CYBERSECURITY ACTIVITIES AT NIST’S INFORMATION TECHNOLOGY LABORATORY HEARING BEFORE THE SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION COMMITTEE ON SCIENCE AND TECHNOLOGY HOUSE OF REPRESENTATIVES ONE HUNDRED ELEVENTH CONGRESS FIRST SESSION OCTOBER 22, 2009 Serial No. 111–59 Printed for the use of the Committee on Science and Technology ( Available via the World Wide Web: http://www.science.house.gov U.S. GOVERNMENT PRINTING OFFICE 52–857PDF WASHINGTON : 2010 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512–1800; DC area (202) 512–1800 Fax: (202) 512–2104 Mail: Stop IDCC, Washington, DC 20402–0001 COMMITTEE ON SCIENCE AND TECHNOLOGY HON. BART GORDON, Tennessee, Chair JERRY F. COSTELLO, Illinois RALPH M. HALL, Texas EDDIE BERNICE JOHNSON, Texas F. JAMES SENSENBRENNER JR., LYNN C. WOOLSEY, California Wisconsin DAVID WU, Oregon LAMAR S. SMITH, Texas BRIAN BAIRD, Washington DANA ROHRABACHER, California BRAD MILLER, North Carolina ROSCOE G. BARTLETT, Maryland DANIEL LIPINSKI, Illinois VERNON J. EHLERS, Michigan GABRIELLE GIFFORDS, Arizona FRANK D. LUCAS, Oklahoma DONNA F. EDWARDS, Maryland JUDY BIGGERT, Illinois MARCIA L. FUDGE, Ohio W. TODD AKIN, Missouri BEN R. LUJA´ N, New Mexico RANDY NEUGEBAUER, Texas PAUL D. TONKO, New York BOB INGLIS, South Carolina PARKER GRIFFITH, Alabama MICHAEL T. MCCAUL, Texas STEVEN R. ROTHMAN, New Jersey MARIO DIAZ-BALART, Florida JIM MATHESON, Utah BRIAN P. BILBRAY, California LINCOLN DAVIS, Tennessee ADRIAN SMITH, Nebraska BEN CHANDLER, Kentucky PAUL C. BROUN, Georgia RUSS CARNAHAN, Missouri PETE OLSON, Texas BARON P. HILL, Indiana HARRY E. MITCHELL, Arizona CHARLES A. WILSON, Ohio KATHLEEN DAHLKEMPER, Pennsylvania ALAN GRAYSON, Florida SUZANNE M. KOSMAS, Florida GARY C. PETERS, Michigan VACANCY SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION HON. DAVID WU, Oregon, Chair DONNA F. EDWARDS, Maryland ADRIAN SMITH, Nebraska BEN R. LUJA´ N, New Mexico JUDY BIGGERT, Illinois PAUL D. TONKO, New York W. TODD AKIN, Missouri DANIEL LIPINSKI, Illinois PAUL C. BROUN, Georgia HARRY E. MITCHELL, Arizona GARY C. PETERS, Michigan BART GORDON, Tennessee RALPH M. HALL, Texas MIKE QUEAR Subcommittee Staff Director MEGHAN HOUSEWRIGHT Democratic Professional Staff Member TRAVIS HITE Democratic Professional Staff Member HOLLY LOGUE Democratic Professional Staff Member DAN BYERS Republican Professional Staff Member VICTORIA JOHNSTON Research Assistant (II) C O N T E N T S October 22, 2009 Page Witness List ............................................................................................................. 2 Hearing Charter ...................................................................................................... 3 Opening Statements Statement by Representative David Wu, Chairman, Subcommittee on Tech- nology and Innovation, Committee on Science and Technology, U.S. House of Representatives ................................................................................................ 6 Written Statement ............................................................................................ 6 Statement by Representative Adrian Smith, Ranking Minority Member, Sub- committee on Technology and Innovation, Committee on Science and Tech- nology, U.S. House of Representatives ............................................................... 7 Written Statement ............................................................................................ 7 Prepared Statement by Representative Harry E. Mitchell, Member, Sub- committee on Technology and Innovation, Committee on Science and Tech- nology, U.S. House of Representatives ............................................................... 8 Witnesses: Ms. Cita M. Furlani, Director, Information Technology Laboratory, National Institute of Standards and Technology Oral Statement ................................................................................................. 9 Written Statement ............................................................................................ 10 Biography .......................................................................................................... 15 Dr. Susan Landau, Distinguished Engineer, Sun Microsystems, Burlington, MA Oral Statement ................................................................................................. 16 Written Statement ............................................................................................ 17 Biography .......................................................................................................... 20 Dr. Phyllis Schneck, Vice President, Threat Intelligence, McAfee Corporation Oral Statement ................................................................................................. 