[109 Senate Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:23163.wais]

S. Hrg. 109-402

SECURING CYBERSPACE: EFFORTS TO PROTECT NATIONAL INFORMATION INFRASTRUCTURES CONTINUE TO FACE CHALLENGES

=======================================================================

HEARING
before the
FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL SECURITY SUBCOMMITTEE
of the
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
FIRST SESSION

__________

JULY 19, 2005

__________

Printed for the use of the Committee on Homeland Security and Governmental Affairs

U.S. GOVERNMENT PRINTING OFFICE
23-163                                  WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov   Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250   Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

SUSAN M. COLLINS, Maine, Chairman
TED STEVENS, Alaska
JOSEPH I. LIEBERMAN, Connecticut
GEORGE V. VOINOVICH, Ohio
CARL LEVIN, Michigan
NORM COLEMAN, Minnesota
DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware
LINCOLN D. CHAFEE, Rhode Island
MARK DAYTON, Minnesota
ROBERT F. BENNETT, Utah
FRANK LAUTENBERG, New Jersey
PETE V. DOMENICI, New Mexico
MARK PRYOR, Arkansas
JOHN W. WARNER, Virginia

Michael D. Bopp, Staff Director and Chief Counsel
Joyce A. Rechtschaffen, Minority Staff Director and Chief Counsel
Trina D. Tyrer, Chief Clerk

FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL SECURITY SUBCOMMITTEE

TOM COBURN, Oklahoma, Chairman
TED STEVENS, Alaska
THOMAS CARPER, Delaware
GEORGE V. VOINOVICH, Ohio
CARL LEVIN, Michigan
LINCOLN D. CHAFEE, Rhode Island
DANIEL K. AKAKA, Hawaii
ROBERT F. BENNETT, Utah
MARK DAYTON, Minnesota
PETE V. DOMENICI, New Mexico
FRANK LAUTENBERG, New Jersey
JOHN W. WARNER, Virginia
MARK PRYOR, Arkansas

Katy French, Staff Director
Sean Davis, Legislative Assistant
Sheila Murphy, Minority Staff Director
John Kilvington, Minority Deputy Staff Director
Liz Scranton, Chief Clerk

C O N T E N T S
------
                                                                    Page
Opening statements:
    Senator Coburn...............................................     1
    Senator Carper...............................................     3
    Senator Akaka................................................     5
    Senator Collins (ex officio).................................     6

WITNESSES

Tuesday, July 19, 2005

Donald (Andy) Purdy, Jr., Acting Director, National Cyber Security Division, Information Analysis and Infrastructure Protection Directorate, U.S. Department of Homeland Security...............     6
David A. Powner, Director, Information Technology Management Issues, U.S. Government Accountability Office..........................     8
Paul M. Skare, Product Manager, Siemens Power Transmission and Distribution, Inc., Energy Management and Automation.................    22
Thomas M. Jarrett, Secretary and Chief Information Officer, Department of Technology and Information, State of Delaware...........    25

Alphabetical List of Witnesses

Jarrett, Thomas S.:
    Testimony....................................................    25
    Prepared statement with attachments..........................   105
Powner, David A.:
    Testimony....................................................     8
    Prepared statement...........................................    46
Purdy, Donald (Andy) Jr.:
    Testimony....................................................     6
    Prepared statement...........................................    35
Skare, Paul M.:
    Testimony....................................................    22
    Prepared statement with attachments..........................    69

APPENDIX

Questions and responses for the Record from:
    Mr. Purdy....................................................   120
    Mr. Powner...................................................   153
    Mr. Skare....................................................   158
    Mr. Jarrett..................................................   164


SECURING CYBERSPACE: EFFORTS TO PROTECT NATIONAL INFORMATION INFRASTRUCTURES CONTINUE TO FACE CHALLENGES

----------

TUESDAY, JULY 19, 2005

U.S. Senate,
Subcommittee on Federal Financial Management, Government Information, and International Security,
of the Committee on Homeland Security and Governmental Affairs,
Washington, DC.

The Subcommittee met, pursuant to notice, at 2:05 p.m., in room 562, Dirksen Senate Office Building, Hon. Tom Coburn, Chairman of the Subcommittee, presiding.

Present: Senators Coburn, Carper, Akaka, and Collins (ex officio).

OPENING STATEMENT OF CHAIRMAN COBURN

Senator Coburn. The Committee will come to order. This is the first of probably many hearings on cyber security within the Federal Government and I am going to have a very limited opening statement.

Being from Oklahoma, we had some significant events there while I was a Member of Congress that taught us all a huge lesson in terms of terrorism. But there are several significant points associated with cyber security in America.

First of all, the United States does not currently have a robust ability to detect a coordinated cyber attack on our critical infrastructure, nor does it have a measurable recovery and reconstitution plan for key mechanisms of the Internet and telecommunications system.

Second, the Department of Homeland Security has not completed the National Infrastructure Protection Plan.

Third, cyber attacks on control systems can be targeted from remote locations around the globe. We know that.

Fourth, DHS is responsible for protecting the Nation's critical infrastructures. However, 85 percent of all the critical infrastructures are controlled by the private sector.
And then, finally, there is a lack of stable leadership at the National Cyber Security Division, which has hurt its ability to maintain trusted relationships with the private sector and has hindered its ability to adequately plan and execute activities. This is the first of the hearings that we intend to hold to look at Internet and informational, as well as cyber security within this Subcommittee. [The prepared statement of Senator Coburn follows:] PREPARED STATEMENT OF SENATOR COBURN On the morning of April 19, 1995, Oklahoma learned firsthand the horrific effects of terrorism in the homeland. The prevention of terrorism starts with a proactive plan with cogent, measurable goals and the development and empowerment of effective moral leaders to accomplish these goals. In October 2003, Chairman Adam Putnam of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, held a hearing where he clearly identified the problem, saying, ``The nation's health, wealth, and security rely on these systems, but, until recently, computer security for these systems has not been a major focus. As a result, these systems on which we rely so heavily are undeniably vulnerable to cyber attack or terrorism.'' Those vulnerabilities still exist today, only now they are less excusable. More importantly, the government's plan to secure our critical infrastructures from a cyber threat remains vague and formative despite clear legislative and executive mandates. Since September 11, 2001, the focus of security in the United States has been on physical terrorist attacks. In contrast, the government's cyber security efforts have focused on the internet and networking and desktop functions we all use every day. Unfortunately, operational control systems, which are at the heart of our critical infrastructures, do not work like conventional desktop business computer systems. 
The President has spoken to this in Homeland Security Presidential Directive #7 (HSPD-7) and the National Strategy to Secure Cyberspace, which emphasize that our nation's critical infrastructures provide services which are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. Congress has also spoken through The Homeland Security Act of 2002, which laid a clear mandate on cyber security at the Department of Homeland Security. The Act requires DHS to (1) assess our vulnerability to cyber attack, (2) develop a plan to fix it, and (3) implement that plan using measurable goals and milestones.

In order to implement the plan, the Department has the admittedly difficult task of engaging and securing action from diverse players: state and local governments, other federal agencies, and especially key industry actors. Cyber vulnerability is primarily in the private sector and the Department must find a way to overcome the challenges there. The nature of terrorists is to attack private citizens, as we recently saw in the horrific attack in the United Kingdom. There can be no excuse for not effectively engaging the private sector, even though it is hard. We ask no less of our food safety, airline security and pharmaceutical industries. Nobody wants to micromanage the private sector; however, Americans expect DHS to take every reasonable measure to protect us from terrorism. I am not convinced that threshold has been met.

If America is to be safe from the damage of a cyber attack, we will need a plan, a budget tied to that plan and Congressional commitment to the implementation of the plan. In particular, I hope we can commit to the following:

1. The completion of the National Infrastructure Protection Plan, fully incorporating the cyber component with more than vague generalities;
2. A way to measure milestones in the NIPP that will be assigned to a named department head;
3. A budget line item associated with the milestones.

To that end, I look forward to hearing from our witnesses from GAO, DHS, the State of Delaware, and Siemens Power Transmission & Distribution, Inc.

Senator Coburn. At this time, I will yield for an opening statement to the----

Senator Carper. Be careful what you say. [Laughter.]

Senator Coburn [continuing]. Ranking Member, and my friend, the other ``TC'' on the Subcommittee, for his opening statement. Senator Carper, thank you for being here.

OPENING STATEMENT OF SENATOR CARPER

Senator Carper. Thank you, Mr. Chairman. I am happy to be here with you and Senator Collins and to welcome our first panel of witnesses and look forward to the next panel of witnesses, which includes an old friend from--not an old friend, but a good friend from Delaware, one of our leaders.

I would just reflect back. I think some 2 weeks ago now, we had the devastating terrorist attacks on the London transportation system and it reminded us once again--especially those of us who live in the Northeastern corridor of the United States--it reminded us once again that terrorists are increasingly able to exploit our vulnerabilities and to cause an enormous amount of damage, destruction of property and taking of human lives.

