14 March 2000
Source: http://www.usia.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=00031301.glt&t=/products/washfile/newsitem.shtml


US Department of State
International Information Programs

Washington File
_________________________________

13 March 2000

U.S. Official on Computer Security

     (Recommends greater investment to ensure protection)(2190)

     An official with the U.S. National Institute of Standards and
     Technology (NIST) urged Congress March 9 to increase funding for the
     agency's efforts to improve computer security systems in both
     government and the private sector.

     NIST Deputy Director Karen H. Brown said, "Computer security is not a
     narrow, technical concern." Rather, she said, it "has a vital
     influence on our economic health and our nation's security."

     Brown told the House Subcommittee on Government Management,
     Information, and Technology that NIST needs to continue its work and
     research to help bolster the nation's information infrastructure. She
     explained that NIST is working to raise awareness about the
     "vulnerabilities and requirements for protection of information
     systems."

     The agency, part of the Department of Commerce, establishes standards
     for security products, Brown said, and has also been working with the
     "international security community to define security criteria in an
     international standard that can be used to develop security
     specifications for products, such as firewalls or operating systems."

     NIST is working to provide security assistance to the private sector,
     Brown said, but needs further financial backing to improve security
     inside federal government information systems.

     "The security of federal systems must also be improved," Brown said.
     "These systems contain sensitive information about our citizens and
     provide services upon which our citizens' safety and well-being
     depend. The government should exert leadership and set an example for
     the nation in protecting against risks and vulnerabilities."

     The following terms are used in the text:

     R & D - research and development

     DOJ - Department of Justice

     FBI - Federal Bureau of Investigation

     FTE - Full-time employee

     Following is the text of Brown's testimony:

     (begin text)

     Karen H. Brown, Deputy Director, National Institute of Standards and
     Technology
     Technology Administration
     U.S. Department of Commerce
     Before the Committee on Government Reform, Subcommittee on Government
     Management, Information, and Technology

     March 9, 2000

     Mr. Chairman and members of the subcommittee, thank you for the
     invitation to speak to you today about computer security issues. I am
     Karen Brown, Deputy Director of the National Institute of Standards
     and Technology of the Department of Commerce's Technology
     Administration.

     Computer security continues to be an ongoing and challenging problem
     that demands the attention of the Congress, the Executive Branch,
     industry, academia, and the public. Computer security is not a narrow,
     technical concern. The explosive growth in Electronic Commerce
     highlights the nation's ever increasing dependence upon the secure and
     reliable operation of our computer systems. Computer security,
     therefore, has a vital influence on our economic health and our
     nation's security and we commend the Committee for your focus on
     security.

     Today I would like to address NIST's computer security activities that
     contribute to improving computer security for the Federal Government
     and the private sector. I also would like to briefly describe for you
     our proposed new program activities for next year as requested in the
     President's budget.

     Under NIST's statutory federal responsibilities, we develop standards
     and guidelines for agencies to help protect their sensitive
     unclassified information systems. Additionally, we work with the
     information technology (IT) industry and IT users in the private
     sector on computer security in support of our broad mission to
     strengthen the U.S. economy, and especially to improve the
     competitiveness of the U.S. information technology industry. As
     awareness of the need for security grows, more secure products will be
     more competitive in the marketplace. Addressing security will also
     help ensure that Electronic Commerce growth is not limited because of
     security concerns.

     In meeting the needs of our customers in both the public and private
     sector, we work closely with industry, Federal agencies, testing
     organizations, standards groups, academia, and private sector users.
     Cooperation and collaboration are essential to tackle many common
     problems facing users throughout the country.

