
ENVIRONMENT, TECHNOLOGY, AND STANDARDS SUBCOMMITTEE

HOUSE OF REPRESENTATIVES,

ENVIRONMENT, TECHNOLOGY, AND STANDARDS SUBCOMMITTEE
Washington, DC, July 16, 2002.

Hon. RICHARD K. ARMEY

Chairman, Select Committee on Homeland Security, The Capitol, Washington, D.C. 20515

Hon. NANCY PELOSI

Ranking Member

Dear CHAIRMAN ARMEY and CHAIRMAN PELOSI: We are writing to ask that you give careful consideration to the amendments offered by the Committee on Science, particularly the provision that strikes Section 202, paragraph (4) from H.R. 5005. Under this paragraph, the Computer Security Division of the National Institute of Standards and Technology (NIST) would be transferred to the Department of Homeland Security. We strongly oppose the proposed transfer of the Computer Security Division and request that you retain the Science Committee's position during the Select Committee's deliberations.

As Members of the Environment, Technology, and Standards Subcommittee, which has jurisdiction over NIST, we gave careful scrutiny to the provision in H.R. 5005 that would transfer the Computer Security Division to the Department of Homeland Security. Based on information gathered from meetings with the Administration and from the two hearings on homeland security held by the Committee on Science, we concluded that the Computer Security Division could more effectively support the development and adoption of stronger information security standards, and thereby the mission of homeland security, if it remained in NIST.

We do not reach this conclusion as a matter of protecting the Committee's jurisdiction, as we have carefully reviewed other proposed transfers and have not objected to them. Our interest lies in improving information security, avoiding duplication of effort, and preserving functions that have worked very well within the Federal Government. While the President's proposal does have many important aspects protecting homeland security, the proposal to move this division would undermine a successful partnership in improving information security standards that the Federal government has developed with the private sector.

One reason that the Computer Security Division has been successful in developing information security standards that are widely accepted in the information technology community is because of NIST's close connection to its industrial customers. This relationship works two ways: technical experts from the private sector are involved at every step of NIST's standards development process, and the trust developed between NIST and the private sector facilitates adoption of the NIST standards.

Most of the nation's critical information infrastructure is privately owned and operated, and that which is government owned and operated relies on commercial off-the-shelf hardware and software. In short, in order to establish strong information security standards, government must work closely with the private sector. The information technology industry has been unanimous in their deep reservations about the proposed transfer of the Computer Security Division to the Department of Homeland Security. They do not believe that the relationship of trust and cooperation that they enjoy with NIST will survive the transfer of the division into the new Department. We share their reservations.

We also oppose this transfer because it will harm work done by both the Computer Security Division and NIST as a whole. This Division is deeply integrated within the Information Technology Lab at NIST. Cleaving it from the lab and moving it to the new Department would leave a gaping hole within the IT lab. Clearly, NIST would have to recreate this division if it were to carry out its mission, because computer security is integrated in NIST's information technology mission as a whole. It makes no sense to transfer this activity to the new Department, only to have NIST scramble for funding in order to recreate an integral part of the Information Technology lab. If adopted, Congress would be left funding both the Computer Security Division at the new Department, as well as its replacement at NIST.

In addition, when developing information security standards and carrying out computer security research, the Computer Security Division draws upon the technical expertise of many other NIST laboratories. For example, research on advanced encryption standards benefited from Nobel prize-winning research conducted by scientists in the Physics Laboratory at NIST. NIST's worldwide reputation for scientific excellence has an enormously positive impact on the work of the individual scientists who work there. If we sever or substantially alter this relationship, we may be ultimately undermining our goal of improving computer security within the Federal Government.

We ask that you leave the Computer Security Division at NIST. We believe the interests of homeland security, particularly those aspects that relate to information security, will be best served by leaving the division at NIST. We wish you all the best in your important endeavor.