Since September 11, the majority of our Homeland Security efforts have been aimed to strengthen security of our Nation's physical infrastructure. A good example of that is the aviation industry. Some of us are hopeful it eventually will focus more on rail and transit and subways, too. Last week, the Homeland Security and Governmental Affairs Committee held under Senator Collins's leadership--I think it might have been in this room--held a hearing on protecting chemical facilities within the United States. The hearing highlighted the necessary precautionary measures that should be taken to protect a chemical facility from a terrorist attack.
The importance of cyber security is oftentimes overlooked in discussions involving homeland security. Cyber security, though, plays an important role in the protection of our critical infrastructures. Computers and networks provide an increasing convenience and effectiveness for the everyday operation of critical infrastructures. In fact, on a critical infrastructure such as a railroad, combined with a cyber attack on the computer system of a major electric utility, it can have an enormous impact on the emergency response capabilities that are needed in times of disaster. It is the Committee's job, this Committee, and I think specifically this Subcommittee, it is our job to ensure that we are taking the steps that are needed to minimize the chance and to minimize the consequences of such an attack if it occurs. Again, I mention, Mr. Chairman, we have one of my friends and colleagues from Delaware, Tom Jarrett, not a ``TC'' but a ``TJ,'' who is our Chief of Information. He works in the Governor's cabinet, heads up the Department in our State called the Department of Information and Technology and I am just delighted to hear from Tom and to see him again. Accompanying Secretary Jarrett, I am told, is a woman named Elayne Starkey, and I am looking out in the audience. I think she is sitting right behind--there she is. Elayne, welcome. When you see Tom Jarrett's lips move, hear his voice speak later on, you will see Elayne's lips move. When I was privileged to be Governor, she just did great work, helping us really to bring technology to bear in our law enforcement efforts and we will always be grateful for the great work that she did. We are going to hear from Secretary Jarrett today about a Department of Technology Information that is really all too familiar with the challenges that are facing cyber security. One of Delaware's critical infrastructures is our State computer network. 
It is a large target of over, listen to this, 3,000 cyber attacks per day, little Delaware. I can't imagine what happens in big States like yours, but over 3,000 cyber attacks per day. I am not sure why that is. Maybe it is because we are the home of incorporation of over half-a-million companies, half the New York Stock Exchange, half the Fortune 500. I am not sure what it is, but that is a lot of attacks. Secretary Jarrett implemented a number of cyber security initiatives to address the cyber risks associated with our State's computer network. Delaware's Department of Technology and Information aims to strengthen and provide proper cyber security through partnerships with State agencies, multi-state forums, and a collaborative with Microsoft Corporation. Secretary Jarrett meets on a routine basis with all cyber security stakeholders to share cyber threat and vulnerability information to better protect our State's network from cyber attacks. Delaware's cyber security initiatives are an excellent example, we believe, of the processes and partnerships that are needed to protect against cyber attacks. In May 2005, at the request of Senator Lieberman, our colleague, and several Representatives, including Chris Cox, Representative Davis, Representative Thornberry, Lofton, the Government Accountability Office released a report that was titled, ``The Department of Homeland Security Faces Challenges in Fulfilling Cyber Security Responsibilities.'' That is a pretty big title. The report criticized the Department of Homeland Security's efforts thus far in fulfilling its cyber security responsibilities that are established for in law and policy. 
To fulfill the Department's cyber security responsibilities, such as assessing national cyber threats and vulnerabilities, the Government Accountability Office recommends that the Department of Homeland Security improve organizational stability and foster better partnerships with the private security, much as we have done in Delaware. As demonstrated by Delaware's Department of Technology Information, partnerships provide education, the technical expertise, and information sharing outlet that is needed to effectively secure cyber assets. Proper information sharing between the Federal Government and the private sector is instrumental to protecting our Nation's critical infrastructure from cyber attack. Last week in this room, Secretary Chertoff laid out a reorganization plan of the Department that includes a new Assistant Secretary for Cyber Security and Telecommunications to strengthen information technology management and cyber security responsibilities within the Department of Homeland Security. As that Department sets forth in strengthening national cyber security initiatives and efforts, I ask that the Department build cyber security partnerships within the private sector and provide a road map of priorities and milestones of cyber security responsibilities and initiatives, much as we have done in our State and perhaps in your States, as well. I really do look forward to this hearing and the testimony from all of our witnesses concerning the challenges that we face along these lines and the Federal Government's role, our role, in protecting our Nation's critical infrastructures from a cyber attack. I hope that the discussion that occurs here today and following this hearing will lead us to real solutions to the challenges that we face within the Federal Government with respect to cyber security. Mr. Chairman, I thank you, and to our witnesses, welcome. We look forward to hearing from you. Thanks. Senator Coburn. 
Senator Akaka, I understand that you have a hearing that you need to chair at 2:25. The Chairman has graciously allowed you to go ahead of her, if you would care to make your opening statement.

OPENING STATEMENT OF SENATOR AKAKA

Senator Akaka. Thank you very much, Chairman Coburn. Thank you for permitting me to do it now, and thank you, Chairman Collins, for letting me do this. Chairman Coburn, I want to compliment you on holding today's hearing on cyberspace. I know we both are also interested in agroterrorism, so these are up and coming issues, and I thank you so much for giving me this time.

Computers and computer networks reside at the heart of the systems upon which the American people rely on a daily basis. As our witnesses know, many of these systems are far too vulnerable to cyber attack, which would inhibit their function, corrupt important data, and expose private information. The Internet is the backbone of the U.S. economy and our Nation's critical infrastructures. It is the electronic roadway of commerce, industry, and defense. Databases stored on computer networks, in particular, have been an attractive target for criminal hackers who have breached the networks of several well-known companies and have stolen the personal data of millions of Americans.

A successful attack on the computer systems that support our critical infrastructures would threaten our national security, public health, and, of course, our way of life. The former head of the National Infrastructure Protection Center, Ron Dick, once said, ``The thing that keeps me awake at night is the thought of a physical attack on the U.S. infrastructure combined with a cyber attack which disrupts the ability of the first responders to access 911 systems.'' This is not an exaggerated fear, as our own military realizes the power of cyber warfare in destroying an enemy's command and control.
The Department of Homeland Security is responsible for protecting the key resources and critical infrastructures in the United States. In carrying out this role, DHS has a number of responsibilities established by law and Presidential directive. We are here today to discuss these DHS issues and how DHS is fulfilling those responsibilities and the specific challenges that the Department faces as it moves forward. One area that is of particular concern to me is the failure by DHS to complete a comprehensive cyber threat and vulnerability assessment. This threat assessment should be the foundation for the Department's risk-based approach to mission and priorities. A comprehensive threat assessment is needed in order to be certain that we are adequately protected and to ensure that precious Federal dollars are well spent. I want to thank you, Mr. Chairman, for having this hearing today and thank you for the time and wish you well. We look forward to our witnesses' testimony. Thank you. Senator Coburn. Thank you, Senator Akaka. Now, I am pleased to recognize the Chairman of the full Committee, Susan Collins from Maine. Thank you, Senator. OPENING STATEMENT OF CHAIRMAN COLLINS Chairman Collins. Thank you very much. Let me begin by thanking you, Mr. Chairman, for convening this hearing today and shining a spotlight on a critical infrastructure issue. And your timing could not be better. Just last week, Secretary Chertoff testified before the full Committee regarding his Second Stage Review recommendations for the Department of Homeland Security. As Senator Carper has mentioned, Secretary Chertoff proposes to create a new Assistant Secretary for Cyber Security and Telecommunications, a position that has long been needed. Clearly, Secretary Chertoff has acknowledged that cyber security is an issue worthy of much more attention and resources from within the Department. 
This hearing will provide an opportunity to explore some of the challenges that the new Assistant Secretary will face. Computers and information systems are key components that support the operations of critical infrastructure in our country, whether it is chemical facilities or oil refineries, dams, power systems, telecommunications, or mass transit systems. Increasing computer interconnectivity has improved the quality of daily life for Americans, but unfortunately, this interconnectivity has also created a weakness that can be exploited by our enemies in this post-September 11 world. I am pleased that the Department is placing more emphasis on this vital component of our Nation's critical infrastructure sectors and I look forward to working with you, Mr. Chairman, as well as the Department to strengthen our protections and defenses in this area. Senator Coburn. Thank you, Madam Chairman. Our first panel consists of two witnesses, Andy Purdy, Acting Director, National Cyber Security Division of the Department of Homeland Security, and David Powner, Director of IT Management at GAO. Mr. Purdy, your complete statement will be made a part of the record. If you would limit your comments to 5 minutes, I would appreciate it. Thank you. TESTIMONY OF DONALD (ANDY) PURDY, JR.,\1\ ACTING DIRECTOR, NATIONAL CYBER SECURITY DIVISION, INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Purdy. Thank you. Good afternoon, Chairman Coburn and Madam Chairman Collins. My name is Andy Purdy. I am the Acting Director of the National Cyber Security Division (NCSD) within the Department of Homeland Security. I am delighted to appear before you today on behalf of my colleagues to share with you the work of NCSD and those with whom we are partnering. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Purdy appears in the Appendix on page 35. 
--------------------------------------------------------------------------- In today's world, we recognize that attacks against us may manifest in many forms, including physical and cyber. We recognize the potential impact of collateral damage from any one attack to a variety of assets. As such, our Directorate takes a holistic view of critical infrastructure vulnerabilities and works to protect America from all threats by ensuring the integration of physical and cyber approaches. NCSD was created in June 2003 to serve as a national focal point for cyber security and to coordinate the implementation of the national strategy to secure cyberspace. Our mission is to work collaboratively with public, private, and international entities to secure cyberspace and America's cyber assets. To meet that mission, we have developed a set of goals with specific objectives for each goal and milestones, and we have identified two overarching priorities. One, to build a national cyberspace response system. Two, to implement a cyber risk management program for critical infrastructure protection. Focusing on these two priorities establishes the framework for securing cyberspace today and a foundation for addressing cyber security for the future. A core component of our effort to establish a national cyberspace response system is the US-CERT Operations Center, a partnership between DHS and the public and private sectors. US- CERT provides a national coordination center that links public and private response capabilities to facilitate information sharing across all infrastructure sectors and to help protect and maintain the continuity of our Nation's cyber infrastructure. To assist Federal agencies in protecting their cyber infrastructure, we have established the Government Forum of Incident Response and Security Teams to facilitate interagency information sharing and cooperation across Federal agencies for readiness and response efforts. 
A key component of our response system is the Cyber Annex, which we created as part of the recently issued National Response Plan, that provides a framework for responding to cyber incidents. To provide a Federal approach to coordinated cyber incident response, we worked with the Departments of Defense and Justice to form the National Cyber Response Coordination Group, later formalized by the Cyber Annex as the principal Federal interagency mechanism to coordinate preparation for and response to cyber incidents of national significance.

Under our second priority, we are engaged in a risk management program to assess threats and reduce the risk to our critical infrastructure. For the cyber component of the National Infrastructure Protection Plan, DHS is the sector specific agency, with our Division as the lead for the information technology sector, and we are working with the IT ISAC and the newly formed Information Technology Sector Coordinating Council to identify critical assets, assess vulnerabilities, and determine protective measures. In addition, we are attempting to ensure that cyber is comprehensive throughout this national plan by providing guidance to the other critical infrastructure sectors in analyzing, identifying, assessing and protecting their cyber assets and the cyber component of their physical assets.

