1998 Congressional Hearings
Intelligence and Security

Thank you Mr. Chairman and members of the Committee for inviting me here today to testify on the critical issue of computer security.  I am Ray Kammer, Director of the National Institute of Standards and Technology (NIST), a component of the Technology Administration at the Department of Commerce.  NIST’s mission is to promote U.S. economic growth by working with industry to develop and apply technology, measurements and standards.  In the computer and communications area, our Information Technology (IT) Laboratory provides technical leadership for the nation’s measurement and standards infrastructure for IT.  One component of our IT Laboratory focuses exclusively on security issues.  As requested in your invitation, it is the IT security work of NIST’s Computer Security Division that I would like to focus primarily upon today.

Let me commend the Committee for focusing on the issue of computer security.  As you recognized in calling today’s hearing, security is a critical component necessary to meet the needs of both industry and government in achieving economic and social benefits from applications of IT, including in the important area of Electronic Commerce. Your hearing is also particularly timely given the recent report issued by the President’s Commission on Critical Infrastructure Protection highlighting security issues.  I will not dwell on threats to computer systems, other than to note that they are wide-ranging and show no sign of diminishing.  They include such threats and risks as: sabotage, loss of infrastructure support, malicious hacking, industrial and state-sponsored espionage, human error, fraud, and viruses as well as other types of malicious code.

NIST’s activities in the area of computer security address requirements of both the IT industry and federal agencies.  Our industry customers include the vendors of general IT products as well as security-specific products.  NIST’s responsibilities are specified in the Computer Security Act of 1987 (and were reinforced under the Clinger-Cohen Act, more formally known as the IT Management Reform Act of 1996).  In addition, OMB’s Circular A-130 (Appendix III) expands on these and gives NIST a number of specific responsibilities in support of agency computer security efforts.  Last, the Computer Systems Security and Privacy Advisory Board (CSSPAB), provides us with valuable input on emerging security issues and other matters.

Another recent development is the Federal Government’s concern over the security and robustness of the nation’s critical infrastructures, as these are increasingly dependent on information technology and computer networks such as the Internet.  NIST computer security programs and expertise will help address problems involving these infrastructures.

NIST has developed a strategy that recognizes the essentially common security needs of the majority of government agencies and the private sector.  In particular, we believe that the best way to provide security for Federal Government systems is to make maximum use of commercial products, services, standards and technology.  NIST works with the private sector to foster the availability of high quality security products that may be used by both private sector and government organizations with confidence - thus achieving higher levels of security and interoperability for both.  The NIST IT security program focuses on those technologies and needed infrastructures that will achieve these goals.  Briefly, the key focus areas in the NIST IT security program are the following:

Security Criteria and Testing,
Internet and Network Security,
Cryptographic Technology and Applications,
Public Key Infrastructure, and
Security Management

These areas address some of the most critical issues facing organizations today as they expand their uses of computers and networks.  By focusing on these key areas, NIST is able to leverage its unique expertise in standards and measurements to help both government and the private sector.  Let me briefly discuss each.

The goal of our first focus area, Security Criteria and Testing, is to promote the development of objective criteria for testing and assessing the functionality and assurance of security technology and products.  This is needed because, when it comes to security, organizations (including government) are looking for independent assurances that the security features of products indeed perform “as advertised.”  Many of our activities in this area are being accomplished under our recently-announced “National Information Assurance Partnership” (NIAP).  NIAP is a NIST/NSA-sponsored forum through which industry and government organizations can collaborate to develop security metrics, tests, test methods, tools, reference implementations, and protection profiles.  These can then be used by independent, private sector testing laboratories to conduct product tests and certifications.  It is important to note here that NIST does not intend to perform tests or product certification - only to help provide the necessary elements to support usable and credible formal test processes.  In this way, government (and industry, to the extent it needs tested products) will be able to procure and deploy security technologies and products that have been independently tested.  NIAP will also serve as the mechanism for mutual international recognition of evaluation tests conducted under the “Common Criteria” program, an internationally agreed upon means to specify security functionality and assurance so that tests for conformance can be conducted.

