The Honorable Neal Lane
Assistant to the President for Science and Technology
Director of the Office of Science and Technology Policy
Committee on Armed Services
U.S. House of Representatives
March 8, 2000
Mr. Chairman, members of the Committee, I would like to thank you for this opportunity to discuss research and development (R&D) activities that the federal government is conducting to improve our ability to protect the nation's critical infrastructures. You are all familiar with the challenges facing our nation as we take measures to ensure the robust and reliable operation of our critical infrastructures. This is truly a national challenge - one that goes beyond the traditional bounds of national security. Our economic security, competitiveness, and our way of life also rest upon the continuous and assured availability of the services provided by our infrastructures - reliable services that we all too often take for granted.
Research and development is - and must be - a key element of an integrated national agenda to protect our critical infrastructures. The President recognized this fact in May, 1998 when he issued Presidential Decision Directive PDD-63 on Critical Infrastructure Protection (CIP). Among other things, this Directive tasked the Office of Science and Technology Policy to coordinate the federal government's critical infrastructure protection R&D. More recently, the President underscored the importance of protecting our national information infrastructure by requesting funds to establish an Institute for Information Infrastructure Protection. This Institute, working closely with the private sector and academia, will focus upon the development of technologies that neither the government nor the private sector is currently developing, yet are crucial to the security of our information infrastructure. The importance of critical infrastructure protection R&D is reflected in the President's FY2001 budget, which contains $606 million for CIP R&D, an increase of $145 million (31%) from last year's enacted funding level.
The Federal Critical Infrastructure Protection R&D Agenda
This overall R&D program comprises four primary thrusts, each of which draws on the resources of multiple agencies and covers a broad spectrum of both physical and cyber security issues. The four thrusts address the following research questions:
Agency FY2000 ($M) FY2001 ($M)
Coordinating Federal Critical Infrastructure Protection R&D
I would like to emphasize several key facets of our interagency process. First, all programs recommended in the R&D agenda are tied to vulnerabilities or R&D shortfalls. A number of recent reports, in both the private sector and government, have highlighted vulnerabilities in our infrastructures. We ensure that each of our R&D programs, whether ongoing or a proposed new start, directly addresses one or more infrastructure vulnerabilities.
Second, we ensure that each agency is aware of the others' R&D programs. Compiling information about each agency's R&D, and sharing this information with all other participating agencies, helps agencies leverage investments and avoid duplication of effort. In this way, individual critical infrastructure protection R&D programs become a unified interagency product - a package coordinated and integrated across agency boundaries.
In selected areas of particularly high-priority research, our coordination activities go beyond this across-the-board information collection and sharing. In these areas, staff from my office works closely with agency R&D managers to examine in detail each agency's research activities. We then discuss how each program should be modified to build an integrated whole that is stronger than the sum of its parts. Such an intensive coordination effort is difficult to accomplish, but very worthwhile. To give one example, representatives from my office, the Defense Advanced Research Projects Agency, and the Departments of Energy and Transportation have examined in detail their respective programs in infrastructure interdependencies - analyses of how each infrastructure relies upon others for its continuous operation. These representatives are developing a single, multiagency research program that strives towards common national goals, satisfies agency mission requirements, and eliminates duplication. We have recently begun a similar effort for intrusion detection and monitoring, and we plan to commence a third intensive coordination program for incident recovery and reconstitution R&D.
Third, we validate our R&D agenda by soliciting feedback and comment from technology experts in government, the private sector, and academia. The technical expertise in infrastructure protection resides in academic and government laboratories, as well as with the private sector owners, operators, maintainers, designers, manufacturers, and customers of our infrastructure systems. Consequently, we must draw upon the expertise of all sectors as we build our R&D agenda. For example, we gave over 20 briefings of our program last year, the majority of which were to private sector organizations. We have asked for - and received - excellent feedback on our energy sector R&D programs from the Electric Power Research Institute. My office and the President's National Security Telecommunications Advisory Committee (NSTAC) jointly sponsored a critical infrastructure protection R&D exchange meeting at Purdue University in October 1998, and we are planning a follow-on event for later this year. Through these outreach efforts we will ensure that our R&D program heads in the right direction, addresses the key technical issues, and does not reinvent technology that is already on the shelf.
In summary, we have put substantial energy, analysis, and effort into developing and coordinating an interagency R&D agenda that addresses the key technical challenges of critical infrastructure protection. The result is an integrated program package that will help us ensure the reliable and robust operation of our nation's critical infrastructures.
The Institute for Information Infrastructure Protection
As the culmination of the Administration's review, the President announced on January 7 that he would request $50 million in his Fiscal Year 2001 budget for an Institute for Information Infrastructure Protection. He has also requested $4 million in a supplemental appropriation for the current Fiscal Year to establish the Institute and get started on its first R&D projects. He stated that the I3P "will fill research gaps that neither public nor private sectors are filling today," and that it will "bring to bear the finest computer scientists and engineers from the private sector, from universities, and from other research facilities to find ways to close these gaps." Based on preliminary work, the President has called for the Institute to be funded through the Commerce Department's National Institute of Standards and Technology (NIST), which has the mission of working with the industry to develop technology, measurements, and standards to strengthen our economy and improve our quality of life.
I want to emphasize, however, that planning, establishing, and operating this Institute must be done collaboratively by government, industry, and academia. I have therefore asked PCAST, working with additional experts in the private sector and academia, to conduct a short-term, rapid-turnaround study to advise me on the Institute's organizational structure, operational activities, staff recruitment, and initial R&D priorities. PCAST sponsored a meeting with private sector and academic technology leaders on February 18 to commence the detailed design of a recommended concept of operations and R&D agenda. Thanks to PCAST's leadership, we received the first detailed design papers on February 25. PCAST is considering two organizational models: one based within NIST that works closely with the private sector and academia, and one located external to the government. PCAST is intently examining both possible structures and will provide its conclusions and recommendations to me.
To date, the participants in this effort have identified "gap-filling" R&D as the Institute's primary function. While the private sector clearly has a substantial information security R&D effort under way, there are important technologies that are unlikely to attract private investment: those that are too long-term, too risky, or too likely to benefit a large number of "bystander" firms that did not fund or conduct the original research. At the same time, federal agencies have traditionally supported research directly related to their mission needs, without necessarily addressing areas that are important to securing the national information infrastructure as a whole. The result is a gap between federal and private sector research - a gap that the government, private sector, and academic technology experts agree must be filled to ensure the security of our information infrastructures. As an example, one particularly important research theme not being adequately addressed by the government or private sector is the holistic, "system-of-interacting-systems" nature of our information infrastructure: its complex behaviors, its vulnerabilities, its robustness and whether it degrades gracefully when stressed, the effects of its interconnections with other infrastructures, and its interfaces with its human operators and users. This Institute, working closely with the government, private sector and academia, will close this and other research gaps. As I noted previously, we are currently working intensively with the technology experts to identify the initial set of research projects.
Mr. Chairman, the President directed that critical infrastructure protection be a national priority in PDD-63. We have developed a robust R&D program that will ensure our infrastructures continue to operate reliably even in the face of new threats in the 21st century. I thank you for this opportunity to discuss our overall R&D program and I am looking forward to working with you as we bring this technology agenda to fruition.