Testimony of Robert D. Jamison
Testimony of Robert D. Jamison, Former Under Secretary of the Department of Homeland Security for the National Protection and Programs Directorate Before the U.S. Senate Committee on Homeland Security and Governmental Affairs Hearing on “Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century”
Chairman Lieberman, Ranking Member Collins, Senator Carper and Members of the Committee, I appreciate the opportunity to testify before the Committee on the issue of Protecting Cyberspace as a National Asset. I also appreciate the Committee’s continued interest and activities in this vital area of national and homeland security.
Today, I will share with you my perspective on some of the key issues surrounding how we secure cyberspace and how I think your legislation can assist the effort. As you may recall, I have a diverse private sector, not‐for‐profit, and government background that impacts the way that I look at the complicated issue of cyber security. I spent over fifteen years at the United Parcel Service and the American Red Cross in senior management roles. This experience in the private and nonprofit sector prepared me to enter government service during the last administration. I began my career in government service with the Federal Transit Administration at the Department of Transportation under the leadership of Secretary Norman Mineta. In addition to my normal duties as Deputy Administrator of FTA, I also had the opportunity to work helping to lead the Department’s recovery efforts in lower Manhattan immediately after the September 11th attacks, as well as lead the Department’s transit security efforts. That work led to my transition to the Transportation Security Administration (TSA) at the Department of Homeland Security (DHS), as the Deputy Assistant Secretary.
I was then confirmed by this Committee to lead the National Protection and Programs Directorate at the Department of Homeland Security. NPPD was a DHS component in transition from Preparedness Directorate to a risk‐based, resiliency organization dealing with the critical issues of identity management, infrastructure protection, and cybersecurity and communications.
In this capacity, I led the Department’s efforts in the area of cybersecurity and communications. I was the senior Department official who assisted in the drafting of HSPD‐23 and the Department’s implementation of the Comprehensive National Cybersecurity Initiative (CNCI). What I found when I arrived at NPPD in April of 2007 was an organization at a crossroads. The National Cybersecurity Division was staffed with bright hard working people tasked with the mission of securing our Federal government networks and working with the private sector to secure our nation’s critical infrastructure and key resources. The US‐CERT – United States Computer Emergency Readiness Team – had a small government staff and the tools they had deployed to detect malicious activity on our government networks were looking at flow analysis – but only after the fact. This limited capability, deployed on less than 40 of the civilian government’s internet access points, augmented the security efforts of less than 1% of the government’s internet traffic and data communications.
The Comprehensive National Cybersecurity Initiative had a dramatic impact on this limited DHS role. Not only did it solidify a common government strategy consisting of twelve specific initiatives across government aimed at improving our nation’s cybersecurity and communications posture. It launched an execution plan to put our critical networks in a more defensible posture and initiated the deployment of critical automated monitoring capabilities and the dynamic, real‐time sensors needed to defend against our cyber adversaries. It also, as you know, called for a more robust DHS cybersecurity role similar to its role in other homeland defense areas; outlined education and awareness programs; required supply chain security strategies, and much more.
The CNCI and the subsequent Cyberspace Policy Review ordered by President Obama acknowledge cybersecurity as one of the most pressing national security areas in a generation. And it called on the government, private sector, academia, and our international partners to work cooperatively together to begin to take the necessary steps to enhance the cybersecurity of our nation.
Cyber Landscape
If you scan the cyber landscape today, what you find is a very diverse operating environment for an agency like DHS. An environment composed of operational networks, informational networks, and customer focused organizations with databases full of personal identifiable information.
You need only look to the Federal government to see we have multiple agencies with different missions, networks, authorities, and capabilities. US‐CERT at DHS is primarily focused on operationally securing the dot gov networks. The Department of Justice is not only concerned with the law enforcement aspect but also the legal authorities that any agency has to execute its mission. The Department of Defense and the National Security Agency are focused on protecting our military networks, employing offensive measures, and determining what constitutes an act of war in cyberspace and how our government responds. The Department of State is focused on our international efforts. Department of Commerce is working on several fronts including issuing standards and guidelines through the National Institute of Standards and Technology and working with the National Science Foundation and National Telecommunications and Information Administration on the educational, research, and governance fronts.