Within this framework, we are pursuing other priority vulnerability reduction efforts: The Internet Disruption Working Group, our Control Systems Security Program, and our Software Assurance Program.

We believe the recent GAO report on critical infrastructure has provided a fair assessment of the progress to date and we agree that while considerable work has been done, much work remains to meet the challenges in this rapidly changing area. With the proposed appointment of a new Assistant Secretary for Cyber and Telecommunications Security, we are confident that we will accelerate our cyber security efforts.
Secretary Chertoff's recent release of the findings from his second stage review of the entire Department illustrates DHS's commitment to addressing leadership and organizational concerns that also have been raised by GAO. We are committed to achieving success in meeting our goals and objectives, but we cannot do it alone. We will continue to meet with industry representatives, our government counterparts at the State and Federal level, and academia to formulate the partnerships and leverage the efforts of all, including the private sector, so that we as a Nation are more secure in cyberspace. Again, thank you for the opportunity to testify before you today and I would be glad to answer any of your questions. Senator Coburn. Thank you very much, Mr. Purdy. Mr. Powner. TESTIMONY OF DAVID A. POWNER,\1\ DIRECTOR, INFORMATION TECHNOLOGY MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE Mr. Powner. Dr. Coburn, Chairman Collins, and Ranking Member Carper, we appreciate the opportunity to testify on the Department of Homeland Security's efforts associated with securing our Nation's infrastructures from cyber security threats. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Powner appears in the Appendix on page 46. --------------------------------------------------------------------------- Recent attacks and threats have underscored the need to effectively manage and bolster the cyber security of our Nation's critical infrastructures. For example, criminal groups, foreign intelligence services, and terrorists are threats to our Nation's computers and networks. Regarding recent attacks in March of this year, hackers gained access to the electric industry's control systems. To address these threats, Federal law and policy calls for critical infrastructure protection activities and establishes DHS as our Nation's focal point. 
It also designates other agencies to coordinate with key sectors, including energy, banking and finance, transportation, and telecommunications.

This afternoon, I will summarize four points, as requested. First, DHS has many responsibilities called for in law and policy. Second, although progress has been made in each area, much work remains ahead. Third, DHS faces many challenges in fulfilling these responsibilities. And fourth, several recommendations remain outstanding that, if effectively prioritized and addressed, could greatly improve our Nation's cyber security posture.

Expanding on each of these, first, we recently reported that, based on Federal law and policy, DHS has 13 key cyber security responsibilities, which include developing a national plan, enhancing public and private information sharing of cyber threats, vulnerabilities, and attacks, conducting a National Threat Assessment, facilitating vulnerability assessments, and coordinating incident response and recovery efforts if, in fact, an attack occurs.

Although DHS has initiated efforts that begin to address each of these 13 responsibilities, the extent of progress varies and more work remains on each. For example, its Computer Emergency Response Team, referred to as the US-CERT, issues warnings on vulnerabilities and coordinates responses to cyber attacks. However, our Nation still lacks a National Threat Assessment, sector vulnerability assessments, a mature analysis and warning capability, and key recovery plans, including plans for recovering the Internet.

DHS faces many challenges in building its credibility as a stable, authoritative, and capable organization that can fulfill its cyber critical infrastructure responsibilities. These include achieving organizational stability and authority. Over the past year, multiple DHS cyber security executives have left the Department. Establishing the Assistant Secretary for Cyber may help.
However, leveraging this new authority and recruiting top talent to fill it remains a challenge. Another challenge is establishing effective partnerships and information sharing arrangements with other government entities and the private sector. During our most recent review, representatives from the banking and finance sector told us that the level of trust is not sufficient to have productive information sharing. In addition, DHS needs to demonstrate value, meaning that it needs to provide useful and timely information on such items as threats and analytical products to key stakeholders. Over the last several years, we have made a series of recommendations to enhance the cyber security of critical infrastructure that demand immediate attention, including conducting important threat and vulnerability assessments, developing a strategic analysis and warning capability to identify potential attacks, developing a strategy to protect infrastructure control systems, and developing recovery plans to respond to attacks. We also recommended that DHS prioritize its critical activities and closely monitor progress with appropriate performance measures. In summary, Mr. Chairman, DHS has made progress in planning, in coordinating efforts to enhance cyber security, but much more needs to be done, including conducting threat and vulnerability assessments, bolstering our cyber analytical capabilities, aggressively pursuing threat and vulnerability reduction efforts, and developing recovery plans. Our testimony today lays out a comprehensive road map for what remains to be accomplished in each area. Until DHS addresses its many challenges and more fully completes critical activities, it cannot function as the cyber security focal point intended in Federal law and policy, resulting in increased risk that large portions of our national infrastructure are unprepared to effectively manage cyber security attacks. This concludes my statement. 
I would be pleased to respond to any questions you have at this time.

Senator Coburn. Thank you, Mr. Powner. I have numerous questions. I will not ask them all at the hearing, but I would like for each of you to agree to answer in written form the questions that we will submit for the record and do that on a fairly timely basis, if you would not mind. That will spare you some time. Mr. Purdy, when is it anticipated that the National Infrastructure Protection Plan will be completed?

Mr. Purdy. Well, Acting Under Secretary Robert Stefan has told the Hill that he expects to have a version of the plan in pretty good order by the end of the summer, so we don't have a precise date on that.

Senator Coburn. Will the reorganization, the stage two review, move that later?

Mr. Purdy. Oh, I don't expect so. No, sir.

Senator Coburn. If you don't care to comment on this, it is fine, but will this protection plan be beefed up with milestones that are linked to the budget line items and the department heads that are carrying that out?

Mr. Purdy. I am not sure that the plan that is in existence at the end of the summer will have that, but that is anticipated to be part of the plan as it rolls forward, including the specific sector plans that have to be developed in partnership between the government and the private sector, yes.

Senator Coburn. It seems that some industry sectors are more mature with regards to securing their cyber assets than others. I think that is a true statement. That is probably true throughout the residential cyber areas, as well. It seems that the title of the new Assistant Secretary for Cyber Security and Telecommunications would indicate that some critical infrastructures have more security needs than others, like the electric, chemical, telecommunication industries. Which sectors are more technologically mature and could be used as examples for sectors that are less mature when building guidance with which to self-regulate?

Mr. Purdy.
Well, until we do a complete assessment by sector, it is difficult to give a quantitative approach to that. I certainly believe that the telecommunications and finance sectors are among the most robust.

Senator Coburn. We did have the penetration of some of the power companies' data. It kind of scares you when ``24'' is doing this ahead of the cyber crooks. As this NIPP plan comes up, one of the questions I think a lot of people are wondering, why is it taking so long to do that? Why is it taking so long to have a National Infrastructure Protection Plan?

Mr. Purdy. Well, I think it is a very difficult task. But on some of the specific items you mentioned, we have accelerated the prioritization of three major areas that we believe, although part of the National Infrastructure Protection Plan framework, deserve accelerated efforts. Those are our Internet Disruption Working Group that we co-chair with National Communication Systems, and Department of Treasury and others are members of that. So that is a high-priority effort, to identify the assets, the interdependencies, the protective measures, the response and the recovery, building on the ESF-II, which as you know has evolved from telecommunications to communications generally. So that piece of it is fairly robust and that group will work to accelerate that and respond to some of the specific areas in the GAO report. In addition, our control systems effort is a very robust effort that we brought over from our Protective Security Division in May 2004. We had the strategic plan. We had our goals. We have a tremendous partnership with the Department of Energy, with the Idaho National Lab and other labs. And finally, our Software Assurance Program is also very robust, building on a key partnership with the Department of Defense, co-founding the National Infrastructure--the NIAP review in terms of the acquisition piece.
So we think those three priority efforts are not being held up by any time frame of the National Infrastructure Protection Plan and we believe those are the priorities, and so they are very important to us.

Senator Coburn. So your testimony is, sometime after the first of the year, we ought to have this plan intact, the NIPP plan?

Mr. Purdy. Actually, if I said that, I didn't mean to say that.

Senator Coburn. You said, by the end of this summer, we are going to have the structure of it, is that right?

Mr. Purdy. We are going to have a plan that is in pretty good shape. It is not going to be the final draft of it, yes.

Senator Coburn. But sometime after the first of the year, we should be able to expect that moving forward? I know you are implementing sections of that even before you have the NIPP plan, but for cyber security, where are we within that?

Mr. Purdy. Well, cyber security, we are moving forward in the work with the emerging Sector Coordinating Council, as you know, the private sector group, and the Government Coordinating Council. In fact, I think the organization of one of your witnesses, NASCIO, is a member of the Government Coordinating Council of the IT sector. And so we are working to build the framework for the sector-specific plan and the cyber guidance that will go to all the critical infrastructures. So that is moving ahead, and I certainly expect that the cyber piece will be ready well before the first of the year.

Senator Coburn. Now, you have an Internet Disruption Working Group.

Mr. Purdy. Yes.

Senator Coburn. Would you mind providing the Subcommittee a list of the achievements of that group, where you started and where you are now? One of the things that Mr. Powner said that really bothers me is that some of the limitation is because there is a lack of a level of trust. Those were his words just a moment ago. Do you perceive that is real? Is it founded on real actions?
In other words, do they perceive a threatened loss of some technologic advance or proprietary information by working with you as we try to do this?

Mr. Purdy. Well, I think we are moving ahead very successfully in trying to facilitate information sharing with the private sector. As you may know, our secure portal, our US-CERT portal that involves approximately 200,000 government and private sector folks, we are working to integrate into the Homeland Security Information Network. In addition, we are very excited by our partnership with the IT ISAC and the eight other ISACs that supply them cyber information so that we can incorporate that flow among those nine ISACs with the government into the HSIN structure. In addition, the private sector is standing up an information sharing group and we will be sending some members to it to try to facilitate the exchange of value and incorporation of private sector input into the articulation of a threat. So the information can be shared among groups and move out in a way that efficiently gets to folks in a timely fashion. So we think that is very substantial progress. In addition, we are reaching out to the private sector to convene some meetings that will be in the early fall to bring in the incident response teams from major private sector entities from across the country to engage in training and moving forward to really target the information sharing, building on the existing information sharing of US-CERT and the efforts in information sharing from the ISACs that I just mentioned.

