The Honorable Neal Lane
Mr. Chairman, members of the Committee, I would like to thank you for this opportunity to discuss research and development (R&D) activities that the federal government is conducting to improve our ability to protect the nation’s critical infrastructures. You are all familiar with the challenges facing our nation as we take measures to ensure the robust and reliable operation of our critical infrastructures. This is truly a national challenge – one that goes beyond the traditional bounds of national security. Our economic security, competitiveness, and our way of life also rest upon the continuous and assured availability of the services provided by our infrastructures – reliable services that we all too often take
Research and development is – and must be – a key element of an integrated national agenda to protect our critical infrastructures. The President recognized this fact in May, 1998 when he issued Presidential Decision Directive PDD-63 on Critical Infrastructure Protection (CIP). Among other things, this Directive tasked the Office of Science and Technology Policy to coordinate the federal government’s critical infrastructure protection R&D. More recently, the President underscored the importance of protecting our national information infrastructure by requesting funds to establish an Institute for Information Infrastructure Protection. This Institute, working closely with the private sector and academia, will focus upon the development of technologies that neither the government nor the private sector are currently developing, yet are crucial to the security of our information infrastructure. The importance of critical infrastructure protection R&D is reflected in the President’s FY2001 budget which contains $606 million for CIP R&D, an increase of $145 million (31%) from last year’s enacted funding level.
The Federal Critical Infrastructure Protection R&D Agenda
Reflecting the diversity of our critical infrastructures and the R&D needed to protect them, this funding is distributed among numerous agencies, as illustrated in the
This overall R&D program comprises four primary thrusts, each of which draws on the resources of multiple agencies and covers a broad spectrum of both physical and cyber security issues. The four thrusts address the following research questions:
· Threat/Vulnerability/Risk Assessments. As its name implies, this research focuses on threat, vulnerability, and risk assessments of all critical infrastructures. The initiative also includes modeling and simulation programs, metrics, and testbeds.
· System Protection. This research covers both physical and cyber protection of individual systems, and it includes programs such as encryption, public key infrastructures, network security products, reliability and security of computing systems, physical barriers, robust controls for power grids, and secure supervisory control and data acquisition (SCADA) systems.
· Intrusion Monitoring and Response. This research examines technologies to detect and provide immediate responses to intrusions or infrastructure attacks. R&D programs include network intrusion detection, information assurance technologies, mobile code and agents, network alarm systems, forensic tools for electronic media, network defensive technologies, and explosives detection devices.
· Recovery and Reconstitution. This research concentrates on those technologies required to reconstitute and restore critical infrastructures in the aftermath of disruptions. Specific research programs include risk management studies and tools, system survivability technologies, and consequence analysis tools and supporting technologies.
Although the R&D agenda includes both physical and cyber security programs, the majority of the funding – $527 million – focuses on cyber security.
Coordinating Federal Critical Infrastructure Protection R&D
In recognition of the crucial role R&D plays in infrastructure protection, two years ago this month my office established an interagency working group and process to develop and coordinate the federal government’s critical infrastructure protection R&D agenda. This group has operated through two budget cycles and has recently commenced work on a third. I emphasize the word “coordinate” – even before we created our working group, the federal government conducted many R&D programs that either directly or indirectly contributed to infrastructure protection. However, the heart of our interagency process is the coordination of these programs, ensuring that they all aim toward common goals and address crucial vulnerabilities and threats. We have gotten off to an excellent start, and I will share some of our successes with you shortly.
I would like to emphasize several key facets of our interagency process. First, all programs recommended in the R&D agenda are tied to vulnerabilities or R&D shortfalls. A number of recent reports, in both the private sector and government, have highlighted vulnerabilities in our infrastructures. We ensure that each of our R&D programs, whether ongoing or a proposed new start, directly addresses one or more infrastructure
Second, we ensure that each agency is aware of the others’ R&D programs. Compiling information about each agency’s R&D, and sharing this information with all other participating agencies, helps agencies leverage investments and avoid duplication of effort. In this way, individual critical infrastructure protection R&D programs become a unified interagency product – a package coordinated and integrated across agency boundaries.
In selected areas of particularly high-priority research, our coordination activities go beyond this across-the-board information collection and sharing. In these areas, staff from my office works closely with agency R&D managers to examine in detail each agency’s research activities. We then discuss how each program should be modified to build an integrated whole that is stronger than the sum of its parts. Such an intensive coordination effort is difficult to accomplish, but very worthwhile. To give one example, representatives from my office, the Defense Advanced Research Projects Agency, and Departments of Energy and Transportation have examined in detail their respective programs in infrastructure interdependencies – analyses of how each infrastructure relies upon others for its continuous operation. These representatives are developing a single, multiagency research program that strives towards common national goals, satisfies agency mission requirements, and eliminates duplication. We have recently begun a similar effort for intrusion detection and monitoring, and we plan to commence a third intensive coordination program for incident recovery and reconstitution R&D.
Third, we validate our R&D agenda by soliciting feedback and comment from technology experts in government, the private sector, and academia. The technical expertise in infrastructure protection resides in academic and government laboratories, as well as with the private sector owners, operators, maintainers, designers, manufacturers, and customers of our infrastructure systems. Consequently, we must draw upon the expertise of all sectors as we build our R&D agenda. For example, we gave over 20 briefings of our program last year, the majority of which were to private sector organizations. We have asked for – and received – excellent feedback on our energy sector R&D programs from the Electric Power Research Institute. My office and the President’s National Security Telecommunications Advisory Committee (NSTAC) jointly sponsored a critical infrastructure protection R&D exchange meeting at Purdue University in October 1998, and we are planning a follow-on event for later this year. Through these outreach efforts we will ensure that our R&D program heads in the right direction, addresses the key technical issues, and does not reinvent technology that is already on the shelf.
