybersecurity needs to become an essential part of our vernacular.” Further elaborating on the threats the country is dealing with, she went on:
Instances of harmful cyber-attacks are reported regularly and expose the very real threats growing in this area. Financial information, medical records, and personal data maintained on computer systems by individuals and organizations continue to be vulnerable. Cyber-attacks on companies like Sony or Target and the U.S. Central Command will not go away and we have to constantly adapt and intercept and stop these threats before they happen and understand where and how they are happening and stay ever vigilant. Utilizing targeted emails, spam, malware, bots and other tools, cyber criminals, “hacktivists” and nation states are attempting to access information technology systems all the time. The defense of these systems relies on professionals who can react to threats and proactively prepare those systems for attack. (Citation)
Ranking Member Daniel Lipinski (D-IL), in his own opening statement, agreed with the chairwoman, saying that, “cybercrimes are ever-increasing. The threats are not only growing in number, but in the level of sophistication.” There was no dissenting opinions from any members of the subcommittee, Democrat or Republican, that cyber threats are real or that the country needs to do more to understand and combat them.
The witnesses for the hearing represented the cybersecurity community quite well. In addition to Dr. Kurose, there was Cheri McGuire , Vice President, Global Government Affairs & Cybersecurity Policy, Symantec Corporation, who shared the insights her company has from their customers and global security network; Charles Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology (NIST), which is the lead agency within the Federal Government in creating standards and distributing best practices throughout the cybersecurity community; Eric A. Fischer, Senior Specialist in Science and Technology, Congressional Research Service, who spoken about the long term challenges and short term needs of the cybersecurity, as well as the Federal role in the field; and Dean Garfield, President and CEO, Information Technology Industry Council, who provided the IT industry perspective of what is going within the industry and how Congress can help. You can read their individual testimony on the Science Committee website.
To sum up, all the witnesses agreed that what was most needed is a sustained investment in basic research for cybersecurity, as well as research into how people interact/use cybersecurity technology. As Dr. Kurose put it, any solutions will be “socio-technical” ones; behavioral research is needed just as much as the physical science research. As well, more interactions between Federal agencies, particularly NIST, and industry is needed in order to get the latest information on threats and best practices. This was brought up, not so much because there is bad or no interaction now (many witnesses stated the opposite; NIST was highly praised by both witnesses and members of the subcommittee) but that the threats change so quickly, necessitating close communication.
Many of the questions asked by committee members showed an interest and a realization of the challenges in cybersecurity. Chairwoman Comstock asked all the witnesses on how Congress should engage their constituents on this matter; the general response being that everyday people need to take this issue seriously and use the security tools that are available. Ranking Member Lipinski asked Mr. Garfield of the IT Industry Council if there is anything different that should be done within the Federal government R&D portfolio; the response was nothing new needs to be done but adequate funding is needed. Rep. Randy Hultgren (R-IL) asked about the status of research to get “beyond the password;” Mr. Garfield pointed out that many new security features and technology is already being deployed into the marketplace. There were even questions about how threats to personal information, such as fraudulent credit card usage, are tracked; this certainly demonstrated the everyday concerns for regular people that can dominate this discussion.
All in all, it was a very informative hearing. One gets the sense that the members of Congress walked away with a good picture of the threats and what is being done about it. And aside from a few off-topic political questions, there was no grandstanding or disagreement (something that is becoming rarer on the committee, sad to say). Hopefully this augurs well for the coming year and this topic specifically.
Photo by CERDEC
Steven Aftergood, of the always excellent Secrecy News blog, notes the release of a new report by the JASON panel, an influential, independent advisory committee for the Department of Defense that focuses on issues in science and technology, on the “Science of Cyber Security.” Specifically, DOD asked the panel to examine the theory and practice of cyber security, and “evaluate whether there are underlying fundamental principals that would make it possible to adopt a more scientific approach.”
The committee has released their report on the issue (the Federation of American Scientists managed to obtain a copy (pdf)), have concluded that there is a science of cyber security, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.” The primary recommendation of the committee is to have the DOD sponsor “multiple cyber-security science based centers and projects within universities and other research centers.” The programs should have “a long time horizon and periodic reviews of accomplishments.”
Centers, the panel believes, have several attractive features:
- they give the sponsors access to the best ideas and people;
- they give the sponsor a chance to bias the work towards their versions of common problems;
- there is an opportunity for these centers and programs to leverage a unique collection of resources internal to the DOD, including defensive data and experience from running internal networks.
The centers would be different than DARPAs projects in that the centers “would be expected to make steady progress on a broad set of topics, rather than limit themselves to revolutionary ideas or to try to solve the latest cyber-security crisis.”
Centers would also act as connecting points for the software industry, which would accelerate the translation of new ideas into useful tools for developers. The panel believes that this would correct a long-standing deficiency wherein some very sophisticated approaches to assessing and reasoning about the security of current systems are not available in the form of developer tools, perhaps because there’s insufficient market for the private development of the tools.
A number of representatives from academia, industry and government briefed JASON on the issues, including CRA’s Government Affairs Chair Fred Schneider.
JASON reports often form the basis of action within DOD on S&T matters, and there’s no reason to suggest that the recommendations in this report won’t get consideration. Whether the investment in centers actually happens is, of course, also dependent on the DOD’s budget situation, which is in a bit of flux at the moment until Congress hammers out a final agreement on an FY 11 budget and the Administration releases its plan for FY 12. But it wouldn’t be surprising to see an effort to incorporate the reports recommendations in future DOD budgets.
In any case, the report is well-written and well worth a read.
This week the Government Accountability Office (GAO) released a report urging the White House Office of Science and Technology Policy (OSTP) to come up with a clear and comprehensive cybersecurity R & D strategy. The report, prepared by request of the House Committee on Homeland Securty, called upon OSTP to show more leadership in the creation of an R & D plan.
“The report notes that officials within the White House’s Office of Science and Technology Policy’s Subcommittee on Networking and Information Technology (NITRD) are endowed with a leadership role in terms of coordinating cybersecurity R&D efforts, they haven’t taken advantage of that role. Despite GAO recommendations and responsibilities laid out in legislation, NITRD has never prioritized a national or federal R&D agenda.”
“The report recommends that the White House follow the Bush administration’s National Strategy to Secure Cyberspace, which urged the creation of near-term, mid-term and long-term goals for cybersecurity R&D. The report notes that OSTP is only in the beginning stages of creating such an agenda and updating its 5-year plan for cybersecurity R&D.”
These conclusions about NITRD’s role aren’t surprising. The computing research community has had long-standing concerns about the ability of the NITRD NCO to exercise a leadership role in coordinating the federal IT R&D investment. A big part of that inability to lead comes down to the NCO’s lack of budgetary authority, but that’s a reality of the federal budget process — there’s no way federal agencies will cede control of a piece of their budgets to some central coordinating office (other than OMB). As a result, NITRD becomes less about leadership and coordination and more about agencies reporting what they plan to do and the NCO collecting that information.
It will be interesting to see whether the PCAST’s new look at NITRD, now underway and due in late August or September, will address these cyber security concerns. That review is being shepherded by PCAST members Eric Schmidt, CEO of Google, and Shirley Ann Jackson, President of RPI, and driven by a subcommittee led by Ed Lazowska, Chair of CRA’s Computing Community Consortium and professor computer science at University of Washington, and David E. Shaw, head of D.E. Shaw and Co. (We’ll have more on the PCAST study in a later post…).