S. Hrg. 109-893

CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS

=======================================================================

HEARING
before the
FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL SECURITY SUBCOMMITTEE
of the
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
SECOND SESSION

JULY 28, 2006

Available via http://www.access.gpo.gov/congress/senate

Printed for the use of the Committee on Homeland Security and Governmental Affairs

U.S. GOVERNMENT PRINTING OFFICE, WASHINGTON : 2007
29-759 PDF

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

SUSAN M. COLLINS, Maine, Chairman
TED STEVENS, Alaska
JOSEPH I. LIEBERMAN, Connecticut
GEORGE V. VOINOVICH, Ohio
CARL LEVIN, Michigan
NORM COLEMAN, Minnesota
DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware
LINCOLN D. CHAFEE, Rhode Island
MARK DAYTON, Minnesota
ROBERT F. BENNETT, Utah
FRANK LAUTENBERG, New Jersey
PETE V. DOMENICI, New Mexico
MARK PRYOR, Arkansas
JOHN W. WARNER, Virginia

Michael D. Bopp, Staff Director and Chief Counsel
Michael L. Alexander, Minority Staff Director
Trina Driessnack Tyrer, Chief Clerk

FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL SECURITY SUBCOMMITTEE

TOM COBURN, Oklahoma, Chairman
TED STEVENS, Alaska
THOMAS CARPER, Delaware
GEORGE V. VOINOVICH, Ohio
CARL LEVIN, Michigan
LINCOLN D. CHAFEE, Rhode Island
DANIEL K. AKAKA, Hawaii
ROBERT F. BENNETT, Utah
MARK DAYTON, Minnesota
PETE V. DOMENICI, New Mexico
FRANK LAUTENBERG, New Jersey
JOHN W. WARNER, Virginia
MARK PRYOR, Arkansas

Katy French, Staff Director
Sheila Murphy, Minority Staff Director
John Kilvington, Minority Deputy Staff Director
Liz Scranton, Chief Clerk

C O N T E N T S

Opening statements:
Senator Coburn, page 1

WITNESSES
Friday, July 28, 2006

George Foresman, Under Secretary for Preparedness, U.S. Department of Homeland Security, page 5
Richard C. Schaeffer, Jr., Director of Information Assurance, National Security Agency, page 7
Karen Evans, Administrator for Electronic Government and Information Technology, Office of Management and Budget, page 9
Keith Rhodes, Chief Technologist and Director, Center for Technology and Engineering, U.S. Government Accountability Office, page 10
Thomas E. Noonan, President and Chief Executive Officer, Internet Security Systems, page 20
Roberta A. Bienfait, Senior Vice President, Global Network Operations, AT&T, page 22
Michael A. Aisenberg, Director of Government Relations, VeriSign, Inc., and Vice Chair, IT Sector Coordinating Council, page 24
Karl Brondell, State Farm Insurance Companies, on behalf of the Business Roundtable, page 26

Alphabetical List of Witnesses

Aisenberg, Michael A.: Testimony, page 24; Prepared statement, page 161
Bienfait, Roberta A.: Testimony, page 22; Prepared statement, page 139
Brondell, Karl: Testimony, page 26; Prepared statement, page 167
Evans, Karen: Testimony, page 9; Prepared statement with an attachment, page 53
Foresman, George: Testimony, page 5; Prepared statement, page 33
Noonan, Thomas E.: Testimony, page 20; Prepared statement, page 132
Rhodes, Keith: Testimony, page 10; Prepared statement, page 111
Schaeffer, Richard C., Jr.: Testimony, page 7; Prepared statement, page 50

APPENDIX

Hon. Thomas Jarrett, Secretary and CIO, Delaware Department of Technology and Information, prepared statement, page 174

Questions and responses for the Record from:
Mr. Foresman, page 181
Mr. Schaeffer, page 197
Mr. Evans, page 200
Mr. Rhodes, page 209
Mr. Bienfait, page 213
Mr. Aisenberg, page 223
Mr. Brondell, page 226

CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS

----------

FRIDAY, JULY 28, 2006

U.S. Senate, Subcommittee on Federal Financial Management, Government Information, and International Security, of the Committee on Homeland Security and Governmental Affairs, Washington, DC.

The Subcommittee met, pursuant to notice, at 9:35 a.m., in room 342, Dirksen Senate Office Building, Hon. Tom Coburn, Chairman of the Subcommittee, presiding.

Present: Senator Coburn.

OPENING STATEMENT OF CHAIRMAN COBURN

Chairman Coburn. The Subcommittee on Federal Financial Management, Government Information, and International Security will come to order.
Today's hearing is titled "Cyber Security: Recovery and Reconstitution of Critical Networks." This is the second hearing in a series we will be conducting on cyber security. It is actually the third. We have had a high-level secured briefing and hearing on this, as well.