Because NIAP promotes the development of security product testing through independent, private sector laboratories, we hope that this will lead to the greater commercial availability of secure products for use in protecting government (and, again, to the extent needed, industry) information systems.  NIAP also is laying out a course for transition of exiting government-conducted security product testing activities to commercial testing laboratories, thus supporting the development of an American IT testing industry which is commercially viable and sustainable.

Much of the work of NIAP is supported by the “Common Criteria” (CC), on which NIST has been working for some time.  The goal of this effort is to provide a detailed technical specification which can be used to describe, with technical precision, the security functions of an application, security product, or system (which subsequently may undergo security testing).  The CC also provides a means to specify a corresponding “assurance level” of a product, meaning, in effect, the degree of confidence one may have that a given product’s security features operate as specified.  This will allow for a range of testing, from a fairly quick review, to an in-depth, technical product review.  The degree of testing appropriate will, in part, be determined by the threat and risk environment (including the sensitivity of information) in which a given product is intended to operate.

The goal of our activities in the area of Internet and Network Security is to provide interoperable security capabilities across networks and user "domains.” What exactly does this mean?  Many of the networks in existence today, notably the Internet, were not designed with security functionality in mind.  A challenge that faces us today is how to migrate to new technology that provides for a higher level of security.  One key area that NIST has focused on to accomplish this is to work with the Internet Engineering Task Force (IEFT) to develop the technical security protocols for use in the new version of the supporting network security protocols (known as “IPSec”).  We have developed a security reference implementation, which will be widely distributed and can be used to test for interoperability by builders of IPSec products.  IPSec provides for security services for both the currently-deployed Internet Protocol (IP) version 4 and the emerging IP version 6.

Another important activity that NIST has undertaken, particularly to address the needs of our federal customers, is the Federal Computer Incident Response Capability (FedCIRC).  This is an initiative originated by NIST and made operational in October 1996, which helps address the need in the Federal Government for network incident response capabilities.  FedCIRC provides, under NIST auspices and in collaboration with DOE's Computer Incident and Advisory Capability and Carnegie-Mellon University's Computer Emergency Response Center (CERT), a variety of subscription funded services such as site evaluation, incident handling services, access to incident and vulnerability advisories, and training opportunities.

Thanks to startup funding from the Government Information Technology Services (GITS) initiatives, we are able to provide 7-day-a-week, 24-hour-a-day service. To date, we have handled more than 75 incidents from the civilian side of government since we became operational. Additionally, we have fielded hundreds of other requests for information and assistance.  Through its workshops and seminars, FedCIRC has trained over 1000 individuals on various aspects of computer security.  In conjunction with other federal agencies, we are currently looking at ways to continue this important activity beyond that provided for by the initial one-time GITS start-up funding.

Our next focus area is Cryptographic Technology and Applications.  The goal of our work in cryptography is to ensure the availability of high-quality cryptographic technology standards, tests, and application program interfaces to that technology.   NIST’s work in cryptography focuses not only on core algorithm-based standards and associated conformance tests, but higher level standards and tests for the “modules” in which algorithms (and other cryptographic-related functions are implemented).  Included at the algorithm level are such activities as our development of the Advanced Encryption Standard and our work with the American National Standards Institute (ANSI) on digital signature standards for RSA and Elliptic Curve techniques.  At the module level, our work is focused in our Cryptographic Module Validation Program.  I will briefly explain each of these in more detail.

Advanced Encryption Standard (AES). In January of last year, NIST announced that it would begin the process of working with the private sector on an Advanced Encryption Standard (AES). As you may know, the Data Encryption Standard (DES) has been the operative private sector standard, as well as formal government standard, for assuring the confidentiality of information for almost two decades. DES will continue to provide adequate levels of security for many applications for years to come.  However, in an effort to look ahead, NIST has begun the work with the private sector on AES in anticipation that demand for the next generation of encryption standards will require a concerted, multi-year effort to evaluate, develop and build consensus towards acceptable long-term standards. We are pleased by the response of the private sector to this initiative, and we look forward to receiving candidate algorithms nominations by the mid-June deadline.  Thereafter, we plan a series of public workshops and comment periods before selecting an algorithm for the AES.