All of the Federal agencies are responsible for the protection of their respective networks and many, like the ones mentioned above, have responsibilities as it relates to our national cybersecurity strategy. Our Federal department and agencies are all on different evolutionary paths of cyber readiness and defense. Yet, they must all work together, cohesively and in partnership, to improve our nation’s ability to prevent, detect, and respond to the cyber threats facing our great nation.
The executive branch must continue to work with Congress to ensure we are on the right path in securing this vital national asset. And together we must ensure that as we proceed in this arena we are taking privacy and civil liberties into account at every step.
The Bill
As Under Secretary of the National Protection and Programs Directorate, I was faced with many challenges and some persistent obstacles. My directorate in many ways did not have sufficient infrastructure in place to sustain the growth mandated by the Comprehensive National Cybersecurity Initiative (CNCI). The bill introduced last week by the Homeland Security and Governmental Affairs Committee directly addresses many of the challenges I faced and has the potential to leave the Department of Homeland Security better positioned with the necessary tools to execute its mission. I believe one of the most important parts of the bill is the clarification of authorities, roles and responsibilities of various departments and agencies. While conducting my duties as the senior official at the Department of Homeland Security on cybersecurity and communications issues, I can honestly tell you that I had the authority I needed and the support of the leadership from DHS and the interagency. It may be old school, but I always encouraged my staff to step into the authority as outlined in HSPD‐23 and execute the mission accordingly. However, I found it challenging at times to motivate my staff to embrace this charge. They often told me that they lacked the definitive clarification of authority to execute their mission and this sentiment was often echoed by many of our interagency partners.
Sometimes you need that conviction of authority to drive the necessary actions and acceptance of the responsibility. This seemingly minor nuance of authority and roles is a critical piece that must be addressed to position DHS for continued success. DHS and its partners have critical work to complete. We must ensure that we have the mechanisms in place to ensure that the nation’s strategies are current and effective and ensure the rights of our citizens. However, continued debate of roles and responsibilities and the reevaluation of cyber policy is delaying the execution of the most important issue facing the United States government when it comes to cybersecurity: the continued consolidation of internet access points and ramped up deployment of dynamic, realtime sensors and capabilities that will position government networks to be more effectively defended. Your legislation goes a long way to putting these authoritative issues to rest. It is clear that Federal civilian departments and agencies must work with the new National Cybersecurity and Communications Center at DHS to secure our government networks.
One of the most important management fundamentals that I have adopted in my professional career is ensuring the implementation of an effective performance measurement and management program. Good performance management and the use of quality metrics have the potential to rapidly drive progress in both the private and public sector.
The capabilities that DHS and the government are deploying will result in an improved defensive posture and a much‐improved situational awareness picture across the government domain. Commonly referred to as Einstein 2 and Einstein 3, these systems will also uniquely position DHS to have access to real‐time network performance data that will be critical to driving compliance, spurring continuous improvement, and detecting anomalous network behavior.
With these systems, DHS will now be able to show Federal departments and agencies another perspective on their networks. DHS will be able to provide them with individual agency data, comparative data from the dot gov networks, and data from the private sector and our international partners. This comprehensive common operating picture will help to inform the CIOs and CISOs on what network security measures need to be evaluated and taken throughout their enterprise architecture. It significantly raises the baseline of cybersecurity across the Federal government. Having a performance management system to take advantage of that data is the key to success.
The Federal Information Security Management Act (FISMA) requires many practices that are fundamental to good network security such as inventory management, change management protocols, documentation, and testing. However, measuring network performance and security should be continuous and timely. Your bill allows us to move from a delayed audit based approach to the utilization of more timely, operational, and actionable information. It moves us from an annual “snapshot in time” approach to a continuous monitoring approach for the security of our networks with the performance responsibility resting with the cabinet level appointee, Chief Information Officer, and Chief Information Security Officer. Having the ability to look at what you call the “composite state of security” on a daily and ongoing basis will improve our defenses. And knowing and understanding the data will give us an opportunity to measure our improvement and success.