     What does NIST do specifically? To meet these responsibilities and
     customer needs, we first work to improve IT awareness of the need for
     computer security. This helps increase demand for secure and reliable
     products. Additionally, we research new technologies and their
     security implications and vulnerabilities and develop guidance to
     advise users accordingly. We work to develop security standards and
     specifications to help users specify security needs in their
     procurements and establish minimum security requirements for Federal
     systems. We develop and manage security testing programs, in
     cooperation with private sector testing laboratories, to enable users
     to have confidence that a product meets a security specification. We
     also produce security guidance to promote security planning, and
     secure system operations and administration. I will briefly discuss
     the need and benefits of each.

     First, there is a need for timely, relevant, and easily accessible
     information to raise awareness about the risks, vulnerabilities and
     requirements for protection of information systems. This is
     particularly true for new and rapidly emerging technologies, which are
     being delivered with such alacrity by our industry. We host and
     sponsor information sharing among security educators, the Federal
     Computer Security Program Managers' Forum, and industry. We seek
     advice from our advisory board of computer experts (Computer System
     Security and Privacy Advisory Board). We meet regularly with members
     of the Federal computer security community, including the Chief
     Information Officers' Security Committee, and the Critical
     Infrastructure Assurance Office. We actively support information
     sharing through our conferences, workshops, web pages, publications,
     and bulletins. Raising awareness helps ensure appropriate attention is
     accorded security and helps increase the demand for secure products
     and security services.

     A second need is for research on information technology
     vulnerabilities and the development of techniques for
     cost-effective security. When we identify new technologies that could
     potentially influence our customers' security practices, we research
     the technologies and their potential vulnerabilities. We also work to
     find ways to apply new technologies in a secure manner. The solutions
     that we develop are made available to both public and private users.
     Some examples are methods for authorization management and policy
     management, ways to detect intrusions to systems, and demonstrations
     of mobile agents. Research helps us find more cost-effective ways to
     implement and address security requirements.

     Third is the need for standards, and for ways to test that standards
     are properly implemented in products. For example, cryptographic
     algorithms and techniques are essential for protecting sensitive data
     and electronic transactions. NIST has long been active in developing
     Federal cryptographic standards and working in cooperation with
     private sector voluntary standards organizations in this area.
     Moreover, in the standards area we have been working with the private
     sector in preparing for the future. We are leading a public process to
     develop the Advanced Encryption Standard (AES), which will serve 21st
     century security needs. Another aspect of our standards activities
     concerns Public Key and Key Management Infrastructures. The use of
     cryptographic services across networks requires the use of
     "certificates" that bind cryptographic keys and other security
     information to specific users or entities in the network. We have been
     actively involved in working with industry and the Federal government
     to promote the security and interoperability of such infrastructures.

     Standards help users to know what security specifications may be
     appropriate for their needs. Testing complements this by helping users
     have confidence that security standards and specifications are
     correctly implemented in the products they buy. Testing also helps
     reduce the potential that products contain vulnerabilities that could
     be used to attack systems.

     For over five years, we have led the Cryptographic Module Validation
     Program, which has now validated about 90 modules with another 50
     expected this year. This successful program utilizes private sector
     accredited laboratories to conduct security conformance testing of
     cryptographic modules against a Federal standard we develop and
     maintain. More recently, we have been working with the international
     security community to define security criteria in an international
     standard that can be used to develop security specifications for
     products, such as firewalls or operating systems. We are actively
     working with industry partners in the smart card, health care, and
     telecommunications fields to accomplish such development of
     specifications.

     Many of these activities are being done in cooperation with the
     Defense Department's National Security Agency in our National
     Information Assurance Partnership. Private sector laboratories are
     being accredited under our National Voluntary Laboratory Accreditation
     program to conduct such testing. The effort involves developing
     testing competencies and a process for accrediting testing
     organizations. The goal is to enable product developers to get their
     products tested easily and voluntarily, and for users to have access
     to information about tested products. Under this program we have also
     led the development of an international mutual recognition arrangement
     whereby the results of testing in the U.S. are recognized by our
     international partners, thus reducing the costs to industry.

