
NIST Urges Congress To Improve Computer Security Systems

Testimony of Karen H. Brown, Deputy Director, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce, before the Committee on Government Reform, Subcommittee on Government Management, Information, and Technology.

Mrs. Brown recommended greater investment in protection and urged Congress on March 9 to increase funding for the agency's efforts to improve computer security systems in both government and the private sector. Source: Washington File, 13 March 2000.

NIST Deputy Director Karen H. Brown said, "Computer security is not a narrow, technical concern." Rather, she said, it "has a vital influence on our economic health and our nation's security."

Brown told the House Subcommittee on Government Management, Information, and Technology that NIST needs to continue its work and research to help bolster the nation's information infrastructure. She explained that NIST is working to raise awareness about the "vulnerabilities and requirements for protection of information systems."

The agency, part of the Department of Commerce, establishes standards for security products, Brown said, and has also been working with the "international security community to define security criteria in an international standard that can be used to develop security specifications for products, such as firewalls or operating systems."

NIST is working to provide security assistance to the private sector, Brown said, but needs further financial backing to improve security inside federal government information systems.

"The security of federal systems must also be improved," Brown said. "These systems contain sensitive information about our citizens and provide services upon which our citizens' safety and well-being depend. The government should exert leadership and set an example for the nation in protecting against risks and vulnerabilities."

The following terms are used in the text: R&D - research and development; DOJ - Department of Justice; FBI - Federal Bureau of Investigation; FTE - full-time equivalent (one full-time staff position); PKI - public key infrastructure; PCAST - President's Committee of Advisors on Science & Technology.

Following is the text of Brown's testimony, delivered March 9, 2000: (begin text)

Mr. Chairman and members of the subcommittee, thank you for the invitation to speak to you today about computer security issues. I am Karen Brown, Deputy Director of the National Institute of Standards and Technology of the Department of Commerce's Technology Administration.

Computer security continues to be an ongoing and challenging problem that demands the attention of the Congress, the Executive Branch, industry, academia, and the public. Computer security is not a narrow, technical concern. The explosive growth in Electronic Commerce highlights the nation's ever increasing dependence upon the secure and reliable operation of our computer systems. Computer security, therefore, has a vital influence on our economic health and our nation's security and we commend the Committee for your focus on security.

Today I would like to address NIST's computer security activities that contribute to improving computer security for the Federal Government and the private sector. I also would like to briefly describe for you our proposed new program activities for next year as requested in the President's budget.

Under NIST's statutory federal responsibilities, we develop standards and guidelines for agencies to help protect their sensitive unclassified information systems. Additionally, we work with the information technology (IT) industry and IT users in the private sector on computer security in support of our broad mission to strengthen the U.S. economy, and especially to improve the competitiveness of the U.S. information technology industry. As awareness of the need for security grows, more secure products will be more competitive in the marketplace. Addressing security will also help ensure that Electronic Commerce growth is not limited because of security concerns.

In meeting the needs of our customers in both the public and private sector, we work closely with industry, Federal agencies, testing organizations, standards groups, academia, and private sector users. Cooperation and collaboration are essential to tackle many common problems facing users throughout the country.

What does NIST do specifically? To meet these responsibilities and customer needs, we first work to improve IT awareness of the need for computer security. This helps increase demand for secure and reliable products. Additionally, we research new technologies and their security implications and vulnerabilities and develop guidance to advise users accordingly. We work to develop security standards and specifications to help users specify security needs in their procurements and establish minimum security requirements for Federal systems. We develop and manage security testing programs, in cooperation with private sector testing laboratories, to enable users to have confidence that a product meets a security specification. We also produce security guidance to promote security planning, and secure system operations and administration. I will briefly discuss the need for, and benefits of, each.

First, there is a need for timely, relevant, and easily accessible information to raise awareness about the risks, vulnerabilities and requirements for protection of information systems. This is particularly true for new and rapidly emerging technologies, which are being delivered with such alacrity by our industry. We host and sponsor information sharing among security educators, the Federal Computer Security Program Managers' Forum, and industry. We seek advice from our advisory board of computer experts (Computer System Security and Privacy Advisory Board). We meet regularly with members of the Federal computer security community, including the Chief Information Officers' Security Committee, and the Critical Infrastructure Assurance Office. We actively support information sharing through our conferences, workshops, web pages, publications, and bulletins. Raising awareness helps ensure appropriate attention is accorded security and helps increase the demand for secure products and security services.

A second need is for research on information technology vulnerabilities and the development of techniques for cost-effective security. When we identify new technologies that could potentially influence our customers' security practices, we research the technologies and their potential vulnerabilities. We also work to find ways to apply new technologies in a secure manner. The solutions that we develop are made available to both public and private users. Some examples are methods for authorization management and policy management, ways to detect intrusions to systems, and demonstrations of mobile agents. Research helps us find more cost-effective ways to implement and address security requirements.

Third is the need for standards, and for ways to test that standards are properly implemented in products. For example, cryptographic algorithms and techniques are essential for protecting sensitive data and electronic transactions. NIST has long been active in developing Federal cryptographic standards and working in cooperation with private sector voluntary standards organizations in this area. Moreover, in the standards area we have been working with the private sector in preparing for the future. We are leading a public process to develop the Advanced Encryption Standard (AES), which will serve 21st century security needs. Another aspect of our standards activities concerns Public Key and Key Management Infrastructures. The use of cryptographic services across networks requires the use of "certificates" that bind cryptographic keys and other security information to specific users or entities in the network. We have been actively involved in working with industry and the Federal government to promote the security and interoperability of such infrastructures.