Senator Coburn. Are those web portals that you mentioned 100 percent secure?

Mr. Purdy. Well, we believe they are secure. I am not sure that there is a standard in current technology to say that something is 100 percent secure.

Senator Carper. I want to back up if we could just a little bit and take a somewhat different approach. I don't care who leads off, but talk to us about the nature of the threat that we face.
Talk to us about where the threat is coming from. Talk with us about whether the threat is rising, and if so, in what respect. And you have touched on this a little bit, Mr. Purdy, but I mentioned in my remarks about our folks that were here from Delaware who will testify shortly, how we partner with the private sector, and I just want to hear your thoughts about those kinds of partnerships.

Mr. Purdy. The cyber assessment of threat was completed in the form of the National Intelligence Estimate for Cyber that we partnered with the intelligence and the law enforcement community on. Subsequent to that--and there are classified and unclassified versions of the NIE for cyber--subsequent to that, we have worked through our Information Analysis Division to provide intelligence collection requirements to the intelligence community for cyber, and those include information that would provide indicators of attacks against critical infrastructure, including control systems.

Senator Carper. What kind of control systems are we talking about?

Mr. Purdy. Across the critical infrastructure.

Senator Carper. Just give me some examples.

Mr. Purdy. Well, we have them in power, in chemical, in water. There are some in telecommunications. There are some in the finance industry. Most of the critical infrastructure sectors, pipelines, have control systems, and that is why it is one of the major priorities in our effort and in our funding.

Senator Carper. Is it fair to say that those different critical infrastructures are under attack on a daily basis, weekly basis, monthly basis, or some never under attack? And if so, where are the attacks coming from? What is the source of those attacks?

Mr. Purdy. The National Intelligence Estimate for Cyber identified some particular Nation States that are the source of particular kinds of attacks. There are attacks that are rampant throughout cyberspace.
Within minutes, as you probably know, when you hook up a new computer, you can see different levels of attack. Obviously, we are more focused, particularly focused on attacks against major critical infrastructure, attacks, whether successful or otherwise, targeted against control systems, for example, and that is a major effort for us. Working with the Process Control System Forum, hundreds of private sector owners and operators that we are partnering with DOE to try to make sure we build access to the information and provide protective guidance, such as we issued last week, Control Systems Information Bulletin for guidance to the control systems owners and operators to help raise the bar in terms of those efforts.

A lot of the activity, the malicious activity in cyberspace right now, as you know, is targeted toward financial gain. The use and exploitation of vulnerabilities, the use of trojans and worms, there was an ABC news report last night on the use of keystroke loggers, the malicious code put on people's computers that log the personal identifying information, much of which is related to phishing and spam and identity theft. It is a major problem to our e-commerce in general, our financial community in particular, even though I think they are one of the most robust sectors in terms of financial security. And so we are working with Treasury. We met with the FBIC, that is the governmental group, 2 weeks ago to try to accelerate the information sharing in the financial sector, and we are also monitoring the black market in those malicious tools, because there is a black market in those tools.
We are concerned and trying to help raise the bar because of the potential ability to use those vulnerabilities, to use those exploits to launch targeted, sophisticated attacks against our critical infrastructure, and that is why one of the priorities that I reference in my written testimony is trying to engage more effectively with the private sector on the priority areas that we need to focus on, and the one that we are suggesting to them is the identification of the major cyber attack scenarios, the serious cyber attack scenarios that we need to identify so we can mitigate, prevent, we can have our responses, in some cases automate it, and we can have the reconstitution in place to bring the systems back up and running.

Senator Carper. Give us an example, if you will, of what you called a serious attack scenario.

Mr. Purdy. Well, we would consider an effort that appears to be attempting to access the control mechanism of a control system, say in a waste treatment plant. We would consider that a serious attack because of the ability to change either the manipulation of the activity that it is manipulating and/or the monitoring that could be used to hide if there was a change or a problem. It might affect the sensors' ability to check that out. More serious situations that you see referenced in last Friday's alert about e-mail trojans that we put out is the exfiltration of data. We are very concerned about--which is basically stealing data from government and the private sector. We believe that is a very significant issue that we are addressing. You asked a question in terms of some of the activities with the private sector. We are working closely, as I said, with the Process Control Systems Forum.
We have had discussions with Siemens, one of the companies that will be testifying later, on some activities in the control systems area and trying to use some of the test beds where we can test the real world activities and capabilities that folks are using and test them in terms of their vulnerability to cyber attack and what kind of measures can be used to help protect them. So that kind of real world activity--and frankly, some of the activities are not very visible. One of the key things about being a focal point for cyber security is we get classified information, we get law enforcement sensitive information, we get information from the CERT community and from others, and what we try to do is provide real protective measures. So, for example, there was an attack not too long ago against a private provider that affected a Federal Government customer, and so what we did, when we understood the----

Senator Carper. Say that again. There was an attack from----

Mr. Purdy. There was an attack against a private sector provider and there was a government account on that system, so we took that information and identified, working with the company, working with law enforcement, identified what we thought was the zone of danger in that situation in terms of the other Federal entities that had access to the same servers in separate accounts. So we had a conference call with about 15 Federal agencies that had not been attacked yet, but to make sure they knew and had specific information they needed so that they could act on it. Then we issued what is called a Federal Information Notice. That goes to 1,400 Federal agencies. A little less sensitive information, but still, evidence that nonetheless could be used by folks to protect themselves. And finally, a general alert that goes more broadly so that folks could know what to do to secure their systems. But we don't publicize those kinds of activities.
Now, when there is, for example, an attack against a major State that we had to fly a team in to help, we don't publicize that information. We work with law enforcement, the intelligence community to try to bring value, and I share the point from my colleague from GAO that we want to provide value, and as part of this information effort, trying to figure out how to get the value to the private sector and our government partners and our State partners in a way that really is important is something that is very important to us and it builds that trust that you need for people to share, that if you don't go to the press and if you don't publicize these things and you provide real value, that kind of synergy is going to help us all.

Senator Carper. Thanks very much.

Senator Coburn. Just a couple other questions. Part of your statement was a major priority funding on control systems. Can you elaborate on that for me?

Mr. Purdy. Yes. Our budget for fiscal year 2005 is in the high $70s of millions. The control systems funding is $11 million in 2005. The President's budget, which calls for approximately $88 million for us in 2006, includes between $15 and $16 million for control systems. So it is a major effort for us.

Senator Coburn. One other question. Did your Department send a representative to the DOE road mapping exercise?

Mr. Purdy. I don't know offhand.

Senator Coburn. You have got some staff shaking their heads yes. Did DOE send a representative to DHS's framework meeting in Salt Lake City today? I get ``yes,'' too. All right. Thank you. One of the things that----

Senator Carper. Mr. Chairman, how do we know that just wasn't members of the audience shaking their heads? [Laughter.]

Mr. Purdy. Yes. I am told that the answer to those questions was yes.
I do know that NASCIO, for example, has participated in some of our meetings, building for our national cyber exercise, Cyber Storm, in November, and that kind of outreach is obviously fundamental to the success of these efforts.

Senator Coburn. One other question for you and then a couple more for Mr. Powner. GAO has pointed out that DHS's efforts to promote a trusted two-way communication information sharing have been found lacking by the private sector and some other Federal agencies. In fact, your testimony reflects that the National Cyber Security Division's second priority is cyber risk management, or assessing the threat and reducing the risk. However, you state, with regard to assessing the risk, NCSD collaborates with law enforcement intelligence communities in a number of ways. My concern is, is your role law enforcement or is it cyber security and prevention, and with a prevention plan? Which is it? Which hat do you all wear?

Mr. Purdy. We are about the business of critical infrastructure protection, and what we have found in our discussions with the major executive agencies, law enforcement agencies, is when there is law enforcement information about an attack, for example, against the control systems, my discussions, for example, with the Assistant Director of the FBI for Cyber was, if you get information in the field about something which is obviously a crime, when there is a successful penetration of a control system or even a targeted attack against a control system, we would appreciate it very much if we would get that information so that we can work the critical infrastructure protection so we can understand what is involved, what is the vulnerability being exploited, so we can share the information, not referring to it in its law enforcement sensitive way, but we can give guidance out. In addition, we have had situations where law enforcement finds out that there is an attack.
We get information about, for example, the source IP addresses of the apparent source of the attack. We work with the intelligence community to have them work the international piece to see if they can trace it back to see what is involved. So it really is critical infrastructure protection, but we have to share that information with law enforcement intelligence and the CERTs to make sure we can all do our jobs better.

Senator Coburn. But do you then share that with the private sector so that they can enable themselves?

Mr. Purdy. And that is what I am saying that we do in terms of the information bulletins and the alerts that we send out. And as we build our portal into the Homeland Security Information Network, we are going to be able to improve our real-time information sharing, and the best example of that is bringing those nine ISACs in that our information will go into that mix and theirs, as well, and we will share that much more quickly.

Senator Coburn. Mr. Powner, just share with us your view of how serious the threat is to us in terms of our cyber security.

Mr. Powner. Well, years ago, if you looked at the situation here, we were more focused on hackers who were attempting to break into systems for the sheer challenge or for bragging rights. I agree with Mr. Purdy's analysis. We have organized crime groups that are focused on monetary gains from using cyber tools. We have foreign intelligence services that are using cyber tools for espionage activities. I think the real question out there is where are the terrorist cells in terms of their cyber capabilities. If these folks have the capabilities that we are aware of right now, where are the terrorists?
I think Senator Akaka put it nicely when he mentioned some of the FBI's concerns, which date back many years, looking at what is referred to as swarming attacks, combined attacks where it is not just a cyber attack, but if you have a physical attack where you disrupt the response capabilities via some of the cyber tools, you could then have a very serious situation at hand. So it is real and that threat is growing.

Senator Coburn. Your report was fairly critical of the efforts that are ongoing, and DHS in the response letter to you all states that it has a strategic plan with milestones and performance measures. Where are they insufficient and why are they insufficient?

