(f/k/a Federal Document Clearing House, Inc.)
FDCH Political Transcripts
July 22, 2003
Tuesday
TYPE: COMMITTEE HEARING
LENGTH: 16488 words
COMMITTEE: SUBCOMMITTEE ON CYBERSECURITY,
SCIENCE, RESEARCH AND DEVELOPMENT
SUBCOMMITTEE: HOUSE SELECT HOMELAND SECURITY COMMITTEE
HEADLINE: U.S. REPRESENTATIVE CHRISTOPHER COX (R-CA) HOLDS
HEARING ON CYBERSECURITY ISSUES
SPEAKER:
U.S. REPRESENTATIVE CHRISTOPHER COX (R-CA), CHAIRMAN
LOCATION: WASHINGTON, D.C.
WITNESSES:
SHANKAR SASTRY, CHAIRMAN AND NEC DISTINGUISHED PROFESSOR OF ELECTRICAL
ENGINEERING AND COMPUTER SCIENCES AND BIOENGINEERING, DEPARTMENT OF ELECTRICAL
ENGINEERING AND COMPUTER SCIENCES, UNIVERSITY OF CALIFORNIA, BERKELEY
STEVEN M. BELLOVIN, AT&T LABS RESEARCH
DANIEL G. WOLF, DIRECTOR OF INFORMATION ASSURANCE, NATIONAL SECURITY AGENCY
BODY:
HOUSE SELECT COMMITTEE ON HOMELAND SECURITY: SUBCOMMITTEE ON
CYBERSECURITY, SCIENCE AND RESEARCH & DEVELOPMENT HOLDS
HEARING
ON PUTTING THE "R" BACK INTO "R&D": THE IMPORTANCE OF
RESEARCH
IN CYBERSECURITY AND WHAT MORE OUR COUNTRY NEEDS TO DO
JULY 22, 2003
SPEAKERS:
U.S. REPRESENTATIVE MAC THORNBERRY (R-TX)
CHAIRMAN
U.S. REPRESENTATIVE PETE SESSIONS (R-TX)
U.S. REPRESENTATIVE SHERWOOD BOEHLERT (R-NY)
U.S. REPRESENTATIVE LAMAR SMITH (R-TX)
U.S. REPRESENTATIVE CURT WELDON (R-PA)
U.S. REPRESENTATIVE DAVE CAMP (R-MI)
U.S. REPRESENTATIVE ROBERT W. GOODLATTE (R-VA)
U.S. REPRESENTATIVE PETER KING (R-NY)
U.S. REPRESENTATIVE JOHN LINDER (R-GA)
U.S. REPRESENTATIVE MARK SOUDER (R-IN)
U.S. REPRESENTATIVE JIM GIBBONS (R-NV)
U.S. REPRESENTATIVE KAY GRANGER (R-TX)
U.S. REPRESENTATIVE CHRISTOPHER COX (R-CA)
EX OFFICIO
U.S. REPRESENTATIVE ZOE LOFGREN (D-CA)
RANKING MEMBER
U.S. REPRESENTATIVE LORETTA SANCHEZ (D-CA)
U.S. REPRESENTATIVE ROBERT E. ANDREWS (D-NJ)
U.S. REPRESENTATIVE SHEILA JACKSON-LEE (D-TX)
U.S. DELEGATE DONNA M. CHRISTIAN-CHRISTENSEN (D-VI)
U.S. REPRESENTATIVE BOB ETHERIDGE (D-NC)
U.S. REPRESENTATIVE CHARLES GONZALEZ (D-TX)
U.S. REPRESENTATIVE KEN LUCAS (D-KY)
U.S. REPRESENTATIVE JAMES R. LANGEVIN (D-RI)
U.S. REPRESENTATIVE KENDRICK B. MEEK (D-FL)
U.S. REPRESENTATIVE JIM TURNER (D-TX)
EX OFFICIO
*
THORNBERRY: The hearing will come to order. This oversight hearing of the
Subcommittee on Cybersecurity, Science, Research &
Development will hear today on the topic of Cybersecurity,
getting it right.
This is the next in a series of hearings that this subcommittee has had on cybersecurity.
We have had virtually unanimous recommendations from previous witnesses that
among other things, research & development is a key role for the federal
government and we are here today to hear from some outstanding witnesses to
help guide us in that research & development for the future. Before proceeding
further, let me turn to the distinguished Ranking Member of this subcommittee,
the gentlelady from California for any opening comments she'd like to make.
LOFGREN: Thank you Chairman Thornberry for scheduling this hearing today and
for your wonderful leadership of this subcommittee.
When the subcommittee was formed back in February, Chairman Thornberry and I
met to discuss our common agenda and priorities. And at that meeting, we both
agreed that the subcommittee should spend considerable time studying incredibly
complex sets of issues surrounding cybersecurity. And we
decided to embark on a mission to educate and inform the members of the
subcommittee. We felt the need to establish a knowledge base before we
attempted to tackle any possible policy directives or legislative initiatives.
Soon after our initial meeting, we began this educational process. At our first
meeting we heard from Dr. Charles McQueary on the work being done within
the Science and Technology Directorate at the Department of Homeland Security.
Soon after that, we began a series of hearings on the cybersecurity
issue. First we looked into threats, vulnerabilities and possible responses to
cyber attacks. Last week we heard from industry leaders on their experiences.
In addition to these hearings, we have held several briefings on cyber issues,
including a classified briefing on cyber threats.
Chairman Thornberry and I have also had individual meetings with academics,
business leaders and public policy experts. All of these meetings and hearings
have been quite informative and helped the members of this committee to get a
handle on the scope of the issues we face.
I believe that this subcommittee is beginning to have a solid understanding of
the cyber question and I am sure we're going to build on this foundation today.
Today we'll explore the research agenda that will help us to better secure
cyberspace. Our panelists represent academia, the National Security Committee
and industry and all are well versed in cyber issues.
Scientific research and innovative technology may hold some of the most
promising solutions to our IT vulnerabilities and I believe that we can stay
one step ahead of hackers and cyber terrorists if government works in a
coordinated way with the private sector.
I look forward to learning more about the advanced technology programs that
currently exist and the ones that need to receive higher priority and funding.
I want to hear about the current efforts to share information between the
private sector, the government and academia. Government and this subcommittee
in particular should play a role in helping these diverse entities work
together to reduce our vulnerabilities and better secure cyberspace.
I'm looking forward to hearing from all of our witnesses today, but I
especially want to welcome and thank Dr. Shankar Sastry, Chairman of the
Electrical Engineering and Computer Science Department at UC Berkeley. I've had
the pleasure of discussing these issues with Dr. Sastry before and I appreciate
you coming all the way to be with us here today.
Finally, as I mentioned in my opening statement at last week's hearing, I have
great concerns about the Bush Administration's Cybersecurity
Program. In the last six months, the most senior Bush Administration cyber officials
have left the government. These individuals include Richard Clarke, the special
advisor to the president for cybersecurity; Howard Schmidt,
the vice chair of the President's Critical Infrastructure Protection Board and Clarke's
replacement; Ron Dick, the chairman of the NIPC; and John Tritak, director of
CIAO.
The last two organizations are part of the National Cybersecurity
Division at DHS, which was created on June 6th of this year. To date, no
director has been named for this division. The NCSD is located within the DHS
Information Analysis and Infrastructure Protection Directorate, reporting to
the assistant secretary for infrastructure protection.
Some cybersecurity related R&D activities, however, will
take place within the DHS Science and Technology Directorate. I believe that
this situation, where it's buried within the bureaucracy, is questionable,
and that once a person is finally chosen to lead the division he or she may not
receive the high level access to Secretary Ridge and the White House that is
warranted.
The House is going to adjourn at the end of this week for the summer district
work period. And when we return in the fall, I look forward to hearing directly
from the Department of Homeland Security on their cybersecurity
agenda.
I thank Chairman Thornberry for scheduling this hearing and I thank him for his
leadership and for working so well and honestly with me and I thank you too,
our witnesses, for their testimony and finally, to the committee staff for
their outstanding work.
THORNBERRY: Let me thank the gentlelady and express agreement with the concerns
that she has raised. We will be hearing from the Department of Homeland
Security when we return and this committee as well as the full committee I know
will be certainly engaged with them.
The Chair is going to yield his time for an opening statement to the
distinguished Chairman of the full committee, the gentleman from California,
Mr. Cox.
COX: I thank the Chairman and the Ranking Member and I will be brief, because
we have an excellent panel of witnesses today and I, like you, am anxious to
hear from them.
I want to thank you both for organizing today's hearing and for your continued
diligence in examining the cyber threat. And for this subcommittee's focus on
the Department of Homeland Security's mission to counter this new and worrisome
threat. I'd also like formally to thank our witnesses for making the time to be
with us today.
Just as our focus on science, including notably the Manhattan Project
contributed to our victories in World War II and in the Cold War, a similar
comprehensive commitment to scientific inquiry, to basic research and to the
development of innovative technologies is necessary if we are going to win the
current war on terrorism.
For that reason alone, the cyber challenge in particular requires a
mobilization of the American scientific community. As recently reported by the
National Research Council, in the United States, information system
vulnerabilities from the standpoint of both operations and technology are
growing faster than the country's ability, if not willingness, to respond.
This is a critical fault that we have to address because technology is the
center of our economy, our civilian and defense critical infrastructure, our
communication systems and indeed every aspect of our way of life. Superior
technology will therefore be at the heart of our efforts to prevent and to deal
with cyber attacks. We must leverage our superior research community resources
to address risks and harden our critical, physical and electronic
infrastructure.