I draw particular attention to the improvement of cybersecurity for the Federal government and its systems, because it is difficult to speak with credibility to the private sector when our own systems are significantly vulnerable. The work done under the CNCI and the subsequent Cyberspace Policy Review, coupled with your legislation lays the foundation to begin a more serious dialogue with the private sector. As the government works to secure its own networks, it will concurrently work cooperatively with the private sector to enhance the cybersecurity of our nation’s critical infrastructure and key resources.
Hiring and procurement authorities
Perhaps the most overwhelming challenge I faced when I moved from the Deputy at TSA to the Under Secretary of NPPD, was being able to quickly identify, recruit, and bring onboard a skilled cybersecurity workforce. While at TSA, I came to appreciate the TSA hiring authorities not only for their flexibility to allow the quick stand up of a 60,000 plus workforce around the country to respond to transportation security threats, but for their ability to combine fairness with a more expeditious process.
Similar flexibilities are needed to successfully execute the cybersecurity mission responsibilities at DHS, particularly as they rapidly ramp up their staffing. I can tell you from personal experience that some of my best employees and senior leaders were lured away by not only the private sector, but by other Federal agencies. It was difficult to compete with the compensation flexibility and incentives that other agencies and the private sector were able to offer. Going forward, DHS will need to heavily rely on these hiring flexibilities and incentives you have provided them to successfully execute the additional responsibilities in this bill.
The amount of time it takes to complete the hiring process, particularly the time from selection of a candidate to their first day of work was also a persistent problem. In a competitive environment, many candidates will not wait for the process to be completed. Our government must be able to not only hire the best and the brightest through an effective and efficient hiring process; but we must be able to bring them on board onto our watch floors and into our labs without an extended delay to clear the vetting and security clearance processes. Since the overwhelming majority of these jobs require security clearances, I firmly believe this issue needs to be addressed by this legislation.
The demand for cyber professionals is growing and will continue to grow. The nation must have a comprehensive hiring strategy and understand the changing demands for Federal government workers moving forward. We must get ahead of our workforce challenges and this legislation helps us do that. By asking OPM to investigate, identify and help provide solutions that agencies can use when it comes to internships, training, and part‐time work, we will look to create a new generation of cyber warriors not just in Washington, D.C., but in every school and community in America. As we look at our hiring priorities as a nation, I would also encourage that we prioritize our most pressing needs and that we give the agencies with the most critical missions and staffing needs not only a focused strategy, but the competitive advantages to fill their vacancies.
Infrastructure Protection
While I was at the Department of Transportation and while Deputy at TSA I became familiar with the work of the Office of Infrastructure Protection and its important mission. As the former Under Secretary of NPPD, I more than most understand and appreciate the linkages between the Office of Infrastructure Protection and the cybersecurity mission of the Department of Homeland Security. Through the National Infrastructure Protection Plan, commonly referred to as the NIPP, our government has developed a coordinated process to work with the nation’s eighteen critical sectors. I suggest, as you do in your bill, that we need to continue to support this process and the vital coordination that it brings. The NIPP allows various agency responsibilities and sector needs to be coordinated giving us a comprehensive security plan that minimizes confusion and overlapping requirements and responsibilities.
If we think about the next generation FAA program and the smart grid deployment, we quickly realize that cyber issues permeate our daily lives. Cyber issues are not limited to communications or the information technology industry. They touch nearly every aspect of our lives from the time we wake up until the moment we arrive back home. Given the omnipresence of cyber in our society, DHS should continue to leverage the Office of Infrastructure (OIP) field presence, through their Protective Security Advisors, their important sector relationships – our government and DHS in particular can use years of foundational work to leverage private sector partnership to improve cybersecurity across eighteen sectors. One need only look to the success of the industrial control systems partnership between OIP and the National Cyber Security Division or the Cross‐Sector Cybersecurity Working Group to realize the criticality of the relationship between these two DHS entities. Your committee held a hearing last year about cybercrime where you learned that not only are we facing nation state adversaries but organized criminal enterprises who are capable of carrying out large scale cyber intrusions against many sectors including our financial sector and many small and medium sized businesses. It is imperative we work with all sectors to ensure they are improving their cybersecurity baselines to confront the changing nature of the threats.
