Dr. Jeannette M. Wing
June 16, 2009
Good afternoon, Chairman Wu and Chairman Lipinski, Ranking Members Smith and Ehlers, and members of the Subcommittees. I am Jeannette Wing, and I am the Assistant Director of the Computer and Information Science and Engineering Directorate at the National Science Foundation.
I am delighted to have the opportunity to talk with you today about NSF's support for cyber security research at the frontiers of knowledge investments that capitalize on the intellectual capacity of the best and the brightest in our Nation's colleges and universities, as well as their many partners in the private sector. The research outcomes generated with NSF support will undoubtedly contribute to the security, stability and integrity of our global cyberinfrastructure for many years to come.
To begin, it is essential that I note that many cyber security measures deployed today capitalize on fundamental research outcomes generated decades ago. Thus, as the recent 60-Day Cyberspace Policy Review concludes, a national strategy to secure cyberspace in both the near- and the long-term must include investments in fundamental, unclassified, open, long-term research. Investments in such research will allow our society to continue to benefit from a robust, secure, dependable cyberinfrastructure that supports all application sectors, including those on which our lives depend.
Allow me to share with you just a few important fundamental research contributions made to date by the open research community, many developed with applications other than security in mind and long before situations arose that demanded their use.
The basic research community developed:
- Cryptographic schemes and cryptographic-based authentication, enabling today's internet commerce, supporting secure digital signatures and online credit card transactions, and providing some of the building blocks needed for the safe, secure and private exchange of electronic health records;
- Program analyses and verification techniques, enabling the early detection of software vulnerabilities and flaws, thereby often preventing cyber attacks such as phishing, worms and botnets;
- Innovative machine learning and data mining approaches now used in spam filtering, and methods for detecting attacks such as those involving credit card fraud; and the final example,
- CAPTCHAs, the distorted text that only humans—not machines or bots—can decipher, to ensure that it is indeed a human, and not a bot, who is buying a ticket on-line or setting up an email account.
These research outcomes and many others developed with NSF funding are being used in numerous corporations including Amazon, Apple, e-Bay, Google, Intel, Microsoft, and Yahoo!. Moreover, NSF- funded projects have spawned start-up companies that bring critical technologies to the marketplace, creating new jobs, expanding the economy, and helping to secure cyberspace.Please summarize the current range of National Science Foundation supported cyber security research, including associated funding.
NSF has been investing in cyber security research for many years1 In FY 2009, we will invest almost $137 million in fundamental research in the science of trustworthiness and related trustworthy systems and technologies. This includes $20 million from the American Recovery and Reinvestment Act. Approximately one half of this $137 million is allocated to our interdisciplinary Trustworthy Computing program, which in FY 2009 is funded at a level of $65 million and supports more than 800 principal investigators, co-principal investigators, and graduate students. In addition to the Trustworthy Computing program, we continue to make cyber security investments in the core scientific sub-disciplines of the computing and human sciences, including the foundations of communications and information, networking technology and systems, algorithmic foundations, information integration and informatics, and in the social and economic implications of developing secure, trustworthy systems.
The totality of NSF investments supports a broad range of topics in trustworthy systems and applications. NSF supports foundational research in: cryptography, including key management, conditional and revocable anonymity; defense mechanisms against large-scale attacks such as worms, viruses, and distributed denial of service; formal models and methods for specifying, verifying, and analyzing system security; hardware enhancements for security, such as virtualization and trusted platform modules; metrics, especially for risk-based measurement; privacy, including privacy-preserving data-mining, location privacy, and privacy in RFID networks; network security, including for wireless and sensor networks and pervasive computing; and testbeds to run scalable experiments and to analyze anonymized network traffic data. NSF-funded research also addresses cyber security in the context of many application areas, including critical infrastructure (including the power grid), health records, voice over IP, geospatial databases, digital media, electronic voting, and federated systems.
The relentless pace of innovation in information technology and related services leads inevitably to new research questions, opportunities and challenges. For example, increasing interest in "cloud computing" leads to new opportunities but also raises new research challenges in security and privacy, and innovations in service-oriented architectures raise new research challenges in resiliency and verification. In the longer term, new computing paradigms such as quantum computing will raise new research questions in cryptography and computational complexity.