Under Chairman Thornberry's leadership, this subcommittee has held three
hearings and a productive half-day workshop on this issue. During these
hearings, representatives of industry, government and academia have confirmed
our understanding of the gravity of the cybersecurity threat
and of the importance of the Department of Homeland Security's role in
addressing it.
The workshop held yesterday morning, which was cosponsored by the Congressional
Research staff, not only accentuated the threat, but stressed the importance of
the public/private partnership in developing solutions.
Today's hearing will increase our appreciation for the research being done to
address the cyber threat. Each of our witnesses today represents a different
facet of the cyber research community.
The Department of Homeland Security to be effective in its analytic and policy
mission must have a clear understanding of the best research being done and
where it is going. In exercising oversight, this committee will want to measure
the department's progress over time in coordinating government wide cyber
programs, in advancing research and development efforts, to reduce cyber
vulnerabilities, in improving our capabilities to respond to attacks and in
accelerating our efforts to promote computer security awareness training across
the country.
I look forward to hearing from our witnesses about research priorities, both in
the federal government and in the private sector and in academia and about ways
that the Department of Homeland Security can support and capitalize on your
efforts.
Mr. Chairman, thank you again for your personal commitment and also our Ranking
Member for your personal commitment and for your exemplary performance and the
performance of this subcommittee on this issue. I yield back.
THORNBERRY: The Chair thanks the gentleman and would also join in thanking the
Congressional Research Service, Eric Fischer and his staff and the folks who
participated in yesterday's workshop. It really was an outstanding group.
Now, again, let me thank each of our witnesses for taking time to be with us
today. We will first hear from Dr. Shankar Sastry, Chairman of the Department
of Electrical Engineering and Computer Science from the University of
California at Berkeley. Thank you for being with us today, sir. And you are
recognized for five minutes.
SASTRY: Thank you very much. Honorable Chairman Thornberry, Honorable Ranking
Member Lofgren and distinguished members of the Committee on Cybersecurity,
Science and Research thank you very much for the opportunity to testify today.
I'd like to testify about an investment in cybersecurity
research & development, some priority areas for funding and the role of
university, industry, venture community and government partnerships in bringing
secure and trusted systems to the marketplace.
By way of background, I should say that I served as Director of the Information
Technology office at DARPA from September '99 through February 2001. My areas
of research are embedded and autonomous software, complex infrastructure systems
and secure network embedded systems.
Let me start with my perceptions of the current funding of cybersecurity
research. The most sustained funding for cybersecurity
research to date has been through the Department of Defense. In DOD the largest
pool for funding for research has been through DARPA, though there has been
some important research initiatives also through the National Security Agency.
The programs have been in three generations. The first generation is to prevent
intrusions and there have been a number of successes that have come out of
this, including several sets of cryptographic tools, access control and
multiple levels of security.
In the second generation, if intrusions happen, how does one detect them and
how does one limit damage? Examples of successful products, which came out of
this, are firewalls, boundary controllers, intrusion detection systems, virtual
private networks and a public key infrastructure.
In the third generation, which we're now in the midst of, the goal is to
operate through attacks and these goals are intrusion tolerance and graceful
degradation. In my opinion, this is the space that we need to be in to be able
to have critical infrastructure systems that can weather attacks.
From its high watermark of close to $100 million of research funding per year
for information assurance and survivability research, IA&S, in 2000, the
funding for unclassified IA&S research has decreased significantly in the
following years.
While it's understandable that there are important other priorities in DOD for
more focused efforts on command and control networks and other sensitive DOD
networks, I feel that given the scope and magnitude of research that remains to
be done, it's critical that the burden of supporting cybersecurity
research be picked up by other agencies.
Of course, I also feel that given the newest generations of manned and unmanned
autonomous systems in the DOD, such as the UCAV and future combat systems
and so on, it would also be in the interest of DOD to not scale back its
unclassified programs a great deal.
The National Science Foundation, I feel the NSF has been proactive in taking
steps to boost funding for cybersecurity research by setting
up new programs in trusted computing, secure network embedded systems, which
is under planning, networking research and more recently test beds for cybersecurity.
Department of Homeland Security, it's our understanding that the Science and
Technology Directorate is planning an initiative in cybersecurity
and is organizing program management structures for cybersecurity
research centers. The Congress and the administration should be lauded for
having taken the visionary step of having formed the Homeland Security
Advanced Research Projects Agency, HSARPA, along the DARPA model.
In addition, I feel that the idea of having HSARPA work with procurement and
operational branches of the DHS to evangelize the adoption of new cyber secure
software and systems is a very attractive one. If such a model is successful,
it would be useful in informing possible changes and procurement and
operational concept transformation in DOD as well.
The community has felt a great deal of enthusiasm about this potential outcome.
The outcome we feel would be best achieved if the research centralized in the
S&T Directorate at HSARPA interacted directly with the procurement and
operational needs of the IAIP, Border and Transportation Security and the
Emergency Preparedness Directorates.
However, a necessary condition for such an outcome is an adequate outlay of
funds for research & development coupled with acquisitions. In my opinion,
the level of investment needs to be somewhere in the range of $100 to $200
million per year. And we base this number on a roadmap for research in cybersecurity,
which we have developed and is present in the full testimony.
In the interest of time, I'll just talk a little bit about a few highlights of
the funding gaps and research priorities for cybersecurity.
The technology needs may be classed into the following categories. Unsolved
difficult research problems in information assurance and survivability, and a
number of these are taken from the so-called INFOSEC Research Council hard
problems list and they're listed in my testimony.
The second one is about technologies for strong security, but also strong privacy.
The technology needs for strong privacy are completely compatible with the
technology needs for strong security. So, some examples are selective
revelation, but the goal is to minimize the revelation of personal data while
facilitating analysis through the approach of partial incremental revelation of
data. Others include strong audit and also rule processing technologies for
checking compliance with privacy rules.
In addition, I feel that the emerging infrastructure of the future will be
based on wired and wireless network devices ubiquitously embedded in the
environment to provide so-called sensor webs of information for monitoring and
controlling infrastructure. We need to take steps today to start securing them.
And finally, the last set of problems comes in under the title of Validated
Modeling Simulation and Visualization of Critical Infrastructures and their
Interdependencies.
Mr. Chairman, am I out of time or...
THORNBERRY: The gentleman's five minutes has expired. The Chair is somewhat
lenient with time, however. The gentleman may proceed and conclude his remarks.
SASTRY: Thank you very much.
Perhaps in the interest of time, let me just say and go to the last part of my
testimony and talk a little bit about a model for public/private partnerships
for rapid technology transfer in cybersecurity.
I think there is clearly a need for cybersecurity and research
& development, but even more immediate and pressing is the need for
transitioning this. The most common complaints that one hears from vendors and
service providers are as follows: no one pays for security. Will the federal
government play the role of market maker in the early adoption of security
products? Is there sufficient demand to stimulate new companies or new ideas
in cybersecurity? Who will provide roadmaps to help the
investment by established companies and the venture community in cybersecurity
products?
So, a fundamental organizational problem that exists today is a lack of
mechanisms of filling in the gap between the end of successful federal
projects. And I feel that a lot of the federal investment today has indeed been
a success. But, there is a problem in transitioning from the end of a
successful federal project to the venture community and industry in the form of
products.
Research prototypes need to be hardened, tested on large-scale test beds,
informed and customized by the customer base before we get these into the
marketplace. And I feel that the role of public/private partnership and perhaps
the nonprofit sector is in filling this gap between the end of a successful
research program and industry and venture update.
And let me just conclude by saying that there are exemplars of successful such
partnerships which have been formed with congressional money by the legislation
of this Congress. And so those are in the semiconductor industry.
In the semiconductor industry, both the SIA, the Semiconductor Industry
Association, and the SRC, the Semiconductor Research Consortium, have
facilitated both the funding of rapidly transitioned research through the
semiconductor industry and lead the continued development of roadmaps for the
electronics industry.
DOD funding, both from OSD and DARPA, from the earliest days of this research
has been instrumental in maintaining a strategic national component, both for
competitiveness as well as for maintaining U.S. superiority in a vital sector.
My own sense is that nonprofits of the same ilk as the SIA and the SRC, with
the same kind of partnership with DHS and DOD could play an important role in
developing a mechanism for rapid transition of focused research and road
mapping for industry and the investment community.
Thank you very much, Mr. Chairman for your indulgence. Thank you very much for
the opportunity to testify. We are really delighted, as a community, to see
your attention to all of these important issues. Thank you very much.
THORNBERRY: I thank the gentleman.
And I neglected to say at the outset that each of your full statements will be
made part of the record. And also, let me compliment each of you on your full
written statements, because they did a very good job of directly addressing the
questions in which this subcommittee is interested. I appreciate that very
much.
Let me now turn to our next witness. Dr. Steven Bellovin is a member of the
National Academy of Engineering at the National Research Council. He is also a
technical leader and fellow from AT&T Laboratories.
Dr. Bellovin, thank you for being with us and you're now recognized for five
minutes.
BELLOVIN: Thank you, Mr. Chairman, Ms. Lofgren, members of the committee. I'm
delighted to come to help out.
I should add one of my other roles. I'm Security Area Director for the Internet
Engineering Task Force, which is the group responsible for most of the
standards used on the Internet today.
We face a very serious cybersecurity problem. Usually we can
protect an individual high value system, though it's hard. I run my own
personal computers as tightly as I know how to. In the last two years, probably
there were a dozen different ways that if someone sent me the right message at
the right time they could have taken over this system. And this is run about as
tightly as anything can be and still be connected to public networks.
