[House Hearing, 111 Congress]
[From the U.S. Government Printing Office]
[H.A.S.C. No. 111-128]
PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION
TECHNOLOGY AND CYBERSECURITY ACTIVITIES
__________
HEARING
BEFORE THE
SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES
OF THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
HEARING HELD
FEBRUARY 25, 2010
----------
U.S. GOVERNMENT PRINTING OFFICE
58-308 PDF WASHINGTON : 2010
SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES
LORETTA SANCHEZ, California, Chairwoman
ADAM SMITH, Washington JEFF MILLER, Florida
MIKE McINTYRE, North Carolina FRANK A. LoBIONDO, New Jersey
ROBERT ANDREWS, New Jersey JOHN KLINE, Minnesota
JAMES R. LANGEVIN, Rhode Island BILL SHUSTER, Pennsylvania
JIM COOPER, Tennessee K. MICHAEL CONAWAY, Texas
JIM MARSHALL, Georgia THOMAS J. ROONEY, Florida
BRAD ELLSWORTH, Indiana MAC THORNBERRY, Texas
PATRICK J. MURPHY, Pennsylvania
BOBBY BRIGHT, Alabama
SCOTT MURPHY, New York
Kevin Gates, Professional Staff Member
Alex Kugajevsky, Professional Staff Member
Andrew Tabler, Staff Assistant
CONTENTS
----------
CHRONOLOGICAL LIST OF HEARINGS
2010
Page
Hearing:
Thursday, February 25, 2010, Private Sector Perspectives on
Department of Defense Information Technology and Cybersecurity
Activities..................................................... 1
Appendix:
Thursday, February 25, 2010...................................... 21
----------
THURSDAY, FEBRUARY 25, 2010
PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION
TECHNOLOGY AND CYBERSECURITY ACTIVITIES
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Conaway, Hon. K. Michael, a Representative from Texas,
Subcommittee on Terrorism, Unconventional Threats and
Capabilities................................................... 3
Sanchez, Hon. Loretta, a Representative from California,
Chairwoman, Subcommittee on Terrorism, Unconventional Threats
and Capabilities............................................... 1
WITNESSES
Bodenheimer, David Z., Partner, Crowell and Moring, LLP.......... 5
Bond, Phillip J., President and CEO, TechAmerica................. 3
Schneider, Dr. Fred B., Samuel B. Eckert Professor of Computer
Science, Cornell University, Computing Research Association.... 7
APPENDIX
Prepared Statements:
Bodenheimer, David Z......................................... 44
Bond, Phillip J.............................................. 29
Miller, Hon. Jeff, a Representative from Florida, Ranking
Member, Subcommittee on Terrorism, Unconventional Threats
and Capabilities........................................... 27
Sanchez, Hon. Loretta........................................ 25
Schneider, Dr. Fred B........................................ 72
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
Mr. Marshall................................................. 105
Questions Submitted by Members Post Hearing:
[There were no Questions submitted post hearing.]
PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION
TECHNOLOGY AND CYBERSECURITY ACTIVITIES
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Terrorism, Unconventional Threats and
Capabilities,
Washington, DC, Thursday, February 25, 2010.
The subcommittee met, pursuant to call, at 2:06 p.m., in
room 2118, Rayburn House Office Building, Hon. Loretta Sanchez
(chairwoman of the subcommittee) presiding.
OPENING STATEMENT OF HON. LORETTA SANCHEZ, A REPRESENTATIVE
FROM CALIFORNIA, CHAIRWOMAN, SUBCOMMITTEE ON TERRORISM,
UNCONVENTIONAL THREATS AND CAPABILITIES
Ms. Sanchez. Good afternoon. Before we begin, this is my
first subcommittee hearing as chairwoman for this subcommittee,
and I would like to share that I am extremely honored to be
serving in this new role, and I look forward to working with
the subcommittee members and staff.
I would like to welcome you all and thank you for joining
us today to discuss cybersecurity, a high priority issue for
the Department of Defense [DOD] and for the security of this
nation as a whole and, I think, on an individual basis a high
priority for many people who value their privacy.
Today our witnesses will be providing us with private
sector perspectives on the Department of Defense's information
technology [IT] and cybersecurity activities. Cybersecurity is
an issue that I have been following very closely for many
years, including in my role as vice chair of the Homeland
Security Committee. Cyber threats have only recently received,
I think, the attention that we should have been giving them the
entire time, particularly within the defense community. DOD is
continually working to gain a better understanding of
cybersecurity and how to best protect this nation's cyberspace.
There have been many mainstream discussions in the press
regarding cybersecurity lately, in particular because of the
Google incident. However, there have been a number of high
profile events against the DOD and others, including cyber
attacks against Estonia and Georgian government forces, reports
of intrusions into contractor networks to exfiltrate data on
the F-35 Joint Strike Fighter, intrusions into the networks
that control our electricity grid, and intrusions on Pentagon
e-mails as well.
Those are only a few of the incidents that we know of. Many
people are unaware that our systems, especially our defense
networks, are attacked on a daily basis. In the Department of
Defense there are more than 15,000 different computer networks
which are operated across 4,000 military installations around
the world. We must protect those systems and ensure that
information on them is only available to authorized personnel,
and we must not only be prepared to respond quickly and
effectively to cyber attacks but we need to invest what is
necessary in particular resources to protect our systems.
That is why it is important that the government engage the
private sector as a partner in cybersecurity and not simply as
the technology provider that you have been for such a long
time. There is a vast array of intellectual capital and
expertise in the private sector. I should know because I am
from California and a lot of the cyber people live there.
It is not consulted on key strategic questions, even though
some of those decisions have as much impact on industry as on
government, because sometimes government becomes the standard
and then others take from them.
We should recognize that the private sector is very much a
part of the DOD family, and we should treat it that way. DOD
works with countless defense industries, and these industries
must also be held responsible for handling classified and
sensitive unclassified information appropriately.
While DOD may find it difficult to engage with industry,
that is not the case for Congress, and we feel that gaining
insight from the private sector is essential. We hope that the
witnesses today will share their views on a broad range of
topics to further inform our awareness of these issues as we
work with the DOD to craft an appropriate strategy for
defending and operating our cyberspace.
I feel the views of our private sector witnesses are a
valuable complement to those views that we have within the DOD.
