[106th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]

COMPUTER SECURITY IMPACT OF Y2K: EXPANDED RISKS OR FRAUD?
=======================================================================
JOINT HEARING before the SUBCOMMITTEE ON TECHNOLOGY of the COMMITTEE ON SCIENCE and the SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION, AND TECHNOLOGY of the COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
AUGUST 4, 1999
Science Serial No. 106-23
Government Reform Serial No. 106-57
Printed for the use of the Committee on Science
U.S. GOVERNMENT PRINTING OFFICE, 60-842, WASHINGTON : 2000

COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
Majority: BENJAMIN A. GILMAN, New York; CONSTANCE A. MORELLA, Maryland; CHRISTOPHER SHAYS, Connecticut; ILEANA ROS-LEHTINEN, Florida; JOHN M. McHUGH, New York; STEPHEN HORN, California; JOHN L. MICA, Florida; THOMAS M. DAVIS, Virginia; DAVID M. McINTOSH, Indiana; MARK E. SOUDER, Indiana; JOE SCARBOROUGH, Florida; STEVEN C. LaTOURETTE, Ohio; MARSHALL ``MARK'' SANFORD, South Carolina; BOB BARR, Georgia; DAN MILLER, Florida; ASA HUTCHINSON, Arkansas; LEE TERRY, Nebraska; JUDY BIGGERT, Illinois; GREG WALDEN, Oregon; DOUG OSE, California; PAUL RYAN, Wisconsin; HELEN CHENOWETH, Idaho; DAVID VITTER, Louisiana
Minority: HENRY A. WAXMAN, California; TOM LANTOS, California; ROBERT E. WISE, Jr., West Virginia; MAJOR R. OWENS, New York; EDOLPHUS TOWNS, New York; PAUL E. KANJORSKI, Pennsylvania; PATSY T. MINK, Hawaii; CAROLYN B. MALONEY, New York; ELEANOR HOLMES NORTON, Washington, DC; CHAKA FATTAH, Pennsylvania; ELIJAH E. CUMMINGS, Maryland; DENNIS J. KUCINICH, Ohio; ROD R. BLAGOJEVICH, Illinois; DANNY K. DAVIS, Illinois; JOHN F. TIERNEY, Massachusetts; JIM TURNER, Texas; THOMAS H. ALLEN, Maine; HAROLD E. FORD, Jr., Tennessee; JANICE D. SCHAKOWSKY, Illinois; BERNARD SANDERS, Vermont (Independent)
Staff: Kevin Binger, Staff Director; Daniel R. Moll, Deputy Staff Director; David A. Kass, Deputy Counsel and Parliamentarian; Carla J. Martin, Chief Clerk; Phil Schiliro, Minority Staff Director

Subcommittee on Government Management, Information, and Technology
STEPHEN HORN, California, Chairman
Majority: JUDY BIGGERT, Illinois; THOMAS M. DAVIS, Virginia; GREG WALDEN, Oregon; DOUG OSE, California; PAUL RYAN, Wisconsin
Minority: JIM TURNER, Texas; PAUL E. KANJORSKI, Pennsylvania; MAJOR R. OWENS, New York; PATSY T. MINK, Hawaii; CAROLYN B. MALONEY, New York
Ex Officio: DAN BURTON, Indiana; HENRY A. WAXMAN, California
Staff: J. Russell George, Staff Director and Chief Counsel; Matt Ryan, Senior Policy Director; Bonnie Heald, Communications Director/Professional Staff Member; Grant Newman, Clerk; Trey Henderson, Minority Counsel

COMMITTEE ON SCIENCE
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
Majority: SHERWOOD L. BOEHLERT, New York; LAMAR SMITH, Texas; CONSTANCE A. MORELLA, Maryland; CURT WELDON, Pennsylvania; DANA ROHRABACHER, California; JOE BARTON, Texas; KEN CALVERT, California; NICK SMITH, Michigan; ROSCOE G. BARTLETT, Maryland; VERNON J. EHLERS, Michigan; DAVE WELDON, Florida; GIL GUTKNECHT, Minnesota; THOMAS W. EWING, Illinois; CHRIS CANNON, Utah; KEVIN BRADY, Texas; MERRILL COOK, Utah; GEORGE R. NETHERCUTT, Jr., Washington; FRANK D. LUCAS, Oklahoma; MARK GREEN, Wisconsin; STEVEN T. KUYKENDALL, California; GARY G. MILLER, California; JUDY BIGGERT, Illinois; MARSHALL ``MARK'' SANFORD, South Carolina; JACK METCALF, Washington
Minority: RALPH M. HALL, Texas; BART GORDON, Tennessee; JERRY F. COSTELLO, Illinois; JAMES A. BARCIA, Michigan; EDDIE BERNICE JOHNSON, Texas; LYNN C. WOOLSEY, California; LYNN N. RIVERS, Michigan; ZOE LOFGREN, California; MICHAEL F. DOYLE, Pennsylvania; SHEILA JACKSON LEE, Texas; DEBBIE STABENOW, Michigan; BOB ETHERIDGE, North Carolina; NICK LAMPSON, Texas; JOHN B. LARSON, Connecticut; MARK UDALL, Colorado; DAVID WU, Oregon; ANTHONY D. WEINER, New York; MICHAEL E. CAPUANO, Massachusetts; BRIAN BAIRD, Washington; JOSEPH M. HOEFFEL, Pennsylvania; DENNIS MOORE, Kansas; VACANCY

C O N T E N T S
August 4, 1999:
Opening Statement by Representative Constance A. Morella, Chairwoman, Subcommittee on Technology, U.S. House of Representatives
Opening Statement by Representative Stephen Horn, Chairman, Subcommittee on Government Management, Information and Technology, U.S. House of Representatives
Opening Statement by Representative Mark Udall, Member, Subcommittee on Technology, U.S. House of Representatives
Witnesses:
Mr. Joe Pucciarelli, Vice President and Research Director, Gartner Group Inc.: Oral Testimony; Prepared Testimony; Biography; Financial Disclosure
Mr. Harris Miller, President, Information Technology Association of America: Oral Testimony; Prepared Testimony; Biography; Financial Disclosure
Mr. Dean Rich, Vice President for Security Services, WarRoom Research: Oral Testimony; Prepared Testimony; Biography; Financial Disclosure
Mr. Wayne Bennett, Chair, Commercial Technology Practice Area, Bingham Dana LLP: Oral Testimony; Prepared Testimony; Biography; Financial Disclosure
Appendix 1: Additional Statements
Statement by Representative Debbie Stabenow, Member, Subcommittee on Technology, U.S. House of Representatives
Appendix 2: Materials for the Record
USA Today Article, ``Y2K fixes open door for electronic heist,'' M.J. Zuckerman
Gartner Group Report, ``Year 2000 and the Expanded Risk of Financial Fraud,'' April 1, 1999