We cannot protect all of the machines; we simply don't know how to. We
don't even know what the magnitude of the threat is, even from ordinary
hackers, let alone nation states and possible cyber terrorists. The available
data on what kinds of attacks, on the number of attacks is simply lacking. We
need more research to help us understand what is going on. You need different
defenses against cyber terrorists than you do against ordinary hackers.
Most of the security problems we see today are caused by buggy software. Buggy
software is probably the oldest unsolved problem in computer science. I have no
reason to think it's going to be solved in my professional lifetime. If we
design our software correctly though, we can restrict our attention to the
crucial pieces of security and probably get those right. Software reliability
has improved. It's no longer unusual to see a server that's been up for a year
or more. But, we have to design software with that sort of vision in mind. We
know somewhat how to do that, but not nearly enough.
We need new mathematical formal frameworks for assessing and measuring the
security of the system. A locksmith can tell you how long a safe can resist an
attack with certain kinds of tools. A computer scientist can't do the same.
Basic research on cryptography is probably not a priority. It's not that
cryptography's unimportant, I've done a lot of cryptographic research myself,
but we have far more science there than we've currently applied.
We need a great deal of effort on technology transfer from the bureaucratic to
the practitioners and on engineering, taking the cryptographic mechanisms and
actually engineering them to be used on deployed systems.
I would note that open standards are better for this because they promote
diversity. The lack of what's called cyber diversity, like the lack of
biodiversity, leaves us very vulnerable to a single infection vector, a single
attack vector. This is a very serious issue in the computer industry today
because many other trends push towards one source rather than many.
The security technologies are often too hard to use. We need to do a lot of
work on the human factors of computer security. Most people don't configure the
system securely because frankly it's too hard to do so. I find it hard
sometimes myself and I'm a professional in this field. Try to understand some
of the messages and prompts that I get.
We need incentives for vendors to develop more secure systems. That's both
security features and more reliable less buggy software. And we need incentives
for end users to use these secure systems and these secure features.
We need to improve systems administration. This isn't the sexy area, but
most actual penetrations are caused by failure to apply available patches to
correct known vulnerabilities. It's once the patch comes out that most of the
activity takes place. Not always, but that's the large, the vast majority of
system penetrations.
But, most of the responsible systems administrators will patch a production system
without testing it. System administration is not a prime area for research. It
seems too mundane. Nevertheless, if we can have better tools for automating the
administration, for testing systems -- and by the way, for improving the
resources that are available to system administrators, both in government and
in industry, this has the potential for a very large payoff. This is some low hanging
fruit.
Security also depends on authentication. Authentication is a subtle business.
It's hard to get right. If you get it wrong, you may have a system failure. You
also violate individual privacy. It's important to pay attention to both of
these factors when designing systems.
There are no simple answers to the cybersecurity problem.
There's no one technology that's going to solve it for us. There are a number
of areas, however, that if we put in the appropriate resources, I think we can
make a lot of progress and get systems not absolutely secure, there is no such
thing, but markedly more secure than they are today.
Thank you, Mr. Chairman, Ms. Lofgren, members of the committee.
THORNBERRY: Thank you, Doctor. There are several areas that you mentioned we
will certainly come back to in questions.
Finally we have Mr. Dan Wolf, Director of Information Assurance at the National
Security Agency.
Members will remember that Mr. Wolf has helped us before. Really the first
activity of this subcommittee was kind of a "members only" workshop
of cybersecurity, which Mr. Wolf put on for us.
Welcome back and we appreciate you being here. You're now recognized for five
minutes.
WOLF: Thank you, Chairman Thornberry and members of the subcommittee.
My name is Daniel Wolf and I'm NSA's Information Assurance Director. NSA's
Information Assurance Directorate is responsible for providing information
assurance technologies, services, processes and policies to protect national
security information systems. We are also responsible for conducting research
& development.
In regards to your theme for this hearing: cybersecurity,
getting it right...
THORNBERRY: Excuse me, Mr. Wolf. Would you pull that microphone just a little
closer to you? Some of us are having trouble hearing you, including me. Thank
you.
WOLF: In regards to your theme for this hearing: cybersecurity,
getting it right, I'm not sure that NSA has all the answers or we have always
got it right, but I'm quite confident during our 50 years of deploying
communications and now cybersecurity products, we have learned
quite a few lessons.
Some people want to keep NSA in a box labeled "For Classified Information
Only". They say that NSA's perspective is too narrowly focused on national
security systems. However, I believe quite to the contrary. It's been my
experience that there's little difference between cybersecurity
that is required for a system processing top secret military information and
one that controls a segment of the national critical infrastructure.
The information management principle within the National Security community has
always been the concept of "need to know". But, the fundamental
information principle for homeland security is "need to share".
Because the threat always rolls downhill, that is our adversaries will always
attack the weakest link.
Information must be protected across the entire system. A three-sided castle
is not very safe. The entire community must share the same standards if we are
to protect everyone on all four sides of the castle.
Your invitation for this committee outlined a number of areas where you want
some specific comments and answers. The first was in technical approaches to
optimize cybersecurity. I believe that the highest payoff for
optimizing cybersecurity would be the creation of an
interoperable authentication system deployed widely throughout the federal,
national security, first responder, and critical infrastructure community. This
authentication system also forms the basis for all of the other cybersecurity
services.
It is also important to note here that the most critical infrastructures, like
this PKI, should be built using U.S. technology. I have concerns with foreign
software, unknown trust and quality being integrated in the critical U.S.
systems.
My next priority for cybersecurity is effective border
protection. Just like our national borders or the perimeters of our buildings,
we need to protect our cyber borders. Effective border protection includes many
different technologies, including firewalls, virtual private networks, high
assurance guards and of course, intrusion detection.
It has also been estimated that over 90 percent of all successful attacks on
DOD systems are against known vulnerabilities. System operators struggle to
keep up with all the patches that are issued each month. A system left
unpatched soon becomes a target, like an unwatched sports car with the keys in
the ignition. Therefore, we need an automated patch management system.
Your second question dealt with advanced technologies and whether they should be
pursued to outpace attacks. Today, most of the information coordination during a
cyber attack occurs at the speed of humans. Code Red infected 50,000 machines
in an hour. We need the ability for networks to work together automatically to
weather such an attack.
Another significant research topic is attack attribution: the capability to
geolocate and identify the source of attacks. Without confident knowledge
of who mounted an attack and from where, it is impossible to decide on the
appropriate response. A rapid and reliable capability that separates nuisance
hackers from more serious threats would increase the overall effectiveness of
every cybersecurity practitioner in both the government and
the private sector.
Areas needing higher priority and funding, there's little coordinated effort
today to develop tools and techniques to effectively and efficiently examine
either source or executable software in large applications. We need a national
software assurance center to pull together representatives from academia,
industry, federal government, national labs, and national security community
sharing techniques to solve this growing threat. You could liken this to the
Manhattan Project that was mentioned earlier. This is a significant problem, I
believe.
In today's environment, the need is particularly acute for ways to
counter security vulnerabilities found in popular commercial operating systems.
While many of the vulnerabilities can be fixed by properly configuring the
system, the goal is to configure these systems to be as secure as possible
right out of the box.
I'm happy to learn from your last hearing that some equipment vendors are now
offering the security standards as a default configuration.
NSA, working with DISA, NIST, the NIPC, the former NIPC, FedCIRC, SANS and
CIS, developed a set of consensus benchmark security standards. These standards
provide a sort of -- if you want to call it a preflight checklist -- of security
settings. The benchmark standards represent an effective model based on
agreement between and among security experts. NSA is proud to be part of this
project and will continue to support the community in establishing security
standards.
The fourth area was the role of transfer among government, academia and
industry. NSA requirements for cybersecurity products for
national security uses are identical to requirements found in other mission
critical systems, for example, homeland security and critical infrastructure
protection.
We have developed a number of programs leveraging commercial information
technology. My written statement provides the details, but let me just
highlight a few of these programs.
The National Information Assurance Partnership, or NIAP, is a U.S. government
initiative designed to meet the security testing, evaluation and assessment
needs of both information technology producers and consumers.
Another is NSTISSP 11. This is a national security community policy
requiring the acquisition of information assurance products that have been
validated in accordance with either the Common Criteria or other approved methods.
Another is the Centers of Academic Excellence in Information Assurance
Education. This program promotes higher education in information assurance and
produces a growing number of professionals with IA expertise in various
disciplines. Fifty universities have been designated as Centers of Academic
Excellence to date. We need this type of program for our workforce development.
We must invest in our future, our people's future.
And the next area is in perspective on leveraging national security standards
for homeland security. The key to success for protecting the homeland is secure
interoperability. NSA has created a number of secure interoperability standards
for national security use that are directly applicable for homeland security
and public safety. Some sectors are already adopting these standards. If we're
going to share information, these things are extremely important.
In conclusion, it's been my pleasure to share the work of my agency with the
committee today. I believe that much of the research & development
initiated by NSA for use in the national security community is directly
transferable to the needs of homeland security. We must change our fundamental
assumptions from need to know to need to share. We must share policies and
processes across the community.
Cybersecurity products and technologies have been the focus of
my remarks today, but the technology alone will never be good enough to protect
us. Because ultimately, getting cybersecurity right is more
about what you do than what you buy.
Thank you for the opportunity to speak to you today.
THORNBERRY: I thank the gentleman and all the witnesses for their testimony.
