COMMITTEE ON SCIENCE
U.S. HOUSE OF REPRESENTATIVES
HEARING CHARTER
Cyber Security—How Can We Protect American Computer Networks from Attack?
Wednesday, October 10, 2001
10:00am – Noon
2318 Rayburn House Office Building
1. Purpose
On
Wednesday, October 10, 2001 at 10:00 a.m. the House Committee on Science will
hold a hearing to examine the vulnerability of our
nation’s computer infrastructure as well as research-related challenges and
opportunities facing the nation’s computer networks.
Testifying
before the committee will be witnesses representing industry, academic,
government and non-profit organizations.
Witnesses will comment on gaps in research and education in the computer
security field. Since most of the
information infrastructure in the United States is owned and controlled by the
private sector, witnesses will also comment on ways to encourage collaborative
approaches to shoring up our ability to predict,
prevent, and mitigate attacks.
2. Background
The terrorist attacks of September 11, 2001 brought into
stark relief the nation’s physical and economic vulnerability to attack within
our borders. The relative ease with
which terrorists were able to implement their plans serves as a pointed
reminder of the need to identify critical ‘soft spots’ in the nation’s
defenses. Among the nation’s vulnerabilities are our computer and
communications networks, on which the country’s economic and critical
infrastructures for finance, transportation, energy and water distribution, and
health and emergency services depend.
The existence of these vulnerabilities has called into question the
extent to which the nation’s technological research programs, educational
system, and interconnected operations are able to meet the challenge of cyber
warfare in the 21st century.
The Los Angeles Times in a recent editorial emphasized the importance of meeting this challenge: “A cyberterrorist attack would not carry the same shock and carnage of September 11. But in this information age…one could be more widespread and just as economically destructive.”
Vulnerabilities of the National Information Infrastructure
The Internet serves as
a powerful mechanism for collaboration and interaction between individuals,
regardless of geographic location. The
Internet has proven to be a tremendous success – connecting more than 100
million computers and growing – far outstripping its designers’ wildest
expectations.
The Internet was not
originally designed to control power systems, connect massive databases of
medical records or connect millions of home appliances or automobiles, yet
today it serves these functions. It was
not designed to run critical safety systems but it now does that as well. We now heavily rely on an open network of
networks, so complex that no one person, group or entity can describe it, model
its behavior or predict its reaction to adverse events.
The porous fabric of the nation’s network infrastructure
leaves open the constant possibility of cyber attack. Attacks can take several forms, including: defacement of web
sites and other electronically stored information in the United States and
other countries to spread disinformation and propaganda; distributed denial of
service attacks, which use unprotected “zombie” computers anywhere as conduits
for wide-scale distribution of destructive worms and viruses throughout the
computer network; and unauthorized intrusions and sabotage of systems and
networks belonging to the U.S. and allied countries, potentially resulting in
critical infrastructure outages and corruption of vital data.
Along with the increase in network usage come more frequent security problems. Carnegie Mellon University’s CERT® Coordination Center, which serves as a reporting center for Internet security problems, received 1,090 vulnerability reports last year, more than double the number of the previous year. In the first half of 2001, CERT received 1,151 reports, with at least 2,000 reports expected by the end of the year. Similarly, the number of specific incidents reported to CERT has grown from about 1,300 in 1993 to more than 21,000 in 2000. CERT estimates that this may represent only about 20% of the incidents that actually have occurred.
The recent wide-scale attack by the so-called “Nimda”
worm is one example of a technique that modifies web documents and certain
executable files found on the systems it infects, and then creates numerous
copies of itself under various file names.
This followed attacks by “Code Red”, “Code Red II” and “SirCam”, which
affected millions of personal, commercial and government computer users, shut
down web sites, slowed Internet service, and disrupted business and government
operations, causing billions of dollars of damage.
Interdependence of Critical Infrastructures
The power of the Internet lies not only in its power
as a communications tool but also in its ability to link other systems together
in ways that vastly improve their productivity and efficiency. Nowhere has this been more evident than in
the linking together of our nation’s critical infrastructures. Critical
infrastructures include electric power, natural gas and petroleum production
and distribution, telecommunications (information and communications),
transportation, water supply, banking and finance, emergency and government
services, agriculture, and other systems and services critical to the security,
economic prosperity, and social well being of the nation. These critical infrastructures are now
highly interconnected and mutually dependent in complex ways, both physically
and through a host of cyber technologies.