HEARING ON THE COMPUTER SECURITY IMPACT OF Y2K: ``EXPANDED RISKS OR FRAUD?''
----------
WEDNESDAY, AUGUST 4, 1999
House of Representatives, Subcommittee on Technology, Committee on Science, and the Subcommittee on Government Management, Information, and Technology, Committee on Government Reform, Washington, DC.
The subcommittees met, pursuant to notice, at 10:06 a.m., in Room 2318, Rayburn House Office Building, Hon. Constance A. Morella [chairwoman of the subcommittee] presiding.
Present: Representatives Morella, Horn, Bartlett, Gutknecht, Turner, Rivers, Stabenow, Udall, and Wu.
Chairwoman Morella. I'm going to call to order the latest in our series of ongoing hearings on our House Y2K Working Group made up of the Science Committee's Technology Subcommittee and the Government Reform Committee's Government Management, Information, and Technology Subcommittee. On behalf of my colleagues Chairman Horn, Ranking Members Barcia and Turner, and Mr. Udall, I want to welcome our distinguished panel as we discuss today the concerns raised by a number of information technology experts that Y2K fixes may pose a substantial security threat to computer operating systems. While the Technology Subcommittee has been reviewing the year 2000 problem over the past 3 years, during that time we have also been looking closely at the issue of computer security. Many of you have heard me compare our Nation's lack of adequate information security to the year 2000 computer problem.
Well, it now appears that Y2K and computer security aren't just inviting comparisons, but have overlapped into one issue. A lot of recent attention has been focused on the April 1, 1999, GartnerGroup report suggesting that as part of every year 2000 system fix, every aspect of every single information technology system is potentially subject to change and manipulation, raising the risk of theft, fraud, or corruption. The GartnerGroup report also stated that at least one publicly reported theft exceeding $1 billion may occur through lapses in security directly resulting from Y2K remediation efforts. Since the publication of the report, a number of independent scientists, security professionals, and others in the Y2K community appear to have few quarrels with the GartnerGroup's dire prediction. The concern is that Y2K employees who have been hired to correct systems might have left ``trap doors'' or may manipulate the computer code through which they can clandestinely take control of the system at a future date--leaving vulnerable the systems that electronically move $11 trillion a year among financial institutions, corporations, governments, and private organizations. The computer security threat, however, may not be motivated merely by just financial theft and fraud. Some Y2K programmers with malicious intent may be quietly installing malicious software codes--such as a logic bomb or a time-delayed virus--to sabotage companies or gain access to sensitive information sometime in the new millennium. Most troubling is that several security firms say that they have already found ``trap doors'' in Y2K programming. If used successfully for hostile purposes, these computer ``trap doors'' can open to make sensitive national and proprietary information systems vulnerable to be accessed, stolen, compromised, or disrupted. With less than 150 days now before the January 1, 2000, deadline, the last thing we want to do is to defer any Y2K remediation efforts.
It should be made clear that nobody should halt or suspend fixing their Y2K problems simply because there exists this potential for computer security breaches. The goal of this hearing is not to create a how-to guide and stoke the embers of those Y2K programmers with a felonious heart and malicious intent. The goal of this hearing is to determine what measures can be undertaken to protect our computer systems and to limit the potential of Y2K computer security breaches. It is my hope that, today, this panel can collectively come up with measures and guidelines that both the private and public sectors can review and utilize in their current remediation efforts to deter and catch any computer security breach that may occur as a result of the Y2K fix. Toward that end, I am pleased that we have a very distinguished panel. I welcome Mr. Joe Pucciarelli, Vice President, Research Director of the GartnerGroup, a leading and influential information technology research firm, which we know very well through our hearings, and the author of the GartnerGroup Y2K computer security report. Also joining us is a familiar figure to us, Mr. Harris Miller, President of the Information Technology Association of America. The Technology Subcommittee has worked very closely with Mr. Miller and the ITAA in the past on both the Y2K and the computer security issue, and it is great to see him back as a witness before us. We also have Mr. Dean Rich, Vice President for Security Services at WarRoom Research in Annapolis, Maryland, who is a computer security consultant with a great deal of expertise and experience in both the public and private sectors. I'm somebody who knows Annapolis well. I welcome you also, Mr. Rich. Additionally, Mr. Wayne Bennett, Chair of the Commercial Technology Practice Area of the law firm of Bingham Dana in Boston and an expert in computer security laws and practice, is with us today. A pleasure to have you, Mr. Bennett. 
So I look forward to everybody's testimony, and I would now like to turn to our distinguished Co-Chair of today's hearing, the member from California, Chairman of the Government Management, Information and Technology Subcommittee, Mr. Horn, for any opening statement that he may wish to make. Mr. Horn.
Mr. Horn. Thank you very much. For the past 3 years, these two Subcommittees have been prodding agencies in the executive branch of the Federal Government to prepare their computer systems for the year 2000. Nearly all seem to have made good progress toward avoiding major computer disruptions at the end of this year. However, the rush to solve the year 2000 problem may have created another more insidious and potentially troubling problem. Today, we will discuss the danger that government agencies, corporations, and individuals are now more vulnerable to computer fraud, whether it is in the form of electronic robberies or information warfare. The reality is that computer systems can be compromised for any number of reasons--some far more damaging than the loss of money. Among them are the threats of industrial or military espionage and the use of computers and the network systems by terrorists or organized crime. Private companies and government agencies alike have opened up their most sensitive computer systems to outside contractors who are helping them sort through billions of lines of computer code to ensure their year 2000 compliance. Although the vast majority of these contractors are honest and trustworthy people, even a few unscrupulous operators could create a significant problem. The GartnerGroup, which is represented here today, has predicted that by 2004, there will be at least one reported $1 billion or more theft due to the year 2000 remediation effort. The concern involves something called ``trap doors,'' computer coding that can give unscrupulous contractors access to the sensitive information in a computer long after the year 2000 work is completed.
From bank accounts and intellectual property to medical records and defense secrets, companies and government agencies have given contractors the keys that unlock an enormous storehouse of information. With only 149 days left until the new millennium, we must ensure that our critical information technology infrastructure is secure long after the year 2000 has passed away. So, with Mrs. Morella, I welcome the witnesses we have today, and I'm sure you will enlighten us in a number of areas.
[The prepared statement of Hon. Stephen Horn follows:]
Chairwoman Morella. Thank you, Chairman Horn. I am now pleased to recognize for any opening comments Mr. Udall, who is our ranking member today.
Mr. Udall. Thank you, Madam Chairman. I want to join my colleagues in welcoming all of you here today to the hearing. This hearing focuses on two issues, the way I see it: computer and network security and then, secondly, whether Y2K-related computer system upgrades have increased the threat to a company's or a federal agency's computer security. I'd like to take a few minutes to speak about the Science Committee's role in the area of computer security. Going back into the late 1980s, the members of this Committee were aware that the first computer networks, such as ARPANET, which became NSFNET and is now known, of course, as the Internet, had a two-edged quality: they improved electronic communication but also compromised computer security. In 1987, the Science Committee was instrumental in developing and passing the Computer Security Act. This was the first effort to improve the security of federal computer systems. Ever since, the Science Committee has maintained a high profile in this area. I mention this issue because many believe that Congress has not given sufficient attention to this issue of computer security.
I wanted to highlight that at least one Congressional Committee has worked diligently to raise public and government awareness of computer security issues for more than a decade. This was long before most people even knew that the Internet existed, let alone before related computer security issues became important. Today's hearing, as my fellow colleagues have mentioned, was prompted by recent newspaper stories about a GartnerGroup report warning that by 2004 there will be at least one publicly reported electronic theft exceeding $1 billion and that steps to solve the Y2K problem will be a root cause of the security lapses that have allowed this step to happen. This is a serious assertion that raises more questions than it answers. For example, if it's true there will be at least a $1 billion theft, what about the likelihood of several thefts in the range of $100 million or the tens of thousands of dollars? Further, how credible are these alarms? After all, the warnings themselves could undermine public trust in our financial systems and the government's ability to provide public services and in our computer-based infrastructure as a whole. So, in that spirit, there are several issues that I hope our witnesses will address today. The first is: What data substantiates claims that there's an increased risk of fraud as a result of these Y2K fixes? Secondly, federal agencies, including Congress, and industry have relied on contractors to service their computer systems since their first installation. What has been the past experience of this type of fraud? And then, finally, if this Y2K-related fraud is a real problem, what steps can federal agencies and large corporations take to determine if the malicious code, the so-called trap doors, have been inserted into their programs? I want to thank you for being here. I very much look forward to hearing what you have to say. Thank you. Chairwoman Morella. Thank you, Mr. 
Udall, and thank you for also mentioning sort of the genesis of the Science Committee's interest and involvement in this issue. I'm now going to ask our panelists if they would rise and raise their right hand. It's the policy of this Committee to swear in those who will testify. Do you swear that the testimony you are about to give is the truth, the whole truth, and nothing but the truth?
Mr. Pucciarelli. I do.
Mr. Miller. I do.
Mr. Rich. I do.
Mr. Bennett. I do.
Chairwoman Morella. The record will reflect an affirmative response from all. And, again, we'll try to follow a tradition, to give time for questions and other comments, of asking each panelist to speak about 5 minutes, and then we'll open it up to questions. And we'll start off then in the order in which I mentioned you. Mr. Pucciarelli, you will start off with the Gartner report.
STATEMENTS OF JOSEPH C. PUCCIARELLI, VICE PRESIDENT AND RESEARCH DIRECTOR, GARTNERGROUP, INC., STAMFORD, CONNECTICUT; HARRIS N. MILLER, PRESIDENT, INFORMATION TECHNOLOGY ASSOCIATION OF AMERICA, ARLINGTON, VIRGINIA; L. DEAN RICH, VICE PRESIDENT FOR SECURITY SERVICES, WARROOM RESEARCH, ANNAPOLIS, MARYLAND; AND WAYNE D. BENNETT, CHAIR, COMMERCIAL TECHNOLOGY PRACTICE AREA, BINGHAM DANA LLP, BOSTON, MASSACHUSETTS
STATEMENT OF JOSEPH C. PUCCIARELLI
Mr. Pucciarelli. Madam Chairman--Madam Chairwoman, Mr. Chairman, and Members of the two Subcommittees, I appreciate the opportunity to testify----
Chairwoman Morella. I think you should either move it closer or make sure it's on.
Mr. Pucciarelli. Madam Chairwoman, Mr. Chairman, and Members of the two Subcommittees, I appreciate the opportunity to testify today on the computer security impact of year 2000 and the expanded risks of fraud.
Key points in my testimony we will discuss: our prediction, the analysts of GartnerGroup, that by 2004 there will be at least one publicly reported electronic theft exceeding $1 billion, 70 percent likelihood; our forecast that year 2000 remediation efforts will be identified as a root cause of the security lapses that will have allowed this theft to happen, 70 percent likelihood; and how input from our clients was factored into these predictions and caused us to increase the probabilities. My role is to advise business and financial executives in the public and private sector on actions they should take to protect and maximize the effectiveness of their investments in computer technology. We found medium and large organizations in the United States spend some 8 percent of sales revenue--that is, 8 cents of every sales dollar--for computer systems. Ten years ago, this number was only 1 percent. During the same period, our financial systems have largely migrated to an electronically interconnected business model. Best estimates are that $11 trillion in electronic transfers occurred in the United States in 1998. Earlier this year, as part of my ongoing research, I reviewed those issues that may require action by my clients. I concluded, by reviewing the technical research conducted by my colleagues at GartnerGroup, that many firms had not taken adequate steps to secure and audit a year 2000 remediation process. Based on these observations, I formulated a recommendation to our clients. I reviewed these preliminary findings with some 300 clients on Tuesday, March 2, 1999, at a conference in New Orleans. Our clients had differing opinions. Their feedback indicated that the risk of theft was even higher than I had proposed. 
As a result, we formally advised our clients in April that we believe that by 2004 there will be at least one publicly reported electronic theft exceeding $1 billion, and that Y2K remediation efforts will be a root cause of those--that allowed this theft to happen, 70 percent likelihood. Predicting what will happen is challenging. Anticipating how it may happen raises the bar considerably. In the case of the first $1 billion electronic theft, the motive will likely be one of greed combined with feelings of underappreciation by a highly skilled software engineer, especially related to the stress of the year 2000 remediation effort. The means will be the tools at hand--the same electronic systems that reliably transact the business of the day will be instructed to transfer funds beyond the boundaries of the enterprise into the hands of a thief. The opportunity to perpetrate the crime will come in an odd moment, a situation outside the bounds of the operating manual. A system will crash unexpectedly and a single software engineer could make changes without the normal reviews, due diligence, or oversight. Further, the incident will likely occur long after January 1, 2000. Clearly, a billion dollars is a huge sum of money. However, compared with the $11 trillion in annual volume of financial electronic data interchange transfers during 1998, which are growing some 40 percent annually, it represents only 0.0009 percent. To use a metaphor, a $1 billion theft compared to the $11 trillion in throughput equates to 48 minutes over the course of a year. In this context, a billion seems somewhat less significant. Opposing all this money is the unbounded creativity of the human mind--which has proved the world round, produced Einstein's theory of relativity, placed a man on the moon, and committed countless crimes throughout history.
From the Brinks armored car robbery through the Great Train Robbery, to the most recent financial scandals including BCCI and Barings, each generation adapts theft and fraud to the technological circumstances of the day. Given the enormity of the year 2000 remediation process, the scope of the cash flowing through these systems and the resourcefulness of the human mind in finding different ways to steal, a large theft seems much more likely, perhaps inevitable. Specific steps need to be taken now and continually re-emphasized to minimize risk. Specifically, we recommended: One, the most effective theft and fraud deterrent is maintaining the perception that there are high levels of security. To accomplish this, we advise our clients to collaborate to create a year 2000 security team with the requisite technical and auditing skills to review procedures, assess the threats, and implement a containment plan. Second, procedure reviews must limit the ability of a single individual to make changes or initiate activities without a second person participating in the process. Third, risk assessment must include reviewing all enterprise insurance coverage as well as contracts with external service providers and independent (programmer) contractors. Four, risk management plans should include careful reconsideration of all existing theft and fraud deterrence activities in light of this expanded threat profile. The law of very large numbers dictates that we will have a vastly increased risk of theft after the year 2000 remediation efforts. In the rush to aggressively solve one problem, enterprises need to ensure appropriate resources have been rededicated to protecting the enterprise from the increased risks of electronic theft and fraud--possibly the most important artifact created by year 2000 remediation.