Sincerely,

VERNON J. EHLERS

JAMES BARCIA
GIL GUTNECHT
LYNN RIVERS

AMERICAN ASSOCIATION FOR THE ADVANCEMENT OF SCIENCE
July 8, 2002

Hon. NANCY PELOSI
Ranking Member, Select Committee on Homeland Security, The Capitol, Washington, D.C. 20515

Dear RANKING MEMBER PELOSI: The American Association for the Advancement of Science (AAAS) has been following the current debate over the establishment of a new Department of Homeland Security with great interest. We are particularly concerned about the role and structure of counterterrorism research and development (R&D) in the new department.

As Congress begins the process of defining and shaping this department, we hope that careful consideration will be given to this issue. We agree strongly with House Science Committee Chairman Sherwood Boehlert that a "clear focus on - and locus for - research" will allow a new Department of Homeland Security to coordinate the many diverse scientific and technological areas essential to its functions. This focus would be sharpened by providing for the appointment of a single official - for example, an under secretary with responsibility for coordination of R&D across the entire department and with other relevant agencies.


This idea is underlined by the recent National Academies report which observed that the complexity and interdisciplinary nature of the science and technology involved in fighting terrorism requires more than just parallel investments in various areas of R&D. It calls for a well-orchestrated and coordinated endeavor among the 26 agencies that currently contribute to our nation's R&D enterprise.

AAAS is the world's largest general scientific society, with over 130,000 individual members and 272 affiliated societies, representing 10 million individuals in all fields of science and engineering. Founded in 1848, AAAS is also the publisher of the journal Science, and has long been a leader in promoting science to meet our national goals.

These comments are respectfully submitted as a means for enhancing the dialogue between the executive and legislative branches on this vital issue. AAAS supports a balanced approach to protecting our national security and promoting scientific and technological advancement and stands ready to assist you in the future.

Sincerely,

ALAN I. LESHNER

BUSINESS SOFTWARE ALLIANCE
July 16, 2002

Hon. RICHARD K. ARMEY

Chairman, Select Committee on Homeland Security, The Capitol, Washington, D.C. 20515

Dear CHAIRMAN ARMEY: The Business Software Alliance 1 (BSA) appreciates the opportunity to share with the Select Committee on Homeland Security our recommendations with regard to the committee-passed cyber security provisions of H.R. 5005 that we believe should be included in a final, consolidated Select Committee mark.

1 BSA members include Adobe, Apple, Autodesk, Bentley Systems, Borland, CNC Software/ Mastercam, Dell, Entrust, Hewlett-Packard, IBM, Intel, Intuit, Macromedia, Microsoft, Network Associates, Novell, Sybase, Symantec and Unigraphics Solutions (an EDS company).

We commend the House of Representatives for the excellent work undertaken by numerous committees in recent days to ensure that the Department of Homeland Security is well equipped to protect and advance our nation's cyber security. In examining the recommendations of these committees as reported in their versions of H.R. 5005, several provisions stand out as critical to America's ability to ensure the cyber security of its citizenry, and we ask that you include these provisions in the consolidated legislation that the House will consider.

These provisions are as follows:

1. Federal Government Computer Security

H.R. 5005 should include the Federal Information Security Management Act, as amended

• The Committee on Government Reform adopted provisions to require binding minimum Federal information security standards and guidelines for government departments and agencies. These provisions (based on H.R. 3844, the Federal Information Security Management Act, introduced by Rep. Tom Davis) will substantially strengthen what are currently unacceptably low levels of computer security within the Federal Government. Importantly, the bill adopted by the Committee on Government Reform states that these security standards and guidelines must be technology neutral and performance-based, and that they must not mandate the use of any specific hardware or software security solutions. Such flexibility is critical to the ability of Federal agencies to respond to fast-changing computer security threats.

H.R. 5005 should create a team of public and private sector experts to provide technical expertise on agency security.

• The Committee on Energy and Commerce mark calls for the creation of a Federal Information System Security Team to assist Federal agencies in hardening their systems against cyber attack. Team members would include both public and private sector technical experts, including auditors, computer scientists, and computer forensics analysts, who would analyze Federal security systems and report their findings to the Secretary and Inspector General of each Department. Strong public-private partnerships of this nature are critical in the field of cyber security, where the private sector owns and operates over 90 percent of the critical infrastructure networks in question.

2. Structure of the Department of Homeland Security

H.R. 5005 should create a specific cyber security program within the Department of Homeland Security.

