Chairman Wyden, Senator Allen, Members of the Committee, thank you for the opportunity to testify at this hearing on Homeland Security and the Technology Sector and the Cyber Security Research and Development Act. I am George Strawn, acting Assistant Director for Computer and Information Science and Engineering at the National Science Foundation. Prior to coming to NSF, I was a faculty member in a University Computer Science department and the director of an Academic Computation Center. As such I have been concerned about issues such as cybersecurity for a long time. As you know, the Administration has yet to take a position on S. 2182 so I will confine my comments to the need for cybersecurity R&D and provide you with an overview of NSF involvement in this important area. The Administration would appreciate an opportunity to analyze S.2182 and submit written views on it prior to the subcommittee's consideration of the bill.
Although cybersecurity has always been an important part of information technology (IT), over the last decade its importance has been greatly magnified. This is so because IT systems and services are now pervasive throughout society and because the Internet now ties together so many of our IT systems. While this interconnectedness of IT systems is enabling great productivity gains for the US economy, it has also enabled great gains for IT mischief makers and outlaws. Clearly, there is much understanding yet to be gained if we are to avoid unpleasant surprises and to foil those who would attack the Internet or use it for illegal purposes.
Although the defense sector has always paid great attention to cybersecurity, the same cannot be said about many civilian applications of IT. Until recently, cybersecurity has been considered an "optional add-on" for many IT systems. As recently as two years ago, discussion at a President's IT Advisory Committee (PITAC) meeting indicated that the private sector "was not being rewarded" for cybersecurity products and services because they made IT systems more complicated and slower at a time when customers wanted more simplicity and speed. Although these circumstances have begun to change, there is much to do before we will be able to achieve desired levels of cybersecurity.
Cybersecurity is now understood to be a rather difficult problem. This is true for many reasons, including the fact that cybersecurity is a property of the "total system", not of the system components (and those components include human and management elements as well as technology). This means that individually secure components and/or procedures can be put together to comprise a system that is not secure -- unless the proper attention is given to system-level security considerations. Of course, the fact that the Internet makes "one big system" out of millions (soon to be billions) of component IT systems is a major source of complexity and insecurity.
Early research and development work on the Internet, as with many IT developments of the past, focused on "making it work", not necessarily on making it secure. And because cybersecurity is a systems property, trying to add it on as an afterthought is very problematic. It would be much better to recreate IT systems with cybersecurity as a major design criterion than to attempt to patch it in after the fact.
Of course, we must and can attend to short-term needs and to long-term improvements simultaneously. Short-term cybersecurity patches are not only possible but are in progress throughout the IT world. In fact, a major challenge is to get the cybersecurity services and procedures that have been developed over the last few years into wide use. Although there may be useful tactical contributions to cybersecurity that NSF can make (such as cybersecurity emphases in our Digital Government program), I would like to focus on longer term issues in cybersecurity, because that is where NSF's contributions can be the greatest.
As you know, NSF focuses on long-term fundamental research and education in all science and engineering disciplines. This long-term fundamental research has as its goal increased understanding of the subjects under study. And it has been the experience of science and engineering research that increased understanding leads to technology developments that are then put to important uses by society. In many cases the societal uses that result from scientific understandings were not apparent at the time the scientific work was being done. For example, important applications to cybersecurity may arise out of scientific research in IT systems (or even in other sciences) that doesn't initially appear to be related to security. Nevertheless, there are important reasons to increase the emphasis on cybersecurity R&D as NSF has recently been doing and as the Cyber Security Research and Development Act proposes to do.
NSF has supported cybersecurity research for a number of years, recently at a level of approximately $20 million annually, a number that I consider to be low compared to the importance of the subject. A major problem in developing a robust cybersecurity research program is that the number of faculty members doing research in cybersecurity has been quite small. This is perhaps the most important problem to be solved as we seek to increase the amount of long term fundamental research in cybersecurity. Unless there is a sufficiently large community of cybersecurity researchers, there will never be a sufficient number of positions for graduate students to assist in the conduct of that research. This translates into a shortage of next-generation cybersecurity workers and faculty. It also means we will lack the courses and curricula needed to educate more students--undergraduates as well as graduates--ready to go into the cybersecurity workforce.
[NSF's Scholarships for Service/Cybercorp program is one way we are trying to address this issue. This program makes awards to qualified institutions to provide scholarships to undergraduate and graduate students studying computer security. In exchange, the recipients must serve in the Federal Government for at least two years. The program also provides capacity building grants to improve the quality and increase the production of computer security professionals. The program has been funded at approximately $11 million the past two years and the Administration is requesting $19.3 million in supplemental funding to enhance this program in FY 2002. ]
Last September 5th, NSF announced a new research program, Trusted Computing, to focus our support for cybersecurity research. In addition to the estimated $20 million that we anticipated as our ongoing investment in distributed cybersecurity research projects, we allocated an additional $5 million for the Trusted Computing program. On December 5th, we received about 120 proposals in response to that announcement, requesting over $80 million of support. Our expert panelists who reviewed those proposals rated about 10 percent of them as "highly competitive" (high praise from the ever-critical research community) and rated almost half of them as worthy of funding. We will award funding to the highly competitive proposals. Due to the funding limitations for this effort, the number of awards we can make will be closer to 10 percent than to 50 percent. Nevertheless, we believe that this program will motivate more faculty to turn their attention and expertise to cybersecurity. It will be necessary to focus attention on programs like Trusted Computing over the next several years if we are to help create a vibrant research community that will attack, and ultimately solve, many of the difficult problems associated with cybersecurity.
In addition to individual research awards, NSF has recently increased the number of large interdisciplinary project awards it has made in areas of IT research. Under the Information Technology Research (ITR) priority area initiated in 2000, NSF began a major invigoration of its IT research activities, including a focus on large, interdisciplinary research projects. We believe that this focus has already begun to show extremely valuable results by enabling computer scientists and engineers to work collaboratively on problems that require expertise from many areas to solve. I believe that many cybersecurity problems will also benefit from interdisciplinary groups or centers working collaboratively on their solutions. One important goal of fundamental long term research in cybersecurity will be to produce agreement on what, in fact, constitutes a secure system. When such an agreement is in hand, it will be possible to formulate important cybersecurity standards that, like all important standards, will facilitate their realization.
NSF also has considerable experience in supporting curriculum and academic program development and in administering graduate traineeship programs. Such activities could also help accelerate academic development in cybersecurity, as long as they are coupled with vibrant research support to attract research faculty into the area, as mentioned above.
NSF focuses on people, ideas, and tools as it pursues its goals of helping to keep the US in a world-leadership position in science and engineering research and education. Increasingly, IT tools and services are required by all academic disciplines to achieve these goals. Therefore our efforts to contribute to cybersecurity research and development are increasingly required by our science and engineering community as well as by society at large. As IT continues to transform society, cybersecurity continues to increase in importance and is of increasing priority on our list of important scientific and engineering activities.
Thank you again for the opportunity to testify, and I would be happy to respond to any questions you may