Mr. Powner. There is a strategic plan. There is the National Infrastructure Protection Plan. Some of those plans lack milestones. Some of those plans lack key activities. We made recommendations in areas where we saw some weaknesses in their plans. You look at the National Cyber Threat Assessment, vulnerability assessments by sector, and also response plans, not only response plans for the individual sectors, but also when you start looking at combined plans where we have multiple sectors that play in a certain arena. Probably the best example is if you look at the Internet. If we had a major disruption in the Internet today, the question is, who is in charge of leading that effort to reconstitute the Internet?

Senator Coburn. Who is?

Mr. Purdy. Multiple players, I think, is the answer today. NCSD would play a role. The National Communication System----

Senator Coburn. Let me ask Mr. Purdy that. Who is responsible for putting it back together?

Mr. Purdy. Well, the Secretary of DHS is the incident manager for all incidents in the country. The National Cyber Response Coordination Group that we co-chair helps provide input to the Secretary and provides input to the Interagency Incident Management Group.
With NCS, National Communication System, as part of that effort, we would coordinate the efforts across the Federal Government for reconstitution in partnership with the private sector.

Senator Coburn. Two last questions for Mr. Powner. DHS is going to move from $11 to $18 million, I believe that was Mr. Purdy's testimony, in 2006, on cyber security.

Mr. Purdy. Eleven to between $15 and $16 million.

Senator Coburn. Eleven to $15 and $16 million out of $70 to $88 million. Is there a problem with priority or is there a problem with funding, in your assessment, as you look at what is going on?

Mr. Powner. Clearly, there is an issue with priority and there is also an issue with delivery on the budget that is currently allocated. As we pointed out in several areas in our report, there is a situation here where we need to take additional steps--there have been steps in each of the areas that we looked at but there needs to be further steps. One good example is the National Threat Assessment. In working with the other intelligence organizations, if you look at the FBI Cyber Crime Division and other organizations across the Federal Government, there is a lot of information out there that exists today on the situation associated with the national threat. If we put out, as one example, a National Threat Assessment that the Department agreed to update annually and to provide information on an as-needed basis throughout the area, I think that would go a long ways into building credibility and adding value, where the private sector would clearly view them as a partner in this. So I think when you look at the current budget, and I think folks up on the Hill--we have had many discussions with them--would like to see more value coming out of the budgets that are currently allocated today.

Senator Coburn. So this threat assessment would be one way to engage the private sector. What are other ways that DHS could engage the private sector?

Mr. Powner.
One other way, I think if you go back to the Internet reconstitution, I think Mr. Purdy talked about or mentioned that NCSD would take a leadership role. There are many folks in the private sector, when you are looking at Internet service providers and telecommunication companies, energy companies, they also would play a major role in that, and if the NCSD, as one example, put together some initial plans, I think the working group that Mr. Purdy mentioned is a step in the right direction, but there needs to be further progress in putting in place response plans that are comprehensive, where the private sector views the Federal Government as a partner.

Senator Coburn. Is there a backup hardware infrastructure in place now if, in fact, the Internet--they would successfully challenge and shut it down, without reprogramming it and everything else, is there a backup infrastructure with which that could be reassembled quickly on a short-term basis? Do either one of you want to answer that?

Mr. Purdy. Well, I think ESF-II, the communications plan for recovery, is a very robust effort and the telecommunications backbone is the foundation for the Internet. We have done a lot of modeling work in terms of potential disruptions of the Internet and what it would take to carry it out for a long period of time. So I think we are in pretty good shape on that. I do echo the point that in terms of the priorities, we want to partner more effectively with the private sector on the recovery piece, on the response piece and the information sharing and threat piece. We recognize and we support those conclusions and we are working hard to do that.

Senator Coburn. Have you sent a letter to them saying, how can we do that? Has DHS gone to the private sector and said, how can we partner with you better?

Mr. Purdy. We had two large meetings with the private sector over the last 2 weeks. We had a meeting with the representatives of the Sector Coordinating Council yesterday.
We will be meeting within DHS after July 26 to lay out how we are going to move forward to engage. We have had meetings with our lawyers to figure out how we can comply with the Federal Advisory Committee Act, to have private sector folks actually tasked on a working group or a task force. So we expect to have some concrete progress in setting up those groups, and for each of those groups, identifying milestones and metrics, because the metrics piece is the other big piece that we are moving forward on with our internal and external metrics, and we want the private sector involved with us. So it is not just performance, it is cyber security preparedness, metrics that folks can follow over time to see where we stand, and that is going to help impact the whole National Infrastructure Protection Plan cyber piece.

Senator Coburn. Senator Carper.

Senator Carper. Just a couple more, if I could. I think I will direct these to Mr. Powner, if I may. I am going to read you something that was prepared in my briefing papers here. Cyber attacks are launched for monetary gain, for intelligence information, or for the thrill of a challenge. The most commonly used cyber attacks are viruses and worms that are transmitted through the networks and systems to disrupt computer files and programs. Go back to the first part. Cyber attacks are launched for monetary gain, for intelligence information, or for the thrill of a challenge. In the work that you have done, the study that you have--the time you have invested in this, which of those three, monetary gain, intelligence information, or the thrill of a challenge, seem to predominate?

Mr. Powner. We don't have specific numbers on that, Ranking Member Carper, but I would say that the monetary gain, when you look at some of the surveys that are done by some of the institutions out there that track this on an annual basis, for monetary gain, those numbers continue to grow year to year.
The hacking community, I think they are always going to attempt to hack for the thrill of hacking. The underground community is strong and vibrant. But clearly, when you look for monetary gain, also if you look at recently with online fraud and identity theft, that is also a growing area where there is great concern with security vulnerabilities.

Senator Carper. I don't know if it was a football coach from someplace in Oklahoma, Oklahoma State University, OSU, or the other OSU, Ohio State University, but one said that----

Senator Coburn. I happen to be an alum of both.

Senator Carper. I know. I am an alumnus of Ohio State. Somehow, I got on the list from Oregon State University. They send me solicitations for money, so I hear from a lot of OSUs. But one of them once said that the best defense is a good offense. It sounds to me like we play a lot of defense, trying to fend off these cyber attacks. Talk to us about the offense that we are playing, as well. I will start with you, Mr. Powner, and then I will go back over to Mr. Purdy.

Mr. Powner. Ranking Member Carper, I think if you look at our offensive capabilities, it is probably best if we talked about that in a closed setting.

Senator Carper. All right. Should we ask our guests to leave? I am just kidding. We won't do it here. Mr. Purdy?

Mr. Purdy. Let me say the piece of it that I can respond to, because the point is well taken, we are attempting, and I say in my written testimony, to leverage the capabilities of the Federal Government from a cyber defense perspective. That is situation awareness. That is the ability to attribute the source of attacks, the ability to coordinate and prepare for responding to specific attacks and the reconstitution piece. So we are mapping those capabilities across the Federal Government and we are going to identify of those capabilities what do we need to tie into US-CERT?
And third, when there is a cyber incident of national significance, we want to in advance identify the surge capacities and resources that we need brought to bear so we have the full resources of the Federal Government coordinated in partnership with the ISPs and the telecommunications providers, as well. And if you have a good defense, you don't have to respond to other alternatives. We would prefer to try to make ourselves as safe as possible, dealing with the threat as was discussed, but we need to reduce the vulnerabilities because too often, we are not going to know the specific threat information as to who is going to attack us. So we need to prioritize the vulnerabilities under the risk management framework of the Secretary to help mitigate the risks that we face.

Senator Carper. Sometimes when folks commit crime for monetary gain, they do so because they feel that--there is a risk-benefit situation here. People are willing to take a risk and in return they feel they get a certain potential payoff or a benefit from it. When it comes to folks that are doing this for monetary gain, I don't know how likely it is that they feel they are going to get caught, prosecuted, go to jail, be fined. Talk to us a little bit about the likelihood that the folks who are doing this for monetary gain are going to be punished and whether or not the punishment is commensurate with the crime.

Mr. Purdy. Who are you directing the question to?

Senator Carper. Either one of you. Let me start with Mr. Powner.

Mr. Powner. Would you repeat that, please?

Senator Carper. I sure will. What I am trying to find out is, somebody is out there. They are going to commit one of these crimes, one of these cyber attacks for money, for monetary gain, and they are thinking through, does this really make sense? Am I going to get something that is worth taking the risk to commit this crime?
How likely is it that we are going to catch them, and if we do, is it fair to say that the punishment, the level of punishment, is enough to make them think twice about committing the crime?

Mr. Powner. A couple comments. One is GAO does not have specific numbers on that, but a lot of these activities go undetected to begin with. So if you start there and say that there are a large number of these attacks that we do not detect, then I think the chances are high that, in fact, they will not get caught because they may not even be detected. Consistent with Andy's comments, I think that is why we are trying to reduce our vulnerabilities, increase our intrusion detection capabilities so that, in fact, we can detect more on a going forward basis.

Senator Carper. Same question. Mr. Purdy, what I am trying to get at is sometimes when criminals are contemplating a crime, they actually think about, well, what if I get caught? If I get caught, what is the likelihood that I will be convicted? If I am convicted, do I go to jail or pay a fine? Is it worth it? And what I am trying to get at is how likely is it that we are going to catch these guys and is the punishment commensurate with the crime.

Mr. Purdy. Well, most of those questions, I would prefer to defer to the Department of Justice. They really have the responsibility in that area. The point that Mr. Powner referenced, though, in terms of the seriousness with which we view the criminal activity that is occurring in cyberspace and the difficulty of attributing the source of some of the largest attacks we have ever seen, that is all the more reason why we want to focus on reducing the vulnerabilities and working with law enforcement and in the R&D space to try to do a better job of figuring out who is doing these things to us, because obviously in the dynamic of if you don't think you are going to get caught, it doesn't matter what the punishment is.

Senator Carper. The last question I want to ask is to go back to Mr. Powner.
I think it was the May 2005 report called ``Department of Homeland Security Faces Challenges in Fulfilling Cyber Security Responsibilities.'' GAO identified, I think you called it a road map of 13 key responsibilities that were established, both in law and in policy. And my question of you would be, what priorities--and I think the Chairman actually mentioned this before--what priorities, and if you are GAO, should the Department focus on first?