These nonlinear consequences of the year 2000 computer maintenance effort may have a more profound implication than the linear consequences such as a failure of a specific computer system. Thank you.
[The statement of Mr. Pucciarelli follows:]
STATEMENT OF HARRIS N. MILLER
Mr. Miller. Thank you, Chairwoman Morella and Chairman Horn and other Members of the Subcommittee. It is an honor to appear before your joint Subcommittees, and I want to commend you and your colleagues for holding this hearing on computer security as attention moves from the Y2K problem to the next and even greater challenge--Information Security or Critical Information Infrastructure Protection, as it is often called. Just as your two Subcommittees were among the leaders in educating Congress and the Nation on the year 2000 challenge, I know that you will play the same role on Information Security. Make no mistake about it: Information Security is the next Y2K issue for the IT community and its users. The evildoers are not just unscrupulous Y2K repair firms. The infosec threat comes in numerous guises: mischief-minded hackers, disgruntled employees, corporate spies, cyber criminals, terrorists, and unfriendly nations. Virus episodes like Melissa and Chernobyl are becoming more frequent. The Symantec Anti-Virus Research Center estimates that new viruses are being launched at a rate of 10 to 15 per day and that over 2,400 currently exist, and 35 percent of those are considered to be intentionally destructive. And, of course, there are the unintended consequences associated with our new dynamic information technology evolution, and, of course, year 2000 is the exhibit number one.
Assessing the ultimate infosec roles for government and the private sector is really very simple. Our new information-based assets must be protected and preserved. Participants and users must understand that along with the obvious benefits of information technology are corresponding commitments to protect information technology. With rights--the right for IT to become the firmament on which most of our society, our government, and our economy are built--come responsibilities. And the primary responsibility is to ensure the security of our information society. The societal stakes involved compel government and industry to seek common ground on the issue. Security is much more challenging in the digital world because it is not the traditional security of wire fences, thick walls, and guard dogs. And it is not an activity just to be left to the experts, for all of us are part of the information age and must be sensitive to protecting it. The road to a common ground between government and industry will never be a straight line. On the contrary, while the ends are commonly shared, the policies that government and industry will develop in order to provide this protection are likely to be quite different. Again, I remind the Subcommittees that the year 2000 is the wake-up call. A well-prepared and well- informed private sector can work with government to find the proper balance which optimizes the government's needs to protect the critical infrastructure with business' needs to manage risks appropriately. Significant reservations exist, however, on the part of both private industry and government, and ITAA is attempting to address both from a theoretical and practical standpoint. In developing industry positions on national infosec issues, ITAA has established a list of general principles that will guide the development of our policy. 
They emphasize industry leadership, communication and collaboration, infosec commensurate with the true threat involved without embellishment or magnification, and international collaboration. My written statement provided to the Committee outlines these principles in more detail. But there are also many questions that must be addressed, including the question, for example: What should be the mechanism for sharing information between government and the private sector, or even within the private sector itself? What type of threat and intrusion reporting will be required as opposed to optional? What type of organizations should plan and execute the strategy for critical information infrastructure defense? And what kind of legal and regulatory obstacles are there to information sharing and information security? And, of course, a less tangible concern must be addressed, particularly development of trust, both within the private sector and between the private sector and government. So as you can see, there is much to be done. We are working with our customers and with our government to build the necessary bridges. ITAA is taking a number of actions to focus on this issue. Following, for example, the issuance of Presidential Decision Directive 63 last year, ITAA was appointed as the sector coordinator for the IT sector along with two other high-tech trade associations. We are involved in massive education efforts, including White Papers, and we have held frequent meetings with representatives across the government to educate, discuss, and provide input. Education and outreach will be critical to the success of our efforts collectively. This past March, ITAA created the framework for a new Cybercitizen Partnership in conjunction with Attorney General Janet Reno. The partnership will focus on promoting individual responsibility in cyberspace and creating a private-public sector forum for exchange and cooperation. 
In all honesty, we at ITAA face a daunting job of convincing the IT industry and our customers to work with government on these initiatives. But it is a challenge we must step up to if we are to achieve any degree of success in opening lines of communication. The United States and much of the world are building their economic house on an information technology foundation. This is an extremely positive approach to take, delivering tangible benefits to a fast-growing percentage of the world's population. If year 2000 is the first challenge to place our economic house at risk, failure to adopt a rigorous approach to infosec will be the second and even more dangerous. ITAA and its member companies are committed to a private sector leadership role in ensuring that the necessary, timely, and cost-effective solutions are implemented. Thank you, and I would be happy to answer any questions you may have.
[The statement of Mr. Miller follows:]
Chairwoman Morella. Thank you, Mr. Miller. And I want all of the panelists to know that the entirety of their statements as submitted to us will be included in the record, and I know that you have submitted extensive statements, and we appreciate that. Mr. Rich, I now recognize you, sir. May I indicate that we have been joined by Mr. Bartlett from the great State of Maryland. Mr. Rich is from Maryland, Mr. Bartlett.
STATEMENT OF L. DEAN RICH
Mr. Rich. Thank you. Chairwoman Morella, Chairman Horn, and Members of the Subcommittees, I appreciate the opportunity to appear before you and I thank you for continuing to address the problems associated with information assurance and national critical infrastructure. As a lead into Y2K, I'd like to submit that Y2K, while a problem in itself, is a manifestation of a much larger issue--overall infrastructure assurance. We can look at Y2K as a wake-up event to better understand and manage those systems that are increasing in control or influencing every aspect of our lives. I come to this Committee with a background of information security as a Naval Reserve Officer in the Naval Cryptologic community and as a businessman working with industry to address the very issues we are discussing today. I support the Naval Criminal Investigative Service in my reserve capacity addressing threat issues. In my civilian position, I am currently with WarRoom Research as Vice President of Security Services, addressing both threat and vulnerability issues. You might recall that WarRoom Research serviced the U.S. Senate's Permanent Subcommittee on Investigations under the 1996 Security in Cyberspace Hearings where we collected information security risk profiles of 205 Fortune 1,000 corporations. As we move even further into the digital age, those elements that comprise electronic commerce, networked systems, and national infrastructure are increasingly at risk. In order for this networked world to be viable and to be able to operate without concern and with all the worries transparent to the user, there must be an underpinning of robust security. Often we take security for granted or, using traditional cost analysis, will accept a certain level of risk as a cost of doing business. However, in today's environment, the cost of doing business without a strong security posture is too high. Yet many are unaware of these costs.
In order to understand the new requirements of the digital age, governments and businesses must understand that security can no longer be an afterthought or redlined when budgets get squeezed. Security must be integral to one's overall management picture. To effectively manage security, one must manage risk. I believe in the formula risk equals threat multiplied by vulnerabilities and apply it to my own business decisions. You can see that with zero threat no matter the vulnerabilities, you will have zero risk. Likewise, if you have zero vulnerabilities and a world of ``bad actors,'' you have zero risk. Unfortunately, we have a great number of both, which is driving the risk index skyward. Vulnerabilities within our infrastructure are exposed on almost a daily basis. The scale of the infrastructure affected magnifies the impact of these vulnerabilities. Popular computer programs that get larger distribution have a larger impact. This has been demonstrated recently by a vulnerability that allows the promulgation of Macro viruses via e-mail. Using the risk formula, this vulnerability would not be an issue if it were not for the immense threat we live with on a daily basis. I believe the threat to our infrastructure is real. During the hearings on security in cyberspace in June of 1996, Mr. John Deutch did a great job of summarizing the threat and the need for increased public awareness. Many companies and government agencies have taken a skeptic's approach when discussing threats. They will say, ``My network and systems are running fine. I don't see any threat here.'' They lack the ability to see the threat and, therefore, deny it exists. They would be surprised to see, with an intrusion detection package--or intrusion detection application on their Internet perimeter, they would detect at least one unusual occurrence a day. A number of years ago, while on active duty in the Navy, I was deployed aboard a submarine for a couple of months. 
Having an interest in the sonar system, I asked one of the crew to give me an overview. The young officer was very proud of the system and said, ``If something were out in the water, we would hear it.'' I caught him by surprise when I said, ``So, let me get it straight. If you don't hear, it isn't there?'' I think that overconfidence in current capabilities and the unwillingness to ``think out of the box'' will lead to complacency. You need to look before you can see the threat. I support innovated efforts to look where no one has looked before. I'd like to share a couple of short stories, and I will keep it to the first one in the interest of time. In early 1995, I was running a vulnerability assessment on a large number of Internet connected systems operated by the Department of Defense--a Department of Defense organization. During the assessment, I entered a computer that was used by software developers to maintain the source code for a communications package. The source code was clearly unclassified, but it was disturbing for me to know its only use was on a classified network. A ``total systems'' approach was not used when implementing a support structure for the communications package. Others have demonstrated similar events over the last couple of years, and we'll still continue to have these problems. I'd like to address the Y2K vulnerability issue. A recent newspaper article brought to light a problem of outsourcing Y2K remediation and the threat of foreign nation states inserting backdoors for future year. I believe this is a valid threat and agree it needs to be addressed today. On the other hand, many Fortune 500 companies have been outsourcing source code development and maintenance for years. A large number of these U.S. companies have permanent network connections into their corporate networks to facilitate the work from overseas. 
I can tell you that without intrusion detection or traffic analysis, these foreign companies have the potential to run free and obtain unauthorized access to U.S. corporate proprietary information. In summary, I would recommend programs that support a total risk management approach to infrastructure assurance. I recommend protecting the critical path and the life cycle of high-value infrastructure, not just the end product. Keeping vigilant in the search for vulnerabilities and new threats. I fully support the requirement for collaboration between government and commercial organizations. We will not survive as a country without a framework of trust, dialogue, and collaboration. I look forward to working with this Subcommittee and others on this issue within the months to come. Again, thank you for the opportunity to speak, and I'd be happy to answer any questions. [The statement of Mr. Rich follows:] [GRAPHIC] [TIFF OMITTED] T0842.027 [GRAPHIC] [TIFF OMITTED] T0842.028 [GRAPHIC] [TIFF OMITTED] T0842.029 [GRAPHIC] [TIFF OMITTED] T0842.030 [GRAPHIC] [TIFF OMITTED] T0842.031 [GRAPHIC] [TIFF OMITTED] T0842.032 Chairwoman Morella. We thank you very much, Mr. Rich, and it's now my pleasure to recognize Mr. Bennett. STATEMENT OF WAYNE D. BENNETT Mr. Bennett. Thank you, Chairwoman Morella, Chairman Horn, members of the Subcommittee. My name is Wayne Bennett. I'm a partner at the law firm of Bingham Dana, and I chair the Commercial Technology Practice Area at our firm. Thank you for inviting me to this hearing. The nearly boundless creativity of the criminal mind will likely one day result in a billion dollar computer fraud. But I believe the apparent increased risk presented by the Y2K remediation effort is more than offset by the improvements in remediation procedures that have been implemented at large and mid-sized companies precisely to deal with the behemoth Y2K effort. 
When the billion dollar fraud occurs, its connection to the Y2K remediation effort will be more in the nature of serendipity than statistical inference, and law enforcement will be in a better position to identify the perpetrator because of the changes that the Y2K effort has brought. Consider the recent testimony of Gary Beach, Publisher of CIO Magazine, before the Senate Special Committee on the Y2K Technology Problem. I'm a member of the CIO Magazine editorial advisory board, and I can attest to the efforts that organization has made to look past the Y2K hype and its coverage. While the purpose of Gary's testimony was to report the results of a Y2K tracking poll, Gary added a particularly incisive thought at the conclusion of his remarks that one positive legacy of the Y2K exercise is that many companies were finally moved to undertake comprehensive inventories of their information technology systems. I would expand on that notion of a positive legacy. The learning at many corporate IT departments, particularly at mid- sized corporations, has been greatly enhanced since the Y2K wake-up call went out. My clients are from diverse industries, including banks, mortgage companies, manufacturers, distributors, broker dealers, grocers, IT hardware, software, and services lenders, and e-commerce companies. Many of them contacted leading experts to teach their IT personnel the best industry practices for implementing their Y2K projects, and they're applying that learning to their maintenance activities generally. Before the Y2K exercise, systems maintenance was in some IT shops just a tedious chore that was relegated to anonymous junior programmers. Maintenance was a stepchild, and many IT departments struggled with version control, documentation, and accountability. Often IT personnel would open a source code file and find no written clue regarding who worked on the code last, what changes had been made, or even when or why it was changed. 
The best maintenance practices recently introduced by consultants have a by-product. Many systems environments are now more secure than they were just a couple of years ago. For example, the introduction of project notebooks requiring formal sign-offs by responsible employees and contractors have employees staking their reputations on their work. Each sign- off indicates that a software routine is ready and that it successfully integrates into the larger system. Testing naturally becomes more comprehensive. Validation efforts are enhanced to ensure that no unwanted changes have been introduced into the system. Internal and external auditors review project notebooks as part of their Y2K and technology operations audits. Reports are generated at each management level until a summary is presented to the board of directors. Visibility and accountability at every level has increased. Security has been enhanced. Trap doors and the attendant risk of major fraud have been around since shortly after the beginning of commercial computing. Then you enacted the Computer Fraud and Abuse Act of 1986, the Information Infrastructure Act of 1996, the Economic Espionage Act of 1996, and the No Electronic Theft Act of 1997. The criminal laws are in place. Now, with the introduction of better maintenance practices, the forensic evidence is more likely to be available to track down a wrongdoer. A billion-dollar fraud is inevitable at some point since no security system is completely airtight. But is it more likely now as a result of the Y2K effort? I don't think so. Consider the current criminal opportunity. With increased scrutiny of every line of code, choosing this juncture to hide nefarious software in systems is akin to the decision of a second story man choosing to burglarize the police chief's house. Some burglars may find the prospect challenging, but most won't and those that do will find the going rather rough. 