For example, understanding the implications of how the recent
QDR addressed the issue of cyberspace would be, I think,
valuable to us and we would love to hear the thoughts on the
proposed directions for the new established Cyber Command that
the DOD has set.
A major focus of this subcommittee is on the science and
technology [S&T] programs of the DOD, so getting an outside
view on the proposed research agenda would also be valuable.
And with a proposed increase of more than $70 million in new
funding for computer science and security research in the S&T
budget this year I would like to better understand, from a
private sector perspective, if we are investing in the right
thing.
If not, what should we be investing in and how much would
that cost us? Because I believe we must better protect our
information networks before we experience more situations where
state and non-state actors are able to infiltrate our systems
and not only steal data on our weapons system but also put
lives in danger by disrupting military operations on our front
lines.
[The prepared statement of Ms. Sanchez can be found in the
Appendix on page 25.]
So let me quickly introduce our three witnesses. Today we
have Mr. Phil Bond, who is the president and CEO [Chief Executive
Officer] of TechAmerica; Mr. David Bodenheimer, who is a
partner of Crowell and Moring; and Dr. Fred Schneider, a
professor of computer science at Cornell University.
All written testimony submitted by the witnesses will be
included in the hearing record. Also, a reminder for
subcommittee members that we will be adhering to the five-minute
rule for questions. Once again, I want to thank our
witnesses for being here, and I would now like to yield to my
ranking member from Florida, Mr.--oh, Mr. Miller is not here.
Who are we ranking? Okay. Sorry.
Mr. Conaway, from Texas? From Texas----
Mr. Conaway. Yes, ma'am. Madam Chairman, your situational
awareness is magnificent, yes.
Ms. Sanchez. From Texas?
Mr. Conaway. Texas.
Ms. Sanchez [continuing]. Will be filling in for Mr.
Miller, and we will hear the opening statement from your side.
STATEMENT OF HON. K. MICHAEL CONAWAY, A REPRESENTATIVE FROM
TEXAS, SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND
CAPABILITIES
Mr. Conaway. Well, Madam Chairman, thank you very much, and
welcome to the chair of the subcommittee. Looking forward to
seeing you in your new role. It will not be long before none of
us will remember Adam Smith and the role he played for a number
of years as chairman. So congratulations, and look forward to
working with you.
Rather than read Jeff Miller's statement--Jeff is on the
floor working on the Intel reauthorization bill, which I will
have to go as well in a few minutes, but I would ask unanimous
consent to submit his written opening statement for the record
and--if that is all right?
Ms. Sanchez. Perfect. I am sure Mr. Miller wrote something
that is very, very good and we will put it in the record. And
if you will yield back----
[The prepared statement of Mr. Miller can be found in the
Appendix on page 27.]
Mr. Conaway. All right, yield back.
Ms. Sanchez [continuing]. I would again ask our witnesses
one at a time to summarize your written testimony. We did
receive it, and I think we even received it on time, which is
great. And we will ask you to summarize in five minutes. We try
to adhere to the five-minute rule here.
And we will begin with Mr. Bond.
STATEMENT OF PHILLIP J. BOND, PRESIDENT AND CEO, TECHAMERICA
Mr. Bond. Thank you, Chairwoman Sanchez and members of the
committee. Privilege to be here on behalf of TechAmerica and
representing some 1,200 member companies across the country.
Let me begin by thanking the chair and the members of the
committee for raising these important issues and holding the
hearing. Our members in our association share the panel
members' concerns about these vital topics and the need to
apply technology to every aspect of national security, from the
basement offices in the Pentagon to the warfighters in the
battlefield.
We share a commitment to protecting these critical networks
and infrastructure from attacks and disruption. Today I want to
focus on two fundamental themes here: IT, which includes the
procurement thereof; and then cybersecurity, including
information assurance.
We believe that the inability of our IT acquisition process
to keep pace with innovation indeed threatens our warfighters'
technical advantage, and notably our adversaries are not tied
up in the same red tape. Deputy Secretary Lynn put it well when
he said: With IT, technology changes faster than the
requirements, faster than the budget process, faster than the
acquisition milestone process. For all these reasons the normal
acquisition process does not work for information technology.
To solve that problem, we recommend first that DOD should
build a new cadre of acquisition professionals, people
dedicated solely to purchase of large systems, much as is done
in the private sector. The Department also needs greater
flexibility in budgeting. We cannot afford to wait too much
time in a world where cycles are so short.
There also is a need to restore and enhance commercial IT
products and their use. There is an inadequate supply of STEM-carrying
[Science, Technology, Engineering and Mathematics] degree workforce
out there and that is a long-term challenge.
Another long-term challenge is basic research. We are certainly
supportive of substantial increases in basic research scheduled
for DOD in the coming year.
On the second broad theme of cybersecurity and the related
topic of information assurance, let me acknowledge the critical
natures the chair mentioned about the collaboration between DOD
and the private sector. In our view, DOD's dialogue with the
private sector has been incomplete so far in this area--
certainly engaged with the Defense Industrial Base, with system
integrators that are a part of TechAmerica, but the vast
majority of the commercial software development world is not a
part of that conversation and needs to be. They have not been
formally involved.
Related to any of these kinds of discussions about the
collaboration on information assurance and--is a discussion of
supply chains--excuse me. Again, here, government needs to work
with industry to understand the global deployment, the benefits
of it, and the risks of it. And then once you assess the risk,
share the risk so that the very best minds in the private
sector can help.
We would encourage some specific steps refocusing and
reforming the existing certification processes, identifying
commercial sector best practices and tools to expand their use
within the government realm. We also would recommend creating a
governance structure for assurance. We underscore the need to
accelerate--accelerate the efforts in this regard.
Now, I want to suggest one idea in particular that we, as
an association, have begun to explore, which is--the threat to
national security is real. And perhaps there are other models
we can use to bring the best of the private sector into
collaboration with the best of the public sector.
So if you think of the Reserve model, which allows
reservists to keep their civilian jobs, come in and do
service--do their national service--and perhaps have the
government salary supplemented by the private sector. But that
legal framework might well apply so that leading cyber
companies could donate talent on tours of duty, much like
reservists, and really help the national security.
Finally, we think it is important to underscore that the
leadership of DOD and the warfighter ultimately traces itself
back to our leadership in the private sector in innovation and
believe that therefore the Department should take an interest
in the private sector leadership of American companies.