Mr. Powner. First of all, that was our recommendation, that you take these 13 areas and that they prioritize. But one thing that you could--that could help with the prioritization, I think Mr. Purdy has clearly mentioned a number of their priorities, priority areas on a going-forward basis with building trust relationships and tackling the threat and vulnerability reduction. There are certain areas that the government, and in particular NCSD, controls more than others. So if you compared threat assessment to vulnerability assessment, vulnerability assessment, they can facilitate the vulnerability assessments, but that really has to be done by the infrastructure owners of the private sector, for the most part. Threat assessment, they control most of that. So in terms of the priorities, there are perhaps some quicker hits with areas that the government controls more than the private sector. So that could be a factor in their prioritization efforts.

Senator Carper. All right. Gentlemen, thank you.

Senator Coburn. Thank you very much. Thank you for your testimony. We will now have panel two. Our first witness will be Paul Skare. He is the Product Manager of SCADA, Substation Automation Products for Siemens Power Transmission and Distribution, Energy and Management Automation Division. With us, also, I will let Senator Carper introduce Thomas Jarrett.

Senator Carper. Thank you, Mr. Chairman. I am going to ask Mr. Jarrett when he speaks to just take a moment and introduce the members of his team that are with us here today.
I would just say, because I already talked a good bit about Tom earlier in my opening comments and I appreciate the opportunity to introduce him here today. I was fortunate to serve as Governor for 8 years and one of our real challenges in State Government was to put together at the cabinet level an agency that could help us take our information systems really into the 21st Century, and we struggled with that. We actually had an overall sort of top-to-bottom review of State Government in, I want to say, 1993. We looked at our Information Services Agency, OIS, and tried to determine how we should change it, how we could make it better and to enable us to better serve the folks in our State. I am never convinced we got it quite right. I think one of the very good things that has been done under the administration of my successor is, I think they have pretty much gotten it right. Part of getting it right is really having the right person to lead that effort, and in Tom Jarrett, I think we have that person. He brings us to today the perspective of one who has worked in the private sector in these areas, one who has provided great leadership, not just for our State, but I think for others who do his work, his job, his counterparts in other States across the country, and I am really proud of him and the agency and the men and women that he leads. I thank you for the chance to say those nice words about him.

Senator Coburn. I am struck by the fact that we lost 75 percent of the people that are here, and I am just wondering if all those worked for GAO and DHS, and if they did, no wonder we are not getting where we need to be.

Senator Carper. They are doing the security for the two witnesses.

Senator Coburn. Thank you both for coming. Mr. Skare, if you would.

TESTIMONY OF PAUL M. SKARE,\1\ PRODUCT MANAGER, SIEMENS POWER TRANSMISSION AND DISTRIBUTION, INC., ENERGY MANAGEMENT AND AUTOMATION

Mr. Skare. Good afternoon, Chairman Coburn, Senator Carper.
I am Paul Skare, the Product Manager at Siemens Power Transmission and Distribution. My role is, as we said, managing many of the products that we are talking about here. I am also involved in many standards groups relating to SCADA, or Supervisory Control and Data Acquisition Systems.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Skare with attachments appears in the Appendix on page 69.
---------------------------------------------------------------------------

Siemens is a very large company in this product space and we operate in over 190 countries worldwide. In the United States, we have over 70,000 employees and we have operations in all 50 States. In energy management and automation, we provide software and technologies for the energy market, and these SCADA systems are systems that collect data from all the remote places, the substations, the power plants and other expensive pieces of power equipment, bring them to a central location, and do analysis on this data and turn this data into information so that the operators can then make the right, appropriate actions to correct problems in the field. Obviously, this is a key point for power reliability. Adding more smart applications to these SCADA systems allows you to then do even more detailed analysis and really look at preventing--proactive approaches to preventing blackouts and things. My testimony today is focusing on identifying some of the potential security vulnerabilities of a SCADA system, some of the activities related to this, and some recommendations to better protect these systems. While our customers primarily use these systems in the electric sector, many also use the same basic technology for gas, water, and transportation. With some background on this information, I have prepared some appendices that can be submitted into the public record to help the----

Senator Coburn. Without objection, they will be. Thank you.

Mr. Skare.
And I would like to say that in the last few years, I have seen industry and government working better together. What is really noticeable is that a lot of this type of discussion has moved away from the art, or the world called art, into a more firm science approach to the issues, and it helps spread awareness and get everyone to speak the same language. But nonetheless, some of the SCADA vulnerabilities that are issues to look at are obviously remote access. Anytime you have remote access to make it easier to access these devices remotely, it is going to present a vulnerability or the potential for a vulnerability. Network configurations, the way that you would remotely access these things, of course is very important, to make sure that they are secured, and any minor misconfiguration can create a vulnerability. Disgruntled employees, whether they are current employees or ex-employees, are a big factor, whether they are mad and they go immediately and do something they still have access to, or whether they have just been terminated but they still have access privileges to the system will allow them to go out and do a malicious act. The discussion earlier about security holes and patches and viruses, worms and so on, is going to be always an issue for this industry because of our high reliance on commercial off-the-shelf technology. Our systems are based on all the standard computers that are available on the market. Communications should be encrypted. This means if you are using a wide-area network approach, you should have a public-private key infrastructure with encryption and authentication to make sure the data is private and can't be hacked into. You should also make sure that for a lot of these remote devices you are talking to, that you have valid encryption and authentication in place for those, as well. One of the things that we have talked about in the previous testimonies today is incident reporting, really.
How do you know how bad it is when it is unclear how you measure? What are the real incidents? Are you getting a false positive on an attack report? Are the companies that use these systems, are they reporting actual incidents to anybody? Certainly as a SCADA vendor, most of our customers do not want this information public. They don't want to tell us, and they would prefer not to tell anyone because of the potential harm the publicity could bring. So some of the challenges for these SCADA systems are making sure that all user activity is audited by the individual doing the activity, making sure that there are upgrade kits for older systems to make them secure without having to replace the whole system, making sure all the third-party products involved in these systems are also set up for security and the latest patch is built into those. Again, making sure that we have the secure communications, both over WANs and over slower dial-up-type access. And finally, making sure that a lot of the low, weak devices that you are talking to have the ability to have encryption between them so that when you are talking from a control center out to an RTU or a remote device that is bringing the data in, even if it is a really old one, that you can still get a secure communications and not have concerns from that regard. Some of the recommendations that will help achieve securing these systems is making sure that business processes are aligned with security in mind. Now, NERC has done a lot to create some security policy where it is sent to foster requirements for security policies, but not necessarily--with the energy bill now, the enforcement becomes a possibility for NERC to be able to address these issues. Today, the enforcement is only a voluntary enforcement, and so for a utility to have a security manager and a security awareness program and making sure there are no little yellow sticky notes with user names and passwords laying around is an important aspect of security.
Types of SCADA systems also have some challenges on the different types of security because an electric SCADA system will be processing information every one or two seconds, pulling that information in and doing analysis on it, while something on a gas pipeline system might only need to pull that data in once every 10 minutes. So a gas pipeline system can have a higher level of encryption and still get its data in time, but for an electric power system, when you are talking about collecting data at perhaps once every second, you can't block the access of the data by having so much encryption that it slows down the availability of the data. So with that regard, one of the recommendations is to foster some research into that area so that for these low-powered devices, that includes some of the wireless devices that are out there now, too, because more and more, you are seeing sensors connected into the system through a wireless connection before they come upstream to the control center, and right now, there is a need for research in the security of these wireless communications. Another recommendation is to have a secure way of reporting both the threats and the incidents in these systems. So, for example, whether someone has a threat available, it is not necessarily accurate that everyone is aware of that threat, and also, if a utility is faced with an attack or a security incident, there is no mandate that says they have to report that to anyone. And if there was a way for these incidents to be shared along with the vendors that make these systems, it would allow us to more rapidly respond to fixes for these incidents. Another issue is incentives for the utilities when they secure their systems.
If there was an approach that would ensure that the culture at these utilities had the mindset of securing their systems in a way to help their cost recovery on those through either tax incentives or some such mechanism, would be helpful, I think, for the electric utilities. Federal and State cooperation, it is not just the people we have talked about today, but each State Public Utility Commission is also involved in the operation of these electric utilities and the cooperation and perhaps public outreach in these areas with the Public Utility Commissions would be of benefit. And then there are also non-jurisdictional utilities that also could be useful to be brought into the fold with the security discussion. Another recommendation is Department of Homeland Security and Department of Energy have some similar programs and it would be useful, I think, to have them perhaps a little more coordinated or merged together. We heard earlier today about the Control System Security and Test Center, and there is also the National SCADA Testbed, both out at Idaho National Laboratory. And while Siemens has a system out there, I think that it would be useful to have these programs combined and have a longer-term funding approach for them so that you can see that as these vendor systems get out there and the vendors produce fixes and patches for them, that over time, you can verify that these systems are really getting secured. But this is not a one-year type of approach. This is a multi-year activity. The other thing that would be useful is if the different national laboratories were a little bit more in sync and didn't appear to be competing. For example, Idaho National Lab, Sandia National Lab, Pacific Northwest National Lab and Oak Ridge, which all have some relevance to this subject, in fact, three of them do have a partnership for the National SCADA Testbed, but overall, there has still in the past been some confusion as to who is taking what role in this activity.
The various management changes and reorganizations have had an impact, also, on making sure you know who you are talking to in order to accomplish various tasks in this arena.

Senator Coburn. Let me get you to summarize, if you would.

Mr. Skare. OK. Absolutely. The final point is that a risk-based approach is, I think, the most effective approach to these issues. Finally, I would like to say that Siemens is very supportive of these activities and will continue to be made available and to assist and to work in the area to secure the Nation's critical infrastructure. Thank you.

Senator Coburn. Secretary Jarrett.