Your bill also recognizes the important relationship between the National Communications System (NCS) and the US‐CERT. The NCS mission to ensure the redundancy and resiliency of our communications networks goes hand in hand with the critical mission of network and critical infrastructure defense. By working in partnership with industry through its major carriers and with the Federal Communications Commission, DHS through the National Coordinating Center has provided a 24/7 watch communications capability for this country. This capability augments the situational awareness and defense capabilities of US‐CERT to more effectively understand the full common operational picture and to defend our networks.
As the nation’s communications infrastructure continues to migrate to internet based communications and as the cybersecurity mission matures, we are confronted with the inevitable convergence of these two areas. I am pleased that you recognize that these mission sets are inextricably linked.
Establishment Of NCCC As An Operational Entity
The establishment of the National Cybersecurity and Communications Center as an operational component of DHS will place the necessary focus and emphasis on this mission area that it merits. As the former Deputy of TSA, I understand what it means to be an operational entity within DHS. It means not only having an operational mission, but more control over the critical support functions that are vital to your success. The mission and responsibilities of the NCCC demands that type of control. In addition, giving the NCCC hiring and procurement authority will assist their rapid growth as they step into their new responsibilities.
Before I close, I would like to ask you to take a few issues under advisement. First, DHS must be careful not to divert key resources from the building of critical capabilities at the Department. I know from personal experience that the disparate demands of the mission and the magnitude of DHS’s responsibilities can challenge the resources under your control. It is of vital importance that DHS maintain its focus, attention, and resources on quickly securing the dot gov domain. We must remember that it took the Department of Defense several years to ramp up their capabilities both in terms of node consolidation and the deployment of an effective perimeter defense. While their accomplishments should be commended, today, they still have work to do. As quickly as we want DHS to consolidate the nodes and establish a robust perimeter defense, we must allow them sufficient time to do it. This mission area is clearly within their capability and given the time and resources they should meet the challenges successfully.
Second, the diversity and magnitude of our critical infrastructure and key resources creates many challenges in effectively deploying capabilities and resources. This creates a resource challenge for DHS and I ask that the appropriate Congressional committees work with DHS and the Office of Management and Budget to determine what will be needed to carry out these responsibilities.
Finally, as this legislation moves through both chambers of Congress, we must remember that the dot gov defenses will and must evolve. This evolution will yield valuable lessons that will certainly impact critical infrastructure key resource standards and most likely will change and improve the requirements imposed by DHS. DHS must be nimble and build in flexibilities to its processes and procedures to account for that inevitable change.
Hearing: Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century
Witnesses
Panel 2
- Frances Fragos Townsend, Chairwoman of the Board, Intelligence and National Security Alliance
- Alan Paller, Director of Research, SANS Institute
- Steven T. Naumann, Vice President, Wholesale Market Development, Exelon Corporation
- Sara C. Santarelli, Chief Network Security Officer, Verizon
Related Statements
Major Cybersecurity Bill Unveiled
Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, Ranking Member Susan Collins, and Federal Financial Management Subcommittee Chairman Tom Carper introduce comprehensive legislation to modernize, strengthen, and coordinate the security of federal civilian and select private sector critical infrastructure cyber networks.
The Committee’s hearing on the legislation will be held June 15, 2010.
The Protecting Cyberspace as a National Asset Act of 2010, S.3480, would create an Office of Cyber Policy in the White House with a director accountable to the public who would lead all federal cyberspace efforts and devise national cyberspace strategy. A National Center for Cybersecurity and Communications within the Department of Homeland Security, also led by a director accountable to the public, would enforce cybersecurity policies throughout the government and the private sector. The bill would also establish a public/private partnership to set national cyber security priorities and improve national cyber security defenses.
Among the bill’s supporters are: anti-virus software companies McAfee and Symantec; Karen Evans, former Administrator for E-Government and IT, Office of Management and Budget; Stewart Baker, former Assistant Secretary for Policy at DHS; the Intelligence and National Security Alliance; the Professional Services Council; and the Coalition for Government Procurement.