     Advice and technical assistance for both government organizations and
     private sector users is the fourth need. For example, we have issued
     guidance including telecommuting and security, security concerns
     inherent in PBX technology, security requirements in Public Key
     Infrastructure (PKI) implementation, use of firewalls, and intrusion
     detection in networks. We also provide program guidance to agencies
     and are working to complete a document on security program metrics and
     self-assessment. The information and guidelines that we have developed
     are available to all users free-of-charge via our web site. We also
     support agencies on specific security projects on a cost-reimbursable
     basis when NIST expertise is required.

     While I have given you a few examples of NIST's work, I obviously have
     not covered everything. I want to emphasize that there is still much
     more to be done to address the continuing challenges of computer
     security. To put our program in perspective, please keep in mind that
     approximately $6 million of direct Congressional funding supports both
     our Federal and industry computer security responsibilities. (In
     addition, we receive approximately $2 million in outside agency
     funding to provide technical assistance on particular projects.) This
     is plainly not enough.

     As reflected in the requests made in the President's FY 2001 budget,
     NIST needs additional resources to help improve the security posture
     of the Federal government. Looking at the critical information
     infrastructures of the nation, we also need substantial investments in
     security research to find ways to protect our infrastructures.

     To address the need for additional research to protect our critical
     infrastructures, the White House has proposed establishing a $50
     million Institute for Information Infrastructure Protection (IIIP),
     which was initially recommended by the President's Committee of
     Advisors on Science & Technology (PCAST). The IIIP will identify and
     fill the gaps not being met by private sector market demands or
     Government agency mission objectives in critical infrastructure
     protection and provide a strong and secure foundation to protect the
     various critical infrastructures upon which the Nation's security and
     economy rely. IIIP's R&D, which will aim to help prevent security
     problems, will include work that can be applied to protect multiple
     sectors' infrastructures, and thus will complement sector-specific R&D
     underway elsewhere in the government and private sector. This
     initiative will help strengthen the focused existing and planned
     security architectures within the critical infrastructure sectors and
     help prepare the owners/operators of those infrastructures to survive
     potential hostile activities. The IIIP will not have any direct role
     in support of law enforcement or deterring attacks, but will fund R&D
     to develop new generations of IT security solutions that would be made
     available to DoJ/FBI, other agencies, and the private sector to use to
     prevent and respond to future cyber-threats. The IIIP will be a
     partnership among industry, academia and the government (including
     both state and local governments). At the core of the partnership is
     IIIP's selection of information infrastructure protection R&D focus
     areas, which will rely heavily on advice and guidance obtained from
     outside experts.

     The security of Federal systems must also be improved. These systems
     contain sensitive information about our citizens and provide services
     upon which our citizens' safety and well-being depend. The government
     should exert leadership and set an example for the nation in
     protecting against risks and vulnerabilities. Two of the budget
     proposals focus primarily upon the security of Federal systems.
     Specifically, we propose to establish an Expert Review Team (comprised
     of eight FTEs) to advise agencies of their vulnerabilities, help
     prioritize and develop strategies for security fixes, assist agencies
     in preparing for future security threats, and help agencies plan for
     security in new system developments. This preventative approach will
     complement the reporting activities of programs such as FedCIRC.
     Secondly, we seek a five-million-dollar increase to enable additional
     critical activities in the area of cryptography, security management
     and best practices guidance, and the protection of supervisory control
     systems.

     So let me close by again emphasizing that our national commitment to
     improve security must be increased. NIST stands ready to play a key
     role through supporting the proposed Institute, leading the Expert
     Review Team, and conducting additional work to develop needed
     security guidelines and standards, research in security technology,
     leading testing programs, and raising awareness and demand for
     security products and services. This will augment the already
     important activities we have underway. We look forward to continuing
     this work, and believe that your support of the critical new
     activities would help us to do so.

     I will be pleased to answer any questions.

     (end text)

     (The Washington File is a product of the Office of International
     Information Programs, U.S. Department of State. Web site:
     usinfo.state.gov)