TESTIMONY OF THOMAS M. JARRETT,\1\ SECRETARY AND CHIEF INFORMATION OFFICER, DEPARTMENT OF TECHNOLOGY AND INFORMATION, STATE OF DELAWARE

Mr. Jarrett. Thank you. At Senator Carper's request, first, I will introduce the folks that came along with me. First is Elayne Starkey, the Chief Technology Officer for the Department; Michele Ackles, who is my Deputy in the Department; and I would also like to introduce Shay Stautz, who is here with me from NASCIO, so I am glad that they joined me today.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Jarrett with attachments appears in the Appendix on page 105.
---------------------------------------------------------------------------

Thank you for inviting me to appear before you today. I appear in two capacities, first representing the great State of Delaware as Secretary of Delaware's Technology and Information Agency, and second, as the current President of the National Association of State Chief Information Officers, or NASCIO. First, I would like to thank Chairman Coburn and a special thanks to Delaware's Senator Tom Carper for inviting me to speak with you today. As Delaware's CIO in charge of all State Government information and communications technology, my highest priority is cyber security.
The security of Delaware's information technology system is critical to the well-being of our State as a whole, not just the business of the State, but also its economy. Further, from a Federal perspective, Delaware's information system is key to providing Federal services to our citizens and supports homeland security efforts. In the most simple of terms, keeping those who would wish to do us harm out of our network and systems is the primary challenge of IT security staff in Delaware and across the Nation. Delaware's State network may be small in comparison to some other States, yet we are responsible for over 130,000 users, representing all three branches of government, including our law enforcement, first responder, and educational communities. We have recently deployed new software that permits us to check network events on a daily basis and we fend off nearly 3,000 daily attempts at entering our network. I would like to repeat that, nearly 3,000 attempts a day to invade our network. As you will see in the documentation that I have attached to my statement, these numbers are not out of line with what other States are seeing. Because of our extreme diligence, we have not had a significant intrusion into our network. Keeping those that would wish to do us harm out of our network requires multiple layers of protection. While it is rarely a terrorist in the traditional sense of the word that threatens the State network, we do not focus specifically on who is trying to infiltrate our network. Rather, our goal is to keep all those with bad intentions from entering our system. Without lapsing into too many technical terms, we deploy a number of different hardware and software products to protect our networks. We scan, scan, and scan again all traffic coming into the network. We search for viruses, spam, spyware, and other recognized problems. Delaware is proactive in establishing collaborative partnerships at the Federal and local level.
We have a working relationship with the FBI, who performs vulnerability audits and scans for us. We collaborate with the private sector, as well. Delaware was the first State to become part of an extensive security cooperation program that Microsoft has established. During times of heightened security alerts, like that resulting from the recent terror incidents in London, we also raise the bar on cyber security. We increase our vigilance and our monitoring because we are well aware that a virus that begins in Asia can propagate to the United States in a matter of a few short hours. In a very short period of time, it is possible for a system that has not been hardened or properly maintained to be completely overrun. Now, what does the future hold? Unfortunately, I have to state that I believe that threats to cyber security will only increase and we will face continuing attacks and attempts on multiple fronts. State IT officials must continually adjust how and what is filtered, blocked, and monitored. New threats appear almost daily and they can, in a matter of seconds, render services we have all come to depend upon, like e-mail and web browsing, completely unusable. In the worst case scenario, without proper protection, an attack could potentially cripple or completely shut down an entire State Government. While we must understand that all critical infrastructure is the same by its very nature, critical, whether it is a roadway system or an information network, infrastructure is about moving people and information and a State's network infrastructure is equally as important as its highways, electric power grid, or mass transit system. I will conclude my remarks with a few words about what NASCIO is doing. NASCIO is working with the States to get a comprehensive picture of the challenge that cyber security represents. We have produced a series of snapshots into what a few States are doing. Let me share just a few experiences from my CIO colleagues.
Michigan reports that nearly 32 percent of its incoming e-mail carries viruses, while Montana reports a rise from 93 attempted virus infections in 1997 to nearly 45 million in 2005. Kansas blocked 600,000 intrusion attempts over a 3- to 4-hour time period during one recent attack. Protecting critical IT infrastructure does not come cheaply. We estimate that my Department spends $5 million annually, or 15 percent of my annual budget, on cyber security. A recent Statewide assessment in North Carolina revealed that approximately $50 million was needed to implement a statewide security plan. NASCIO believes that the Federal Government and the States must increase collaboration in facing these threats which we share in common. NASCIO applauds last Wednesday's announcement by Secretary Chertoff that he will create an Assistant Secretary for Cyber Security within the reorganized Department. NASCIO supported the calls for such a position and has endorsed past legislative efforts seeking to create the position. In fact, State CIOs have made addressing deficiencies in public sector cyber security their No. 1 item on our Federal agenda. We believe that the creation of a higher-profile position for cyber security within DHS is an important statement to the Nation as a whole. Having provided you with this background, NASCIO comes prepared to offer the Subcommittee one substantive step that it can take forward toward improving intergovernmental cyber security. NASCIO has provided Subcommittee staff with language that encourages the Secretary to have DHS revise the existing strategy and assessment process to include requiring a cyber security preparedness plan from each State and each State's CIO. We feel that closing the cyber security planning gap in the near term, and especially before the next round of grant making gets underway, is the single most important issue facing our sector today.
Finally, NASCIO points out that information systems in general are the only part of the Nation's critical infrastructure that is under attack everywhere, all the time, and these attacks are inflicting millions of dollars in damage. Cyber attacks, even those without terroristic intent, could disrupt government's operations in general or homeland security mission critical systems specifically. It is our duty to secure these systems from all types of threats, regardless of the intent behind them, and as soon as possible. As the CIO for the State of Delaware and the President of NASCIO, I appreciate the work that the Subcommittee is doing in confronting this national challenge. Thank you.

Senator Coburn. Thank you, Mr. Jarrett. Senator Carper has to leave and I am going to defer to him for the first set of questions.

Senator Carper. Thank you very much, sir. Again, to our witnesses, thanks a lot for coming and for really excellent testimony in ways that even I could almost understand. Sometimes when we have people testify on these subjects, I am not sure I understand the words. As Mrs. Einstein used to say, Albert Einstein's wife, ``Mrs. Einstein, do you understand what your husband is saying or talking about?'' And she said, ``I understand the words, but not the sentences.'' I think for your testimony, for the most part, I understood not only the words but, in many cases, the sentences. I want to return to a question I asked the last panel and never got the answer I was looking for. I raised the issue of a football coach who is looking for ways to provide a good offense, and not just a good defense. We had a big middleweight championship fight out in, I think it was Las Vegas, this past weekend. A guy who defended his title, I think 20 times, was unsuccessful in title defense No. 21.

Senator Coburn. Fighting is not good for you.

Senator Carper. That is what I have heard, at least fighting against those guys wouldn't be good for us.
But as I listened to this testimony, I am reminded of a boxing match, maybe even a football game, where one side is on defense the whole time and you never get the ball to go on offense. I am reminded of a fight where you have got one guy who is permitted to throw all the punches and the other guy just basically has to take them. Am I misreading this? Are there ways that we can fight back effectively? It seems that all we do is play defense, and I think we are pretty good at it, it sounds like we are very good at it, but I like to play offense, too. Are we? Should we be?

Mr. Jarrett. Well, I would say from a State perspective, I think we are beginning that process. We have spent considerable dollars over the last several years building a very strong defense. But the real issue here is more in trying to identify the people that are actually trying to get into our networks, they hide themselves very effectively. So you need to have the resources and the money to then go after them, and I happen to be a believer that we should be going after them, but they are very difficult to find. In our case, as quickly as we make changes to our system, we see changes that have already countered those changes. So very definitely, I would hope that we will begin to take a much more offensive approach, but it is very difficult.

Mr. Skare. I think that we have a very large installed knowledge now with intrusion detection systems, but now the latest thing that is coming along is intrusion prevention systems. So what it is, it is trying to take a look at the known signatures of some of these attacks and try and prevent them as they are happening, or the so-called zero day defense that is really happening. And when you combine that with a defense in depth approach to your control system, you have a much better chance of really trying to proactively stop them as it happens, although I would say that there is still a long ways to go there.
But, for example, when you look at some of these control systems, they use quite common standardized protocols so that all the different systems can talk to each other and these are mostly publicly available, so we are taking a look at how do you scan real time these data communications and prevent things from happening real time.

Senator Carper. All right. A question, if I could, this would be for Secretary Jarrett. I believe in your testimony, I think I heard you say that some 15 percent of your Department's budget is just for cyber security initiatives. Last week, Secretary Chertoff said, I believe in this hearing room, not only the establishment of the Assistant Secretary for Cyber Security and Telecommunications, but he talked about dedicating some Federal resources to help the efforts across the board. Let me just ask, what additional resources do you believe that the Federal Government, if any, should allocate, if any, for cyber security initiatives?

Mr. Jarrett. Well, I think there are two pieces of that. I have read some of the numbers as far as dollars that they are talking about appropriating to that. When I compare them in direct comparison to what I spend, my comment would be that I don't think it is enough. So I would hope that the appropriations that they are going to put towards cyber security would be much larger than what I, at least from what I have currently seen.

Senator Carper. It would also be great if, whether the allocations are huge or large or moderate, it would be great if they were doing something that sort of complemented what you were doing with this data, not necessarily duplicate or replicate.

Mr. Jarrett. And that was going to really be my second thought, which is I heard the comments and what was honestly striking to me was the fact that though there was a lot of talk about connections between agencies and all that, there was no mention of connection really to the States.
And I would argue that the States are really the first line of defense when it comes to, whether it is first responders and those kinds of things. We are kind of out front on a lot of areas, working in the area of cyber security. So we would like to work much more effectively with them in the future. I think that would be a tremendous approach if we could finally, or at least ultimately, reach that point.

Senator Carper. One other thought, Mr. Chairman, comes to mind. I think it was Lincoln who used to say, the role of Government is to do for people what they cannot do for themselves. Maybe a reasonable role for the Federal Government here, for the Department of Homeland Security, is to do for States what you cannot do for yourselves, or for the private sector, for that matter. One last question, if I could, for Secretary Jarrett. I believe your first task, as I recall, as Secretary was to transform Delaware's Office of Information Systems to this Department of Technology and Information. You hand picked and hired an entirely new organization that is built on a market-based compensation plan where individuals are compensated based on their performance within the Department. You also did away with many middle management positions. You enabled employees to be more connected with the end result. I would just ask what suggestions you might have, really for the Department of Homeland Security, for our Federal agency, for your big brother, if you will--that probably has the wrong connotations--but for Homeland Security in finding and retaining the most highly qualified individuals to protect our Nation's critical infrastructure.