Key elements of the legislation include:
- Creation of an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic. The Director will oversee all related federal cyberspace activities to ensure efficiency and coordination.
- Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to elevate and strengthen the Department’s cyber security capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks. The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks.
- Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies’ practices of protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from the system of after-the-fact paperwork compliance to real-time monitoring to secure critical systems.
- Requiring the NCCC to work with the private sector to establish risk-based security requirements that strengthen cyber security for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
- Requiring covered critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
- Creation of a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to ‘take over’ private networks.
- Development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
- Requiring the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cyber security effort and protect its own networks.
Lieberman said:
“The need for this legislation is obvious and urgent.”
“The Internet may have started out as a communications oddity some 40 years ago but it is now a necessity of modern life, and sadly one that is under constant attack. It must be secured – and today, Senators Collins, Carper, and I have introduced a bill which we believe will do just that. The Protecting Cyberspace as a National Asset Act of 2010 is designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber theft, intrusions, and attacks across the federal government and the private sector. The bill would establish a clear organizational structure to lead federal efforts in safeguarding cyber networks. And it would build a public/private partnership to increase the preparedness and resiliency of those private critical infrastructure cyber networks upon which our way of life depends.”
“For all of its ‘user-friendly’ allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets. Our economic security, national security and public safety are now all at risk from new kinds of enemies - cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.”
Collins said:
“As our national and global economies become ever more intertwined, cyber terrorists have greater potential to attack high-value targets. From anywhere in the world, they could disrupt telecommunications systems, shut down electric power grids, and freeze financial markets. With sufficient know-how, they could cause billions of dollars in damage and put thousands of lives in jeopardy. We cannot afford to wait for a ‘cyber 9/11’ before our government finally realizes the importance of protecting our digital resources, limiting our vulnerabilities, and mitigating the consequences of penetrations of our networks.”
“Yet, for too long, our approach to cyber security has been disjointed and uncoordinated. Our vital legislation would fortify the government’s efforts to safeguard America’s cyber networks from attack. This bill would build a public/private partnership to promote national cyber security priorities and help prevent and respond to cyber attacks.”
Carper said:
“Over the past few decades, our society has become increasingly dependent on the internet, including our military, government, and businesses of all kinds. While we have reaped enormous benefits from this powerful technology, unfortunately our enemies have identified cyber space as an ideal 21st century battlefield. We have to take steps now to modernize our approach to protecting this valuable, but vulnerable, resource. This legislation is a vital tool that America needs to better protect cyber space. It encourages the government and the private sector to work together to address this growing threat and provides the tools and resources for America to be successful in this critical effort.”
Supporting Efforts to Bolster America’s Cybersecurity
Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, and Senator Olympia J. Snowe, a senior member of the Commerce Committee, released the following statement on the importance of passing comprehensive cybersecurity legislation and applauded Senator Joe Lieberman (I-CT) and Senator Susan Collins (R-ME) for introducing legislation that aims to achieve this goal.
Chairman Rockefeller said:
Cybersecurity is one of the biggest national security issues this country faces and the threat is growing every day. Today’s outdated cybersecurity policies are not up to the task of protecting our nation and our economy and we must act now. We cannot wait for a crisis and then impose reactive solutions. We will do far better by acting proactively now, and by acting together. I commend Senators Lieberman and Collins for proposing solutions to this critical national security challenge and I look forward to working with them to pass comprehensive legislation to bolster our cyber defenses.
Senator Snowe said:
The broad overlap between this measure and the Rockefeller-Snowe initiative further underscores the bipartisan consensus within the Congress to confront this urgent threat. Our failure to implement effective policies and procedures to prevent unauthorized intrusion has proven extremely consequential, and I stand ready to work with my colleagues in the Senate to swiftly enact a 21st century national security policy that will protect and preserve American cyberspace.