It's rather remarkable to me how much consistency there really is among all
three of you.
At this time I yield to the gentlelady from California for questions.
LOFGREN: Thank you, Mr. Chairman. As I have been in past hearings, I'm really
struck by how fortunate we are in this subcommittee to be able to really call
on some of the smartest people in the whole country and have them come and
share with us. So, it's a delight to listen to each of you.
I have many questions, but let me just start in with Dr. Sastry, because one of
the concerns I have, you mentioned. HSARPA is an encouraging element of the
new department and one with great promise. Before you were leading the
department at Berkeley, you ran the cyber part for DARPA. And I'm wondering if
you could reach back to that part of your experience and give us some advice on
what we do to actually get HSARPA up and running.
Right now there is, I believe, a recently hired deputy director and that's it.
Last month you couldn't even call the division because there wasn't a phone
number or an office and there's no director. There are no employees. If you
were the czar, what would you do to jumpstart that effort so it could be as
productive for the country as DARPA was?
SASTRY: Thank you very much, the Honorable Ms. Lofgren. I had the good
fortune to serve under the Deputy Director, Jane Xan Alexander, who's now the
Deputy Director of HSARPA. She was the Deputy Director of DARPA. So, I think
you're fortunate to have some leadership with experience in the DARPA model.
The way I would configure HSARPA is perhaps quite substantially along the lines
of the DARPA model with a few differences. The way DARPA programs are organized
is that they are mission oriented, in the sense that they are three- to
five-year programs with very definite outcomes. Even in the information
assurance and survivability suite of programs, we had one on secure systems, we
had one on fault tolerant networks, we had one on coalitions, and each one of
those was a separately organized, bite-sized piece of research. And in
addition, the way those were informed by the needs of the services and the
needs of the service labs was to have the service labs be the individual COTRs
for the technical contractors executing the contracts.
So, I feel that the IAIP directorate, the border security directorate and the
emergency preparedness directorate could provide staff to be the executors of
the contracts that come out of HSARPA, very much in that model.
Now, the question about how one ramps up quickly to this is a very important
one, and I think it will take some time to hire the right program managers and
to have adequate turnover the way DARPA does, so as to keep new ideas coming
into the agency. One suggestion is to actually use existing mechanisms of
partnership with NSF, the way DARPA does, or with DARPA itself in the short run,
to be able to ramp up to such a state where it has its own program managers.
The one thing I'd do differently from DARPA is, because there are sort of short-
and intermediate-term needs which have to be met in the other directorates, I
think I would really have a separate office which concentrates on the
technology transition issue. And the technology transition issue would be about
setting up the correct structures to make sure that as the programs mature,
those get taken up, and I alluded to some mechanisms that I thought were useful.
LOFGREN: Mr. Wolf expressed concern about foreign software or software
developed offshore and its reliability. Do you, Dr. Bellovin and Dr. Sastry
share that concern?
BELLOVIN: I'm concerned about all software's reliability and correctness. I'm
not in the position to understand how much greater the (inaudible) coming from
elsewhere. But, we're dealing with a screen door not a vault door on a lot of
software.
I was asked this question leading up to Y2K; a lot of the Y2K remediation work
was done offshore. I was asked if I was concerned about that. And my answer
was, I'm concerned about anybody's patching system regardless of who they are,
because patches have a much higher bug rate and vulnerability rate than base
code.
I think if we had the technology to examine any code, no matter where
(inaudible), for security and assurance or vendor backdoors, which sometimes
they'll put in for maintenance purposes, we would be in a lot better shape. And
I will leave it to professionals to understand how much greater the threat is
from overseas.
SASTRY: If I could amplify on that, I fully agree with Dr. Bellovin. I think
that one has to be worried about all software. And one of the problems about
these complex systems has been that even though I can trust individual pieces,
when you put them together, the overall systems tend to suffer from all kinds
of problems.
So, I think that there are some glints of hope, but I think that the
technologies for guaranteeing that software, whether it's written overseas or
in the United States, is in fact more or less correct by construction are in
the infancy.
One specific one that has come out of Carnegie-Mellon is called Proof-Carrying
Code. And this is the notion of providing code which comes with its own
certificate, so one can independently prove to oneself that it works the right
way. The drawback has been that it's not scalable to large systems.
Now, I think that there is an area of research about how you compose and put
together large systems. And this is perhaps what we have to do on the fly today
to reduce vulnerabilities. So, I guess there's no easy answer.
WOLF: If I could add a comment to that, really there are two pieces to that.
One certainly is the quality of the code, in the reference earlier. Certainly
there is a lot of buggy code out there, but the other is the trust factor.
And when you think about the globalization of IT and the people that are writing
code offshore now, there's a wide variety. Many of whom you can say that we
trust and there are others that you might not have so much trust in. And
frequently, my organization is asked, for example, by law enforcement to look
at code and say, is there a backdoor in this? Is there something malicious in it?
And that's a very difficult problem and the tools aren't necessarily there to
do that right now.
So, that's the reason that we've talked a lot about the idea of a national lab
that looks at software. Certainly the goal would be that you write code so
that up front the code is good and you have trusted code, trusted modules, but
in many cases we don't have that luxury. And if you think about the critical
infrastructure, Wall Street or the power grid on the East Coast, and you look at
who wrote some of that code, you might be a little concerned.
LOFGREN: I'm intrigued by this and I don't know if we'll have time for a second
round, but I'm wondering whether some of the research -- I don't think that's a
function you would want the federal government to provide. And yet, it might
work nicely with the research that's being discussed, maybe the test bed
research that was referenced in the testimony so that you might have -- I mean
the last thing you want is the heavy hand of the federal government on the
creative element. And yet, we might want some way to examine and have a test
bed research component with critical elements of the infrastructure.
Is that sort of what the two doctors are proposing?
SASTRY: I think test bed research is really a lot of what is needed to take
ideas from the research stage into systems that work. So, the specific kinds of
test beds that I alluded to, certainly for network defense: denial-of-service
and worm attacks are coming in with increased frequency.
LOFGREN: Right.
SASTRY: There are a lot of different solutions that the research community is
putting out. But, very few service providers have faith in them, simply because
they haven't been tried out on systems of adequate magnitude. So, also in the
software verification, the question of how much faith you can put in proof
carrying code, which is a piece of code that you add to a piece of software to
check whether it's actually meeting the functions that it was supposed to and
whether or not it has backdoors.
So, I think that a test bed activity is one of the things that's needed to fill
the chasm between research, what comes out of a university or what comes
out of other research groups, and products. And then the questions about
regulation: I think that while it's true that it's not completely clear
whether one ought to be heavy handed in the regulation, I do think that, as in
the Y2K case, the federal government had a very, very important role in 1997 by
the SEC asking companies to file their plans for what they were doing with
Y2K.
LOFGREN: If I may, I don't disagree that the federal government must play some
role. The question is, what is that role. And I think we've discussed many times
and think there seems to be consensus among most of the members of this
subcommittee that a heavy handed regulatory role is probably not the optimal
role for the government to play, but there is a role for the government to
play.
BELLOVIN: There is a need for test beds. The fundamental problem of software is
scale. We can do small things well, both developing and testing. We can't do
large things well. That's where a test bed, an opportunity to try certain
things at scale in an experimental setting, would be very, very useful.
There are some things where it's easier than others. Network technology works
better; software, a large software project, by definition involves very many
people over many years with real users and real changes over the lifespan.
That's hard to put into a test bed.
Nevertheless, an industry, government, academia cooperation is useful because
industry has the software and everybody's relying on it, including the Defense
Department, we're all running commercial off the shelf software for the most
part. And we have to get this right to secure the critical infrastructure.
LOFGREN: I think I've more than used up my time and I would like to thank the
Chairman for his courtesy and yield back.
THORNBERRY: The gentlelady is asking some very good questions.
The Vice Chair of the subcommittee, the gentleman from Texas.
SESSIONS: Thank you, Mr. Chairman. On behalf of this committee, as you have
heard us say, we appreciate all three of you being before us today. I think
this is an important exercise for this subcommittee and for our own knowledge.
Mr. Wolf, I think I'd like to direct my question to you, but I'm not sure it
would be limited to you. You speak very forthrightly and clearly about
effective border protection. And quite honestly, that makes my mind race.
I'm a free trader. I believe in goods and services and information flowing back
and forth between countries and I believe one of the most powerful parts about
the World Wide Web is its availability to people for commerce and other activities.
However, the need of this great nation to protect itself and its intellectual
property, its secrets and other things that emanate from that is important
also. And in my mind, I think I understand border, but I'm not sure that I do.
And it's because I really don't have a concept of where all these nodes are
that bring traffic into this country to where we share our information
and standards bodies.
When I was at Bell Labs, we were a part of a standards body organization for
switch manufacturers. I'd like for you, if you could, to perhaps go through in a
detailed way what you see as this border, or cyber border, and are there
things that we, as this country, should be doing, just like trade agreements or
just like customs would be at an airport in a foreign country or for visitors
coming to this country? Should we place a burden upon knowing who's coming here
and where they came from?
I know this is hard on a real time basis or even if just information that would
travel with that packet that would come about where someone originated. I think
you see where I'm coming from. Can you address that?
WOLF: OK. And I guess let me start by saying when I talk about border
protection, you're really talking about protecting, if I can start with
your computer at home, in terms of having a firewall such that you can control
who comes into your computer, who has access to your computer, the
kinds of things that come and go in and out of your computer. So, that's not
restricting you from going anywhere in the world to look at something on the
Internet. But, it is meant to stop a hacker, for example, from coming into your
computer and stealing your tax information.
