14 March 2000
Source:
http://www.usia.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=00031301.glt&t=/products/washfile/newsitem.shtml
US Department of State
International Information Programs
Washington File
_________________________________
13 March 2000
(Recommends greater investment to ensure protection)(2190)
An official with the U.S. National Institute of Standards and
Technology (NIST) urged Congress March 9 to increase funding for the
agency's efforts to improve computer security systems in both
government and the private sector.
NIST Deputy Director Karen H. Brown said, "Computer security is not a
narrow, technical concern." Rather, she said, it "has a vital
influence on our economic health and our nation's security."
Brown told the House Subcommittee on Government Management,
Information, and Technology that NIST needs to continue its work and
research to help bolster the nation's information infrastructure. She
explained that NIST is working to raise awareness about the
"vulnerabilities and requirements for protection of information
systems."
The agency, part of the Department of Commerce, establishes standards
for security products, Brown said, and has also been working with the
"international security community to define security criteria in an
international standard that can be used to develop security
specifications for products, such as firewalls or operating systems."
NIST is working to provide security assistance to the private sector,
Brown said, but needs further financial backing to improve security
inside federal government information systems.
"The security of federal systems must also be improved," Brown said.
"These systems contain sensitive information about our citizens and
provide services upon which our citizens' safety and well-being
depend. The government should exert leadership and set an example for
the nation in protecting against risks and vulnerabilities."
The following terms are used in the text:
R & D - research and development
DOJ - Department of Justice
FBI - Federal Bureau of Investigation
FTE - Full-time equivalent (a unit of staffing)
Following is the text of Brown's testimony:
(begin text)
Karen H. Brown, Deputy Director, National Institute of Standards and
Technology
Technology Administration
U.S. Department of Commerce
Before the Committee on Government Reform, Subcommittee on Government
Management, Information, and Technology
March 9, 2000
Mr. Chairman and members of the subcommittee, thank you for the
invitation to speak to you today about computer security issues. I am
Karen Brown, Deputy Director of the National Institute of Standards
and Technology of the Department of Commerce's Technology
Administration.
Computer security continues to be an ongoing and challenging problem
that demands the attention of the Congress, the Executive Branch,
industry, academia, and the public. Computer security is not a narrow,
technical concern. The explosive growth in Electronic Commerce
highlights the nation's ever increasing dependence upon the secure and
reliable operation of our computer systems. Computer security,
therefore, has a vital influence on our economic health and our
nation's security and we commend the Committee for your focus on
security.
Today I would like to address NIST's computer security activities that
contribute to improving computer security for the Federal Government
and the private sector. I also would like to briefly describe for you
our proposed new program activities for next year as requested in the
President's budget.
Under NIST's statutory federal responsibilities, we develop standards
and guidelines for agencies to help protect their sensitive
unclassified information systems. Additionally, we work with the
information technology (IT) industry and IT users in the private
sector on computer security in support of our broad mission to
strengthen the U.S. economy, and especially to improve the
competitiveness of the U.S. information technology industry. As
awareness of the need for security grows, more secure products will be
more competitive in the marketplace. Addressing security will also
help ensure that Electronic Commerce growth is not limited because of
security concerns.
In meeting the needs of our customers in both the public and private
sector, we work closely with industry, Federal agencies, testing
organizations, standards groups, academia, and private sector users.
Cooperation and collaboration are essential to tackle many common
problems facing users throughout the country.
What does NIST do specifically? To meet these responsibilities and
customer needs, we first work to improve IT awareness of the need for
computer security. This helps increase demand for secure and reliable
products. Additionally, we research new technologies and their
security implications and vulnerabilities and develop guidance to
advise users accordingly. We work to develop security standards and
specifications to help users specify security needs in their
procurements and establish minimum security requirements for Federal
systems. We develop and manage security testing programs, in
cooperation with private sector testing laboratories, to enable users
to have confidence that a product meets a security specification. We
also produce security guidance to promote security planning, and
secure system operations and administration. I will briefly discuss
the need and benefits of each.
First, there is a need for timely, relevant, and easily accessible
information to raise awareness about the risks, vulnerabilities and
requirements for protection of information systems. This is
particularly true for new and rapidly emerging technologies, which are
being delivered with such alacrity by our industry. We host and
sponsor information sharing among security educators, the Federal
Computer Security Program Managers' Forum, and industry. We seek
advice from our advisory board of computer experts (Computer System
Security and Privacy Advisory Board). We meet regularly with members
of the Federal computer security community, including the Chief
Information Officers' Security Committee, and the Critical
Infrastructure Assurance Office. We actively support information
sharing through our conferences, workshops, web pages, publications,
and bulletins. Raising awareness helps ensure appropriate attention is
accorded security and helps increase the demand for secure products
and security services.
A second need is for research on information technology
vulnerabilities and the development of techniques for cost-effective
security. When we identify new technologies that could
potentially influence our customers' security practices, we research
the technologies and their potential vulnerabilities. We also work to
find ways to apply new technologies in a secure manner. The solutions
that we develop are made available to both public and private users.
Some examples are methods for authorization management and policy
management, ways to detect intrusions to systems, and demonstrations
of mobile agents. Research helps us find more cost-effective ways to
implement and address security requirements.
Third is the need for standards, and for ways to test that standards
are properly implemented in products. For example, cryptographic
algorithms and techniques are essential for protecting sensitive data
and electronic transactions. NIST has long been active in developing
Federal cryptographic standards and working in cooperation with
private sector voluntary standards organizations in this area.