Let me make one other point quickly in summing up, which is
that we note there are many efforts in information assurance
and global supply chain assurance. So we encourage the
administration to look at a single authority to consolidate and
coordinate those.
And finally, Madam Chair, we would ask that the
subcommittee consider a strategic review of Title X to see if
in this information age there aren't some antiquated
authorities that just have not kept up with the pace of
technology that could be updated for the good of our nation's
security.
Thank you.
[The prepared statement of Mr. Bond can be found in the
Appendix on page 29.]
Ms. Sanchez. Thank you, Mr. Bond.
And now we will hear from Mr. Bodenheimer.
STATEMENT OF DAVID Z. BODENHEIMER, PARTNER, CROWELL AND MORING,
LLP
Mr. Bodenheimer. Chairwoman Sanchez and members of the
committee, thank you for your leadership on cybersecurity
issues. Without cybersecurity we cannot maintain military
superiority or economic security, and a vital key to
cybersecurity is a robust public-private partnership. Quite
bluntly, government and industry will either succeed together
or fail separately.
I am David Bodenheimer, a partner in the law firm of
Crowell & Moring, where I head the homeland security practice,
specialized in government contracts, and work on ABA [American
Bar Association] committees focusing on cybersecurity issues.
Today I appear in my personal capacity to talk about
cybersecurity, a topic that keeps me busy during the day and
awake at night.
I will not dwell on the threat today. Nearly everybody
agrees that the cybersecurity threat is imminent, relentless,
and catastrophic, and it is getting worse. The cyber barbarians
are stealing our secrets and our technology, they are
plundering our databases and private information, and they are
hacking into our critical infrastructure systems.
The real question is not the threat, but what we do about
it. I have six points, six suggestions--Winston Churchill would
say that is five too many, but let me see how many I cover--six
areas where the Department of Defense and the private sector
must work in tandem.
Number one: We must supercharge the public-private
partnership. With the same urgency that we mobilized the
industrial base in World War II, we need a public-private
partnership to attack today's cybersecurity threat so it does
not become tomorrow's digital Pearl Harbor.
With the Defense Industrial Base Initiative, DOD has made a
fine start with its pilot program for bilateral partnerships.
Now we need to move from limited partnership to full
partnership. Instead of a bilateral model with a few companies
we need a bigger tent with more private sector players and
broader participation. Additionally, full partnership should
involve a two-way exchange of information before the decisions
and strategy are cast in concrete.
Number two: We need more effective information-sharing. If
we cannot connect the dots our cyber defenses are just another
Maginot Line begging for a cyber ambush from the rear.
Too often the public sector gets information that is too
little, too late, and too classified. For effective
information-sharing the private sector needs timely data
exchanges with context and analysis, two-way sharing not a one-way
pipeline, and less classification with greater access.
Number three: We need clear, firm, and consistent cyber
standards. Working to inconsistent cyber standards works about
as well as serving two masters. It just doesn't work very well.
Multiple inconsistent standards drive industry crazy, and
it is not just a military versus civilian standard issue.
Sometimes even the Army, Navy, and Air Force don't agree.
Getting clear, firm, and synchronized standards would give us
better cyber defense at a lower cost.
Number four: We must encourage development of breakthrough
technologies. The Department of Defense, specifically DARPA
[Defense Advanced Research Projects Agency], brought us the
Internet. We need that same big-brain research to deliver
breakthrough technologies for cybersecurity that can leapfrog
our cyber enemies, but at a cost we can afford.
Innovation can be energized in other ways as well, such as
technology clearinghouses, DARPA prizes, and private
fellowships. For cybersecurity, the more brains the better.
Number five: We need to stimulate cyber defense through
liability safe harbors. Getting sued and penalized is a
surefire way to shut down information-sharing and technology
innovation.
For effective cybersecurity the private sector must share
information not only with the Department of Defense but also
its industry partners. To encourage that sharing we need safe
harbors so that industry partners can meet minimum security
standards and are not penalized with antitrust suits and other
sanctions for cooperating.
Safe harbors can also accelerate innovation, such as we
have with the SAFETY Act. We need to expand that so it also
applies to companies in the cyber industry as well.
Number six: We need to assure due process and dispute
resolution. In every partnership, partners sometimes disagree.
In the government contracts business, pulling the plug on a
government contractor that is connected to the DOD systems is
effectively a cyber death sentence.
A private party should not be unplugged when someone else
is responsible for a security breach. A disputes resolution
process--perhaps a cyber board of appeal of independent IT
experts--would allow government to do its job while assuring
due process for private sector in the event of such disputes.
As an old Navy guy I am proud to appear before this
historic committee. We thank you for your leadership on this
issue and welcome your comments.
Thank you.
[The prepared statement of Mr. Bodenheimer can be found in
the Appendix on page 44.]
Ms. Sanchez. Thank you so much to the gentleman.
And now, Dr. Schneider for five minutes or less.
STATEMENT OF DR. FRED B. SCHNEIDER, SAMUEL B. ECKERT PROFESSOR
OF COMPUTER SCIENCE, CORNELL UNIVERSITY, COMPUTING RESEARCH
ASSOCIATION
Dr. Schneider. Thank you for inviting me here to testify. I
want to focus on cybersecurity research and education. Military
and civilian computing systems need to tolerate failures and to
withstand attacks, but they don't. They are not trustworthy.
And our dependence on these systems is increasing both for
peace time and war time operations, often with system users
ignorant of what they depend on and the risks of that
dependence.
Moreover, we operate in a reactive mode and we improve
defenses only after they have been penetrated. We thus prepare
to fight the last battle rather than the next one. This means
attackers always win round one.
We need to move beyond this reactive stance to a proactive
one. In short, we must build systems whose trustworthiness
derives from first principles.
The proactive approach requires having a science base for
cybersecurity. Since we don't have one we need to develop one.
But doing that will require making significant investments in
research and the investments will have to be made on a
continuing basis, for without continuity few will be inclined
to make the intellectual commitment necessary to enter the
field.
Unfortunately, cybersecurity will never be a solved
problem. We are not going to find a magic bullet solution.
Attackers grow evermore sophisticated. The systems themselves
change as do the deployment settings, bringing new
opportunities for attack and disruption.
So what research needs to be done? There have been 19
studies by federal agencies since 1997 each concerned with that
question, each offering some kind of cybersecurity research
agenda. And there is remarkable agreement among them all, so it
is time to move beyond the list-making phase and embark on
execution.