Mr. Jarrett. I have a pretty basic thought about that and it comes down to the most basic thing, which is pay. One of the key approaches that Delaware took was to be able to pay our people within the Department what the market, and what they would literally get in the market if they were to go outside of working in State Government.
We found that to be very effective, because in the end, if you are going to be effective in managing, working these kinds of issues, then you have to have very good people, and if they are going to be accountable, then you have to be willing to pay them, or otherwise very likely they either won't come to you in the first place, or if they do, they won't remain very long. So we have found that our pay structure has been probably one of our greatest assets because it has allowed us to hire very excellent people who are more than willing to stay because we are very competitive.

Senator Carper. Great. Mr. Chairman, thanks for letting me lead off here. And again to Secretary Jarrett, it is great to see you.

Mr. Jarrett. Thank you.

Senator Carper. Thank you for you and your team, who are representative of the great work you are doing on behalf of our State and for, I think, the wonderful example you are providing to a few other States. Congratulations. He is not only Secretary, Mr. Secretary, but he is also Mr. President of his national organization. It is not every day we get to do that. Thank you both.

Senator Coburn. The Senator from Delaware, are you proposing waiving government parameters limiting the ability to increase pay and pay for performance in Homeland Security? That is something our President has been trying to do here for some period of time.

Senator Carper. When we have a private conversation with our earlier panel on the matters they couldn't discuss, let us bring that one up, too.

Senator Coburn. OK. Good answer. [Laughter.]

Senator Coburn. Mr. Skare, here is how my staff assesses you. He is a world class operational control systems technology expert. He works for one of the world's largest manufacturers and leaders in control systems. So I want to ask you very frankly, do you have a good working relationship with DHS? Are they communicating the way they should with you?
Are you allowed to get information that is helpful to you when you should, and do you feel comfortable sharing information with them?

Mr. Skare. Well, that is a very good question. I think that there has been some changes in management. I originally was contacted and had been working with Mike Lombard in the Department of Homeland Security, and then that had shifted over to David Sanders. I think as some of the activities go on--for example, the DHS did invite me to the road map meeting we had last week in Baltimore, and I think that it was a very good meeting for sharing ideas with the DHS people. My experience with DHS is that they are very focused on moving quickly. But as far as sharing any detailed information, I do not have any specific threats shared with me of any sort.

Senator Coburn. So, in other words, there may be a threat to one of the systems that you are looking at that they know about that you don't know that could maybe enhance your ability to do the job better as a vendor for those items, yet you are not seeing the feedback loop coming on that.

Mr. Skare. That is right. I have seen no feedback in that area.

Senator Coburn. Is that not something that we want to happen?

Mr. Skare. I believe it is. I know that I actually had this discussion with one of the DHS people last week and we discussed if it meant that we should get security clearance, or maybe there is a new type of clearance that could be created, a trusted type of information sharing line that could go on. But the discussion was still an ongoing discussion.

Senator Coburn. Well, if 85 percent of our cyber is in private hands, we are going to have to talk to the private sector. That would mean 15 percent is in the State and Federal hands and other entities.
We are going to have to communicate, and I was most concerned about GAO's testimony as this lack of confidence, because if there is not confidence with DHS, then you as a spokesman or lead individual for your company are going to be somewhat hesitant to share with them information. And so if we can't get past the--it is kind of like marriage. If you can't get past the trust deal, you never get anywhere. So if we can't get there, this can build and this can grow if we have a working relationship. I am concerned. Have you noticed anything, Secretary Jarrett, in terms of your ability to relate and a level playing field and informational exchange that you could offer us?

Mr. Jarrett. We have found that the information exchange has been very difficult. That is why we have built strong relationships with most of our business partners. I can tell you that most of the threat data that we get today, we get from those business partners and through US-CERT, but not directly from the Department.

Senator Coburn. Through the US-CERT?

Mr. Jarrett. Right.

Senator Coburn. OK. And did either of you gentlemen happen to see the article yesterday in the Wall Street Journal where they talked about the trojans? I thought it was a very informative article for the public because it is us and our personal computers that are being used to scam everything else in the world and used to, what do they call it, bot----

Mr. Jarrett. Bots and zombies and----

Senator Coburn. Yes. I would also note that DHS is not in here anymore for them to hear your testimony, which is concerning for me, because that is one of the areas, we are sponsoring this, we have 15 people from DHS attend a hearing, but when they are through testifying, then they are not here to hear what the rest of the panel says so we don't get the information. So that says you don't build trust if you can't communicate, and if you aren't going to listen, you are never going to be able to communicate. So I am somewhat critical of that. Mr. Jarrett, does your office have regular contact with the National Cyber Security Division at DHS?

Mr. Jarrett. We do not. We do on a kind of hit-or-miss basis. We do a lot of things. We are members of the MS ISAC, which is the 50-State group that has come together, but not directly with them.

Senator Coburn. Did I hear you right a moment ago that you thought there should be a requirement for each State to have a preparedness plan?

Mr. Jarrett. A cyber security preparedness plan, absolutely.

Senator Coburn. And should that be contingent on their DHS grant?

Mr. Jarrett. I think it should be tied directly to the grant process. What has been difficult in the current grant process is that little of that money is going towards cyber-related issues. I can tell you, in the 3 years that monies have come out in my State, I just for the first time got a small amount of those dollars for some cyber work that we are doing. It has been driven toward other directions, and though I understand that and respect that, I think that we need to also understand that the cyber aspect of this is absolutely critical. All of our systems and everything that--I run all of the systems for all the first responders, the State police, everyone, so during time of greatest need, if my systems go down, they literally have no access to any of the information that they will require.

Senator Coburn. And you already answered this somewhat, but I want to ask you again, and I find it strange. $15 to $16 million of this next year's budget for DHS, and you are going to spend $5 million, and you say to set a State up, it is going to take $50 million just in programming the structure and observations and diligence. I am kind of appalled that that is the priority. Are you?

Mr. Jarrett. I am concerned about the priority, absolutely. I mean, we are very happy to see that they have established the Assistant Secretary for Cyber Security. That is something that we have pushed for for a long time.
But with it must come the right funding to be able to do the job correctly and the amount of money, at least that I have seen, concerns me.

Senator Coburn. How are you all at the State of Delaware informed of a fast-moving cyber threat? How do you find out, other than your own observation and blocking and monitoring technique?

Mr. Jarrett. Two primary ways today, neither of which is the Department. One is through the MS ISAC structure that was created about 2 years ago----

Senator Coburn. Is that fast? Do you get that on a real time basis?

Mr. Jarrett. We get that on a real time basis. It has become a very dynamic group. We meet once a month, and so we have built a structure within the States that allows us to share information on a very rapid basis. We also get it from our vendors through our cooperative program with companies like Microsoft and Oracle and others. And all of my key security folks are obviously also connected to the US-CERT process, as well.

Senator Coburn. Is that timely, the US-CERT process, or does it come hours or days after the fact?

Mr. Jarrett. We are actually finding the US-CERT process to be quite timely----

Senator Coburn. Good.

Mr. Jarrett. So we have been very pleased with that at this point. Timeliness, obviously, in our business, is absolutely critical, given the fact that we are talking about threats that--we are not talking about days, we are talking about minutes and hours.

Senator Coburn. And going back to your testimony, Mr. Skare, if you are talking about a power generation facility and they are monitoring sequentially, there is not the technology for encoding or encrypting instantaneously that information so that you can stay on a real time basis without putting that facility at risk?

Mr. Skare.
There are ways to do that for network connections, although a lot of the standards are still lacking in approval from an approval perspective, and many utilities are reluctant to roll out technologies like that until they have been standard and approved.

Senator Coburn. And who holds that approval?

Mr. Skare. It depends. In this case, there is international approval as well as U.S. approaches. In the international arena, it is the International Electrotechnical Commission. On the U.S. side, the standard that most U.S. utilities are going to be looking toward is one set by NERC.

Senator Coburn. OK. I can't help but think about the television show "24" and how closely you were involved in that. Part of our risk--there has been $60 billion spent by the U.S. Government on IT in this last year, $60 billion by the Federal Government. That is a big sum of money. And yet it doesn't seem that we are a whole lot more secure. We may be faster and we may be moving information around, but the more IT we have, the more risk we have if it is vulnerable. What is the budget for the State of Delaware on IT? Do you have any idea?

Mr. Jarrett. Well, about $300 million.

Senator Coburn. A year?

Mr. Jarrett. A year.

Senator Coburn. And that is both hardware and software, the whole----

Mr. Jarrett. That is everything.

Senator Coburn. That is the whole thing. All right. Mr. Skare, you talked about business process. What motivates, or what would motivate a company to make an investment in cyber security to protect their critical infrastructures, those that have not?

Mr. Skare. I think those that have not, any type of business case where you can show them where the loss or the damage to their business due to such an incident would result in a negative impact on their business.
For example, if an attack took down a particular substation and those customers were without power for a certain amount of time, you would have not only the lost revenue due to the power outage, but you would also have then the damage to the reputation. And quantifying those in terms of a business case would go a long way to help.

Senator Coburn. And so you all are seeing more that your business is good, is that correct?

Mr. Skare. Interestingly enough, common sense might dictate that after a major event, such as the blackout in 2000, it would spur investment in these areas. However, there was a certain amount of reluctance to spend purely so that it wasn't seen as a reaction or as a sign of weakness. So it is kind of a balancing act.

Senator Coburn. I want to thank both of you for your testimony and for staying as long as we have. I appreciate you coming and giving this information. We may submit some questions to you in writing. We very much appreciate if you would be timely in your response to those. Thank you very much for attending. The meeting is adjourned.

[Whereupon, at 3:44 p.m., the Subcommittee was adjourned.]
A P P E N D I X

[GRAPHIC pages T3163.001 through T3163.132 omitted: the appendix consists of TIFF images not included in the text version.]