On July 19, 2005, this Subcommittee held a hearing on the importance of cyber security to our Nation's critical infrastructures. The hearing highlighted the importance of forging a public-private, and I will emphasize private, partnership to protect critical infrastructure and focused on challenges facing the Department of Homeland Security (DHS) in facilitating and leveraging such partnerships. Things that we have learned through the September 11 terrorist attacks and the response to Hurricane Katrina further emphasize these challenges.

Today, despite spending millions of dollars over the past year, DHS continues to struggle with how to effectively form and maintain effective public-private partnerships in support of cyber security, including how to protect Internet infrastructure and how to recover it in the case of a major disruption. The public-private partnership necessary to accomplish DHS's goals in securing computer networks continues to remain a public-private divide. I am grieved to note that our Nation's security from a cyber-based attack has not improved since we were here last year.

The objective of today's hearing is to highlight immediate steps that DHS and the private sector can take to formalize a partnership and to ensure effective response and recovery to major cyber network disruptions. Our economy and national security are reliant on the Nation's information and communications infrastructure, including the Internet. The Internet connects millions of information technology systems and networks together, which, in sum, provide e-commerce to the country and critical services allowing the government to function.
On July 19, 2005, we learned that these computer networks can also control physical infrastructure, such as electrical transformers, chemical systems, and pipelines. DHS recently released its National Infrastructure Protection Plan (NIPP), 3 years after its due date. This plan highlights the importance of cyber security and the Internet to critical infrastructure, stating that the U.S. economy and national security are highly dependent upon the global cyber infrastructure. But according to today's GAO report, DHS fails to adequately plan for recovery of key Internet functions. Moreover, the Department has not adequately prepared to effectively coordinate public-private plans for reconstitution from a cyber Internet disruption. The success of the protection efforts in the NIPP hinges on information sharing between the Federal Government and the private sector. However, a number of barriers exist to information sharing. Recent incidents at the Department of Veterans Affairs, Department of State, and a national laboratory indicate that the government has trouble protecting sensitive information. The government also does not have a good record of sharing sensitive intelligence-derived threat data with the private sector. GAO identified numerous challenges to development of a plan and is here today to present the recommendations to strengthen the Department's abilities. Government agencies and private companies, including telecommunications companies, cable companies, peering organizations, and major data carriers, need clarity on what is expected of them in a crisis. Overlapping and unclear roles and responsibilities lead to frustration and confusion, and will hamper recovery efforts in a crisis, which will be deeply injurious to our Nation. 
The overarching concern for the Committee is whether the Department of Homeland Security knows what functions of government need to be protected, how those functions interact with State and local governments, and what is DHS's role and responsibility in working with the private sector during a cyber or telecommunication-based incidence of national significance. The recently released DHS plan requires the use of a risk assessment method that has been criticized as not focusing on what really needs to be protected in the information technology and telecommunication sectors, and focusing heavily on physical assets. The risk assessment methodology should be reevaluated, as it could lead to significant wasteful spending. While this sector has physical assets to protect, government needs to understand that this sector is about protecting critical functionality, not assets. The private sector and government must work together to ensure the Nation's critical infrastructure can function in the reliable and stable fashion that the American public expects. Therefore, private industry must devise plans in coordination with the government to ensure critical functions do not fail or can be recovered quickly when faced with an incident of national significance. The National Communications System has worked under this concept for years. Both government and private industry admit there are vulnerabilities in the networks that can and have been exploited or damaged by accident or natural causes. A perfect system cannot be built. We realize that. The difficult part of any organization, especially government, is how does it respond, recover, and reconstitute after an incident. The Homeland Security Act of 2002 and Presidential Directives lay out a clear mandate on cyber security at the Department of Homeland Security. They require DHS to assess our vulnerability to a cyber attack, develop a plan to fix it, and implement that plan using measurable goals and milestones. 
In order to implement the plan, the Department has the admittedly difficult task of engaging and securing action from diverse players, which include State and local governments, other Federal agencies, and especially and most importantly, key industry actors. The nature of terrorists is to attack private citizens, as we recently saw in the horrific railway attacks in India. There can be no excuse for not effectively engaging the private sector, even though it is hard. We ask no less of our food safety, airline safety, and pharmaceutical industries. The issue is lack of leadership and lack of courage. Nobody wants to micromanage the private sector or DHS. However, America does expect the Department of Homeland Security and the private sector to take every reasonable measure to protect us from terrorism. I am not convinced that threshold has been met. If America is to be safe from the damage of a cyber attack, we will need a plan, a budget tied to that plan, and Congressional commitment to the implementation of the plan. One year ago, the Department announced the creation of the position of Assistant Secretary for Cyber and Telecommunications Security to elevate the importance of cyber critical infrastructure protection. Today, this position remains vacant. This vacant post was designed by the Department to lead the Nation in buttressing our critical information technology and telecommunications systems against threats. The Department, working in conjunction with the private sector, needs to find that person and set that person to the task of reforming the plan and then implementing it. A leader can and will be found, and I am encouraging DHS to exhaust every effort to fill this position, ensure the proper authorities are in place to succeed, and ensure that this person receives adequate support from the top leadership at DHS to fulfill the mission. 
To that end, I look forward to hearing from our witnesses, NSA, DHS, OMB, GAO, AT&T, VeriSign, and Internet Security Systems, as well as the Business Roundtable. I welcome each of you.