At the July 22nd Senate Y2K hearing, Senator Bennett put the question of the reported increased security risk to a panel of IT executives. The panelists acknowledged that the security risk is increasing every day because of the increase in computer usage generally. But they also responded that the procedures implemented to perform Y2K remediation make them more confident today that while they can never fully prevent a security problem, they can at least better now detect a security problem. These procedures can fail, so we need to be ever vigilant about security. But we should also be careful about any message that we send to those thousands of employees and contractors who are honestly and diligently trying to solve the Y2K problem. The Nation's IT personnel are right now working at a breakneck pace doing thankless, yeoman's work against an unforgiving deadline. If they succeed in their Herculean task, some--perhaps even some here today--will question why we spent billions of dollars on a crisis that never came about. If they fail, they will be blamed. At this point, I suggest that we let the security officers quietly pursue their jobs while we lend all necessary support to the employees and contractors working on the Y2K effort-- without any inadvertent suggestion from any quarter that any of them might be criminals, even in the face of continuing risk. The job of fixing the Y2K problem and the consequences of failure are so enormous that the ongoing risk of fraud pales by comparison. We should keep our focus over these next critical few months. Thank you for your time. [The statement of Mr. 
Bennett follows:] [GRAPHIC] [TIFF OMITTED] T0842.033 [GRAPHIC] [TIFF OMITTED] T0842.034 [GRAPHIC] [TIFF OMITTED] T0842.035 [GRAPHIC] [TIFF OMITTED] T0842.036 [GRAPHIC] [TIFF OMITTED] T0842.037 [GRAPHIC] [TIFF OMITTED] T0842.038 [GRAPHIC] [TIFF OMITTED] T0842.039 [GRAPHIC] [TIFF OMITTED] T0842.040 [GRAPHIC] [TIFF OMITTED] T0842.041 [GRAPHIC] [TIFF OMITTED] T0842.042 Chairwoman Morella. Thank you very much, Mr. Bennett. I'm glad we, you know, ended with you because then you put another perspective on the concept of computer security being important, but not necessarily, I was going to say, increased because of Y2K. I understand also you were at the--what used to be called the National Bureau of Standards. Mr. Bennett. Yes, I was. Chairwoman Morella. Which is now NIST, which has been very much involved with our computer security system and more legislation coming up on that. As you could tell, we do have a vote coming up. Maybe I could start off by asking one question, and then we could recess for about 15 minutes, if you'll all be here, and then continue with questions. Unless you wanted to start off with a question, Chairman Horn? Mr. Horn. I'll be glad to, if you'd like. I don't know if you want to go vote and then I can go vote and keep the show on the road. Whatever you'd like. Chairwoman Morella. All right. He's got a great idea. I will go vote, and then he will keep this--keep it going, and then I'll come back. Mr. Horn. Mr. Bennett, I was interested when you said the criminal laws seem to be in place. Is that true in every state? Have we done an analysis of that? Mrs. Morella and I can request the American Law Division to look at that now that you've raised the question. Mr. Bennett. Well, I think the federal laws are in place. 
In fact, there was just a recent article in, I believe, Computer World where a defense attorney based in San Francisco was complaining that the federal laws are set up so that her-- this is not surprising--that her clients are having a tough time going and are pleading out instead of going to trial because they risk very severe criminal penalties. I do not know, however, on a state-by-state basis what the answer is. Mr. Horn. Any comments from anyone else here on that point? Well, the $1 billion does catch a headline, and that's, I think, more likely to be banks. What will happen with the non- banks where you could not have money to move, is blackmail. And the question would be: To what degree can we already cope with blackmail, the disgruntled employee that was mentioned? No question about it. You could--with a smart programmer, you could have chaos within a computer system. Mr. Miller. Mr. Chairman---- Mr. Horn. Mr. Miller. Mr. Miller. Mr. Chairman, we had Mr. Scott Charney, who heads the Criminal Division area of computer crimes speak at a conference we cosponsored last week with George Mason University. And Mr. Charney indicated in his public comments, at least--and maybe the Subcommittee would want to contact him directly, but I think I would agree with Mr. Bennett--that the federal laws are pretty strict. The challenge is finding the miscreants and prosecuting them. But I think they feel that the laws are pretty strict, and they've been fairly successful in prosecutions. State laws, I don't have any information on them. Mr. Horn. If it is blackmail and it isn't moving money around from accounts here to accounts abroad and so forth, how do we deal with the blackmail aspect? Mr. Miller. They're both federal statutes, as I understand it. I'm not a lawyer. Mr. Horn. Have we had much computer security blackmail? Mr. Miller. I've been told of stories anecdotally. Nothing's been reported publicly. Mr. Horn. Well, I realize it's like rare-book libraries. 
They don't want to talk about it, and that was the mistake of their life because now that they started talking about it, you find these people. And the thief just had a field day, can walk off with all the precious books, and they did it at Harvard and Yale and my own university and so forth. But it just seems to me we need a strategy here in educating chief executives. As we went through the Y2K bit in the last year, one of the things that discouraged me was the bad advice that their lawyers gave, which was, Chief, don't say anything, then they can't do something to you in court. Well, that's utter baloney because they'll do you for not doing anything, and we really needed CEOs to provide some leadership, which they finally woke up and did. But how would you deal with this in this way to get top management to understand that they've got to do some strategies and tactics here to protect themselves in the interest of their stockholders? Mr. Pucciarelli. Congressman Horn? Mr. Horn. Yes? Mr. Pucciarelli. If I could just say, in my opinion, security is to computers what safety was to automobiles in the 1960s. We have a relatively immature technology, relatively in the context of 20 and 30 years versus 100 years. And what goes with a new technology is a certain exuberance and a denial of some of those risks. And I think what happens over time, the experience of using the technologies, of understanding the consequences, and understanding the implications will bring to light to the executives and to the leadership of the organizations that use these tools the risks. So rather than delegating the leadership and management of these systems to technical specialists, the executives will become more involved and more active in establishing security procedures for the overall enterprise. Mr. Horn. 
Now, with the Presidential Directive--by the way, if you have your mikes still on, turn them off so we don't get a feedback On the Presidential Directive, how active has the security community and the information technology community been helpful in that? And where are we in the progress under the Presidential Directive? Mr. Miller. I think there's some good news and there's some bad news there. I think the good news is that the various government agencies are trying to come up with a plan. We saw a leaked version of it in the New York Times very recently, an article by Mr. Markoff which focused on just the privacy issue. But there has been extensive consultation, and I do commend the people in the government for trying to get as much industry input as possible into the process. As an example of bad news, though, Mr. Chairman, I'll give you one specific example. We were designed by the Department of Commerce, as I mentioned in my testimony, as the sector coordinator for the information technology sector along with the Telecommunications Industry Association and the U.S. Telephone Association. That office within the U.S. Department of Commerce is probably going to be defunded in the year 2000. So, on the one hand, we are trying to undertake activities in conjunction with the Department of Commerce agency. On the other hand, the Department of Commerce, even though they did request some money, apparently it's not a very high priority. Congress hasn't seen it as a high priority. So we're going to-- may find ourselves on October 1st being designated by the sector coordinator of an office that no longer exists. Mr. Horn. Well, we thank you for alerting us because we ought to keep on top of that. I'm going to have to declare a recess now so I don't miss a vote. So we're in recess until Mrs. Morella returns to chair the meeting. Thank you very much. [Recess.] Chairwoman Morella. Thank you, gentlemen and others, for bearing with us as we had two votes instead of one vote. 
And matter of fact, one was on---- Mr. Horn. Patent policy. Chairwoman Morella. Yeah, patent policy, which might interest some of you. Ms. Rivers is here from Michigan, and I guess I'll start off with a question or two and then let Ms. Rivers ask any questions. Mention was made--I think you, Mr. Miller, mentioned the Presidential decision, Directive 63, which was issued in May of 1998, and that explains the Administration's policy on critical infrastructure protection. Incidentally, we had the first House hearing on the critical infrastructures report. The infrastructures include telecommunications, banking and finance, and all the essential government services. The directive requires immediate Federal Government action, including risk assessment and planning to reduce exposure to attack. Maybe I'd start off with you, Mr. Miller, in responding to this, but I want to hear from the others, too. In your opinion, has the implementation of this directive been effective? And why or why not? Does more need to be done? Mr. Miller. The process has been a little slower than I think many of us anticipated, but maybe that's all for the good. The trial CIAO office, which everyone sort of chuckles at, but the Critical Information Assurance Office, which has coordinated the development of the longer-term plan, has been somewhat slow, but they have to engage numerous federal agencies. They have done a good job, Madam Chair, I believe, of trying to engage industry and academia in getting input in the development of that plan. So I think they are moving forward in a reasonable pace to come up with a plan. It's very tricky, though, because the exact lines of responsibility between the private sector and government--there may be differing views, as I suggested in my testimony. The private sector may believe that the government needs to be less involved, and some people in government want to be more involved. 
The point I mentioned to Chairman Horn while you were away was some of the things that disturb us, for example, is the government, to industry, is not necessarily someone we like to work with all the time. I have a little bit of concern about it. One of the departments, however, I think industry is most comfortable with is the Department of Commerce. The Department of Commerce in the National Telecommunications Information Agency, headed by Assistant Secretary Irving, has responsibility for this critical information issue, and we were designated, along with two other associations, as a sector coordinator for the IT industry. But now it looks like they are going to have no money for FY 2000. There was a request for a small amount of money, I believe $3.5 million, for FY 2000, but, candidly, I don't think it's very high on the Administration's priority list. And from what I understand, with all the pressures that you all have to cut domestic spending, that money may disappear. So that's an example of where we thought there were good plans in place to try to move forward, and we were excited about the opportunity to be the sector coordinator for the IT industry. But if that agency funding goes away and there's nothing in Commerce for us to work with, then in some sense industry's role is back to square one. At least my sector's role is back to square one. Chairwoman Morella. Would any of the other panelists like to comment on that? I'm going to ask a question also that you might want to respond to at the same time. Do you think we need a computer security czar? I don't mean to overuse that term, but somebody in the Federal Government such as the role that John Koskinen has played with Y2K that will be an oversee also of critical infrastructures, computer security. Mr. Pucciarelli? Mr. Pucciarelli. Congresswoman, first a quick comment on the Presidential Policy Directive 63. In general, the entire area of cyber warfare and security is moving extremely quickly. 
It's very difficult to design a solution, just from an engineering perspective to design a solution to address a threat, and to do it and get it implemented in a timely fashion. If you look at the typical procurement cycle right now, from the time an engineering solution is designed until it's presented, run through for hearings, funded and implemented, it could take 2 years. The problem is, is that it's difficult to anticipate--it's virtually impossible to anticipate 2 years ahead of the threat what needs to be done because this area is moving so quickly. So just one comment on that is just I would counsel you to look at the time lines to actually acknowledge the threat, design a solution, and implement it. As far as your question on the computer security czar, I think there's a plus and a minus. My own personal perspective and the perspective of the GartnerGroup is that security is an enterprise issue. It is not an issue that belongs dedicated to somebody who sits in the back room of the organization or off to the side in an ancillary role. So I think there's a risk with setting up a czar in that it might be viewed as something that is the domain of the technical specialists. I think the challenge is how do we elevate security to an executive issue and an executive priority, and if a computer security czar was able to portray the issue with that type of presentation, I think there's an opportunity to have a very positive impact. Chairwoman Morella. Mr. Rich. Mr. Rich. I support his statement. I think having a computer security czar would probably be not a good idea, that security is part of an infrastructure, an enterprise implementation, and that we need to support the current infrastructure assurance directives that have been put out there. Chairwoman Morella. Mr. Bennett, would you like to comment on---- Mr. Bennett. I think that anything that's done has to draw some very clear lines between government and corporate enterprises. 
I think that the prospect of a czar might actually frighten some corporations who may have some operations that are even part of what you might consider infrastructure. I mean, I think that there are a lot of large corporations out there that would be happy to just have government approve their international use of very strong encryption methods and then stay out of the picture as far as their own security is concerned until such time as there is--where their own security procedures fail, and then they'll want the help of law enforcement officials to try to track down whoever did it. Their biggest issues right now do not involve a billion- dollar fraud. If they look past Y2K and they're talking about people taking things from them, they're worried about competitive intelligence. Chairwoman Morella. Would either of you like to comment on Directive 63? Mr. Rich. I haven't been myself involved a great amount with the directive. From what I've observed and talking with others, I support Mr. Miller's comment on that it's moving maybe not as fast as some would expect, but I think it's moving in the right direction. And I've seen a lot of corporations now starting to talk to the government. I like the idea of collaboration and trust. Unless we can get the point across to the commercial organizations that the government can help and not mandate or dictate and more or less work together, I think we'll get longer--further down the path. Chairwoman Morella. I didn't mean to be rigid when I said computer security czar. I guess I'm thinking to implementation of current policies in terms of coordinating. There is no doubt in my mind we lack that in the Federal Government, but we can get into that in some other questioning. I would like to now recognize Ms. Rivers. Ms. Rivers. Thank you, Madam Chair. Mr. Miller, I have a question regarding funding you raised in your written commentary, and I apologize that I wasn't here for the testimony. 