So, we talk about firewalls and firewalls have a set of privileges that you can
identify with in terms of how strict and how high up you want to put the walls
up, if I can say it that way.
We also talk about intrusion detection systems. So, now if you go a little
further out from your home computer and you want to develop a profile of what
kind of activities are coming across that boundary, looking for hackers, for
example. That's kind of what we would call border protection.
In terms of looking for malicious activity threats of hackers, whether that's a
terrorist, a nation state, whatever. So, you're, if you will, protecting your
computer environment, protecting cyberspace.
Now, if you take that a little further to the borders of the United States,
that would be a very difficult task to put up, if you will, some sort of protection
around the United States and probably not necessarily a good investment.
But, you certainly would want to put sensors maybe on the periphery of the U.S.
Again, to look at hackers, look at people trying to come in to do malicious
things to you. And to look also at maybe data that's leaving the U.S. And I
talk in my testimony a little bit about the insider. Is there information
leaving a facility that you wouldn't want to leave? Is somebody on the inside
pushing information out to another entity.
So, when we talk about border protection, we're really talking about how do you
protect your enterprise? What kind of protections do you put around it so that
somebody can't come in and do something malicious to your enterprise. So, not
really restricting in terms of the internet as a whole, but it's more the
protections that you want to put in to make sure that somebody isn't doing
something malicious to you.
SESSIONS: So the border could mean any individual computer as opposed to...
WOLF: Right.
SESSIONS: And the border I was describing as the United States of America.
WOLF: Right, but then we start talking geographic. In DOD we have something
called defense in depth and we talk about the enterprise level, the
information backbone; there are several levels that we talk about in terms of
doing protections. So, it's not necessarily a physical boundary in terms of
around the United States, although that may be something in terms of
implementing a network of sensors to look for hackers, to look for kinds of
malicious activity. That may be something that we want to do.
SESSIONS: OK. Do any of the other gentlemen choose to speak?
BELLOVIN: Yes, I'm in favor of border protection to the extent it's possible. I
was the author of the first book on firewalls in 1994, which is a much more
challenging problem today than it was in 1994, because the amount of Internet
connection has increased tremendously.
A modern corporation will have hundreds and thousands of external links that
penetrate each firewall, to outsourced functions, to its joint venture partners,
to its customers, to its suppliers. All of this is done electronically and all
of this is done by means of mechanisms that bypass the firewall, go through the
border. We have many more border crossings than we used to.
The virtual private network technology that lets me work from my hotel room
exactly as if I was inside my office at AT&T works very well, but if the
same employee who's telecommuting via VPN is using that same computer to surf
the Internet individually, we have a problem, because we don't have an
effective border.
We're moving more towards a motel rather than a hotel model. In the hotel, there's
one or two entrances and everyone's walking past the front desk. In a motel, every
room has its own door to the outside. It's a lot harder to secure that and
we're moving more towards the latter. We have to find a scalable solution to
let us protect all of these doors.
I would note that tracing things when they're coming from outside the country
is a lot harder. The hackers don't use their own computers for the most part.
They use their own computer to hack an easy target, maybe in a university
someplace or a small company, and use those to hack a few more, and five levels
away, that's where they'll launch the attack from. The attack may be coming
from inside or the outside, but you don't know where the controlling messages
came from. And that's what makes it so hard to trace back these things.
Authentication credentials: they're stealing credentials and identities today.
It will be very hard to fundamentally reengineer things to get around that.
SASTRY: I share your sentiments about being open enough to have IT products
come into the country and also for us to be able to sell IT products in other
parts of the world. And so, I think that open standards, which I think is
one of your concerns, are in fact better than standards where one erects
barriers.
But, having said that, I think that one does need to have the sense of being able
to dial security up and down, so that even if you did have this motel model
sometimes and (inaudible) security at the different threat levels, being able
to dial security up and down depending on your perception of how threatening
the environment around you is. The questions about how to do this are, I think,
open research issues.
Also, I think that the questions about being able to trust software, I think
it's easy to trust individual pieces of software and to be able to test
individual pieces of software, regardless of where they're written.
On the other hand, the problems are about what happens when you try to compose
them. And the biggest single problem is when you put together complex systems
and people inevitably build complicated systems for reasons of functionality,
that's when we really don't have guarantees, both in security and also in
privacy, because of the kinds of data sharing that occurs across large systems.
So, coming back I think in the earlier parts of our testimony, both Steve Bellovin
and I agreed that really sort of the bottleneck problem is to be able to
compose secure systems so as to guarantee the overall system works. And I think
that the way to do it is not actually to stop people from sending software in
or for us to be able to sell overseas.
WOLF: If I could add one more comment, we talked about border protection and
firewalls; you also need to think about what functions you want to allow
somebody to do on your computer. So, it's not just putting a border up and
protecting it, but it's what do you want them allowed to do. Do you want them
to be able to look at web pages? Do you want them to be able to move files around?
So, there's a whole set of things to go along with that. So, it's sort of the
motel model in terms of defining what you can do in the motel.
SESSIONS: I appreciate that, gentlemen. That obviously led me right to what Mr.
Wolf was talking about, and that is our own systems are our border. And I
appreciate the discussion.
I yield back.
THORNBERRY: I thank the gentleman.
The gentleman from Rhode Island, Mr. Langevin is recognized.
LANGEVIN: Thank you, Mr. Chairman. I want to thank the members of the panel for
being here.
In your testimony and really, some of the questions I've prepared you've
addressed, but I'd like to give the opportunity to expand on them a little
more. And I'll start with asking if you can tell and discuss whether there is
sufficient information sharing taking place between researchers who discover
most vulnerabilities and the companies who created the products in the DHS and
also, how could the government help to foster an environment where researchers
and companies could better work together. And then, expanding on that point,
what do you see as government's role in terms of increasing security and
standards setting? Should it be fostered through partnerships and purchasing
criteria or should we take a more active role?
I know you've discussed this a bit already, but if you could expand upon that.
And basically, would government-mandated standards, such as the common criteria
have a base hind (ph) or a hindrance for future innovations? If you could take
a crack at those, I'd appreciate it.
BELLOVIN: When it comes to vulnerability reporting, there is pretty good
cooperation between people who find the holes and the vendors. There is
sometimes an unrealistic expectation of how soon a problem can be resolved.
More responsiveness, at least acknowledgement, would certainly help. I often
see cases of people getting frustrated at reports being ignored.
In general, that's a path that works well. Sometimes people have unrealistic
expectations about what can be done. The problems are generally subtle or they
wouldn't be there in the first place.
For standard setting, I would suggest the procurement model; it's much better.
We don't know exactly what we're doing. There's a saying, if we knew what we
were doing, it wouldn't be called research. And to try to mandate certain
things is probably premature, given the state of the art.
The Common Criteria is a useful step forward. As an NRC report a few years ago
pointed out, it doesn't really address a lot of the software model we're
dealing with today. It's also extremely expensive to produce software that
meets these criteria and can continue to meet these criteria over the lifecycle
of the hardware and software platform.
This has tended, because it makes our systems slower, less modern and much more
expensive than the commercial off-the-shelf alternatives, to lead people to buy
the commercial off-the-shelf alternatives, because they don't
perceive the threat. There is no particular push back, no incentives, as I said
earlier, for people to install the more secure software in most situations.
SASTRY: I share a lot of the comments made by Dr. Bellovin. Let me talk a
little bit about information sharing, which was one of your questions.
I think that information sharing is an important step; the ISACs are certainly
an attempt to try to get information sharing across industry sectors. My
perception is that there is a lot of concern in industry about sharing this
information, partly because there isn't a lot of sensitivity about how this
information would be protected from FOIA requests.
Of course there are ways, there are other transactions and authorities and
other procurement mechanisms by which this information could be protected and I
think industry needs to be sensitized to the fact that they can in fact share
this information without it being open to public scrutiny.
My sense also is that there is a certain amount of funding, and I think the
federal role in being able to smooth this information sharing is not to be
underestimated. I think that there's a sense that a lot of, especially small,
companies feel that they're doing that on their own dime. And so I think that
if they had a greater sense of feeling protected when they shared the
information, and also if they were given some financial help for sharing this, I
think this would go a long way towards helping the ISACs.
LANGEVIN: Could you expand upon that on how we do that, how we foster that?
SASTRY: I think that there are mechanisms inside DHS, and I think there are
questions of appropriation of a certain amount of resources simply for the
ISACs. And the other transactions authority is simply the contractual mechanism
that can be chosen to be exercised by the Department of Homeland Security to
actually protect the information from FOIA requests.
I do think they have the OTA authority to do so. The telecom folks that we talk
to at Bell South and others were really quite concerned about being sort of
reassured about this. Partly because this OTA is not a well-known contracting
instrument and people don't know all its possibilities, I guess.
WOLF: A major part of my mission, if you looked at my mission statement, is to
discover vulnerabilities, because my job is to provide secure systems for
the national security sector. So, we put a lot of effort into discovering
vulnerabilities. And we work very closely with industry. We work very closely
with academics in terms of how we do that. We have various research
agreements with various companies. They're called CRADAs, cooperative
research agreements, so that we get access, for example, to source code, again
with the idea of how do you improve the source code to improve the security.
When we find a problem, we go back to the company, we explain what the problem
is and in many cases provide them some of the technology to help improve their
product, because again, we're trying to build product. My main goal is
to get product out there for the national security sector, and of course the
byproduct of that is it's dual use technology. So, anything that I provide in
national security in many cases can be applied other places.