• The Committee on Energy and Commerce included provisions to create a Cyber Security Program within the Department of Homeland Security's Office of Information Assessment and Critical Infrastructure. In so doing, the Committee seeks to ensure that cyber security functions receive sustained attention and concerted resources within the context of the Department's overall critical infrastructure protection mission. Strengthening cyber security requires analytical and technological capabilities that are related to, but also distinct from, traditional intelligence gathering and physical security functions, and we believe that these are best handled through a dedicated office or program within DHS. Further, we believe that the Department's CIO and Under Secretary for Management should advance existing efforts in key Department agencies to fund, implement and maintain the enhanced information security necessary for sensitive data and communications to be securely stored, transmitted, and disseminated within the Department.

H.R. 5005 should create the position of Undersecretary for Science and Technology.

• The Committee on Science mark creates the function of Undersecretary of Science and Technology within the Department of Homeland Security. Given the Department's wide responsibilities in this area, and the importance of sustained, focused R&D to our nation's ability to develop leading security technologies, the creation of this function is highly merited. We believe that this function should be tasked with explicitly establishing priorities for directing, funding and conducting R&D to improve cyber security, and that all such research should also be done in conjunction with private sector business partners (examining existing models of such partnerships) in order to maximize its effectiveness.

H.R. 5005 should maintain NIST's Computer Security Division within NIST.

• The Committee on Science included a provision to maintain NIST's Computer Security Division (CSD) within NIST, instead of moving its functions to the Department of Homeland Security, as has been proposed. We strongly support the Committee's decision in this regard. While we wholeheartedly endorse the Administration's efforts to create the greatest possible cohesion among security-related offices within the Federal Government, we believe that the CSD - a standards-setting entity - is integral to NIST's overall standards-setting mission and that its work in this area can best be achieved in the context of the Institute itself. Further, we are concerned that moving CSD to the Department of Homeland Security - an agency that will focus primarily on law enforcement-related issues - could result in CSD failing to adequately recognize the technological and cost feasibility issues associated with cyber security topics under the Department's jurisdiction. Moreover, since the Administration has repeatedly stated that it does not desire or envision imposing cyber security technological mandates on the private sector, we do not see the need to incorporate NIST's CSD within the Department.

3. Information Sharing

H.R. 5005 should encourage increased information sharing about cyber security threats.

• The Committee on Government Reform has included provisions that would greatly facilitate the voluntary sharing of information with the government and within industry. This provision protects against the disclosure of such information through the FOIA process and ensures that the information cannot be used against those providing the information in a civil suit. The measure was adopted on a bipartisan basis by the Committee and we urge its inclusion in H.R. 5005.

*

We believe that the provisions outlined above will form the basis of a strong and effective cyber security strategy by the Department of Homeland Security and the Federal Government overall. We urge the inclusion of these provisions in the consolidated legislation that will be considered by the full House of Representatives, and we thank you for your consideration of our views in this area.

Sincerely,

ROBERT HOLLEYMAN,
President and CEO

PUBLIC AND SCIENTIFIC AFFAIRS BOARD
AMERICAN SOCIETY FOR MICROBIOLOGY
Washington, DC, July 19, 2002.

Hon. RALPH HALL
Ranking Minority Member, Committee on Science, The Capitol Washington, D.C. 20515

Dear RANKING MEMBER HALL: The American Society for Microbiology (ASM) is writing concerning issues related to the proposed Department of Homeland Security (DHS) and the policy implications for the civilian biodefense and infectious disease research programs. The ASM has reviewed the Administration's Bill to establish a Department of Homeland Security and S.2452 to establish a Department of Homeland Security and a National Office for Combating Terrorism, introduced by Senator Lieberman.

The ASM is the largest life science society with over 40,000 members and its principal goal is the promotion of scientific knowledge of microbiology for the benefit of human welfare. The ASM has worked with the Administration, the Congress and federal agencies on measures to protect against biological weapons and bioterrorism. Most recently, ASM provided expert advice on provisions to expand the Biological Weapons Statute in the USA Patriot Act and on Title II of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, which expands controls on certain dangerous biological agents and toxins. ASM members are involved in research and public health initiatives aimed at eradicating the scourge of infectious diseases, which daily end the lives of thousands of Americans and tens of thousands around the world. Infectious diseases remain the major cause of death in the world for those under the age of 45 and particularly for children. They are the third leading cause of death in the United States.