Standards help users to know what security specifications may be appropriate for their needs. Testing complements this by helping users have confidence that security standards and specifications are correctly implemented in the products they buy. Testing also helps reduce the potential that products contain vulnerabilities that could be used to attack systems.

For over five years, we have led the Cryptographic Module Validation Program, which has now validated about 90 modules with another 50 expected this year. This successful program utilizes private sector accredited laboratories to conduct security conformance testing of cryptographic modules against a Federal standard we develop and maintain. More recently, we have been working with the international security community to define security criteria in an international standard that can be used to develop security specifications for products, such as firewalls or operating systems. We are actively working with industry partners in the smart card, health care, and telecommunications fields to accomplish such development of specifications.

Many of these activities are being done in cooperation with the Defense Department's National Security Agency in our National Information Assurance Partnership. Private sector laboratories are being accredited under our National Voluntary Laboratory Accreditation Program to conduct such testing. The effort involves developing testing competencies and a process for accrediting testing organizations. The goal is to enable product developers to get their products tested easily and voluntarily, and for users to have access to information about tested products. Under this program we have also led the development of an international mutual recognition arrangement whereby the results of testing in the U.S. are recognized by our international partners, thus reducing the costs to industry.

Advice and technical assistance for both government organizations and private sector users is the fourth need. For example, we have issued guidance on telecommuting and security, security concerns inherent in PBX technology, security requirements in Public Key Infrastructure (PKI) implementation, use of firewalls, and intrusion detection in networks. We also provide program guidance to agencies and are working to complete a document on security program metrics and self-assessment. The information and guidelines that we have developed are available to all users free-of-charge via our web site. We also support agencies on specific security projects on a cost-reimbursable basis when NIST expertise is required.

While I have given you a few examples of NIST's work, I obviously have not covered everything. I want to emphasize that there is still much more to be done to address the continuing challenges of computer security. To put our program in perspective, please keep in mind that approximately $6 million of direct Congressional funding supports both our Federal and industry computer security responsibilities. (In addition, we receive approximately $2 million in outside agency funding to provide technical assistance on particular projects.) This is plainly not enough.

As reflected in the requests made in the President's FY 2001 budget, NIST needs additional resources to help improve the security posture of the Federal government. Looking at the critical information infrastructures of the nation, we also need substantial investments in security research to find ways to protect our infrastructures.

To address the need for additional research to protect our critical infrastructures, the White House has proposed establishing a $50 million Institute for Information Infrastructure Protection (IIIP), which was initially recommended by the President's Committee of Advisors on Science & Technology (PCAST). The IIIP will identify and fill the gaps not being met by private sector market demands or Government agency mission objectives in critical infrastructure protection and provide a strong and secure foundation to protect the various critical infrastructures upon which the Nation's security and economy rely. IIIP's R&D, which will aim to help prevent security problems, will include work that can be applied to protect multiple sectors' infrastructures, and thus will complement sector-specific R&D underway elsewhere in the government and private sector. This initiative will help strengthen the focused existing and planned security architectures within the critical infrastructure sectors and help prepare the owners/operators of those infrastructures to survive potential hostile activities. The IIIP will not have any direct role in support of law enforcement or deterring attacks, but will fund R&D to develop new generations of IT security solutions that DoJ/FBI, other agencies, and the private sector can use to prevent and respond to future cyber-threats. The IIIP will be a partnership among industry, academia and the government (including both state and local governments). At the core of the partnership is IIIP's selection of information infrastructure protection R&D focus areas, which will rely heavily on advice and guidance obtained from outside experts.

The security of Federal systems must also be improved. These systems contain sensitive information about our citizens and provide services upon which our citizens' safety and well-being depend. The government should exert leadership and set an example for the nation in protecting against risks and vulnerabilities. Two of the budget proposals focus primarily upon the security of Federal systems. Specifically, we propose to establish an Expert Review Team (comprised of eight FTEs) to advise agencies of their vulnerabilities, help prioritize and develop strategies for security fixes, assist agencies in preparing for future security threats, and help agencies plan for security in new system developments. This preventative approach will complement the reporting activities of programs such as FedCIRC. Secondly, we seek a $5 million increase to enable additional critical activities in the area of cryptography, security management and best practices guidance, and the protection of supervisory control systems.

So let me close by again emphasizing that our national commitment to improve security must be increased. NIST stands ready to play a key role through supporting the proposed Institute, leading the Expert Review Team, and conducting additional work: developing needed security guidelines and standards, researching security technology, leading testing programs, and raising awareness of and demand for security products and services. This will augment the already important activities we have underway. We look forward to continuing this work, and believe that your support of the critical new activities would help us to do so.

I will be pleased to answer any questions.

(end text)

Publication director: Joël-François Dumont
Editorial committee: Jacques de Lestapis, Hugues Dumont, François de Vries (Brussels), Hans-Ulrich Helfer (Switzerland), Michael Hellerforth (Germany).
Military committee: VAE Guy Labouérie (†), GAA François Mermet (2S), CF Patrice Théry (Asia).