Sustained investment in research is needed to combat cyber threats, CISE AD tells Congress

On Tuesday, January 27th, the Research and Technology Subcommittee of the House Science, Space, & Technology Committee held its first hearing of the 114th Congress. The topic was expanding cyber threats and cybersecurity, and the subcommittee heard from experts from both the private sector and government agencies. Assistant Director of CISE, Jim Kurose, testifying for the first time in his new position, told the subcommittee that sustained investment in basic research is needed to combat these threats and that it is a socio-technological issue that requires involvement from behavioral researchers as well.

Subcommittee Chairwoman Barbara Comstock (R-VA) opened the hearing making the point that, “advances in technology and the growing nature of every individual’s online presence means cybersecurity needs to become an essential part of our vernacular.” Further elaborating on the threats the country is dealing with, she went on:

Instances of harmful cyber-attacks are reported regularly and expose the very real threats growing in this area. Financial information, medical records, and personal data maintained on computer systems by individuals and organizations continue to be vulnerable. Cyber-attacks on companies like Sony or Target and the U.S. Central Command will not go away and we have to constantly adapt and intercept and stop these threats before they happen and understand where and how they are happening and stay ever vigilant. Utilizing targeted emails, spam, malware, bots and other tools, cyber criminals, “hacktivists” and nation states are attempting to access information technology systems all the time. The defense of these systems relies on professionals who can react to threats and proactively prepare those systems for attack. (Citation)

Ranking Member Daniel Lipinski (D-IL), in his own opening statement, agreed with the chairwoman, saying that, “cybercrimes are ever-increasing. The threats are not only growing in number, but in the level of sophistication.” There were no dissenting opinions from any members of the subcommittee, Democrat or Republican, that cyber threats are real or that the country needs to do more to understand and combat them.

The witnesses for the hearing represented the cybersecurity community quite well. In addition to Dr. Kurose, there was Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy, Symantec Corporation, who shared the insights her company has from its customers and global security network; Charles Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology (NIST), which is the lead agency within the Federal Government in creating standards and distributing best practices throughout the cybersecurity community; Eric A. Fischer, Senior Specialist in Science and Technology, Congressional Research Service, who spoke about the long-term challenges and short-term needs of cybersecurity, as well as the Federal role in the field; and Dean Garfield, President and CEO, Information Technology Industry Council, who provided the IT industry perspective on what is going on within the industry and how Congress can help. You can read their individual testimony on the Science Committee website.

To sum up, all the witnesses agreed that what was most needed is a sustained investment in basic research for cybersecurity, as well as research into how people interact with and use cybersecurity technology. As Dr. Kurose put it, any solutions will be “socio-technical” ones; behavioral research is needed just as much as the physical science research. In addition, more interactions between Federal agencies, particularly NIST, and industry are needed in order to get the latest information on threats and best practices. This was brought up not so much because there is bad or no interaction now (many witnesses stated the opposite; NIST was highly praised by both witnesses and members of the subcommittee) but because the threats change so quickly, necessitating close communication.

Many of the questions asked by committee members showed an interest in, and a realization of, the challenges in cybersecurity. Chairwoman Comstock asked all the witnesses how Congress should engage their constituents on this matter; the general response was that everyday people need to take this issue seriously and use the security tools that are available. Ranking Member Lipinski asked Mr. Garfield of the IT Industry Council if there is anything different that should be done within the Federal government R&D portfolio; the response was that nothing new needs to be done but adequate funding is needed. Rep. Randy Hultgren (R-IL) asked about the status of research to get “beyond the password;” Mr. Garfield pointed out that many new security features and technologies are already being deployed into the marketplace. There were even questions about how threats to personal information, such as fraudulent credit card usage, are tracked; this certainly demonstrated the everyday concerns of regular people that can dominate this discussion.

All in all, it was a very informative hearing. One gets the sense that the members of Congress walked away with a good picture of the threats and what is being done about them. And aside from a few off-topic political questions, there was no grandstanding or disagreement (something that is becoming rarer on the committee, sad to say). Hopefully this augurs well for the coming year and this topic specifically.

Photo by CERDEC