I will offer two observations about the conduct of
cybersecurity research, though. First, when the work is
classified it cannot engage many of the country's top
researchers, it necessarily receives less scrutiny by a diverse
community of experts, and it will be slow to impact the
civilian infrastructure on which even the military so depends.
Second, cybersecurity once was funded by a diverse ecology
of agencies and instruments--DARPA, MURI [Multidisciplinary
University Research Initiative], AFOSR [Air Force Office of
Scientific Research], ONR [Office of Naval Research], ARO [Army
Research Office], all within DOD, plus NSF [National Science
Foundation], DHS [Department of Homeland Security], and some
others. This diversity was valuable because different agencies
have different needs, goals, cultures, and style.
But the diversity has been eroding. Getting that restored
should be a priority, and it would undoubtedly bring better
value for research dollars spent.
I earlier made the observation that today's systems are not
as trustworthy as they need to be. The number of adequately
trained cybersecurity professionals is obviously a factor here.
To start, universities need to hire more faculty and to
teach cybersecurity courses and to expand their programs.
Significant increases in research funding will promote this.
In addition, employers need incentives to hire system
developers who have adequate training in cybersecurity.
Government policies can help here but they can also cause grave
damage. Some have advocated a cybersecurity credential for
system developers as a forcing function.
The medical profession is a useful point of departure as
it, too, is concerned with matters of life and death. Here,
obtaining a credential requires far more than passing an exam.
It requires years of postgraduate study in which the curriculum
has been set by the most respected thinkers and practitioners
in the field.
Second, credential-holders are required to stay current
through courses sanctioned by the institution that issues
credentials. Finally, the threat of legal action, such as
malpractice litigation against a credential-holder, incentivizes
professionals to engage in best practices. Eliminate any of
these three aspects and I have grave doubts that the--about the
success of the resulting scheme.
In closing, let me observe that the armed forces have a
long and distinguished record of supporting research and
education in cybersecurity and in systems trustworthiness, but
our adversaries are now overtaking those early modest
investments. We must now move from a reactive mode to a
proactive one, which means creating a science base and
significantly ramping up our research, and while we need to
create a workforce that is up to the challenges of today and
tomorrow, we need to be thoughtful about any policy incentives
we impose to promote that.
Thank you.
[The prepared statement of Dr. Schneider can be found in
the Appendix on page 72.]
Ms. Sanchez. Thank you, gentlemen.
I will remind my colleagues that we are going to work under
the five-minute rule, and I will begin by asking questions.
Once again, thank you for being with us.
Dr. Schneider, you said we need to develop a science basis
for cybersecurity, and then you spoke about how the medical
profession trains and takes 10, 12, 15 years sometimes before
they go out and really do their work. What would you envision
would be a science-based cybersecurity pod?
What would it look like? Who would fund it? Would it be at
some universities? How would we get the cross-pollination of
different things going on?
Dr. Schneider. There is an active research community in
universities, and I would expect that most of the revolutionary
ideas would come from that community. By a science base I would
hope we come up with laws, like physical laws, that are
independent of technology, independent of specific application
problems, but that inform all our decisions about how to build
systems.
And like we see in the medical profession, there is applied
research, there are people who develop drugs, and there is
basic medical science research. And without this basic medical
science research we don't understand the mechanisms under which
diseases operate, and therefore we don't have a chance of
developing palliatives or cures.
And so really, medical research progresses on two planes.
There is a basic research that builds a foundation and it
enables specific research problem--topics to depart and address
specific diseases, and I would expect that to happen in this
setting as well.
Ms. Sanchez. Thank you.
Gentlemen, we just passed the cybersecurity bill in the
House maybe about two or three weeks ago, and one of the
amendments that I put onto it was to make it a little bit
easier for academia to, in particular, respond and work with us
at the government level, at the DOD level, to--with respect to
the security clearances and this type of thing. What do you
think are the major walls that are in place from having the
public sector, the working public sector, the people who are
commercializing some of this--actually doing their own basic
research most of the time and commercializing, but also taking
basic research we have and doing things.
What would you say are some of the barriers to working with
our Defense Department or other departments of our federal
government with respect to information-sharing and thought-sharing,
and what would you say it is from the academic
perspective from our universities and research centers?
And any of you can answer, or all of you, or----
Dr. Schneider.
Dr. Schneider. So, the risk of doing this is it might make
visible to our adversaries what is working and what is not
working, and that is primarily the concern about revealing
classified data to a broader community. On the other hand, it
seems pretty clear that we overclassify content with respect to
cybersecurity. And there is a grave risk that academics and
others who don't have access to this information will solve the
wrong problem.
Mr. Bond. Let me add to that if I can. This is one of the
reasons why we advocated this potential review of Title X to
look at a number of things through that prism, because in a
networked world we can bring people and ideas together more
easily--academics with government, private sector and public
sector. There are a number of rules, regulations, laws,
authorities in place built in earlier times for good reasons
and rationales of the time but which today represent large and
small obstacles to just that collaboration.
If I can, with the analogy used earlier to the medical
research efforts, the difference is you can't really talk to
the disease or even the particle if it is really, really basic
kind of physics research you are doing, but in this case we can
talk to not only leading--leading thinkers and leading
companies are talking to some of the folks who are engaged in
this kind of gray world between perpetrators and the rest of
the world. So there are collaborations and conversations. We
can learn more about what the adversary is doing, bring that
through academic and private sector partners so that we get to
that forward-looking agenda that Dr. Schneider talked about in
his testimony.
Ms. Sanchez. Mr. Bodenheimer.
Mr. Bodenheimer. I would agree that there are, indeed,
legal barriers to the information-sharing between DOD and the
private sector. There was a recent report in the U.S. STRATCOM
[Strategic Command], which identified about 23 different laws
bearing upon the public-private partnership in information-sharing.
About ten of those have a direct effect upon the
information-sharing issues.
We need a dual-pronged approach. One, as Mr. Bond said, we
do need to look at some of those laws to determine whether
there needs to be additional authority for DOD to share the
information with the private sector. In addition, there are
models for sharing the information, such as in the U.S.
STRATCOM report, by using a nonprofit organization to receive
the information and effectively serve as a clearinghouse.
I also agree with Dr. Schneider that overclassification has
been an issue. I think that we do need some institutionalized
methods, such as technology clearinghouses, with restrictions
on access but still access so that industry and the Department
of Defense can, in fact, work together.