As you may know, FY 2009 represents the first full year of the interagency Comprehensive National Cybersecurity Initiative – CNCI. NSF's contributions to the CNCI include a specific focus on three critical areas:
- The scientific foundations of trustworthiness, so that new trustworthy systems, technologies, and tools can be developed and understood from first principles. New models, logics, algorithms, and theories are being explored for analyzing and reasoning about all aspects of trustworthiness -- security, privacy, reliability, and usability -- about all communication, control, and data components of systems and their composition. Researchers are exploring the fundamentals of cryptography, inventing new specification and programming languages and techniques to prevent or detect security vulnerabilities in software and hardware, defining new security architectures for system design, and exploring new computing models that have potential to improve trustworthiness and our ability to reason with different aspects of trustworthiness.
- The essential systems property of protecting privacy. NSF is supporting the exploration of new scientific and computational models, methods, logics, algorithms, and software tools to define and reason about privacy, to detect and resolve conflicts among privacy policies, to safeguard information of individuals wherever it may digitally reside, and to explore the interplay among privacy, security and legal policies. One major technical challenge is identity management, especially for federated systems that may be beyond the control of any one organization; academic researchers are exploring attack-resistant methods and protocols for identity management, commensurate with application requirements to preserve privacy and with security and legal requirements to provide accountability.
- Usability - the methods, tools and techniques that make it easy for people to use computing systems while protecting both people and systems from unforeseeable attacks on their security and privacy. Users range from individuals concerned about their home computers to administrators responsible for large enterprises. Incorporating trustworthiness into a system should not place undue demands on human users or impact human or system performance. Since people can be the weakest link in security, striking a balance between control and convenience is a key challenge. Researchers are developing new approaches to integrating and balancing different system functionalities, understanding human perception of trust including privacy, informing users of potential pitfalls, and predicting the impact of user decisions. New methods are needed, supported by automation, to promote usability and provide users with security controls they can understand. An especially active area of research is digital forensics, where new automated methods will help all users respond effectively in the aftermath of a security incident.
How is NSF coordinating its own cyber security research and planning activities with other relevant federal agencies?
At NSF, we coordinate our cyber security research and planning activities with other federal agencies, including the Departments of Defense (DoD) and Homeland Security (DHS) and the agencies of the Intelligence Community, through the following "mission-bridging" activities:
- NSF plays a leadership role in the interagency Networking and Information Technology Research and Development (NITRD) Program. The National Science and Technology Council's NITRD Sub-Committee, of which I am co-chair, has played a prominent role in the coordination of the federal government's cyber security research investments. For example,
- The NITRD Senior Steering Group (SSG) for Cyber Security is overseeing the unclassified research and development component of the CNCI. We recently established the National Cyber Leap Year during which we asked our research leaders in government, academia, and industry, to propose "game-changing" concepts for securing cyberspace. Our next step is to hold focused meetings with the community to pursue some of the more promising ideas, toward an integrated private-public approach that considers technical, social, and economic factors in cyber security. This work is immediately responsive to one of the near-term action recommendations published recently in the 60-Day Cyberspace Policy Review.
- The NITRD CyberSecurity and Information Assurance Interagency Working Group (CSIA IWG) coordinates cyber security and information assurance research and development across the thirteen member agencies, including DoD, the Department of Energy (DOE) and the National Security Agency (NSA). In 2006, the CSIA IWG published a national research and development agenda for strengthening the security of the Nation's cyberinfrastructure. This report continues to inform our investments today.
- NSF also plays a leadership role in the multi-agency Infosec Research Council (IRC), whose members include the DOD, agencies representing the Intelligence Community and a number of other federal agencies and entities (e.g., DOE, National Institute of Standards and Technology, and National Library of Medicine). The IRC provides a forum for the discussion of critical scientific and technical issues in cyber security, serves as a catalyst for the establishment of new programs and technical emphases, and helps minimize duplication of effort. In the past several years, IRC members have hosted a number of academic-industry-government workshops, such as the recent workshop on the Science of Security Workshop, which identified new principles and methodologies in support of a more foundational approach to security. This workshop was co-funded by NSF, the Intelligence Advanced Research Project Activity (IARPA), and NSA.