The terrorist events of September 11 and the anthrax biocrime reveal the need and complexity of homeland defense. The ASM, therefore, supports efforts to establish a Department of Homeland Security that can provide oversight, coordination and leadership for biodefense activities. Given that science and technology will play a vital role in the biodefense of the nation, the ASM supports the establishment of an Office of Science and Technology as proposed in S 2452. This office will provide the necessary linkage between the Secretary of Homeland Security and all the numerous mission agencies charged with science and technology development.

It is critical that the proposed DHS build upon existing science and technology programs that hold promise in the defense against bioterrorism and in the effort against deadly infectious diseases. The ASM would like to submit the following comments to assist Congress as it deliberates how best to achieve this goal.

Biodefense research is part of the continuum of biomedical research aimed at protecting the nation and the world against infectious diseases. The capability to develop countermeasures and interventions is directly related to information generated by biomedical research on pathogenic microbes and the host response to these microbes. Therefore, it is critical that federal research efforts related to civilian human health-related biological, biomedical, and infectious diseases should be prioritized and conducted by, and at the direction of the Department of Health and Human Services (HHS). It is important to distinguish between oversight functions such as policy and planning guidance and coordination, which would well be served by an Office of Science and Technology within a Department of Homeland Security, and the responsibility and authority for the direction, control and conduct of scientific research. ASM recommends that HHS, a public health and biomedical research agency of unparalleled success, should continue to be responsible for the conduct and direction of scientific research.

The Administration's Bill recognizes the necessity that HHS conduct the research and development programs related to infectious diseases. Section 303(a)(1) of the Bill provides that the Secretary shall carry out responsibilities related to civilian human health-related biological, biomedical, and infectious diseases through HHS and the Public Health Service "under agreements with the Secretary of Health and Human Services, and may transfer funds to him in connection with such agreements." Section 301(2) of the Administration's Bill, however, gives DHS primary authority and responsibility for the conduct of national scientific research including "directing, funding, and conducting research and development" related to biological threats. Additionally, at Section 303(a)(2), the Bill provides that DHS, in consultation with HHS, "shall have authority to establish the research and development program, including the setting of priorities".

The ASM understands the role envisioned for DHS is to integrate threat analysis and vulnerability assessments and identify priorities for preventive and protective steps to be taken by other federal agencies to protect the American public. The HHS, however, is best qualified to establish biomedical research and development programs and identify scientific opportunities and the research approaches for ensuring that biodefense needs are met in the best way possible. The NIAID is best able to bring together all aspects of biomedical research and the full capability of science to ensure breakthroughs and advances of high quality for biodefense. The proposed restructuring of program authorities in the Administration's bill will create unpredictability for research programs, will divert monies from research and will not be the best approach to achieving the goal of civilian biodefense, which requires the involvement of the best scientific minds and the support of excellent science based on merit review.

We have already seen the ability of HHS to respond to bioterrorism. In the months since September 11, 2001, the National Institute of Allergy and Infectious Diseases (NIAID) within the National Institutes of Health (NIH) has rapidly accelerated work to protect the nation against the threat of bioterrorism. This acceleration has occurred across the spectrum of scientific activities from basic research in microbial biology to the development of vaccines and therapeutics to research related to diagnostic systems. It is critical that this work continue to develop rapidly and efficiently without delay, disruption or loss of momentum.

ASM agrees that DHS should have an important role in developing the nation's defenses against, and responses to biological threats. The DHS can and should coordinate, review, and evaluate scientific and technical programs related to human, animal, and plant life. However, a scientific health agency, HHS, rather than the nonscientific, nonpublic health DHS should have the principal authority for developing and prioritizing scientific and health related programs.

Essentially, therefore, the ASM suggests reversing the responsibilities identified in Section 303(a)(2) of the Administration's Bill. HHS, in consultation and coordina