In summary, we have put substantial energy, analysis, and effort into developing and coordinating an interagency R&D agenda that addresses the key technical challenges of critical infrastructure protection. The result is an integrated program package that will help us ensure the reliable and robust operation of our nation’s critical
The Institute for Information Infrastructure Protection
I would now like to turn to a major new critical infrastructure protection R&D initiative that the President has requested in his FY01 budget: the Institute for Information Infrastructure Protection (I3P). This concept originated with the President’s Committee of Advisors on Science and Technology (PCAST), which proposed to the President in December 1998 that the federal government establish an institute to address crucial topics in information infrastructure protection R&D. As we are all aware, information technologies are evolving at an extremely rapid rate. PCAST was concerned that key information technologies needed to ensure the security of the national information infrastructure were not being developed by either the federal government or the private sector, and that the federal government’s mechanisms for funding and producing R&D might not be able to keep pace with the explosive rate of technological change. The Committee believed that an independent, not-for-profit Institute, suitably designed, could act flexibly and responsively enough to stay abreast of rapidly evolving information infrastructure threats, vulnerabilities, and emerging technologies. The PCAST concept incorporated three primary criteria for the Institute:
· The Institute must work in collaboration with the private sector manufacturers, owners, operators, and users of the information infrastructure to identify the most important research needs.
· The Institute must engage the nation’s top technical talent to address these needs, whether that talent resides in industry, academia, government laboratories, or other research
· The Institute must operate flexibly enough to keep pace with the rapid evolution of information technologies.
In studying the PCAST proposal, the Administration analyzed whether such an Institute was needed; whether that need could be satisfied by existing facilities, either internal or external to the government; and whether the private sector supported such an Institute’s establishment. The Administration commissioned the Institute for Defense Analyses (IDA) to review the concept in depth and to consult extensively with the private sector and academia. IDA’s review demonstrated broad private sector support for the concept. In addition, OSTP and PCAST jointly hosted a meeting of Chief Technology Officers (CTOs) of 15 of the nation’s leading information technology corporations last October. The CTOs, too, indicated that such an Institute is clearly needed.
As the culmination of the Administration’s review, the President announced on January 7 that he would request $50 million in his Fiscal Year 2001 budget for an Institute for Information Infrastructure Protection. He has also requested $4 million in a supplemental appropriation for the current Fiscal Year to establish the Institute and get started on its first R&D projects. He stated that the I3P “will fill research gaps that neither public nor private sectors are filling today,” and that it will “bring to bear the finest computer scientists and engineers from the private sector, from universities, and from other research facilities to find ways to close these gaps.” Based on preliminary work, the President has called for the Institute to be funded through the Commerce Department’s National Institute of Standards and Technology (NIST), which has the mission of working with the industry to develop technology, measurements, and standards to strengthen our economy and improve our quality of life.
I want to emphasize, however, that planning, establishing, and operating this Institute must be done collaboratively by government, industry, and academia. I have therefore asked PCAST, working with additional experts in the private sector and academia, to conduct a short-term, rapid-turnaround study to advise me on the Institute’s organizational structure, operational activities, staff recruitment, and initial R&D priorities. PCAST sponsored a meeting with private sector and academic technology leaders on February 18 to commence the detailed design of a recommended concept of operations and R&D agenda. Thanks to PCAST’s leadership, we received the first detailed design papers on February 25. PCAST is considering two organizational models: one based within NIST that works closely with the private sector and academia, and one located external to the government. PCAST is intently examining both possible structures and will provide its conclusions and recommendations to me.
To date, the participants in this effort have identified “gap-filling” R&D as the Institute’s primary function. While the private sector clearly has a substantial information security R&D effort under way, there are important technologies that are unlikely to attract private investment: those that are too long-term, too risky, or too likely to benefit a large number of “bystander” firms that did not fund or conduct the original research. At the same time, federal agencies have traditionally supported research directly related to their mission needs, without necessarily addressing areas that are important to securing the national information infrastructure as a whole. The result is a gap between federal and private sector research – a gap that the government, private sector, and academic technology experts agree must be filled to ensure the security of our information infrastructures. As an example, one particularly important research theme not being adequately addressed by the government or private sector is the holistic, “system-of-interacting-systems” nature of our information infrastructure: its complex behaviors, its vulnerabilities, its robustness and whether it degrades gracefully when stressed, the effects of its interconnections with other infrastructures, and its interfaces with its human operators and users. This Institute, working closely with the government, private sector and academia, will close this and other research gaps. As I noted previously, we are currently working intensively with the technology experts to identify the initial set of research projects.
Ensuring the robust, reliable, and assured operation of our critical infrastructures presents a serious challenge. Advanced technology will help us meet this challenge – and for this reason, the Administration has developed a comprehensive critical infrastructure protection R&D agenda that is coordinated across many agencies. Each program in the agenda is tied directly to infrastructure vulnerabilities and addresses infrastructure protection R&D shortfalls. An important new initiative in the FY2001 agenda is the Institute for Information Infrastructure Protection, which will enable our nation to protect its information infrastructure even as information technologies are rapidly
Mr. Chairman, the President directed that critical infrastructure protection be a national priority in PDD-63. We have developed a robust R&D program that will ensure our infrastructures continue to operate reliably even in the face of new threats in the 21st century. I thank you for this opportunity to discuss our overall R&D program and I am looking forward to working with you as we bring this technology agenda to fruition.