Expanded Digital Signature Standard. NIST also has requested public comments on additional algorithms that the federal government may endorse to authenticate electronic information and transactions and assure high levels of integrity. This initiative will expand the number of techniques that the Federal government should be using in the area of "digital signatures" and should bring forth the best and most cost-effective technologies that the private sector has to offer. I want to note that we have specifically asked for comment on elliptic curve technology and on RSA's digital signature technology.  We have been working with accredited voluntary standards committees of ANSI to finalize standards for both technologies, which we intend to recommend for federal use with appropriate implementing guidance.

Key Agreement / Exchange. In a third area, we have also sought public comments on potential technologies that assure very secure "key agreement or exchange" protocols as part of public cryptographic systems. There is no existing federal standard in this area, and we have specifically asked for comments on the following technologies: RSA, elliptic curve, and Diffie-Hellman.  We are also working with the ANSI voluntary standards committees on these standards, which we plan to adopt for federal use as appropriate.

Key Recovery.  NIST is also pursuing technical work in the area of key recovery for government applications, to ensure the availability of encryption keys, for both user and public safety requirements. We have provided technical support for the key recovery pilot tests sponsored by GITS.  We also support the Department of Commerce’s advisory committee to gain industry’s advice as to how the government should accomplish key recovery for itself.

Cryptographic Module Validation Program.  While sound algorithms are critical to providing for strong cryptographic-based services, they are insufficient in and of themselves.  It also necessary that the module in which cryptography is implemented (either hardware or software) be secure.  For example, one issue that must be addressed is how are cryptographic keys protected within the module.  Therefore, NIST, in conjunction with industry partners, developed the Security Requirements for Cryptographic Modules standard which specifies four security levels for cryptomodules.  Under its National Voluntary Laboratory Accreditation Program, NIST has accredited Cryptographic Modules Testing (CMT) laboratories to perform validation testing of cryptographic modules.  Netscape told us that, as a result of successful testing under this program, the Department of Defense recently purchased 2 million copies of their web browser.

Our projects in the area of Public Key Infrastructure (PKI) are aimed at ensuring the interoperability and security of the crucial components of the public key infrastructure needed to support electronic commerce and government activities. Public key technology holds great promise for improving the security of systems and serving as a key enabling technology for Electronic Commerce.  However, in order to enable truly global capabilities, and to avoid independent islands of users who cannot talk to each other, interoperability issues must be addressed.  Additionally, in order for users to have trust in the system, the security issues in the various components of the PKI must be also be addressed.

NIST has recently completed initial work in the area of PKI by developing, with the assistance of ten cooperative research and development agreement partners in industry, a Minimum Interoperability Specification for Public Key Infrastructure Components (MISPC). NIST is continuing this work with development of reference implementations of public key Certificate Authorities and related technical development.

Our final security focus area is that of Security Management to provide guidance in the selection, implementation and use of security technology in their systems and networks.  We recognize that technology does not provide strong security in isolation – there are always complicating human factors.  Technology appropriate to the risk and threat environment must be selected.  It must correctly installed and managed by knowledgeable, trained personnel. Organizations must have appropriate policies and security in place throughout a system’s functional life-cycle.  In order to address such critical managerial and operational controls, NIST develops and issues guidance to agencies.

Our basic overall approach to these security management issues was laid out a few years ago in our Computer Security Handbook and has been  supplemented via numerous other publications.  For example, during the last year, ITL has issued bulletins on security issues for telecommuting, audit trails, security considerations in computer support and operations, PKI technology, and Internet electronic mail.  Thanks to our collaborators in the Federal Information Systems Security Educators’ Association and the Federal Computer Security Program Managers’ Forum, we are currently coordinating two new draft guidelines on training and planning, respectively.

The Federal Computer Security Program Managers’ Forum, which we sponsor, provides an informal venue for federal officials to exchange real-world computer security issues and solutions.  The Forum also provides a means for NIST to share its advice with agencies, and to draw upon the computer security expertise at other federal agencies in developing guidance documents.

NIST has also undertaken a long list of activities with federal agencies designed to improve agency security management, education and awareness, and use of security technology. NIST staff would be happy to discuss this with you further.

Mr. Chairman, I want to thank you again for the opportunity to speak to your committee on NIST’s computer security activities. We at NIST look forward to working with your committee and others in the Congress on this important issue.