Ms. Sanchez. I see that my time is up, and I am going to
pass on to Mr. Marshall, my colleague from Georgia. Georgia?
Mr. Marshall. Thank you, Madam Chair. Congratulations on
heading up the committee.
You note that there aren't a lot of members present, and it
is not that we are all over attending the health care summit or
watching the health care summit. We are certainly busy and we
tend to focus on things that we think we might, you know, add
some value to, and that might explain why so few of us are
here.
I am a former law professor, you know, reasonably well-
educated. I use computers all the time, and it is very
difficult for me to follow a lot of--your suggestions actually
are fairly straightforward and so I can follow the suggestions,
I just don't have a sense of--enough of a sense of the problem,
of the structure we currently have that is attempting to
address this problem, and whether that structure that we
currently have--those individuals who are currently doing this
who have expertise I don't come close to having nor will I ever
have--are the right experts to have. Are they appropriately
structured? Do they have the appropriate authorities?
So I have to assume that you all are here because you do
have some familiarity with how we, the government, are
currently structured to try and analyze, understand this issue
and then make recommendations to Congress concerning how we
should proceed--make recommendations to Congress for how we
should proceed. I fully accept Secretary Lynn's statement and
your description of the urgency of this. There is no doubt in
my mind that this is critically important; I just have no clue
what direction to go in.
So with your familiarity with our structure can you tell me
whether or not you are kind of comfortable with who is there,
how they are organized, and what they are doing to try and
tackle these issues that you are addressing today?
Mr. Bond. Let me take a first stab at your question, which
I think is a good one and I note the attendance as well, which
I think tells us in the industry something about our need to be
better in terms of educating and engaging policymakers on
this----
Ms. Sanchez. Mr. Bond.
Mr. Bond. Yes.
Ms. Sanchez. I might note for the record that the intel
authorization is--intelligence authorization bill is up on the
floor and many of the members who tend to be on this committee
are interested in some of the matters there, so it could very
possibly be--yes, and you know, we were shut down for two weeks
here so everybody is trying to catch up. So it could be a
matter of the timing as well as a matter of the fact that the
intel bill is on the floor that we may not see some of the
people here. But I know everybody is interested in it, and it
is a very complicated, very difficult issue to get our hands
around, but it is not because of you three.
Mr. Marshall. If I could reclaim my time here, it is
definitely not because of the three of you, but I have been on
this committee now for a while, and we have had hearings like
this in the past, and they are typically not very well
attended. And it is not because we aren't alarmed; it is not
because we don't worry about this problem. It is because we
don't really understand it very well.
And so we are hoping that we are appropriately organized,
that we have the right people in the government organized
appropriately to try and listen to folks like you and come up
with the right suggestions for us, whether it is change the
law, increase funding here or there, and that is my question:
Do you feel like we do have those folks in place and that they
are going to--and who are they, and how are they--are they
appropriately organized, they are going to make the right
recommendations?
Mr. Bond. I think there is an awful lot of talent across
the government applied against some of these things, and
indeed, as I tried to point out in my testimony, sometimes too
much talent.
So if there are 12 different efforts on the same topic--
that was what is behind our recommendation that the
administration maybe look at a coordinator to bring those
together; that was in information assurance. We also have the
challenge of legal prohibitions on co-locating private sector
and public sector folks together to work on some problems, and
this challenge cries out for exactly that kind of thing.
Mr. Marshall. Okay, so you, having said that, are there--
does Bill Lynn, for example, or the people who are advising him
concerning these issues, do they agree? Have they made a
suggestion to us that we modify the law in a certain way that
would then permit them to do the kind of collaboration that
they think is advisable and that you have in mind maybe?
Mr. Bond. On that last specific point, not that we are
aware of. We have had direct conversations with Secretary
Napolitano about it from a DHS perspective, so I know that she
is aware of that, and Phil Reitinger over there has identified
that as something he would like to address. So those kind of
discussions are going on, certainly.
Another one I would mention that is a specific challenge, I
think, to Capitol Hill is the speed of innovation is so much
faster than the speed of legislation that issues around budget
flexibility, the color of money and when that money dies, how
much flexibility you can have to respond quickly in a fast-
changing technology environment, those would be challenges here
with that branch of government that has the power of the purse.
Mr. Bodenheimer. I would like to add to what Mr. Bond said.
One of the things that we do see is a divided structure within
DOD and the civilian agencies. One of the things that Congress
has done well is to bring both from the Senate and the House
side the staffs together into cyberjams, and it would be great
to see a model like that, you know, within DOD and the civilian
side as well.
We need to bring together the standards that we see on the
DOD side with those on the civilian side and the IC
[intelligence community] in a way that we have a single set of
standards. We need the government--the executive agency
speaking with a single voice.
Mr. Marshall. Just to sort of give you an idea of how far
behind you I am, I--a single set of standards. What does that
mean? You just want to stop it all, so, I mean, that is how
basic my--there is a standard of acceptable--there is an
acceptable level of----
You don't really need to tell me. I am never going to
have that kind of expertise. I just want to know that the right
people are in place doing the right things.
Dr. Schneider. So, the good news is you have some very good
people. The bad news is they are not working in a context in
which they can get the job done. And I am a professional
computer scientist; I am going to become an amateur
governmentist and point something out.
The Defense Department is dependent on lots of stuff that
is highly vulnerable--the power grid, the communications
infrastructure in the public sector as well as stuff that they
operate themselves. There are some obvious things to make this
better. You could imagine a staged plan where you start
addressing short-term things, you worry about 10-year-out
problems, and you worry about investing in research long-term.
If you go into the Pentagon and look around you will find
nobody who is doing this, but what is worse is you will not
find anybody who believes this is his or her job. There is
nobody who feels it is job number one to create a program and
to execute on it.
With the appointment of Howard Schmidt in the White House
you could argue for the nation at large there has been some
movement in this direction, but the Defense Department cannot
depend on the efforts for the nation at large. Your needs are
slightly different; your needs are more critical, and there
needs to be somebody there. The people exist but nobody has
that job.
Mr. Marshall. Why don't we just go back and forth? There
are only two of us.
Okay. My impression jibes with what I think I heard from a
few of you, and that is that the technology that we use for
most of our systems lags behind a little bit, and I think in
part it is because of the process that we go through in order
to develop it, and then the concerns that we have concerning
changing it. You know, so we change it here, how is it going to
be compatible there? If we make this change how are we going to
train people, et cetera?