These and other interagency settings, both formal and informal, provide a range of opportunities for interagency coordination and collaboration.
In particular, how is NSF coordinating its (unclassified) research and planning activities with Department of Defense or other federal classified research and research infrastructure, including cyber test beds?
Jointly sponsoring workshops, such as the one I just cited, is representative of the types of interactions that take place between agencies supporting classified and/or unclassified components of the federal cyber security research portfolio. There is, of course, a rather significant classified component in the CNCI. Coordination between the larger classified component and the more modest unclassified component is achieved through the engagement of individuals who participate in both. These individuals share and promulgate knowledge generated in the unclassified component with those participating in the classified component.
Through some of the coordinating mechanisms I have just described, NSF also works with its sister agencies in the deployment of cyber security testbeds. For example, the cyber-DEfense Technology Experimental Research Environment project (DETER) – a testbed that supports research on next-generation cyber security technologies – has been supported jointly by DHS and NSF. In another example, the Wisconsin Advanced Internet Laboratory (WAIL), which is supported by NSF, the Defense Advanced Research Project Agency (DARPA) and DHS, allows networking and distributed systems researchers to recreate end-to-end instances of the real Internet, thereby permitting realistic network testing in support of security. As we look to the future, the DARPA National Cyber Range (NCR) is envisioned as a testbed that will allow researchers to perform qualitative and quantitative assessments of the security of cyber technologies and scenarios. Among the many experimental testbeds that have been developed, DARPA is considering DETER and WAIL as starting points for the NCR – demonstrating the value of "mission-bridging" from NSF's basic research mission to the quite focused application needs of other agencies. If the NCR is opened to unclassified research, then NSF would welcome the opportunity to coordinate with DARPA to provide academic researchers with an opportunity to run their experiments on this testbed.
What changes, if any, does NSF plan to make to its research portfolio, planning, or inter-agency coordination efforts in response to the findings and recommendations in the Administration's 60-day federal cyber security review?
NSF and the academic community very much appreciated the opportunity to contribute to the 60-day Cyberspace Policy Review. As I stated in my opening remarks, the Review clearly recognizes the importance of investments in fundamental, unclassified research, in support of which NSF plays a significant role.
The Review also recognizes the importance of cyber security education. Besides our support of research, NSF plays an increasingly important role in the preparation of current and future generations of computing professionals and of a scientifically-literate national workforce. We are grateful that the Review recognizes the important role of several of our education programs, most notably the Pathways to Revitalized Undergraduate Education in Computing, and the Scholarships for Service programs.
NSF's current portfolio of investments spans the many important topics highlighted in the Review. Further, our interdisciplinary reach to the broad academic community, and beyond into the private sector, provides an unparalleled opportunity to establish bold, new "game-changing" directions in long-term cyber security research that are informed both by social and economic needs and by national security requirements. Our aspirations for the Trustworthy Computing program, which takes a holistic, interdisciplinary approach to establishing the science of trustworthiness and its embodiment in the engineering of trustworthy computing systems and technologies, are consistent with the review's recommendations.
NSF will continue to support interagency workshops that promote interagency collaboration and coordination. Workshops are planned on how to measure success in security-related research activities, on developing metrics to assess the security and privacy of complex systems, and on how to achieve security in the financial infrastructure. This last workshop will be coordinated with the Department of the Treasury.
NSF and its many partners in academe, industry, and government stand ready to respond to the national imperative to secure cyberspace, both today and for the foreseeable future. We welcome the opportunity to collaborate with our partners in creating a comprehensive response to the recommendations expressed in the review.
To what extent is NSF's cyber security research portfolio shaped by the cyber security needs and related research priorities of the private sector? How is NSF soliciting input from the private sector regarding its research portfolio?