Moreover, in the standards area we have been working with the private
sector in preparing for the future. We are leading a public process to
develop the Advanced Encryption Standard (AES), which will serve 21st
century security needs. Another aspect of our standards activities
concerns Public Key and Key Management Infrastructures. The use of
cryptographic services across networks requires the use of
"certificates" that bind cryptographic keys and other security
information to specific users or entities in the network. We have been
actively involved in working with industry and the Federal government
to promote the security and interoperability of such infrastructures.
Standards help users to know what security specifications may be
appropriate for their needs. Testing complements this by helping users
have confidence that security standards and specifications are
correctly implemented in the products they buy. Testing also helps
reduce the potential that products contain vulnerabilities that could
be used to attack systems.
For over five years, we have led the Cryptographic Module Validation
Program, which has now validated about 90 modules with another 50
expected this year. This successful program utilizes private sector
accredited laboratories to conduct security conformance testing of
cryptographic modules against a Federal standard we develop and
maintain. More recently, we have been working with the international
security community to define security criteria in an international
standard that can be used to develop security specifications for
products, such as firewalls or operating systems. We are actively
working with industry partners in the smart card, health care, and
telecommunications fields to accomplish such development of
specifications.
Many of these activities are being done in cooperation with the
Defense Department's National Security Agency in our National
Information Assurance Partnership. Private sector laboratories are
being accredited under our National Voluntary Laboratory Accreditation
program to conduct such testing. The effort involves developing
testing competencies and a process for accrediting testing
organizations. The goal is to enable product developers to get their
products tested easily and voluntarily, and for users to have access
to information about tested products. Under this program we have also
led the development of an international mutual recognition arrangement
whereby the results of testing in the U.S. are recognized by our
international partners, thus reducing the costs to industry.
Advice and technical assistance for both government organizations and
private sector users is the fourth need. For example, we have issued
guidance including telecommuting and security, security concerns
inherent in PBX technology, security requirements in Public Key
Infrastructure (PKI) implementation, use of firewalls, and intrusion
detection in networks. We also provide program guidance to agencies
and are working to complete a document on security program metrics and
self-assessment. The information and guidelines that we have developed
are available to all users free-of-charge via our web site. We also
support agencies on specific security projects on a cost-reimbursable
basis when NIST expertise is required.
While I have given you a few examples of NIST's work, I obviously have
not covered everything. I want to emphasize that there is still much
more to be done to address the continuing challenges of computer
security. To put our program in perspective, please keep in mind that
approximately $6 million of direct Congressional funding supports both
our Federal and industry computer security responsibilities. (In
addition, we receive approximately $2 million in outside agency
funding to provide technical assistance on particular projects.) This
is plainly not enough.
As reflected in the requests made in the President's FY 2001 budget,
NIST needs additional resources to help improve the security posture
of the Federal government. Looking at the critical information
infrastructures of the nation, we also need substantial investments in
security research to find ways to protect our infrastructures.
To address the need for additional research to protect our critical
infrastructures, the White House has proposed establishing a $50
million Institute for Information Infrastructure Protection (IIIP),
which was initially recommended by the President's Committee of
Advisors on Science & Technology (PCAST). The IIIP will identify and
fill the gaps not being met by private sector market demands or
Government agency mission objectives in critical infrastructure
protection and provide a strong and secure foundation to protect the
various critical infrastructures upon which the Nation's security and
economy rely. IIIP's R&D, which will aim to help prevent security
problems, will include work that can be applied to protect multiple
sectors' infrastructures, and thus will complement sector-specific R&D
underway elsewhere in the government and private sector. This
initiative will help strengthen the focused existing and planned
security architectures within the critical infrastructure sectors and
help prepare the owners/operators of those infrastructures to survive
potential hostile activities. The IIIP will not have any direct role
in support of law enforcement or deterring attacks, but will fund R&D
to develop new generations of IT security solutions that would be made
available to DoJ/FBI, other agencies, and the private sector to
prevent and respond to future cyber-threats. The IIIP will be a
partnership among industry, academia and the government (including
both state and local governments). At the core of the partnership is
IIIP's selection of information infrastructure protection R&D focus
areas, which will rely heavily on advice and guidance obtained from
outside experts.
The security of Federal systems must also be improved. These systems
contain sensitive information about our citizens and provide services
upon which our citizens' safety and well-being depend. The government
should exert leadership and set an example for the nation in
protecting against risks and vulnerabilities. Two of the budget
proposals focus primarily upon the security of Federal systems.
Specifically, we propose to establish an Expert Review Team (comprised
of eight FTEs) to advise agencies of their vulnerabilities, help
prioritize and develop strategies for security fixes, assist agencies
in preparing for future security threats, and help agencies plan for
security in new system developments. This preventative approach will
complement the reporting activities of programs such as FedCIRC.
Secondly, we seek a five million dollar increase to enable additional
critical activities in the area of cryptography, security management
and best practices guidance, and the protection of supervisory control
systems.
So let me close by again emphasizing that our national commitment to
improve security must be increased. NIST stands ready to play a key
role through supporting the proposed Institute, leading the Expert
Review Team, and conducting additional work to develop needed
security guidelines and standards, research in security technology,
leading testing programs, and raising awareness and demand for
security products and services. This will augment the already
important activities we have underway. We look forward to continuing
this work, and believe that your support of the critical new
activities would help us to do so.
I will be pleased to answer any questions.
(end text)
(The Washington File is a product of the Office of International
Information Programs, U.S. Department of State. Web site:
usinfo.state.gov)