In order to better understand our vulnerabilities to
cyber terrorism and understand the potential consequences of cyber attacks, the
Internet must no longer be studied solely as a separate system but also as one of
a network of interdependent critical infrastructures. While some research is being done to better understand the
threats to the Internet itself, little has been done to assess and project the
dramatic or subtle impact that these threats may have on other critical
infrastructures. These problems are
not hypothetical. While not the result of a cyber attack, the 1998 failure of
the Galaxy 4 communications satellite disrupted the use of 90% of the nation’s
pagers and disrupted credit card purchases and ATM transactions. The failure
also disrupted the communications of health care providers and emergency
workers.
Information Warfare Simulations—“Eligible Receiver”
In 1997, the U.S. conducted an information warfare
exercise that illustrated some of the implications of infrastructure
interdependence. Known as Eligible
Receiver, the scenario depicted a rogue state attempting to attack vulnerable
U.S. information systems. A “Red
Team” comprised of 35 National Security Agency computer specialists used
off-the-shelf technology and software to simulate attacks against power and
communications networks in Oahu, Los Angeles, Colorado Springs, St. Louis,
Chicago, Detroit, Washington, D.C., Fayetteville, and Tampa. According to the Congressional Research
Service, it is generally believed that government (including unclassified
military computer networks) and commercial sites were easily attacked and
penetrated. Air Force Major General
John H. Campbell, U.S. Space Command, commander of the DoD Joint Task Force—Computer
Network Defense wrote that the exercise “clearly demonstrated our lack of
preparation for a coordinated cyber and physical attack on our critical
military and civilian infrastructure.”
Officials familiar with the exercise later said that Eligible Receiver
showed in “real terms how vulnerable the transportation grid, the electricity
grid, and others are to an attack by people using conventional equipment.”
Underlying Causes of the Nation’s Vulnerability to Cyber Attack
There are several underlying reasons for the national
information infrastructure’s vulnerability.
The problems, and therefore the solutions, are not only technical but
also involve human factors. Network
users too often fail to implement readily available, relatively simple security
precautions: installation of up-to-date
anti-virus software, use of passwords that cannot be easily stolen, and
application of intrusion-detection software.
In fact, workplace and user community training in basic security
procedures may be the weakest link in the cyber security chain. Even the best
technological tools are ineffective if they are not used because they are too
difficult to manage or are perceived as overly inconvenient.
However, weaknesses in the current state of research and
development in the cyber security arena are also a significant factor
contributing to the vulnerability of the nation’s information
infrastructure. While a number of
information technology companies support R&D on network security, some inadequacies in our security arsenal
cannot be addressed solely through short-term industry-based applied
research. Instead, industry relies on
the fundamental research supported by the federal government and the training
of future researchers—computer scientists, mathematicians, and many others—that
these federally funded research programs support.
Unfortunately, with the possible exception of encryption
related research, cyber security research is under-funded and basic research
into the fundamental technological cyber security challenges is not robust
enough to support the nation’s needs.
Many experts believe that as a result of these historic funding patterns
there are only 45 to 75 researchers in the country with the experience and
expertise needed to conduct cutting edge research in cyber security. To put this in perspective, a computer
science department at a single research university may have 60 or more faculty
members.
This shortage of personnel is not merely a problem for
the academic and research community. Federal agencies are finding it increasingly
difficult to recruit and hire professional staff with the knowledge and
experience needed to analyze risks and manage and secure their own computer
networks. The National Science
Foundation, with encouragement from the National Security Council, established
in July, 2000 a scholarship for service program designed to increase the number
of students becoming part of the Federal Cyber Service of information
technology specialists who ensure the protection of the federal information
infrastructure. NASA has requested
scholarship for service authority to recruit students with expertise in
computer science and other technical fields. Other agencies are pursuing
similar authority.