In the academia-industry-government ecosystem, organizations and individuals in all three sectors bear a responsibility for shaping a future cyberinfrastructure that is usable, secure, dependable, and resistant to attack, for the benefit of science, our economy, and our society. The recent Cyberspace Policy Review clearly recognizes the value of a healthy academia-industry-government ecosystem in strengthening our Nation’s cyber security posture.
At a strategic level, NSF's research investments are shaped by advice provided by private sector representatives serving on the National Science Board and NSF Advisory Committees.
NSF also catalyzes the formation of strong partnerships between academia and the private sector by providing programmatic incentives that encourage both sectors to work together, thereby speeding the transition of research and education outcomes into products and services. For example, the NSF Team for Research in Ubiquitous Security Technology (TRUST) Science and Technology Center works with a number of industry partners who 1). help define the Center's strategic intent and research and education priorities through the Center's External Advisory Board, and 2). interact directly with faculty and students on individual research projects. Industry partners include Cisco, Deloitte and Touche, eBay, GE, HP, ING, Intel, Microsoft, Nortel Networks, Oracle, Qualcom, Raytheon, Silicon Valley Bank, Sun Microsystems, Symantec, and Visa.
NSF's Cyber Trust program also supports three Centers with strong industry partnerships. For example, the Trustworthy Cyber Infrastructure for the Power grid (TCIP) center, which also receives support from DHS and DOE, works with its industry partners to create cyber security research advances that will make the Nation's power grid more secure, reliable and safe. Industry and other partners in this venture include ABB, Amerren, Areva, California ISO, Cisco, Entergy, EPRI, Exelon, GE, Gerhrs, Instep, ISIsoft, Kema, Multili, Open Systems International, Pacific Northwest National Laboratory, Power World Corporation, Siemens, and Starthis.
In addition to academic-industry partnerships encouraged through NSF programmatic incentives, many NSF-supported faculty and students have informal connections with industry, and many students in computing fields do summer internships in industry. Using these informal mechanisms, research results from NSF investments in cyber security also often find their way into industry products and services. For example, a team of researchers from UC Berkeley, Stanford, and University of Maryland College Park developed an open source version of their static analysis tools for finding software vulnerabilities. These tools have been adapted by Microsoft and other large software developers and incorporated into their products.
Looking to our cyber security future, there are several areas ripe for industry-university collaboration. First, industry has data that are otherwise unavailable to academics. Providing access to real data—appropriately sanitized, anonymized, and otherwise scrubbed—based on real adversaries and real users of operational systems and networks is essential. This access enables researchers to test whether their theoretical ideas play out in practice. Do they scale? What are the edge cases? Furthermore, researchers gain new insights by examining real data. Patterns and anomalies emerge from looking at real data that would not from synthetic data. These discoveries in turn raise new scientific questions. Second, industry has problems looming in the horizon that they just don't have time to solve or problems they can't even imagine because they are so focused on the present; those are exactly the kinds of problems academic researchers can work on: anticipating the threats of tomorrow so that when they arrive, potential solutions will be available. Moreover, academics are freer to think out of the box and thus may come up with creative solutions that while impractical today, may be quite practical in the future.
In my testimony today, I've tried to provide examples of the ways in which NSF works with its partners in the federal government, in the private sector, and in academe to catalyze long-term research advances in cyber security. In his May 29 speech on the roll-out of the 60-day Cyberspace Policy Review, the President stated that "America's economic prosperity in the 21st century will depend on cybersecurity" and the Administration "will continue to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time." Your Subcommittees also clearly recognize the importance of research advances in cybersecurity to the Nation's future.
With robust sustained support for fundamental research in both the executive and legislative branches, we have a unique opportunity to increase our Nation's investments in fundamental cyber security research, thereby securing our Nation’s future for many decades to come.
This concludes my remarks. I would be happy to answer any questions at this time.
1. FY2005: $68.81M, FY2006: $76.73M, FY2007: $96.70M, FY2008: $106.90M, FY2009 estimate: $136.70M (including $20M ARRA), FY2010 Request: $126.70M
Return to speech.