The Department of Homeland Security's testimony came in late last night. It is unavailable to me, the Chairman of this Subcommittee. It will not be accepted as part of it and it is a message to anybody else that wants to play games with the Subcommittee. You are going to send us the information that you want to testify about on a timely basis so we can do our job. And this is an example of exactly what is happening at DHS on cyber security. You can't meet the goals. You can't meet the expectations. This Subcommittee hearing was noticed June 12, 6 1/2 weeks ago, and for the testimony to come in last night is unacceptable and it will not be accepted.

Let me welcome our guests. First is the Hon. George Foresman. He was first confirmed by the U.S. Senate on December 18, 2005. He is responsible for synchronizing national preparedness efforts under the direction of Homeland Security Secretary Michael Chertoff and Deputy Secretary Michael Jackson. He previously served in the Commonwealth of Virginia as Assistant to the Governor for the Commonwealth Preparedness and Homeland Security Advisor, a cabinet-level position. In this capacity, he was the principal advisor and overall coordinator for homeland security and preparedness efforts, as well as relations with military commands and installations throughout the Commonwealth. He is nationally recognized in the fields of emergency preparedness and homeland security.

Richard Schaeffer is the Information Assurance Director at the National Security Agency (NSA). He is responsible for the Information Assurance Directorate at that agency. The Directorate's mission is to provide products and services critical to protecting our Nation's critical information and information systems.
Moreover, he is responsible for defining and implementing the information assurance strategy to protect the Department of Defense's global information grid and supporting the ongoing military operations against terrorism.

Next is the Hon. Karen Evans. She is Administrator of E-Government and Information Technology (IT), Office of Management and Budget. She is here as a break from her vacation. I want to tell you how much I appreciate you doing that. She oversees the implementation of IT throughout the Federal Government, including advising the Director on the performance of IT investments, overseeing the development of enterprise architectures within and across those agencies, directing the activities of the Chief Information Officer Council, and overseeing the usage of E-Government funds to support interagency partnerships and innovation. She also has responsibilities in the areas of capital planning and investment control, information security, privacy, accessibility of IT for persons with disabilities, and access to, dissemination of, and preservation of government information.

Next is Keith Rhodes, Chief Technologist, Government Accountability Office (GAO). Mr. Rhodes is currently the Chief Technologist at GAO and Director of the Center for Technology and Engineering. He has been the senior advisor on a range of assignments covering continuity of government and operations, export control, computer security, privacy, e-commerce, E-Government, voting systems, and various unconventional weapons systems. Before joining GAO, he was supervisory scientist leading weapons and intelligence programs at the Lawrence Livermore National Laboratory.

I would like to recognize each of you. Thank you for taking the time to be here. Mr. Foresman, you are recognized for 5 minutes.

TESTIMONY OF GEORGE FORESMAN,[1] UNDER SECRETARY FOR PREPAREDNESS, U.S. DEPARTMENT OF HOMELAND SECURITY

[1] The prepared statement of Mr. Foresman appears in the Appendix on page 33.

Mr. Foresman. Mr. Chairman, thank you, and thank you for the opportunity to appear today to discuss the recovery and the reconstitution of critical cyber networks. Congressional discussion on this particular topic is absolutely essential and it is critical to the success that we need to achieve as a Nation toward strengthening our levels of preparedness.

Mr. Chairman, I would like to highlight several key issues today and outline the Department's roadmap for success in advance of a very important discussion on the security and the protection of our cyber communications networks. The findings of the GAO report on the development of a joint public-private plan for recovering critical cyber infrastructure and the recent Business Roundtable's recommendations for strengthening cyber preparedness both echo the overall resounding themes that the Department of Homeland Security is pursuing in its work to lead a national effort to protect America's cyber assets. While these reports offer somewhat differing recommendations on the exact steps that we need to take, the shared national vision further reflects two very important and sometimes overlooked issues. First, the risk posed to the critical cyber infrastructure is becoming both better and more widely understood, both in the public sector and in the private sector. Second, the importance of mitigating these risks, whether on the individual, corporate, or government level, is also better understood. We know we must be ready for the cyber version of Hurricane Katrina or the September 11 attacks.