Federal Responses to Possible Cyber Attack
Presidential Decision Directive 63 (PDD-63). On May 22, 1998, President
Clinton issued Presidential Decision Directive 63 (PDD-63), which called for a
national effort to assure the security of the increasingly vulnerable and
interconnected infrastructure of the United States, especially cyber-based
infrastructure. These infrastructures
include telecommunications, banking and finance, energy, transportation, water
systems, and essential government services.
The directive required the federal government to immediately assess the
vulnerabilities of the nation’s computer-based systems and remedy deficiencies,
and to produce a detailed plan to protect critical infrastructures and defend
against information warfare. It ordered the federal government to serve as a
model to the rest of the country for how infrastructure protection is to be
attained, and called for joint public-private action to protect critical
infrastructures. The directive set 2003
as the target date for full implementation of a “reliable, interconnected, and
secure information infrastructure.”
While largely relying on individual federal agencies and
departments to oversee internal critical infrastructure improvement, the
directive also created a number of new organizations aimed at improving the
nation’s ability to prevent, detect, and respond to breaches of information
security. Among these are the:
· National Coordinator for Security, Critical Infrastructure and Counter Terrorism, which, as part of the White House’s National Security Council, oversees national policy development and implementation for critical infrastructure protection.
· Critical Infrastructure Assurance Office (CIAO), an interagency office housed at the Department of Commerce that works to integrate assurance plans from each critical infrastructure sector (e.g., energy, telecommunications, finance and banking) into a single national plan, assist agencies in identifying their reliance on critical infrastructures, and coordinate a national education and awareness program.
· National Infrastructure Protection Center (NIPC), an interagency office at the FBI that serves as a threat assessment center focusing on threat warnings, vulnerabilities, and law enforcement. The NIPC includes representatives from the FBI, Department of Defense, U.S. Secret Service, intelligence agencies and other government agencies.
· Information Sharing and Analysis Centers (ISACs), which serve as mechanisms for gathering, analyzing, and, where appropriate, disseminating information to and from infrastructure centers and the NIPC. The ISACs include industry representatives from sectors such as information and communications; banking and finance; energy; and transportation.
However, despite the development of this strategy, a
recent General Accounting Office report concluded that PDD-63 has yet to yield
significant progress, in part because of funding constraints and because
agencies are not yet aware of the applicability of PDD-63 to their own agency
security requirements.
Information sharing between the government, the private
sector and academia on critical infrastructure does occur through other means
not originally mandated by PDD-63. An
important example of public-private partnership in the law enforcement sector
is the New York Electronic Crimes Task Force, led by the United States Secret
Service. The Task Force includes major
stakeholders in the nation’s cyber-infrastructure – industry, academia, law
enforcement and government laboratories. According to recent testimony to the
House Judiciary Committee, Crime Subcommittee, by Mr. James A. Savage, Jr. of
the Secret Service, “[T]he task force provides a productive framework and
collaborative crime-fighting environment in which the resources of its
participants can be combined to effectively and efficiently make a significant
impact on electronic crimes.”
Office of Homeland Security. The attacks of September 11 and the heightened expectation of
future terror attacks, whether cyber-mediated or more conventional, have
elevated concerns of national security to a new level. Reflecting this, on September 20, 2001
President Bush announced the creation of an Office of Homeland Security, a
cabinet-level organization now headed by former Pennsylvania Governor Tom
Ridge. The office will coordinate 40 federal
agencies and departments and oversee everything from the interaction between
the FBI and the CIA in developing and using intelligence to the interaction
between governors and state agencies to prepare for potential attacks.
While
details of its organizational structure and budgetary authority remain unclear,
the President yesterday appointed Richard Clarke, formerly the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism at the National Security Council, Special Advisor for Cyberspace Security. Dr. Clarke will coordinate interagency
efforts to secure information systems and in the event of a disruption,
coordinate efforts to restore critical systems. Dr. Clarke will also serve as
chairman of a government-wide board that will coordinate the protection of
critical information systems. The
President is expected to sign an Executive Order soon establishing the board.