So, I would say there's a very close relationship in term of working with
industry on that and I could probably go through many, many examples of the
successes that we've had in that area.
You mentioned about security settings and benchmarking. I think that's a very,
very important thing and I mentioned that in my testimony in terms of how do
you configure things out of the box so that they're very secure and we're very
active in that particular area.
Common criteria is something that we strongly support. We put a lot of effort
into common criteria. Common criteria, what it does is it's really raising the
bar, if you will, in terms of information assurance. It's not the ultimate
answer. It doesn't make it perfect, but what it does is it does put the
products through a fairly rigorous testing for certification. So, given a set
of functions that the product is supposed to do that you've demonstrated that
it does do those functions under certain conditions.
Now again, that doesn't solve all the problems, but it does raise the bar. And
the Common Criteria probably needs some additional things too. I share the
comments and I agree that the Common Criteria can
be a little expensive for companies, and that's something we're also trying to
work on in terms of how we can improve either the timeliness of things getting
through the process or how we can do something in terms of helping
financially. But, that's a difficult problem to resolve.
We've reached out to homeland security, in particular, Bob Laskowski (ph) in
IAIP, and have talked to him about working with us in NIAP and how we can
leverage the kinds of things that he needs to do along with the National
Security sector. So, together what we do is we come to the table with a larger,
if you will, market share. If you just look at the National Security sector,
that's not a big a sector in terms of many of these products. So, in terms of
getting things through common criteria through NIAP, if there's homeland
security and national security, that makes it a much larger market and makes it
more cost effective in terms of a company going to go through that and get that
process done.
And I guess the other question was about mandated standards. I don't believe we
should mandate standards. We should establish standards. We should sort of
recommend standards, but I think one of the problems with standards -- and I
certainly see it in my sector -- is we have everything from a small military
installation with a small requirement to some large network like the SIPRNet
(ph). And to try to mandate one standard across those two extremes is very, very
difficult for anybody to make work.
So, I think you want to establish a set of standards, recommended standards, and
do it that way rather than make it mandatory, because one size does not fit
all.
BELLOVIN: Let me echo that. If it was that simple to ship a secure system,
Microsoft and everyone else would have done it years ago. How you configure a
system or network depends on its purpose.
A laptop that's used for text editing and email has very different
configuration requirements than software development, which is very different
than a web server, which is very different than a database server, and so on.
There are about as many different uses of computers and configurations as there
are computers, and one size does not fit all.
SASTRY: If I may just respond to your question of partnerships and I'll sort of
take the academic. I think the research problems and the development problems
are really too large for just about any group in this nation. So, I think it's
especially important for research groups to work in teams. And at Berkeley,
we've really found it very, very important to collaborate, but large numbers of
research groups across the length and breadth of the nation.
The questions then are about what facilitates this collaboration is really that
at the research level, but we have open standards where we don't use IP
protections inside the universities for protecting the kinds of software and
systems research that we do.
But at the same time, we allow for industry partners to be able to uptake that
information and take it out of the open source development and then take it and
encapsulate it into that product.
And so, for instance, in sort of a research center and trust, which we are
doing with Stanford, Carnegie-Mellon, Cornell and Vanderbilt, we found it very
important that we voluntarily have adopted an open source IP policy amongst
ourselves of making sure that the companies, the industrial partners can
actually take the open source materials that are created with the secure
trusted systems that are created and then go take it into their proprietary
products. And that's something that I think the research sector can do in this
particular space.
WOLF: One of the exciting things that's happening in NSA right now is that
the...
THORNBERRY: The gentleman from Rhode Island listed a host of interesting
responses, which we certainly may want to pursue, but in interest of time, let
me turn to other members, because we have gone well over the five-minute...
LANGEVIN: I thank the Chairman for his latitude in allowing the panel to answer
the questions.
THORNBERRY: I appreciate the gentleman's questions. Excellent questions.
Does Chairman Cox wish to ask questions at this time?
COX: I do. Thank you, Mr. Chairman.
I wonder if I could ask Dr. Sastry and Dr. Wolf whether you agree with a
statement made by Dr. Bellovin in his testimony that when it comes to cyber,
most basic research is being done in our universities. Is that your opinion as
well?
If you cannot hear the question, I'm asking whether you agree with Dr.
Bellovin's assessment that when it comes to cyber, most basic research is being
done in our nation's universities.
SASTRY: I would say so, even though there are pockets of excellence in
industrial research labs as well, such as Dr. Bellovin's group itself.
WOLF: I would disagree. I would say it's done in many places. Cybersecurity
covers many; there are many facets to that. I would point to DARPA. I'd point
to NSF. I would point to some of the things that NSA is doing. I would point to
the National Labs. There's some very interesting work being done in the
National Labs in cybersecurity. And again, some of that's
classified research, so that doesn't necessarily get the view, everybody
doesn't get to see that. And certainly in the academic areas there are lots of
work being done and we partner with the academics.
So, it's being done in many places. I don't think there is one area, one
organization that you could point to, one entity and say that they're doing
most of it.
COX: Well, I ask the question not because I think that Dr. Bellovin would
disagree with anything that you just said, but because I think Dr. Bellovin,
one of the points that you're making is that we know essentially where the
researchers are and that it's difficult to scale up. That we could throw a lot
of money at this, but we also have to spend just as much time thinking about
which direction we're going, because we can't make it up on volume.
We're not going to be able to reproduce all of this instantly. Is that a fair
statement of your point, Dr. Bellovin?
BELLOVIN: Yes, that's basically it. I'm not saying there's no basic research
done. There's certainly a very large need for applied research, which does go
on very many places, but university research can't be scaled up. Basic research
can't be field up by too much, because there aren't the people to do it yet.
And of course, these are the people who are training the future generations of
researchers, so it's very important that we encourage this, because this is not
a problem that's going to go away anytime soon.
COX: Well, taking that point as supplemented and in argument by Mr. Wolf's
comments and we are well aware that we have a federal piece, some of it's not
public, so maybe our estimates of whether majorities here or there might even
be a little soft.
I'm going to infer from this -- and this is the premise of my next question --
that we're going to need to rely on our nation's universities for some of the
big objectives that we're attempting to tackle here. That this is going to be a
partnership and the federal government is going to partner with our universities.
And then that takes me to, Mr. Wolf, your next point and Ranking Member, Ms.
Lofgren also questioned you about this a little bit and that is our need to
focus on U.S. technology and whether this is possible. If we have open
standards, if we have a lot of people participating, if we're using the private
sector as well as universities and it's not all in a black program in the
federal government, is it realistic to assume that this is possible?
WOLF: I think it'd be difficult to say that we would use all U.S. That wasn't
my point. My point was really that there are certainly critical areas where you
want to have a good control of your hardware and your software, maybe in a
critical infrastructure, certainly in the national security sector.
So, if you have a system, you may want to look at certain areas and put better
controls over the -- also the quality and the trustworthiness of the software.
My comment about National Software Assurance Laboratory that may be a way of
taking software, wherever it's written and to be able to validate it and say
yes, this is trusted software.
The world right now where IT is globalizing and lots of work is going offshore,
the U.S. cannot do everything. As I say, it's globalizing. So, it's a matter of
how do you look at a software code? How do you validate it? How do you say that
you trust it? So, whether it's U.S. or it's foreign written, it's really a
question of trust. How do you establish trust in the software to make sure that
it really does what it says it does? So, it's not only the quality but also the
trustworthiness.
COX: To the extent that our focus is on firewalls or at least on that genre of
technology that is meant to help networks resist attacks, an additional reason,
besides our own homeland security that we need to be concerned about theft and
about penetration of these programs is that other nation states who are wary of
the internet and don't want their citizens using it and who are using black
boxes and filters and firewalls to prevent their citizens from having access to
the outside world would be thrilled to lay their hands on the most
sophisticated technology that we've developed at taxpayer expense in order
either to prevent their citizens from having access to the web or to trace the
behavior of their citizens so that when they are doing things on the internet
that the government doesn't approve of they can land them in jail.
What can we do, therefore, to focus on security of the tough measures that
we're trying to develop in our own country and for this purpose I include both cybersecurity
and physical security.
I address that to all three members. My time has expired and I thank the
Chairman.
SASTRY: Your question is really quite interesting. Let me first talk about
security and privacy. So the questions about building in strong privacy with
strong security, my own sense is that the kinds of technology solutions that
help foster strong privacy include things like audit; include things like
watching the watcher to try to determine who is watching what.
Also these questions of selective revelations, which means that credies (ph)
are answered narrowly so as to selectively reveal information little by little,
rather than have access to a lot more than as asked for.
And then finally the questions about being able to understand if certain
privacy standards are being met and there are a host of new technologies such
as encrypted craze, encrypted protocols is what they're called, for being able
to enforce that. So, I think that in terms of taking worldwide leadership, I
think we can really build in strong privacy into our strong security solutions.
And then of course, the question of how this may be used overseas, of course,
those are much more complicated ones, but nonetheless, you will have products,
which have strong privacy safeguards built into it. So, I think that this is
one thing we can do to foster our ideals while providing strong security.
And I think that this message is somehow a little different from a message that
says you have to give up privacy in order to get security, because the
technology indicators are all that, in fact, they're mutually reinforcing
rather than one at the expense of the other.
WOLF: Not necessarily a complete answer to your question, but certainly one of
the things of the National Security sector is that we do have levels of
protecting that you put in to various systems.