And I wonder, is there an accepted mechanism for us to
evaluate the effective--it would be very helpful if there were
some way to--an accepted way where, you know--not going to be a
lot of argument about this--to evaluate the talent and
productivity of the folks that we have that are developing our
software?
We have got a lot of software engineers out there that we
are relying upon, I guess people who could be working for
Google or Microsoft or what have you but they happen to be
working for us on software for UAVs [Unmanned Aerial Vehicles],
on software for communication, et cetera, in addition to
cybersecurity stuff. How do we evaluate whether or not they're
as talented as they need to be and productive as they need to
be?
Mr. Bond. Let me take a first stab at that. It strikes at
some fundamental issues, so I appreciate the question.
Much of the talent does come through private sector
partners on a lot of the large projects and there are a number
of metrics in the--from the very initial stages through
contract performance and other things. I would take the
question, if I could, and try to get back to you on how far
down the chain those go to individual engineers and how much
transparency there may be there.
So with your----
Mr. Marshall. No, no, that would be great.
Mr. Bond [continuing]. Forbearance we will try to take that
and get back to you with something.
[The information referred to can be found in the Appendix
on page 105.]
Mr. Marshall. And Dr. Schneider, if you would, I mean, the
committee staff here is great and they have been really working
on this issue for some time, and so if you could, if you would
get back with committee staff on that. And then, Dr. Schneider,
in your case, your thoughts concerning the absence of a mission
within the Pentagon, people specifically tasked to these kinds
of issues, if you could--it may be that it is in your
testimony. If it is not, if you could share that with us in
writing that would be very helpful if you could detail that.
And I am sorry, I interrupted--other thoughts about how we
evaluate, or, you know, do we have the right talent pool, is it
appropriately productive?
Mr. Bodenheimer. One of the things that we need to do is to
make cyber sexy to the people that are in the software
business. For example, my nephew is an IT wizard. He has no
interest in becoming involved in cybersecurity because there
are so many other opportunities, and I think part of it is a
marketing job and part of it is a credentialing job to make
cybersecurity professionals stand out. That would make a
difference.
Dr. Schneider. I am curious about your interest in
evaluating the quality of people since ultimately we really
want to evaluate the quality of the artifacts they produce. And
if, for example, we could evaluate the quality of what they
built--how secure it was--then we would have an easy way to
determine how good the people who built it are. Certainly when
you are going to buy a car you read Consumer Reports or
something and they discuss the car, they don't discuss the
engineers.
The bad news is, we don't really have a way to measure
security. We don't have a way to measure security or return on
investment from defenses, and this isn't--and this is a hard
fundamental problem. It is not something we are going to crack
in the near term. It is something everybody appreciates is a
big difficulty.
There is a famous quote that says, ``If you can't measure
something you really don't understand it,'' and the field is
well aware of this. And this is a fundamental disconnect.
And the reason it is a difficult problem is because you
don't know what to measure it against. You would like to
measure it against some hypothetical attacker, but as soon as
you deploy a defense the attacker gets wise and now you don't
know what to measure it against because the attacker may go in
any number of directions.
So this is the sort of problem that has eluded the field
for some time. This is one of the reasons I have been
advocating for the kind of science base, because I think that
is the only hope for getting these measurements. But I think in
the limit, we really want to be able to evaluate artifacts and
not evaluate people.
Mr. Bond. I would, if I could, just quickly observe, too,
there are a number of private sector-based efforts to measure
the reliability and kind of fundamental code within software
programs to increase your understanding of the assurance and
reliability of that, and I wanted to acknowledge and then agree
with Dr. Schneider's point, too, that one way of measuring that
is to look at the overall product, and is it working, and the
different levels of certification and other things.
Approaches to information assurance have tended to look at
it that way: Okay, let us break it down by level of
sensitivity, and therefore greater certification or greater
assurance as you climb up that stack. So each would have a
different metric assigned to it.
Ms. Sanchez. Gentlemen, what effect does having all these
former--these legacy systems in the Department of Defense and
sort of trying to hold on information and bring it forward and
move on--I mean, this is one of the reasons why we have had at
least hardware, in particular, sort of encumbered, if you will,
in the sense of trying to bring forward these legacy systems.
How does that impede us, or are we at the point where we could
just do a sort of data dump and move forward into the next
generation of whatever hardware and software will look like?
Are we in the process of doing that or are we still--I am
thinking in particular to the DOD. Are we still encumbered with
that? And I say that in the very naivest terms because I know,
you know, if we have a fire in some warehouse where the files
of our veterans are we could lose--I mean, there have been
cases where we lose everything we know about them, basically,
and we have to reconstruct from what they might have on hand.
How does the legacy issue affect an ability for us, from the
DOD standpoint, to move forward into this new arena?
Mr. Bond. I will take a first shot at that: I think that in
the rapid changing environment that we are in, the information
age, legacy systems are something that everybody deals with,
and perhaps government more than many others because
government, to a large extent, is in the information business
with its citizens and everything else, so I think that is a
constant. And large and small companies deal with it every day,
too. At my association I am sure most of my employees think our
systems are too old and would like something new and so forth,
so that is a constant.
What it takes me back to, though, is the recommendation--
and this is really why we need a panel of some experts to help
on these large-scale things, because it is like a multilevel
chess game, you have a lot of things you have to factor in. How
you are going to move information from the legacy systems, how
much of those are interoperable? Is the new system going to be
backward-compatible as you look at the next challenge and next
generation?
These are exactly the kinds of things that private sector
companies are dealing with all the time and could help the
agency deal with, but I think to best assist that would be kind
of an expert panel that can help on these, because these are
very large, complex systems, old and new, that the Department
needs to keep that warfighter at the very front on the edge.
Mr. Bodenheimer. Let me address that from an acquisition
standpoint. Many of these systems are in the process of being
replaced through various ERP [Enterprise Resource Planning]
procurements within the Department of Defense, you know,
replacing the stovepipe systems and the legacy systems.
I think one of the most important things we can do is make
sure that the contracts for replacing those old systems include
the requirements for information assurance and information
security in them. And in addition, I think that we need to take
a hard look to determine whether the existing DOD standards--
for example, the defense information assurance certification
and accreditation program, DIACAP--is the right standard, is a
sufficient minimum standard for applying to updating these
legacy systems.