The
creation of a Homeland Security Office had been recommended by a blue-ribbon
panel chartered by Congress and co-chaired by former Senators Gary Hart and
Warren Rudman, which reported its recommendations just over two years ago. The panel, which had been asked to examine
national security threats in the post-Cold War world, recommended that a
“Homeland Security Agency” be formed with broad powers that would coordinate
the efforts of existing agencies such as the Federal Emergency Management
Agency, Customs Service, Border Patrol and Coast Guard. The panel identified cyber security threats
as serious and called current efforts to prevent attacks and generate a prompt
response to any future attacks “uneven at best.”
Another panel, the Advisory Panel to Assess Domestic
Response Capabilities for Terrorism Involving Weapons of Mass Destruction, or
the “Gilmore Commission,” was chartered in 1998 by the FY 99 National Defense
Authorization Act (P.L. 105-261) and is expected to release its latest report
on antiterrorism, part of which is expected to address cybersecurity issues.
Federal Cyber Security Research Efforts
Office of Science and Technology Policy. PDD-63 made the White
House’s Office of Science and Technology Policy, through the National Science
and Technology Council, responsible for developing research and development
efforts related to national security.
Eight Federal R&D priorities were subsequently identified:
· Establishment of an Institute for Information Infrastructure Protection;
· Education and training of research personnel;
· Interdependency analysis;
· Threat, vulnerability, and risk assessment studies;
· System protection and information assurance;
· Reconstitution of damaged or compromised systems;
· Security of automated infrastructure control systems; and
· Intrusion detection and monitoring.
Federal Agencies and Departments. Federal R&D efforts to enhance cyber
security cut across many agencies and tend to give emphasis to traditional
agency missions. For example, the National Science Foundation (NSF)
supports research on technical issues that underlie the design, validation, and
evolution of software-based systems, and recently announced a new program,
“Trusted Computing,” that will provide grants for research aimed at building a
scientific foundation and technological basis for managing information security
and privacy. NSF also funds research
into cryptography, which is based in mathematics and is a key mechanism for
ensuring the security of electronic transmissions. In addition, NSF’s Scholarship for Service program recently awarded
grants to six universities in order to help train more computer security and information assurance professionals.
The National
Institute of Standards and Technology (NIST) within the Department of
Commerce provides grants to fund research to develop commercial solutions to IT
security problems central to critical infrastructure protection. NIST recently announced the award of a
number of grants under the Critical Infrastructure Protection Grants Program
aimed at accelerating efforts to make the computer and telecommunications
systems that support essential services more secure.
In addition, through its national laboratories, the Department of Energy has supported
projects that have developed information security tools for network inspection
and workstation protection, and the National
Aeronautics and Space Administration develops advanced methods for the
specification, design, and verification of complex software systems used in
critical aerospace applications.
The Department of
Defense funds a significant amount of information technology R&D,
including cyber security-related research.
The Defense Advanced Research
Projects Agency (DARPA) alone funds more than 100 individual research
projects in this area. The National Security Agency funds the bulk
of the nation’s critical infrastructure protection programs and has
“accredited” 23 Academic Centers of Excellence in universities around the
country that have developed advanced computer and network security curricula at
the graduate and post-graduate level (see Appendix 1 for a list of these
universities). The value of these
designations is not primarily financial but organizational. In order to earn the accreditation, an
institution must develop a program that is multidisciplinary and that fully
integrates research, education, and training.
On a broader scale, the Interagency Working Group on
Information Technology Research and Development formed the Networking and
Information Technology Research and Development (NITRD) program (see Appendix 2), which includes 15 agencies dedicated to advanced IT R&D. The multiagency approach is intended to
leverage the expertise and perspectives of scientists and technology users from
agencies, Federal laboratories, universities, and corporations who are working
on a broad range of IT research questions.
3. Witnesses
The following witnesses will address the subcommittee:
William A. Wulf, President, National Academy
of Engineering and vice chair of the National Research Council, the principal
operating arm of the National Academies of Sciences and Engineering. He is on
leave from the University of Virginia, Charlottesville, where he is AT&T
Professor of Engineering and Applied Sciences and a nationally recognized
expert in computer architecture and network security.