But in your written statement, you raised concerns that the $3.5 million that is now being allocated for CIIAP is inadequate in your view or barely adequate. Are you aware that the Commerce, Justice, State bill, appropriations bill that we're going to vote on this afternoon, zeroes out that program? And what will the effects be of that decision? Mr. Miller. I heard--I haven't actually seen the language of the legislation, Congresswoman Rivers, but I heard that they were going to zero it out. I think that would be most unfortunate from the perspective of private industry. Clearly, the issue of information security has spread throughout the government--the Department of Defense, the Department of Justice, National Security Agency, et cetera, et cetera. And, by the way, in response to Congresswoman Morella's question, I would support a czar for exactly that reason. But, clearly, the government is perceived by many people in industry as kind of threatening, particularly if you're talking to national security people or law enforcement people. To the extent the industry is comfortable, I think they're most comfortable talking to the Department of Commerce, and so that's a logical place for business to communicate. And zeroing out that budget item from within NTIA I think would be most unfortunate. Even a relatively small amount, $3.5 million, is better than nothing, and I think the problem is--I've spoken to Assistant Secretary Irving about this--is he's already had severe budget cuts over the last 2 or 3 years, and if this money gets cuts down, he can't find it to take out of hide somewhere else. So I'd hope that the Congress would take another look at that, and whether $3.5 million is exactly the right number or not, I don't know. But I hope the Congress would take another look at that and put some funding in there because that would make industry much more comfortable in terms of working with government. 
Again, there's no disrespect to the FBI or the Defense Department, but if we have to talk to somebody, it's a lot easier to talk to the Commerce Department. Ms. Rivers. Thank you. Mr. Pucciarelli, I have a question for you. In your comments, you talk about a 70 percent probability that there would be at least one electronic theft of a billion dollars, which--I may not have it right, but that would seem to be the biggest theft in our history. I mean, I don't think we've ever had a billion dollar theft. And you use the terminology that really reflects sort of the science of statistics. How did you arrive at that? Mr. Pucciarelli. What we do, Congresswoman, is, as part of our recommendations at GartnerGroup, we have a practice of assigning a probability to a particular prediction. And the reason that we assign probabilities is so that our clients have an ability to take these predictions and appropriately factor them into their business plans. The probabilities were not scientifically derived. They were arrived--derived based on judgment, and there is an explanation of the probability process in my formal written testimony which has been submitted to the Committee. Ms. Rivers. How do you translate a probability--or a judgment into a 0.7 likelihood? Mr. Pucciarelli. A 0.7 likelihood, in terms of how we explain that to our clients and advise that to our clients, is we would say that you should assume that this is likely to happen. If you--if it had a 0.8 probability as an example, we would say assume it will happen. So with a 0.7 probability there is still some risk that it won't happen. The range of probabilities that we publish goes from 0.6 to 0.9. The whole notion and the whole purpose of this piece of research was to advise our clients to escalate their risk management practices. And in the context of that, what we are really saying with the probabilities is that we believe it's likely that there will be at least one large outrageous theft. Ms. Rivers. 
So what you're saying is it's really not a scientific tool, it's a sales tool? Mr. Pucciarelli. No. That's--not at all, Congressman. What my point was, it's not a sales tool at all. What it is is it's a way for management within our client organizations to appropriately weigh the probability. Ms. Rivers. That's what I'm trying to understand, given my training, is how you are creating your probabilities, what you are actually using that can be replicated by someone else. Looking at the same data, can they come up with the same conclusion? Mr. Pucciarelli. The way that we actually create the probabilities is based on--first of all, it is not data. It is--it is qualitative interactions with our clients and qualitative assessments of what's going on in the environment. The intention of the probabilities is to factor them into the management process within our clients. So the idea is that we can give our clients a degree of confidence as to how sure we are that this will happen. Ms. Rivers. What are the elements that you weigh in coming to this conclusion? Mr. Pucciarelli. We look at three different major aspects in forming a probability. First we do primary research, which is to look at the specific area. And as I testified earlier, we did that based on direct examination and in conversations with our clients, what was going on in terms of the process itself. We then review preliminary findings with our clients and ask their opinions and their assessments of our recommendations. Then the third and most important thing is, before we publish a recommendation and assign a probability, we--as a community of analysts, GartnerGroup has over 700 analysts review the major policy statements, and as a community of analysts, we have to agree on what those probabilities are, and we have to agree what the major statements are. 
So this forecast represents a consensus position of literally hundreds of people within our organization to support--and it has to agree with their qualitative and quantitative observations as well. Ms. Rivers. Okay. Thank you. Thank you, Madam Chair. Chairwoman Morella. Thank you, Ms. Rivers. Chairman Horn. Mr. Horn. I've had 5 minutes, so let everybody else go, and then I'll have one question. Chairwoman Morella. Mr. Turner from Texas. Mr. Turner. I will yield to Mr. Horn. Chairwoman Morella. Chairman Horn? I mean, I'll ask a question. Mr. Horn. Let me just ask one question. I've appreciated the various papers you four gentlemen have submitted. You've suggested, Mr. Miller, that we grade federal agencies on computer security, much like we currently do for the year 2000 work. And I'm just curious, What categories of criteria in relation to this subject would you suggest and use? Mr. Miller. I think, Mr. Chairman, your grading system the last 3\1/2\ years or so for the government's reliability and readiness for Y2K has been a tremendous tool toward driving them toward the successes that you mentioned in your statement earlier today, and you deserve a great deal of credit, as does Congresswoman Morella, for focusing attention. A similar system, I believe, could be developed. I'm not prepared to give you the exact criteria, but things like the percentage of spending on IT devoted to computer security, the attention paid by senior management to computer security; reports of intrusions and detections of intrusions could be another metric that you could look to. So I think you could get--probably put together a fairly straightforward and easily agreed upon list of indicia that you could use to use your excellent grading system, and I think that would help drive the agencies toward more attention to this problem. Mr. Horn. Where do--where are the data on intrusions kept? Is it simply by agency? Does OMB have any information that they've collected over the years? Mr. 
Miller. There are two sets of data. There are data from the private sector, which are reported to what's called CERT, the Computer Emergency Response Team, at Carnegie Mellon University. They're, of course, voluntary reports. And to go back to Congresswoman Rivers' question about hard data versus theoretical data, I do note that the number of incidents reported to CERT has increased dramatically over the last few years. Within the government, my understanding is that they don't necessarily share information among agencies, and that's one of the issues being looked upon--looked at within the PDD-63, is to exactly how do you make sure that all the information is being shared appropriately among the agencies. Mr. Horn. Are the Carnegie information--are those data accessible? Mr. Miller. In some cases, the specifics are accessible, and sometimes it's just the generic numbers. I think one of the biggest challenges that this issues faces, as Mr. Pucciarelli was suggesting in his earlier comments, is how much willingness is there among companies as they mature to share information. Certain industries such as the financial services industry have already been exposed. Citibank had a relatively large potential theft several years ago, and so Citibank is now wanting to talk about this publicly. You can get them to go to any conference, any open meeting, and they'll come and talk about it. But if you ask 99 percent of all financial institutions or other types of organizations, ``Do you want to admit times that you've had intrusions or thefts or breakdowns?'' most of them are going to be totally silent, totally mum. So one of the challenges we've had as an industry, Mr. 
Chairman, is figuring out how to get companies to share information in a way that will help everyone fight off other potential intrusions and threats, but at the same time not be concerned that proprietary information will leak out or that their competitors will get an advantage or it will leak to the press and hit the stock price, et cetera. So companies are always trying to balance these two things off. It's not just the legal issue which you raised before in regard to the Y2K. It's a whole set of potential down sides to exposing information as opposed to the one up side, which is to sort of be a good citizen and by reporting the information about an intrusion that you had, you may save somebody else or you may help to protect the entire economy. And we are not yet at a position, I think, where the leadership of business in this country has made that balance of that equation and said in all cases we will share information. And one of the reasons is that they're not sure about sharing information. Let me just bring one more specific problem to your attention, is the Shelby amendment. I think industry supports the Shelby amendment generally. We believe that federally funded research results should be available to the public. And what Senator Shelby has done is good. But my companies have come to me and said, Now, what if we share information and there's some kind of federal grant involved with the organization that has that information and we believe it's confidential and then a FOIA request comes in? Government FOIA exemptions can't be used because it's a private sector organization. Then what do we do? So I think that's not--it's an unintended consequence of the Shelby amendment which is something we're trying to puzzle through right now. Mr. Horn. Yeah, well, as you know, we're going to struggle through on that, and you have to protect the people that, let's say, are trying to win the Nobel Prize or something. 
We shouldn't have their data all around and polluted. That will get tested soon enough. And we don't want to discourage science. On the other hand, we don't want to--in this situation, we're talking about, we don't want to have sitting- duck targets because they say, boy, look at all the entries there, let's see if we can do it. And I suspect that's worrying some. The Good Samaritan law has helped on the year 2000 a bit, and industry plants have been working with each other, from the best we can understand on that. I don't know if that's your feeling or not. There's much sharing of information. Mr. Miller. Definitely. But it took legal action to do it. But, again, if Long Beach State, your former institution, set up a classified center and encouraged companies to provide information and they got Federal funding somehow, what does the Shelby amendment do to that data? It supposed to be sanitized. It's supposed to be protected within this research center within the university. But can someone use--I don't know, but the questions have been asked. Can someone use the Shelby amendment to come in and say I want access to all that data? And suddenly the whole confidentiality system breaks down, the trust breaks down, and no one supplies information to the Long Beach State center. We've lost the whole purpose of the organization in the first place. Mr. Horn. Are there any questions and thoughts that none of you have mentioned that you now would like to make? This is at least my wrap-up question. Mrs. Morella might have many more. But just what are we missing that we haven't really focused in on? Mr. Rich. Mr. Chairman, I'd like to make a quick comment there. 
In the spirit of PDD-63, rather than requiring--or asking people to give you their particular data on break-ins, if we take a baby step and say how about sharing threat information-these are people that are trying to touch you and look at your networks but not successful in getting in--that would be a first step in establishing the trust relationship. Mr. Horn. That's a good suggestion. Chairwoman Morella. Thank you, Chairman Horn. That's great. This is so reminiscent of Y2K when we talk about failure to and concern about sharing information and the coordination that is necessary. And, of course, we're talking about computer security that is troubled particularly because of Y2K compliance. With regard to the Shelby amendment, it's interesting that here we are in the room where the ranking member, George Brown, is the one who's introduced the legislation to get rid of the Shelby amendment, and, of course, I've heard from National Institutes of Health and a number of other institutions like that that are hoping that--Mr. Miller, that you can--we can work out some kind of a compromise. I--in terms of where information may come from, I can remember years ago, GAO, you know, when they came out with their list of high-risk areas, they had Y2K there, and they've had computer security there for some time. That maybe another source of information to have GAO do further reporting. And, of course, they've done a number of reports on problems with computer security, particularly in DOD. And I wonder, the inspector generals, would they not also be looking at this, or should we be telling them to begin to look at this? I don't know if any of you are cognizant. Mr. Pucciarelli. Mr. Pucciarelli. Congresswoman, I think that the whole issue of computer security could clearly fall into the domain of the inspector generals, and I think that depending on which agency is looked at, I think you'll see different degrees of activity in the area. 
I think that there's clearly an opportunity to raise the issue on the agenda of the IGs, and, again, I'll come back to my point earlier. The real challenge is how do we get the leadership of the organizations involved as well. Yes, the IG is the means by which to do it, but the challenge is how do we get it to the executives. Chairwoman Morella. And you mentioned--Mr. Miller, you wanted to comment. Mr. Miller. I agree exactly with what Mr. Pucciarelli is saying. That's why I endorse your idea of the czar, as long as the czar is conceptualized the way Mr. Koskinen has conceptualized the role, not that the czar---- Chairwoman Morella. Right. Mr. Miller [continuing]. Is to fix everything himself or, if it's a czarina, herself; but that, number one, that person has the authority to go directly to Cabinet officers and make sure that the Cabinet officers personally are paying attention to the issue; that that person has the ability to work with the private sector by organizing them by sectors, as Mr. Koskinen has done very effectively. He's not trying to fix the problems with the electricity industry or the retail industry, but he's working with the appropriate private sector groups to do that. Also, he or she would be able to coordinate among the different agencies, and, frankly, it's a little confusing to the private sector to know whether we should talk to people at the CIAO or Mr. Hamre at DOD or people at the NIPC or people at Commerce. It would be a little bit easier to, if there were someone who had a central role and also had access directly to the President and Vice President, as I believe Mr. Koskinen does on Y2K issues. Chairwoman Morella. And looking at the private sector, Mr. Pucciarelli, you mentioned in your statement that many firms have not taken--you used the term ``adequate steps''--to secure and audit the year 2000 remediation process. I wonder, what do you mean by adequate steps? Mr. Pucciarelli. 
Congresswoman, in forming this scenario that I identified, one of somebody stealing a large amount of money, I started from the premise that somebody would do it. And then I posed the question back to my clients and said how likely is this to happen. And the response back from the practitioners in the field was that, in general, the level of security in their opinion was not very high. And that was one of the reasons why I went forward with this research and deemed it appropriate to recommend to the executive leadership of the various organizations to take as a given that this is a likely event and to implement risk management activities, which was really the underpinning of what my research was. It basically said you as leaders of these organizations need to implement risk management because the details--the people that are actually doing it, the practitioners, believe that there is a relatively high risk. Chairwoman Morella. Is implementing an independent verification validation process going to mitigate the problems and the trap doors? Mr. Pucciarelli. To implement a comprehensive security program, we have to cover three specific areas. We have to cover people, process, and products. And when talk about people, a metaphor might be to look at the bar exam. If we were to look at process, it might be the equivalent of the FDA certifying a surgical procedure, or a process might be the certification of a particular software development process. And a product might be the equivalent of the regulation that DOT has for automobiles to meet safety standards or, in the public domain, the UL underwriting seal of approval. To get true security, we're going to have to approach it from all three fronts. Chairwoman Morella. I'm glad you wanted to respond, Mr. Bennett, because I really felt I had to give you an opportunity to engage since your point is that it's not Y2K that is the big problem with computer security. So, sir? Mr. Bennett. 