Dr. Schneider. New systems are more secure than old
systems, but if you read the newspapers the front page is about
attacks against new systems. I don't believe that moving to
today's new systems is going to appreciably change how
vulnerable DOD is to cyber attacks.
I think the only way to change things is to build systems
differently, and that requires a different force field, whether
it is economic policy, legislative, that changes the equation
about how people are prepared to make investments when they
build the system, whether they are prepared to spend more time
testing the system, whether they are prepared to sacrifice
complexity, because complexity gives attackers an edge. But
just upgrading our systems to the latest is not going to
appreciably change the vulnerability of DOD systems.
Mr. Marshall. I am certain that software engineers, as they
develop products, have security in mind as they do so. How
could you not? I mean, it is just sort of--it is all around you
and your packages, your product is not going to be as
attractive in handling--you are not going to--it won't be as
attractive to the market, if the market is something that wants
security, if you can't somehow establish the security.
Within the private sector when large software packages are
being developed does the company go so far as to actually have
red teams that are trying to figure out ways to attack the
product, to destroy the product, to--you know, what are the--it
is not just relying on the software engineer who is designing
the product to come up with security that is adequate, but
actually trying to attack it. Do we have that?
I guess, Dr. Schneider, if we don't have anybody within DOD
that is really specifically charged with the responsibility of
worrying about these security issues we probably don't have red
teams that are actually out there trying to penetrate our
systems.
Dr. Schneider. No, actually DOD has some of the finest red
teams in the world. What we don't have in DOD is somebody who
is worried about the road map and making investments and
executing on a plan to move the field and move DOD forward so
that DOD is less vulnerable to all of the attacks that exist
today----
Mr. Marshall. Well, if we have got the best red team in the
world we are obviously concerned about cybersecurities, and yet
we are not appropriately structured because we are not--we
don't have the right mindset or the right division of
responsibilities, or our attention isn't drawn to this
adequately as we develop systems? Is that what you are saying?
Dr. Schneider. Yes, sir.
Mr. Marshall. And yet, here we are. It is national
security. We know cybersecurity is an issue. It is hard for me
to believe that we wouldn't have cybersecurity in mind as we
develop our software products.
Dr. Schneider. Yes, sir. It is very disturbing.
Mr. Marshall. So you have made the statement that, in fact,
we have this lack. How do you, you know--because frankly, if
the chairlady here was convinced there was such a lacking this
committee would be moving forward with whatever needs to be
done in order to make sure that that gets fixed. So would DOD
agree?
If we went to the folks in DOD who are principally
responsible for this at maybe the undersecretary level and we
said, ``Geez, you know, Dr. Schneider says we are not
structured appropriately. We don't have the right mindset. The
products that we are producing are inadequate because of this
failing.'' Would they say, ``Yes, that is true''?
Dr. Schneider. I couldn't put words in their mouth, but I
believe there are people who see it this way, yes.
Mr. Bond. If I can, I probably see it a little bit
differently. I do think DOD is moving exactly that direction
with the Cyber Command. There is a senior official in charge of
information assurance, which goes to the supply chains and so
forth. And I think in recent years, to your basic point, that
there has been a greater emphasis and understanding of the need
to build security into software even though companies certainly
test, because their reputation and their brand is going to be
at risk and can be--somebody can choose another product with
the click of a mouse.
But that said, there is much greater awareness just in the
last few years, nationally and throughout the software
community--the entire high tech community--to put more
attention and effort into building security in from the very
beginning so that it is not just patches and things you bolt on
the edge of your network or onto the software, but you build it
in from the very beginning. And so that should continue to
increase because the risk and importance is only growing, but I
do observe that in the last few years I think both the private
sector and DOD and the public sector generally have been moving
in that direction.
Ms. Sanchez. And I think that we have seen that, in
particular working on the homeland side, with respect to the
civilian side of the federal government. We certainly have seen
a bigger impetus to--a momentum to try to get that done, and
obviously also coming out of the White House and their
cybersecurity czar.
Did you have a comment----
Mr. Bodenheimer. Yes, Chairwoman. One of the things that I
think DOD would agree upon is we do need the regulations--the
acquisition regulations--out in public with comment and
discussions. This is one area that the Department of Defense
has shown leadership. They have prepared a set of acquisition
regulations specifically addressing the information security
issues. That puts DOD ahead of a number of other agencies which
have not issued those regulations.
I think it would be a great thing to get those regulations
through OMB and out into the public so we can comment and get
those regulations improved and as good as they can be. It would
then provide a gold standard for other agencies to use that as
a model for acquisition.
Ms. Sanchez. Let me ask you, what is the role of the
Defense Security Service in working with industry to secure
industry unclassified networks? Do they have a role in any of
this?
Mr. Bond. If I can----
Ms. Sanchez. Mr. Bond.
Mr. Bond [continuing]. I would just volunteer to get you
more detailed input from some of our member companies----
Ms. Sanchez. That would be great.
Mr. Bond [continuing]. On exactly their perspective and
what they would have the chair know about that.
Ms. Sanchez. I would like to see that. Great.
Do you have any more questions, Mr.----
Mr. Marshall. Yes, I do.
Mr. Bond, were you the one that suggested Reserve
officers--Reserve--has that proposal been kicked around with
DOD?
Mr. Bond. This is something that arose out of a
conversation between CEOs and chief information security
officers out in Silicon Valley with Secretary Napolitano where
she talked about her--the challenge that agency has in getting
enough skilled professionals in to meet the cybersecurity needs
of DHS and the palpable frustration of everybody else around
the table that they want to help defend their country and they
feel like they can't. They want to give executives to the
government for a short period of time; they want to supplement
their salary or do whatever they can to try to help defend
their country and they feel like they can't.
And so we began to look and talk to others in government
about models that might already exist that would be a good
framework that policymakers could quickly understand and the
reservist model suggested to us seems to be one that everybody
can understand quickly and say, ``Okay, great. You keep your
civilian job, you get to supplement the government salary, and
you get to come back to your civilian job. But in the meantime,
go help defend your country.''
Ms. Sanchez. And it sounds like a great idea. We ran into
this on Homeland, actually, having been on Homeland since the
inception of that committee, in just trying to fill the
cybersecurity czar position over there in the Homeland
Department. I would--and I am estimating--but having lived
through it I would guess that 50 percent of the time that
position was vacant, and that the other 50 percent of the
time--I am talking about the first 5 years' worth--I believe we
had six czars, and that the median stay of that--those czars
might have been 6 or 7 months.