Dr. Eugene Spafford, Professor of Computer
Sciences, Professor of Philosophy, and Director of the Center for Education and
Research in Information Assurance and Security (CERIAS) at
Purdue University, where he is also the interim
Information Systems Security Officer.
Ms. Terry A. Benzel, Vice President of Advanced
Security Research for Network Associates, Inc.
As Director of the Network Associate labs, she is responsible for
leading a staff of 100 researchers performing leading-edge research on
perceived security issues two-to-five years in the future.
Mr. Robert Weaver, Assistant
Special-Agent-in-Charge, New York Field Office, United States Secret Service; Head, New York Electronic Crimes Task
Force. The New York Electronic Crimes Task Force is a Secret Service-led, 250-member task force with representatives from 45 law enforcement agencies,
prosecutors, academe, and 200 experts from the business world in the areas of
cybersecurity and related fields.
4. Questions
Panelists will be asked to discuss the following questions in their testimony:
- What are the current and potential threats to cyber security and how equipped are we to address them?
- How can industry, academia, and Federal and State governments work more effectively to improve network security? What are the barriers to effective cooperation and are there successful models in which these barriers are being overcome?
- What technological challenges in computer/network security can be addressed through short-term efforts to “push” to the market innovations that are already in the R&D pipeline? What investments must be made over the long-term to ensure the future security and stability of computer networks?
- What is the current state of information security education and training? Is there a sufficient number of well trained researchers and professionals to meet both academic and industry personnel needs?
APPENDICES
Appendix 1
The 23 universities designated as NSA Centers of Academic
Excellence in Information Assurance Education are:
· Carnegie Mellon University
· Drexel University
· Florida State University
· George Mason University
· Georgia Institute of Technology
· Idaho State University
· Information Resources Management College of the National Defense University
· Iowa State University
· James Madison University
· Mississippi State University
· Naval Postgraduate School
· Norwich University
· Purdue University
· Stanford University
· Syracuse University
· University of California at Davis
· University of Idaho
· University of Illinois at Urbana-Champaign
· University of Maryland, Baltimore County
· University of North Carolina, Charlotte
· University of Tulsa
· U.S. Military Academy, West Point
· West Virginia University
Appendix 2
NITRD Agencies
· National Science Foundation
· National Security Agency
· National Institute of Standards and Technology
· Department of Defense
· National Oceanic and Atmospheric Administration
· General Services Administration
· Department of Energy
· Agency for Healthcare Research & Quality
· DOE National Nuclear Security Administration
· Bureau of Labor Statistics
· National Aeronautics and Space Administration
· Defense Advanced Research Projects Agency
· National Institutes of Health
· Executive Office of the President
· Environmental Protection Agency
Appendix 3
Table 1. Funding for Critical Infrastructure Protection ($ millions)

Agency            | FY 98 Actual | FY 99 Actual | FY 2000 Enacted
------------------|--------------|--------------|----------------
National Security |          975 |        1,185 |           1,403
Treasury          |           23 |           49 |              76
Transportation    |           20 |           25 |              51
NASA              |           41 |           43 |              66
Justice           |           26 |           54 |              46
NSF               |           19 |           21 |              27
Commerce          |            9 |           22 |              18
HHS               |           22 |           12 |              13
Other             |            9 |           18 |              37
------------------|--------------|--------------|----------------
Total             |       $1,144 |       $1,429 |          $1,737
Table 2. IT R&D Spending ($ millions)

Agency | FY 98  | FY 99 | FY 00
-------|--------|-------|------
DARPA  |  321.3 |   141 |   195
NSF    | 284.13 |   301 |   517
DOE    | 129.26 |   126 |   120
NASA   |  128.4 |    93 |   174
NIH    |  91.71 |   103 |   183
NSA    |   35.8 |    27 |    81
NIST   |  26.51 |    13 |    18
VA     |     22 |   n/a |   n/a
ED     |     12 |   n/a |   n/a
NOAA   |    7.5 |    12 |    18
EPA    |   5.38 |     4 |     4
AHCPR  |    5.5 |     8 |     8
-------|--------|-------|------
Total  | $1,069 |  $828 | $1,318

Source: Supplement to the President’s Budget for FY 2002; Interagency Working Group on Information Technology Research and Development