Well, I think I stated my point on the relationship. I think they're both very important issues. I just don't see them--the statistical inference there. But with respect to the independent audit and the IG's role, it seems to me that the independence of both an IG or an outside auditor is one piece and the only piece that should be independent of line management. While auditing on the one hand has to be independent, someone has to come in and say how good a job you're doing, there are a couple of stages that have to come before that, and those, if you're ever going to make this work, it seems to me, have to be done by line management because they have to believe in what they're doing. Now, in defense, there may be a different weighing that takes place. How much--there's a certain drag on productivity that's going to happen when you implement extra security procedures. You try to minimize it, but it happens. That-- where--how much of a drag on productivity you're willing to tolerate may be different if I'm trying to keep secret the Nation's defense secrets. At the same time, if I'm a corporation and I am trying to keep competitive information out of my competitor's hands, which is very important, there's a different drag on my productivity that I might accept. So line management, first of all, has to decide how important is it and to what level are we going to protect it or try to protect it. And then there has to be an implementation process, all of which should stay within line management. And only then, after you've done those two steps, it seems to me, without sort of alienating line management, who you need to do those two steps, then there's a role for an outsider to come in and say, okay, how good a job are you doing? Chairwoman Morella. Prioritize, organize, then verify. Mr. Rich. 
I'd like to recommend that we take a look, as was mentioned here earlier about process, that over a period of time in my time working in the government we had process, accreditation for systems for security. And over a period of time, the accreditation process failed to work because it wasn't updated, that we would do the checklists and everything was great. I think as the IG goes through the process of checking, somebody should be checking the IG. Maybe that's the computer security czar that you mentioned, as an oversight position, that we have to keep up with the technology that we're looking at as we go through that. Chairwoman Morella. Thank you. Mr. Turner. Mr. Turner. I was really interested in knowing what suggestions any of you might have regarding how we might strengthen law enforcement in this area. It seems that it's an area that we're really very ill equipped to deal with. We don't have the expertise in local district attorney's offices. I'm not even sure we have it in the Department of Justice. But I think we really--there seems to be a need to take a good look at the existing criminal laws. Obviously, some of the laws fit. Theft is theft, I guess, no matter how you accomplish it. But in any of the intrusions that don't result in outright theft of dollars, I'm just not sure that the penalties are out there, the laws are out there to really effectively deal with this, nor is there the expertise available to fully prosecute what appears to me, from listening to your testimony, to be a growing area of criminal activity. Am I correct on that? And do any of you have any suggestions you might---- Mr. Miller. I think that's a very important point, Mr. Turner. We're working very close with the Justice Department Criminal Division on this, and they have asked, for example, to help us help them put together a list of experts, cyber experts, that they can call upon for--when they need to do prosecutions so that the Assistant U.S. 
Attorneys around the country, when they're referred these cases, frequently do not have the kind of expertise that they may have in securities fraud or other kinds of more traditional non-digital fraud. And so we are working with Mr. Scott Charney and Attorney General Reno to help put together a list of those experts that the Assistant U.S. Attorneys can call upon. Also, I have been told that the Justice Department is doing training for state and local officials on cyber crime, detection, investigation, prosecution. But how extensive that is, I don't really know. You can contact the Justice Department. I don't have any data on how many--how many training sessions have been done. I understand that when they do offer them, they are heavily subscribed, that there's clearly a lot of interest among law-- local law enforcement officials to get this kind of training. But how extensive the training is currently, I don't know. Mr. Bennett. Congressman? Mr. Turner. Yes? Mr. Bennett. I believe you have the laws. You have got your Computer Fraud and Abuse Act. You have the Espionage Act, which covers trade secrets, and both of those have attempt parts to them. You also have a fair amount of expertise. It is growing within the Department of Justice, but there's a fair amount of expertise. When we call up on behalf of our clients and there's been a problem, we do not get a befuddled person who has either no interest or expertise in the area. We're generally directed to somebody who does that for a living. I think the only problem we're running into is the usual, and that is, you've got to have enough time and so you've got to allocate scarce resources even in the Department of Justice. And the way they've allocated it, to use one example, one of my clients called up, and someone had scanned their ports looking for a way in, and they were very concerned that some--a specific competitor, in fact, might have been the one doing it. And they wanted to get to the bottom of it. 
And when we called up, it seemed to us that there was a bright line from the United States Attorney's Office, and that was, really, if you can show us that they got in, then that's going to put it into one basket over here and we're going to have the time to be able to address it. If, on the other hand, you don't know because your firewall software maybe only tracks unauthorized attempts and maybe perhaps doesn't track authorized entries that might have been fraudulent, then we're--maybe you ought to go the civil route and try to discover this by suing the ISP and getting the name and then going after them and finding out who it is on your own. And, clearly, you don't want to go down both those paths, and we could really understand it. We ended up going down in this last instance, which was only a few months ago, going down the civil route and finding out that it was some teenage hackers attempting to get into a corporate--past a corporate a firewall. But the laws are certainly there. The expertise is there and growing, at least at the Federal level, and now it's just a matter of putting in a priority because I think they have enough to do with the actual break-ins at this point. Mr. Miller. Mr. Turner, my staff reminds me that Senator Leahy has introduced a bill to provide $25 million a year to the Department of Justice for state and local cyber crime training. So obviously Senator Leahy at least believes there's not currently sufficient funds and is trying to increase that. Mr. Turner. Thank you, Mrs. Morella. Chairwoman Morella. Thank you, Mr. Turner. It seems to me there could be a problem with companies overseas and the kind of security because they haven't had a check to do--an opportunity to do background checks of--and this made by the more prone to computer security problems with Y2K. Would any of you like to comment on that, maybe what we could do about it? You look ready, Mr. Bennett, then Mr. Miller. Mr. Bennett. 
I believe this problem's been with us for a while, and to try to put it in perspective, if you got three different levels of folks you might engage--and they've been engaged over the course of time, at least in corporate America, to work on IT systems there, your own employees, your domestic contractors, and then foreign contractors, and I would suggest that at this moment in most states in the United States you can learn not very much about your own new employees for starters. So, yes, it is true that there could be foreigners or contractors who could pose a definite threat to your IT. But right now, in the position of any ordinary employer-- not the government but an ordinary employer, we're just not permitted to get the kind of information you can get, and so I have a live threat right with my employees. A second quick point is that--put aside just for a moment-- I know it's not the scope here, but to try to put this in perspective, you've got the threat to your IT systems, and yet in many, many companies today, the most valuable information that they have walks out the door every single day with their employees. It is not sitting on their computer system. So when they put this whole thing into perspective for, you know, the billion dollar fraud over here and then the foreign threat and then even the domestic contractor threat, then the employee threat, what they're really worried about is: How can I find out information about the people who are here? And, moreover, where are they going to go? In the State of California, for example, companies cannot use non-competes for some good and wholesome reasons. And so that means that my employee can leave today, go down the street to my competitor, and use that information. Mr. Horn. I missed the word there. Companies cannot use what? Mr. Bennett. 
They cannot use--in California, as an example, one cannot include a non-competition clause in a contract with an employee to say, look, for 6 months after you leave here please don't go down the street--or you may not go down the street to our competitor to do the same kind of thing. Mr. Horn. As you were talking, I was thinking, the whole evolution of Silicon Valley is when somebody walked out and started their own firm. American productivity. Mr. Bennett. Absolutely correct. And now--and we've gotten a lot of great things from that. In addition, we've gotten ourselves a rash of trade secret lawsuits. Chairwoman Morella. It seems to me--you know how we have the metal detectors going into buildings such as ours? What we really need is a mental detector, and a mental detector would probably take care of a lot of that problem that you mentioned. Mr. Bennett. God forbid. Chairwoman Morella. Okay. Right. Mr. Miller. Mr. Miller. Two brief points. One is that there's currently, in addition to the overall challenge of the shortage of information technology workers in our country, there's a specific subset of that. There's a huge shortage of people with sophisticated security training or the ability to carry out these jobs. Going back to Mr. Pucciarelli's earlier point about people being one of the critical three elements, it's very important. I know a very large, sophisticated firm which is doing a lot of work on a contract basis for the government has 1,500 positions to fill, and they have 1,000 people, and they can't find the other 500 because, first of all, you can't use foreign workers 99.9 percent of the time so you can't fall back on H(1)(b)s or anything like that. You can't even fall back on permanent residents. Most of the time they have to be U.S. citizens. They have to have security clearance. They have to have sophisticated training, et cetera, et cetera. So that's a big job. 
I know Attorney General Reno and other people are trying to focus on some kind of a cyber corps idea where there'd actually be government incentives, scholarships or a sort to encourage people to get the kind of sophisticated training that they could become specialists in information security. So I think that's an issue. Also, on the international front, Chairwoman Morella, I know that this is a huge issue in terms of laws. How do you enforce the security laws? And right now the U.S. Government is engaged in discussions with the G-8. Attorney General Reno I know is discussing with other members of the G-8, but it gets to be a huge issue in cyberspace. Let's talk about things like child pornography and getting access. What laws do you use? Do you let Muammar Qadhafi start issuing subpoenas for information that it wants to get from AOL because it believes somebody in Libya who's an AOL customer is violating the laws of Libya? How do you enforce those kind of laws? So there's some incredibly open-ended questions out there right now in terms of our cyber crimes on the international front which are just at the earliest, earliest stages of discussion right now. Chairwoman Morella. Mr. Rich. Mr. Rich. Yes. I'd like to mention a couple of months ago I went to a national infrastructure protection conference out in Denver, and I support the idea of Mr. Miller mentioning the cyber corps approach. I think that would go a long way, similar to the Peace Corps, in incentivizing those to bring up the awareness within the security area. And then they have a little payback to the government for helping them through school, or similar. Mr. Horn. If I might be yielded to for a question, I probably haven't unloaded on you my feelings on when that visa deal comes up. I was outraged by it. Why am I outraged by it? 
Very simply, we've got a community college system--certainly in California where it was founded, there's 107 campuses in California and we've got a Silicon Valley and San Diego, Orange County, and Santa Clara County, and popping up hopefully in other counties. And they need to work together, and we should not be importing people. We should be training our own people. When I think of the classrooms I go to where students are now exposed to computing, and it seems to me we're derelict both in education in California--and I've unloaded on many of the community college presidents and said, Where are you on this? And where are the CEOs in Silicon Valley that ought to be sitting down with them saying this is the kind of curriculum we need if they're going to be helpful to us? That was the whole purpose of the community college, was both vocational and academic. And you need both to be a good programmer. And I would hope that they would be working together so they could get the trained force. These are $60,000 jobs, and there are a lot of bright kids. Escalante showed that in the Los Angeles schools, you can teach young people to be as good as anybody, as good as they are at Harvard. And these students proved they could do it. And that's what we ought to be doing, but we need the equipment, which is--the state is always behind, every state in the Nation is behind when it comes to giving and granting and providing computer equipment. And if you're going to work on new generations, this is where Silicon Valley can take a tax writeoff, or wherever, and get something out of it. But your associations, it seems to me, would be very helpful to be where you get these people together, both the community college president and the CEO of a computer firm. We shouldn't have to be importing people from all over the world, and we shouldn't have to need a government program. I mean, the best education deal in America are the community colleges. There's very little tuition. 
At least in California it is; in Texas it is. So why aren't we taking advantage of that? Are we still going to just keep importing thousands of people? They're all wonderful people, but what about our own people? That's where I'm coming from. Mr. Miller. Did you want a comment, or is that just an observation? Mr. Horn. Well, I'm just saying--I'd like a comment, and I think--you know, where is that industry and where are those educators to be linked up to get the job done? Mr. Miller. Well, I do disagree with you on the immigration question, but I don't disagree with you on your fundamental point, Mr. Chairman. Our educational system is still an educational system designed for the industrial age, not the information age. And we are trying to work with community colleges. In fact, I recently met with the President of the American Association of Community Colleges to discuss potential collaborative activities. We're also working with particular outreach to minority communities. I think as you know, in the-- even though--for example, African Americans are 11 or 12 percent of the overall U.S. workforce; they're only about 5 or 6 percent of the IT workforce. So we're involved in some initiatives in that area, also. The challenge is to do both at the same time, though. It does take time for people to be trained and educated, and we have to incentivise them to come in. And I think that's why I was suggesting that government, cyber corps or IT tax credit training such as the legislation that Senator Conrad and Congressman Moran have introduced to try to create incentives. I do believe, Mr. Chairman, that community colleges are much more responsive than universities are in terms of adjusting their curriculum. And you have several in California which have done--moved relatively quickly. But it's--I think the late Governor of Florida once said, the only thing harder to move than a cemetery was the university faculty. 
So I think they find that trying to change, getting rid of Russian history and political science department for computer science departments isn't always easy; whereas, at community colleges they can move quite quickly. And certainly you see places like Contra Costa Community College. The one that's usually thrown up as the best example is Maricopa Community College in the Phoenix area where they work very closely with Motorola, Intel, and other semiconductor manufacturing firms for training. So I think we're getting there, Mr. Chairman. It's just slower than we'd like.

