On March 19, I had an opportunity to testify before the Senate Committee on on Commerce, Science, and Transportation. The hearing was entitled Cybersecurity -- Assessing Our Vulnerabilities and Developing An Effective Defense.
I was asked to include information on research problems, educational initiatives, and issues regarding the current state of cyber security in the nation. As is usual for such things, the time between the invitation and the due date for written testimony was short. Thus, I didn't have the time to delve deeply into the topic areas, but could only address the things that I already had on hand -- including some posts from this blog that I had written before. The result was a little longer than the other statements, but I think I covered more ground.
One hint for people testifying before Congress on such things: you can't depend on how long you will have for spoken remarks, so be sure any points you want to make are in your written testimony. In this case, the hearing was limited to about 75 minutes because there were several votes scheduled on the Senate floor, and the committee needed to adjourn to allow the Senators to attend the votes. And, as is common for too many hearings, there weren't many of the committee members present; I believe the hearing began with only two of the 25 members present, and some movement of members in and out to reach a maximum of four seated at any one time. In this case, the chair (Senator Jay Rockefeller of West Virginia) apologized to us several times for the low turnout. However, many (all?) of the staff and aides were present, so I'm certain the gist of the testimony presented will be considered.
The Senator made a nice introductory statement.
My written testimony is available on my website as well as the committee site. My oral statement was from rough notes that I modified on the fly as I listened to the other testimony (by Jim Lewis, Eric Weiss and Ed Amoroso). That statement, and the whole hearing, are available via the archived hearing webcast (my remarks start at about 46:30 into the webcast). If I get a transcribed version of those remarks, I will post them along with my written testimony on my website in the "US government" section.
Comments by the other speakers were good overall and I think we collectively covered a lot of ground. The questions from the Senators present indicated that they were listening and knew some of the problems in the area. The comments from Senator Nelson about the intrusions into his systems were surprising: several Senate security staff were present at the hearing and indicated to me that his remarks were the first they had heard of the incidents! So, the hearing apparently set off an incident-response exercise -- separate from responding to my presence in the building, that is.
Will this hearing make a difference? I don't know. I've been testifying and saying the same things for over a dozen years (this was my 8th Congressional hearing testimony) and things haven't gotten that much better...and may even be worse. Senator Rockefeller has indicated he intends to introduce legislation supporting more funding for students studying cyber security issues. There was some good news coverage of all this (e.g., FCW and CNet).
I am told that there will be more hearings by this committee. Some House committees have been holding hearings too, and the President's 60 day review continues apace. The added attention is great, but with the sudden interest by so many, the result may be more confusion rather than resolution.
Stay tuned.
As a reminder, if you want to know about my occasional postings such as this but don't want to subscribe to the RSS feed, you can subscribe to the mailing list.
Also as a reminder, there is my tumble blog on security issues, with links to items on the news and WWW of possible interest to those who find my ramblings and rants of interest.
[tags]interview,certification[/tags]I was recently interviewed by Gary McGraw for his Silver Bullet interview series. He elicited my comments on a number of topics, including security testing, ethical hacking, and why security is difficult.If you like any of my blog postings, you might find the interview of some interest. But if not, you might some of the other interviews of interest – mine was #18 in the series.
[tags]cyber security reseach, PITAC[/tags]
I strongly urge you to read Jim Horning’s blog entry about a recent Congressional hearing on cyber security research—his blog is Nothing is as simple as we hope it will be. (Jim posts lots of interesting items—you should add his blog to your list.)
I have been visiting Federal offices and speaking before Congress for almost 20 years trying to raise some awareness of the importance of addressing information security research. More recently, I was a member of the President’s Information Technology Advisory Committee (PITAC). We studied the current funding of cybersecurity research and the magnitude of the problem. Not only was our report largely ignored by both Congress and the President, the PITAC was disbanded. For whatever reason, the current Administration is markedly unsupportive of cyber security research, and might even be classed as hostile to those who draw attention to this lack of support.
Of course, there are many other such reports from other august groups that state basically the same as the PITAC report. No matter who has issued the reports, Congress and the Executive Branch have largely failed to address the issues.
Thus, it is heartening to read of Chairman Langevin’s comments. However, I’m not going to get my hopes up.
Be sure to also read Dan Geer’s written testimony. It touches on many of the same themes he has spoken about in recent years, including his closing keynote at our annual CERIAS Security Symposium (save the dates—March 19 & 20, 2008—for the next symposium).
Copyright © 2007 by E. H. Spafford
[posted with ecto]