So, for example, levels of encryption where you have the high-grade
encryption, which is the most significant and the most sensitive communications
where you may have other levels of encryption that aren't quite as good, yet
are still adequate to protect the information.
So, you can think of that in terms of the products that we're putting out. You
may have a higher level of protection in terms of protecting the power grid in
a product than maybe the general product that would be available that would be
sold overseas. So, there are ways that you can do that.
BELLOVIN: The firewall technology, one of the criticisms of firewalls is that
they assume that everyone on the inside is a good guy and is following the
rules. Now, this is a problem in industry as well, but in terms of the model
you speak of with repressive governments trying to isolate their systems from
the internet, in that case, it's the people on the inside who are actively
trying to get around the firewall technology. And firewalls are not very good
at that. There are some that do better than others.
We're better off with strong firewall technology to protect ourselves with
multiple overlapping layers of defense in depth to prevent people from the
outside getting in using other mechanisms to control insider behavior, ones
that don't scale to, say, a whole country.
Outbound traffic is relatively unrestricted and (inaudible) and that I think
would not pose nearly as much of a threat of being used by repressive
governments to keep their own citizens from accessing the internet. So, I don't
think there's any particular conflict there.
COX: Well, I'm happy to hear that.
Thank you, Mr. Chairman.
THORNBERRY: I thank the Chairman. The gentleman from North Carolina.
ETHERIDGE: Thank you, Mr. Chairman and let me thank you and Ranking Member for
this meeting and for our distinguished guests for being here today. It's been
very interesting thus far and I appreciate that.
Gartner Incorporated, a respected IT consultant organization, has estimated that
about 90 percent of the cyber intrusions could be avoided if individuals and
companies consistently maintained the security of their computer systems by
monitoring use and installing software patches to identify security flaws.
Number one, do you agree with that and number two, do you believe that software
vendors could make security maintenance a little more user friendly? If each
one of you would just touch on that?
BELLOVIN: I actually would have guessed it was more like 95 to 98 percent than
90 percent.
ETHERIDGE: OK.
BELLOVIN: I very much agree with that statement, but as I indicated in my
written testimony, patching systems, especially production systems, is a much
more challenging thing than it should be. I will not update my PC after about
April 1st until I've filed my taxes. I can't take the risk of some unrelated
change disabling the tax preparation software I use. And you have that problem
in spades if you're running a corporate web server or a major corporate
database or government database and so on.
As Dr. Sastry's indicated, the composition of systems, the components of
complex systems working together properly is a very, very difficult and
unsolved problem. We don't know how to do this. This is why patching is so
hard. It's not that the administrators are irresponsible or that the vendors
haven't supplied good tools, it's that we don't know how to do it easily,
reliably and without breaking something else.
SASTRY: Mr. Etheridge, if you were like me when you are installing a computer
and you have all these queries that say, "will you do this",
"will you do this?" I think everybody's tendency is to just press
yes, yes, yes or no, no, no randomly. So, I think what you're alluding to is a
big, big hot button item.
People talk about human-computer interaction, so I think the notion of
human-computer interaction for security to make it easier for people to understand
what they're doing and be able to configure their systems I think is a vast and
a rather untapped area of research in cybersecurity and if
anything, that's needed right away. It's one of those the EU and I agree with
you on statistics too.
WOLF: Operationally, my organization does the red teaming, which is an
organization that tries to penetrate networks. So, we have customers in DOD
that ask us to go look at their networks and see if we can get into them. And
I can verify that your 90 percent is probably correct.
It's the networks that haven't been properly patched and configured properly.
We look for those kinds of things and that's usually the door that we get in.
If I look at the statistics that come out of the defense of the DOD networks, that
come out of the JTFCNO, I think their statement is it's about 90 some percent
of the attempts, the hacks are really trying to get at, things that haven't
been patched properly.
In my testimony I talked about automatic patching and that's a significant
research agenda item. I believe that needs to be done. How do you make patching
much easier for the system administrators? They're overwhelmed with the number
of patches and problems and configurations that they have to do every day. And
the idea of having pre-configured systems coming out of the box that are
security conscious in terms of here are the right settings, I think is also
another step forward.
ETHERIDGE: As you noted before and others before us that the government and
universities and the industry, these encourage more students to get into math,
science and all the science areas of technology in order to produce more
graduates who can deal not only with cybersecurity, but this
whole issue of technology that we're dealing with.
Let me go to each one of you on this one, starting with you, Dr. Sastry, the
academic community acting in a way in retaining the number of scientists needed
in the research area, as it relates to cybersecurity as we
look down the road and more specifically, making these systems more user
friendly, because I think that's the key to getting the security.
SASTRY: So it's been recognized that human-computer interactions plus cybersecurity
is something that we need to focus on. The realization has come surprisingly
recently. So, in some ways the work is only now beginning.
The questions about training the workforce, I think these are very, very
important item for us, because security of course depends on making sure that
the entire populace is educated about all the need of cybersecurity,
because of course it's only as strong as the weakest link.
I think that there has been in the last two years a shift in enrollments. I'm
in an electrical engineering computer science department, so there has been a
shift away from computer science to computer engineering, which in some ways is
encouraging, because it does encourage people to now start thinking about
information technology as a technology that's woven into the fiber of our every
day life and into our sizable scale systems.
But, other disturbing trends are that the percentage of women that are coming
into electrical and computer engineering, we've actually given up the advances
that we made in the mid '90s in the last four or five years and that indeed is
subject for concern.
So, also with other segments of the population, so at Berkeley, we've actually
started going out and visiting high schools to try to get them thinking about cybersecurity
already in high school, certainly in Oakland and San Jose and all of the neighboring
schools. So, your remarks are really on target for our priorities.
ETHERIDGE: Thank you, sir.
I see I'm out of time, but I'd be intrigued because I think it's important in
every area, industry as well.
BELLOVIN: I don't have anything to add on that. Thank you.
WOLF: I was just going to comment on our outreach program to educational
institutions. We have the Centers of Excellence, we have 50 universities that
have an IA curriculum, we work with the service academies, we're currently
starting to do some things at the community college level, sort of what you
were saying in terms of kind of moving up through the lower levels up through
the universities.
We clearly need to make more people aware of IA in terms of the things that
need to be done.
THORNBERRY: I thank the gentleman.
The gentlelady from the Virgin Islands, Dr. Christensen.
CHRISTENSEN: Thank you, Mr. Chairman. I want to thank you for this hearing as
well. I'm becoming better informed on the area of cybersecurity,
although I'm still far from being an expert.
My questions are going to be a little different. Dr. Sastry, in your testimony
you talked about whether the federal government would play the role of market
maker and asked was there sufficient demand to stimulate new companies around
ideas.
It would seem to me that a fairly sizable demand would be in the private sector
and in corporation with security for cybersecurity. We
recently did BioShield to encourage and expedite development of countermeasures
for bioterrorism agents, which would involve a significant expenditure on the
federal government's part.
Do you foresee that in the area of cybersecurity that the
federal government would have to provide most of the funding or do you see that
there's really a sufficient demand in the private sector that there would be
more cost sharing on the private side? And also, it would see more diverse use
other than for homeland security for government use in these kinds of products?
And anyone else can answer too.
SASTRY: Thank you very much for your question. I think that the big market of
cost is in the private sector and the big market is in the infrastructures,
which are certainly not owned by the federal government, which are privately
owned.
The question of course has been about jumpstarting this market. So, just to
give you an example, there's been a big buzz in the venture community about
investing in security for the last two years. But, on the other hand, a number
of the portfolio companies that have come out of the venture community actually
have not had a stream of revenue in secure products.
So, our sense is that since the Department of Homeland Security itself is
committed in its border and security directorates, IP directorates and the
emergency protection directorates, to buy secure products, our sense is that
having this as sort of a badge to distinguish these products will actually
jumpstart market in the private sector. And I think my own expectation is that
that is not something that one ought to or perhaps could subsidize.
On the other hand, I think that if one -- when I said market maker, it was just
in the question of jumpstarting the market by adopting certain sets of secure
products in the beginning. And I think the same and the model again is a little
bit like the DOD model, so the internet actually grew from the Arpanet being
used for sending DOD applications and then everybody else jumped on to it and
also for high performance computing, which resulted in PCs. So that's sort of
the market maker analogy that I was using.
BELLOVIN: I would agree that much of the funding and energy has to come from
industry. The government's role is to create the appropriate incentives.
If you look at the history of, say, cryptography, there's 100 to 150 years
worth of experience of people saying, "I've got a really great
cryptographic solution" and then going bankrupt because nobody wanted to
buy because they didn't appreciate that they actually needed this technology.
We're sometimes seeing the same thing in the computer security community today.
There are solutions that have not been adopted by corporations that don't
perceive the threat. It's only in the last few years that more than, say, the
financial community and the military have really begun to realize that there is
a real threat out there and a real market.
I note last year or so, Microsoft has finally gotten religion about security
and it's going to start some very admirable projects and efforts, from what
I've heard, internally, doing a very nice job. But, it's going to take years
for this to have an effect.
But, the real question of the role for government is to create incentives for
corporations and government agencies to start thinking about security when they
design systems and when they procure systems, creating the incentives for them
to do so. That's a difficult problem, but that's a role for government.
WOLF: I'd agree with some of the things that have been said so far, but I would
sort of focus a little bit on the global IT, the amount that's being spent in
the U.S. government on IT, the amount that's being spent on information
assurance kinds of products.