THE ROCKEFELLER-SNOWE CYBERSECURITY ACT
Earlier this year, Chairman Rockefeller and Senator Snowe introduced the Rockefeller-Snowe Cybersecurity Act. The bill was favorably reported out of the Commerce Committee on March 24, 2010. The Rockefeller-Snowe Cybersecurity Act’s central guiding principle is to modernize the government-private sector relationship on cybersecurity. A vast majority of America’s networks are owned and operated by the private sector. The Rockefeller-Snowe Cybersecurity Act provides a framework for proactive engagement, collaboration and teamwork between the government and the private sector on cybersecurity, addressing current reactive, ad hoc responses by the government to cyber attacks.
The Rockefeller-Snowe Cybersecurity Act received positive reviews from key stakeholders on this important issue.
KEY PROVISIONS OF THE ROCKEFELLER-SNOWE CYBERSECURITY ACT WOULD:
- Significantly raise the priority of cybersecurity throughout the federal government and streamline cybersecurity-related government functions, authorities and laws.
- Protect civil liberties, intellectual property and business proprietary information.
- Promote cybersecurity public awareness, education, and research and development.
- Foster market-driven cybersecurity innovation and creativity to develop long-term technology solutions and train the next generation of cybersecurity professionals.
Policy Official Notes Cybersecurity Challenges
By Jim Garamone
American Forces Press Service
WASHINGTON, May 12, 2010 – Putting cybersecurity in place poses significant challenges for the Defense Department, the government as a whole and for critical infrastructure, the principal deputy assistant secretary of defense for policy said today.
James N. Miller said cybersecurity “is not a glass half full/glass half empty story.”
“There is a glass,” he said. “It has some water in it. The water is dirty, and we have an insatiable thirst in this area.”
The issue has the attention of all defense leaders, and progress is being made, Miller said. Confirmation of Army Lt. Gen. Keith Alexander to receive his fourth star and serve as the first chief of U.S. Cyber Command is a positive step, he added. The command will stand up shortly under U.S. Strategic Command.
Meanwhile, Miller said, the U.S. government is working on a cybersecurity strategy that’s expected to be out soon. That strategy, he said, must be flexible to address the diverse and growing threats of the future.
The challenges are immense, Miller said. “We don’t really understand the nature of the threat that we face,” he noted. But one thing that is clear, he said, is that the Defense Department relies heavily on information technology, and enemies, criminal gangs and hackers are stealing terabytes of information from the Defense Department and the rest of the government.
The Defense Department alone has about 15,000 networks, with millions of users in 88 countries.
Another threat comes from outright attacks, Miller said, including denial-of-service attacks, viruses and worms.
“Over the past decade, we have seen the frequency and sophistication of intrusions into our networks increase,” he said. “Our networks are scanned thousands of times an hour.”
More than 100 foreign intelligence services are trying to get into Defense Department systems, Miller added, and some foreign militaries are developing offensive cyber capabilities. Pinning down who is delivering them is extremely difficult, he said, and foes will confront the United States using these cheap, asymmetric tools.
“The linkages between intelligence, offense and defense are particularly important in cyber operations,” Miller said. “The ability to repel attackers is closely tied to the ability to identify them.”
Cyber Command will have three core missions: defense of the military networks, supporting ongoing military operations and planning for future operations, and supporting civilian efforts, as directed. Alexander will remain as director of the National Security Agency as he takes on leadership of Cyber Command.
Much basic work remains to be done in the cybersecurity effort, Miller said, including determining when a cyber event becomes an attack covered by the law of armed conflict. “At what point does it rise to such a level that it becomes an act of aggression?” he asked. “Those are legal questions and policy questions we are trying to address.”
Miller said there is a world of difference between cyber espionage and acts meant to degrade U.S. networks or to input false data into those networks.
“There is no way we are going to fully defend against cyber espionage,” Miller said. “And we understand that not everything that happens in cyberspace is an act of war. As we think of the role of cyberspace in supporting military operations, and the role of cyber attacks as … the front-end of a kinetic military attack, then we would think about the potential for responses that are not limited to the cyber domain.”