Mr. Horn. Well, that's where you have to take these massive systems because most of that is done at the local college, and that's why I suggested the community college. There's more flexibility for the reasons we all know than in the major research universities around. But if you're doing it, I think that's wonderful. We don't need a government program to do it. We just need you guys on the phone, and gals, to work it out.

Chairwoman Morella. I think we also need the partnerships of academia and the business sector and even government, you know, state government, maybe Federal Government in some way, also being kind of part of that partnership. But we have, Chairman Horn and I and Ranking Member Turner, been aware of the personnel needs throughout this whole thing, Y2K, now computer security, and we're trying to do something even legislatively on that, too, to increase fellowships and, as you mentioned, the cyber corps. We'll continue to work on that with your help. Just a wrap-up, if there are any comments from any one of you, real briefly, in terms of what we should be doing now since we have only that 149 days left to the end of--until we reach 2000, recognizing whether Y2K has been remediated or not with regard to computer security. Any final comments for us?

Mr. Miller. My only concern is--and I don't think this is Mr. Pucciarelli's intention in releasing his report--is that people don't move more slowly on Y2K because they're concerned about information security. He's correct that information security has to be part of your Y2K, but I hope no one who reads that article uses that as an excuse not to do their Y2K remediation. I certainly know that wasn't his intent. I know that Gartner has been one of the strongest advocates for Y2K remediation. But one could imagine a situation where someone would misinterpret that message instead of the message being to be more conscious of security and say, well, that's one more excuse not to get my Y2K solution done. So I hope this hearing will help to send the message that that is not the intention. I assume Mr. Pucciarelli would agree.