And the biggest problem we found was how do we pay them for
what they are worth to come over and do that? And in fact, we
had one of them who was supplemented, I believe through a
university, maybe MIT [Massachusetts Institute of Technology]
or one of the others that was a Northeastern University.
And there was a total outcry when the newspapers came out
with the fact that they were funded by the university and only
taking the $160K, or whatever, that we were paying the czar but
had a total compensation package of $400 because--$400,000
because they were being subsidized by some university who, by
the way, the deanship of that university or the flagship of
that university was a private company. And therefore wasn't it
amazing that this czar guy was considering that the best stuff
was coming from, oh, by the way, the company that was funding
the university's program that was basically funding--you know,
I mean, you can imagine the iterations of what we went through
with this.
So the answer is, the reservist model is a new thing for me
to think about, but it is very difficult to figure out how we
do that--and that is one of the things we have to think through
if we do take a look at that--because, without naming names but
more or less my--what I remember of the situation was people
didn't stay very long because they weren't paid. If they were
paid from the outside it was a problem.
These people came, they stayed for a while. What did they
do when they left? They came back and they were the contractors
to the Homeland Department to bring in, you know, other
people's goods trying to sell us. So it is a very--it is a very
slippery slope on how we get people to come in and give us good
information, do the patriotic thing to their country, and at
the same time not be partial to whatever it is their company is
selling.
Mr. Bond. Couldn't agree more on exactly some of the
challenges. I think one of the things that appeals to many of
the executives involved about the reservist model is that it
could be more widespread, so it is not about what any one
individual and how they are gaming the system. The American
people understand the reservist concept as well, and it could
be a range of talent, too--it might be mid-level; it might be
senior level folks for a while--but could be a range, and that
therefore maybe that might be enough to get over some of those
obstacles you identified.
I guess it does, in my mind, two other things: One, it
underscores that this really is urgency. This is about national
security and if we are serious about it then we should bring
more people and talent to bear on it. And it goes to a point
that was raised earlier about making cybersecurity a little bit
sexy, you know, that no matter where you work in the industry
you can spend some time helping defend your country might be
very appealing.
Ms. Sanchez. Thank you.
Mr. Marshall. Could I ask----
Ms. Sanchez. I will allow one more question.
Mr. Marshall. Pardon me?
Ms. Sanchez. I will allow you one more question.
Mr. Marshall. You are all familiar with how software
programmers and others--you know, mid-level and higher level--
the reservists typically come in for a brief period, leave for
a brief period. How long do you think they would have to come
in in order to be effective?
Mr. Bond. Well, I----
Mr. Marshall. On average.
Mr. Bond. This is----
Mr. Marshall. Too much in the weeds?
Mr. Bond. Well, no. I just think the answer would vary. I
think just, you know, there might be longer tours of duty,
there might be particular talents that you want to bring in, a
shorter term on a project. So I think it probably would vary.
But also it is very much something notionally that some
leaders in the space have talked about and have not had the
benefit of enough thought and research yet to be a full-bodied
proposal to you. But I think it does underscore how much the
industry wants to help and how frustrated that they are.
Mr. Marshall. You know, it would be great--if you are
representing 1,200 companies you obviously have resources. I
think it would be wonderful if you could pull some folks
together and explore this with some detail and get it to us,
get it to DOD, you know, get it to whoever. And I think the
chair listed some of the concerns that we would have; no doubt
there are others out there as well. But the potential seems
fairly obvious to me.
Dr. Schneider, I hear you when you say we should be looking
at the quality of the product. I did mention productivity as
well as talent, and in this arena, just like many others,
obviously the talent of the workforce has a lot to say or to--a
major effect on the quality of the product that you wind up
getting, let alone productivity.
And so I hear Mr. Bond saying, and I think all of you would
agree, that, you know, to the extent that we can organize
ourselves in a way that brings to the table the best talent
that the country has to offer to try to tackle this problem
that affects both national security and--at a public level and
a private level--then we ought to be doing that if there is a
way to do that.
And I don't have to--I will never be an expert in this
area, and I don't have to be an expert in this area in order to
understand that we need to fund it, and if the right people are
in place giving us advice concerning how to go about funding it
then we will do it.
Mr. Bond. Well, I will commit to you that we will get back
to you. Next week in San Francisco is the world's largest
cybersecurity trade show. We will have a number of the CEOs who
are affiliated with our association meeting at that and I will
convey your message to them and we will get back to you with
some thoughts.
Mr. Marshall. Thank you.
Ms. Sanchez. Gentlemen, thank you so much for being before
our committee. As is the usual course of business, members will
have some--a few days to ask some additional questions in
writing and put them to you. We hope that you would answer them
fairly quickly for our committee.
And with no other questions out there we will close the
committee. Adjourned.
[Whereupon, at 3:09 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
Thursday, February 25, 2010
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
Thursday, February 25, 2010
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
WITNESS RESPONSES TO QUESTIONS ASKED DURING
THE HEARING
Thursday, February 25, 2010
=======================================================================
RESPONSE TO QUESTION SUBMITTED BY MR. MARSHALL
Mr. Bond.
                                                   Federal       Private Sector
                                                   Avg. Annual   Avg. Annual     Wage
Industry (NAICS sector)                            Wage (2008)   Wage (2008)     Differential
Computer Systems Design and Related Services       $53,355       $88,698         66%
Engineering Services                               $76,732       $79,363          3%
Research and Development in Physical,
  Engineering, and Life Sciences                   $89,732       $97,709          9%
Source: Bureau of Labor Statistics, QCEW (Quarterly Census of Employment and Wages) Database.
EDUCATION
For-profit firms are the largest employer of individuals with
science and engineering degrees.
For-profit firms employ 47% of individuals whose highest degree is
in science and engineering, compared to 13% employed by the government.
(The rest are employed by colleges/universities, nonprofits, or are
self-employed)
For-profit firms employ 28% of individuals with science and
engineering doctorates, compared to 9% employed by the government. (The
largest employers here are 4 year colleges and universities which
account for 42%.)
Source: National Science Board. 2010. Science and Engineering
Indicators 2010. Arlington, VA: National Science Foundation. P. 3-24.
[See page 13.]