21 Written Statement ............................................................................................ 23 Biography .......................................................................................................... 26 Mr. William Wyatt Starnes, Founder, CEO, and President, SignaCert, Inc.; Founder, Tripwire, Inc. Oral Statement ................................................................................................. 27 Written Statement ............................................................................................ 28 Biography .......................................................................................................... 36 Dr. Fred B. Schneider, Samuel B. Eckert Professor of Computer Science, Cornell University Oral Statement ................................................................................................. 37 Written Statement ............................................................................................ 38 Biography .......................................................................................................... 41 Mr. Mark Bohannon, General Counsel and Senior Vice President for Public Policy, Software & Information Industry Association (SIIA) Oral Statement ................................................................................................. 42 Written Statement ............................................................................................ 44 Biography .......................................................................................................... 47 Discussion ................................................................................................................. 47 (III) IV Page Appendix: Answers to Post-Hearing Questions Ms. Cita M. Furlani, Director, Information Technology Laboratory, National Institute of Standards and Technology .............................................................. 58 Dr. Susan Landau, Distinguished Engineer, Sun Microsystems, Burlington, MA ......................................................................................................................... 59 Dr. Phyllis Schneck, Vice President, Threat Intelligence, McAfee Corporation . 60 Mr. William Wyatt Starnes, Founder, CEO, and President, SignaCert, Inc.; Founder, Tripwire, Inc. ........................................................................................ 61 Dr. Fred B. Schneider, Samuel B. Eckert Professor of Computer Science, Cornell University ................................................................................................ 63 Mr. Mark Bohannon, General Counsel and Senior Vice President for Public Policy, Software & Information Industry Association (SIIA) ........................... 65 CYBERSECURITY ACTIVITIES AT NIST’S INFORMATION TECHNOLOGY LABORATORY THURSDAY, OCTOBER 22, 2009 HOUSE OF REPRESENTATIVES, SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION, COMMITTEE ON SCIENCE AND TECHNOLOGY, Washington, DC. The Subcommittee met, pursuant to call, at 2:07 p.m., in Room 2318 of the Rayburn House Office Building, Hon. David Wu [Chair- man of the Subcommittee] presiding. (1) 2 3 HEARING CHARTER SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION COMMITTEE ON SCIENCE AND TECHNOLOGY U.S. HOUSE OF REPRESENTATIVES Cybersecurity Activities at NIST’s Information Technology Laboratory THURSDAY, OCTOBER 22, 2009 2:00 P.M.–4:00 P.M. 2318 RAYBURN HOUSE OFFICE BUILDING 1. Purpose On Thursday, October 22, 2009 the Subcommittee on Technology and Innovation of the Committee on Science and Technology will hold a hearing to review the rec- ommendations made in the Cyberspace Policy Review that may be appropriate for the National Institute of Standards and Technology (NIST) and the proposed reorga- nization of the NIST Information Technology Laboratory. 2. Witnesses Ms. Cita Furlani is the Director of the Information Technology Laboratory at NIST. Dr. Susan Landau is a Distinguished Engineer at Sun Microsystems. She is a former member of the Commission on Cyber Security for the 44th Presidency and the NIST Information Security and Privacy Advisory Board. Dr. Fred Schneider is the Samuel B. Eckert Professor of Computer Science at Cor- nell University and a current NIST Information Security and Privacy Advisory Board member. Dr. Phyllis Schneck is the Vice President of Threat Intelligence at McAfee. She served as a commissioner for the Commission on Cyber Security for the 44th Presi- dency and on the National Board of Directors for the Federal Bureau of Investiga- tion’s InfraGuard. Mr. William Wyatt Starnes is the Founder and CEO of SignaCert, Inc. He is for- merly a member of the NIST Visiting Committee on Advanced Technology. Mr. Mark Bohannon is the