Chairwoman Morella. Thank you.

Mr. Pucciarelli. Yes, Mr. Miller. I appreciate your comments. Congresswoman, one final thought that I have is that simply reminding folks, reminding organizations, enterprises, and the leaderships of those organizations of the need to redouble their efforts and maintain the appropriate risk management criteria while they complete their Y2K remediation activities. And I think that even having this hearing on this matter has served a very important purpose to that end. I think that encouraging the various federal agencies and departments along the same lines would also be of benefit. Again, clearly our intention was not to suggest that you should--that organizations should go slower, but to merely point out that risk management activities have a role as well.

Chairwoman Morella. Thank you. Mr. Rich, a final comment?

Mr. Rich. Yes, ma'am. I'd like to basically agree here with both of the gentlemen here in that people shouldn't slow down, they should pick it up a little bit and keep vigilant as we go toward the year 2000. And I hope these hearings will allow people to look at other aspects rather than just focus on Y2K remediation.

Chairwoman Morella. Good point. Mr. Bennett.

Mr. Bennett. I believe that if there are companies out there that are still doing serious remediation and are not now doing contingency planning, then they probably have even more serious issues than worrying about that trap that's probably been set somewhere in one of the other companies that's now doing contingency planning. Certainly a call has been made to the security officers, and they need to pay attention, as they always have. I think the message from this Subcommittee ought to be to keep focused on the Y2K effort.

Chairwoman Morella. I want to thank all of you, and before we adjourn, I just want to mention the staff that have been very helpful always in contacting you and putting some things together: J. Russell George, who's with the Government Reform Subcommittee, Matt Ryan, Bonnie Heald, Grant Newman, Chip Ahlswede, and Seann Kallagher; our Technology Subcommittee, Jeff Grove and Ben Wu, and the clerk, Joe Sullivan. And there are others: Michele Ash, Trey Henderson, Earley Green, Jean Gosa; and the court reporter, Chris Bitsko. I think I covered everybody. Good. Thank you. You were just a splendid panel. I hope you'll feel free to contact us at any point with any of your suggestions or recommendations. And as usual, if we could--have other members who may have questions and any other questions we may have, if we may forward them to you. Great. Thank you. The Committee is now adjourned.

[Whereupon, at 12:06 p.m., the Subcommittee was adjourned.]