Army Lt. Gen. Keith B. Alexander, Director of the National Security Agency, Appointed to Lead the New U.S. Cyber Command
The Senate confirmed Army Lt. Gen. Keith B. Alexander, director of the National Security Agency, to also lead the new U.S. Cyber Command, approving his promotion to four-star rank to lead both organizations at Fort Meade, Md. Alexander has served as director of the National Security Agency and chief of Central Security Service since 2005.
Cyber Command is subordinate to U.S. Strategic Command. The Department of Homeland Security has oversight responsibility for the “dot-gov” Internet domain. Cyber Command is responsible for “dot-mil” security and for giving early warning of cyber threats to the United States.
Cybersecurity R&D Themes Announcement, May 19, 2010, Claremont Resort, Oakland, California
On May 19, 2010, from 1:30-5:00pm, NITRD representatives from NSF, DHS, and other agencies will announce new Federal cybersecurity R&D themes. This event will take place at the Claremont Resort in Oakland, California, and is co-located with the IEEE Symposium on Security and Privacy. The themes will guide future Federal research activities and solicitations and are components of the framework for cybersecurity R&D called for in the President’s Cyberspace Policy Review. These R&D themes have been outlined in the President’s Budget Supplement for FY 2011 and recently highlighted by Mr. Howard Schmidt, Special Assistant to the President and the Cybersecurity Coordinator, in his keynote speech at the RSA Conference 2010. This event will be the first in-depth review of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities.
For questions, please email nco@nitrd.gov.
Northeastern University Wins the Fifth Annual National Collegiate Cyber Defense Competition (NCCDC)
The Northeastern University team is the winner of the fifth annual National Collegiate Cyber Defense Competition (NCCDC). The University of Louisville took second, and third place honors went to Cal Poly Pomona.
The competition focuses on the operational aspect of managing and protecting network infrastructure. Teams are scored based on their ability to detect and respond to outside threats, maintain availability of existing services such as mail servers and web servers, respond to business requests such as the addition or removal of additional services, and balance security needs against business needs. In addition to the competition, the students get a chance to network with professionals from government and industry, who are always on the lookout for up-and-coming engineers.
The NCCDC, hosted by the University of Texas at San Antonio and sponsored by the Department of Homeland Security and various private sector organizations, brings winners of regional cyber defense competitions together for a three-day competition each year.
FCC to Consider a Cyber Security Certification Program
STATEMENT OF CHAIRMAN JULIUS GENACHOWSKI
Re: In the Matter of a Cyber Security Certification Program, Notice of Inquiry, PS Docket No. 10-93
More and more of our Nation’s daily business depends on our broadband communications infrastructure. Companies large and small, and in every sector of the economy, including hospitals and other health care facilities, increasingly rely on communications networks to do their daily work. But for communications networks to remain a platform for global opportunity and prosperity, it is essential that end users of all types – consumers, and businesses large and small – remain confident that our global networks are safe and secure.
Increasingly, however, our communications networks are under attack. Viruses, denial of service attacks, harmful spam, and a host of other threats challenge end users and network operators. To ensure that consumers and businesses are fully protected from attacks that affect or occur over the communications infrastructure, the National Broadband Plan recommended that the Commission initiate a proceeding to establish a cyber security certification program and other incentive programs. The goal is to create incentives for broadband communications service providers to upgrade their cyber security measures.
This Notice of Inquiry represents an initial and necessary step to implementing this recommendation and enhancing the cyber security of our Nation’s communications systems.
ICCS 2010, International Conference on Cyber Security, August 2 - 5, 2010 New York City
The second annual International Conference on Cyber Security (ICCS 2010) will be held in New York City, August 2 - 5, 2010. The ICCS 2010 is organized by the Federal Bureau of Investigation and Fordham University. ICCS 2010 will consist of three full days, fifty unique lectures from distinguished, plenary, and parallel speakers in the disciplines of Emerging Technologies, Operations and Enforcement, and Real Life Experiences. Also included are panel discussions, sponsors’ presentations, exhibitions and exceptional networking opportunities. In response to heightened demand from cyber security leaders from around the world, ICCS 2010 is featuring two additional events: the Law Enforcement Workshop (LEW) and the Cyber Security Tutorial (CST).