CHRISTENSEN: Can I just interrupt your answer and to just add that I understand
that less than one percent of the science and technology budget or about $80
million is being directed to cybersecurity R&D, is that
adequate? Could you also...
WOLF: I'm sorry, say that again? Pardon?
CHRISTENSEN: I understand that about $80 million is directed to cybersecurity
R&D in the science and technology directorate budget. It seems like you
were going to talk about the amount of government spending. This is in the
Department of Homeland Security and I was wondering...
WOLF: OK. I'm...
CHRISTENSEN: ... could you also respond to whether that is adequate?
WOLF: I think we need to be spending more money in research, really and in cybersecurity.
I think there are a lot more things. I think we're underfunded in many areas.
The comment that I was going to make is that we try to move from a supply side
to a demand that customers are educated in terms of information assurance, in
terms of the cybersecurity and they're looking for products
and demanding products that they actually need them. And that's one piece.
The other piece is the idea of maybe looking at insurance. If you look at a
facility in terms if you evaluate it, is it certified and then there's an
insurance break that goes along with the corporation that quote, "has good
system administrators". They've gone through some certification process; you
have a reasonable architecture. And that's the way in terms of rather than over
regulating or enforcing standards that indirectly you can create more of a
demand for the products.
CHRISTENSEN: Thank you.
Thank you, Mr. Chairman.
THORNBERRY: I thank the gentlelady.
The gentleman from Kentucky, Mr. Lucas.
LUCAS: Thank you, Mr. Chairman.
This is a hypothetical sort of a holistic big picture question I'd ask each of
you to comment on this.
Let's assume for the moment that you've been put in charge of cybersecurity
for the federal government, homeland security and you've been asked to prepare
a budget for that job to do an adequate job. And that you submit this budget
and you get a third of that budget, one third of the money that you think you need.
I would ask you, how would you prioritize what you would spend that money on if
you only got a third of the resources that you felt you needed to do the job.
I'd like for each of you to answer that.
BELLOVIN: Well, if you're talking about operational networks, I would first put
money to systems administration, because, as we said, 90 percent of attacks are
from known holes that haven't been patched. That would be my first priority to
improve the systems administration and what they need to do the job.
Past that, research funding, you have to focus on the composition to secure
system development.
SASTRY: I understood your question to be about research money. Of course, for
the operational aspects, I'd fully agree with getting system administration to
the fore, empowering systems administrators to be more involved in decision
making.
For the research money, the way I see it, it's sort of a world of networks and
systems. One has to protect the systems of the computers, the networks on top
of it and then finally, collations of systems on top of it. So, I think that if
the research money was cut in a third, I would make sure that there was
coverage at every one of these three levels, at the level of individual
systems, at the level of networks and of course, and the collations of groups
of users.
Having said that, I think then the question about a few areas to invest in, I
think there was a notion of how do you build complicated systems which are
trustable from the pieces can be trusted which is the composition that keeps
coming back to needs to cut across all of these layers.
Then I think the human-computer interaction question that Mr. Etheridge raised;
I think that's equally important to me.
And finally, the third thing I'd do would be the test beds to make sure that
the research got out to companies that could then produce products.
So, those are sort of the matrix. I'd make sure those network systems all
populated and those would be my three pet areas.
WOLF: I agree with the operational aspects to make sure that your operational
pieces were secure so it's the system administrators, it's the patches, and
it's the kinds of things that we talked about so far.
The second area that I think I would look at would be, I'll call it my
infrastructure. Given that I only have a third of the budget that I need, I
would look at my infrastructure and try to build an infrastructure that I could
then build on in the future. So, as you get your funding for the following
years, if you want to call it, maybe it's the -- I won't say the key management
infrastructure, but it's the PKI, it's the kinds of things that you then could
build tools and techniques and products and services on in future years. That
would be my second area.
In the third, I think I would take a step back and I would look at all of my
systems, my networks, whatever my operation is and I would try to identify what
are the most critical areas and apply the dollars to those, as maybe the third
venture there.
And of course I would also put a piece to research, because I think a lot of
times they're very short sighted when funds are cut. I've worked for the
government for many years and we tend to cut the research piece. You tend to
favor the operational piece, but the research piece is your investment in the
future and if you don't put dollars towards that, then five years from now
you'll be dead in the water.
LUCAS: Thank you very much.
Mr. Chairman, we have a vote coming up, so I'll stop there.
THORNBERRY: I sure appreciate the gentleman.
Does the gentlelady from Texas have questions she'd like to ask? The
gentlelady's recognized.
JACKSON-LEE: Thank you very much to the Chairman and the Ranking Member for
holding this hearing. Mr. Chairman I ask unanimous consent that my statement be
submitted into the record.
THORNBERRY: Without objection.
JACKSON-LEE: I appreciate the testimony of the witnesses and their indulgence.
I am in a science committee markup that is going on simultaneously so I thank
you very much for your patience.
I just want to focus in one area very quickly -- we do have votes on -- and
that is the need for the prominence of cybersecurity issues
under the Department of Homeland Security. And what we have noted is that the
funding has not been where we would like it to be. A director has not yet been
appointed. They all suggest that we need to refocus our attention on this area.
So, if you would answer these questions quickly, I'd appreciate it.
One, my understanding is or my sense that as we were going into the 21st
Century, Y2K, we were all focused on what technology, Internet could do this
nation. Literally we were in a panic about it being able to stop us in our
tracks.
After 9/11 we began to focus on some very real concerns about security. I don't
know where we placed the need and the focus of security in this instance, cybersecurity
in as much as we're still in the same boat. The attack on our security
infrastructure, our technology infrastructure could bring this nation to its
knees.
So, my question to you, have we focused enough? The second part of it, with
respect to research, have we expanded it enough? I believe we should start
expanding our reach to universities around the nation, research entities around
the nation and as well, make sure we include Hispanic serving institutions,
historically Black institutions, Native American focus institutions and others
in areas that can address the questions of urban and rural security as it
relates to technology.
And if you would answer those questions, I'd appreciate it very much. And I
thank the gentlemen for their testimony.
SASTRY: You've certainly hit the issues that are most important to the research
community. Our sense too is that it would be useful to have a focused federal
effort in cybersecurity research and a focused effort, which
in fact involves groups of institutions across the length and breadth of the
nation.
There's a very, very substantial educational agenda and the educational agenda
does indeed need to reach out to every corner, as you've correctly pointed
out. I'm in complete agreement.
I do believe that DHS and HSARPA could be the place where cybersecurity
research could be given marquee status and then be adequately funded and
adequately managed. I felt that the DARPA model was actually a pretty effective
model for doing this.
JACKSON-LEE: Which model?
SASTRY: The DARPA. The Defense Advanced Research Projects Agency. The DARPA
model was an effective model for managing this in HSARPA.
JACKSON-LEE: You would encourage the creation of consortiums with working
relationships with universities around the nation?
SASTRY: Right. And the coalitions of course could be created by the
institutions themselves or in the form of research programs in the DARPA model
that you actually bring institutions together and a program manager, a federal
program manager then sort of builds the bridges between those institutions.
JACKSON-LEE: Do you see the need also for enhancing experts within the minority
communities? Because we are certainly limited in the Ph.D. candidates and Ph.D.
graduates from those communities.
SASTRY: That's absolutely true and that's true all the way from the high school
level up all the way through the graduate programs and the faculty as well.
JACKSON-LEE: Anyone else? Thank you, Doctor.
BELLOVIN: A National Research Council panel I was on noted that including that
today there probably could not be a massive disaster caused by a pure cyber
attack, something close to the scale of 9/11. It doesn't mean it can't happen
in the future. As we become more networked, as industrial processes, so called
SCADA systems, control the power lines and industrial processes and so on.
As things become more networked, the danger will increase. We have a few years
before we're there. We need to take precautions right now. And I don't know
that everybody's computers can be used for leverage for launching attacks.
There have been reports in the papers in the last few weeks about personal
computers being hacked to serve spammers and pornographers and so on. It's
anybody's computer every sector of the society. We need to learn how to secure;
individuals need to learn how to protect things too.
WOLF: There's a long list of research topics that need to be done and clearly
we need to leverage everybody in terms of working on those topics. So, the idea
of having some sort of coordinated effort in terms of where research and who's
doing what, I think is needed.
I know we've done a lot of outreach recently with DARPA, NSF, academics, et
cetera to try to understand where research is being done to leverage all of
that.
Second, we are going out to the academic institutions with our list to try to
get some help in terms of doing research and that's all universities out there.
And your other comment about the threat: I'm not sure we really understand
the threat in terms of how serious an attack on the infrastructure of the U.S.
could be. I think there needs to be some focus on that.
JACKSON-LEE: Thank you. Thank you to the witnesses, thank you, Mr. Chairman.
THORNBERRY: I thank the gentlelady.
As the witnesses know, we do have votes on. I'm not going to ask you to stay
during these votes, so with each of your permission, what I'd like to do is
submit some additional questions in writing to you.
I think there are a number of areas that you have touched on that I want to
follow up, including this whole software verification issue, this issue of
translating research into the real world, which I think is a major important
issue, the whole human factors thing that you all have talked about, about
government research and how it affects the private market.
You don't have to write those down, we'll send them to you in writing. But,
needless to say, you all have touched on a number of things that have been very
helpful to us.
I want to thank each of you for taking the time to be here and be with us
today. And with that, this hearing stands adjourned.
END
NOTES:
[????] - Indicates Speaker Unknown
[--] - Indicates could not make out what was being said.
[off mike] - Indicates could not make out what was being said.
LOAD-DATE: July 27, 2003