Mr. Chairman, let me outline for you the Department's three strategic priorities on the cyber preparedness front.
They include, one, preparing for a large-scale cyber disaster; two, working to forge more effective partnerships, as you noted in your opening statement; and three, fostering a culture of preparedness to prevent cyber incidents and mitigate damage when disruptions do, in fact, occur. Our primary strategic goal as part of our overall risk management approach is to prepare for high-consequence incidents. These would include, for example, a widespread disruption involving the Internet or critical communications infrastructure, whether it originates from an attack or from a natural disaster. The Department has established the Internet Disruption Working Group, the IDWG, to address the resiliency and recovery of Internet functions in the event of a major cyber incident. The IDWG is not examining all individual risks, but rather focusing on nationally significant Internet disruptions in a prioritized fashion. The IDWG is developing not only policy recommendations for cyber response, but also operational proposals and protocols to improve the deployment of Federal resources in the event of such an event and how to ensure coordination with local, State, and private sector partners of these assets. I am also pleased to share with you that the Department conducted its first national cyber security exercise, Cyber Storm, this past February, and this was the largest multinational cross-sector cyber exercise to date and assessed the policies and procedures associated with a cyber-related incident of national significance. The Department will soon be releasing a public exercise report on this effort that will outline findings to help bolster protective measures for potential cyber attacks. I will also note that these lessons, like those of Hurricane Katrina and other incidents, will not sit idle. They will be incorporated into our operations processes under the National Response Plan and these will be retested during Cyber Storm II in 2008, if not before. 
Cyber Storm demonstrated the close cooperation and information sharing needs across Federal agencies, across international boundaries, and most importantly, between the public and the private sectors. The exercise tested for the first time the full range of cyber-related response policy, procedures, and communications methods required in a real-world crisis. We know that there were successes. We also know that there is room for improvement. Another significant accomplishment in preparing for a nationally significant cyber disruption is last month's completion, as you noted, of the National Infrastructure Protection Plan. The NIPP sets forth a comprehensive risk management framework and clearly defines critical infrastructure protection roles and responsibilities for DHS, Federal sector-specific agencies, other Federal, State, local, tribal, and territorial agencies, as well as our private sector security partners. The plan addresses the physical, human, and cyber elements of the critical infrastructure issues which cross all sectors. This release of the NIPP is an important milestone, as it accompanies 17 sector-specific plans that will help build a safer and more secure and more resilient America by enhancing protection of the Nation's critical infrastructure and key resources to include the cyber community. Our second strategic goal is to improve the Department's partnership programs and practices. Homeland Security Presidential Directive 7, the Administration's policy on critical infrastructure protection, explicitly recognizes the importance of partnerships, which are essential for many sound reasons. In the cyber security arena, the Department is working to nurture existing partnerships and establish new relationships with three key stakeholder communities, the private sector, Federal departments and agencies, and the State, local, and tribal governments, as well as academia. 
Third, we must create a culture of preparedness, both to prevent a cyber disaster and to mitigate damages if a widespread disruption occurs. We are working every day to influence how individual citizens, government, and the private sector prepare for the security challenges of the coming decade. As with our other strategic priorities, this goal demands a focused and disciplined approach. We need interconnected strategies and processes, not individual actions. Just as our cyber systems are interconnected, so must be our approach to dealing with disruptions. Our national cyber security efforts are rapidly maturing and we have clear legislative and presidential direction and private sector interest. There is no magic wand that will allow us to do this overnight. There is, however, a growing coalescing of effort between government and the private sector as just two of the key entities.

Chairman Coburn. I need for you to summarize, if you will.

Mr. Foresman. Yes, sir, and I am finishing up. To create a long-term culture of preparedness, we are developing clear organizational doctrine which memorializes strategic policies, clarifies roles and responsibilities, and defines measures of accountability. The road ahead is critical and we are committed to ensuring success. Thank you.

Chairman Coburn. Thank you. Mr. Schaeffer.

TESTIMONY OF RICHARD C. SCHAEFFER, JR.,[1] DIRECTOR OF INFORMATION ASSURANCE, NATIONAL SECURITY AGENCY

[1] The prepared statement of Mr. Schaeffer appears in the Appendix on page 50.

Mr. Schaeffer. Good morning, Mr. Chairman.

Chairman Coburn. Good morning.

Mr. Schaeffer.
I appreciate the opportunity to be here today to talk briefly about the NSA's information assurance mission and its relationship to the work of the Department of Homeland Security and others concerned with helping operators of crucial information systems prepare for and recover from hostile acts or other disruptive events. The NSA's information assurance mission focuses on protecting what National Security Directive 42 defines as national security information systems, systems that handle classified information or are otherwise critical to military or intelligence activities. Historically, most of our work has been sponsored by and tailored for the Department of Defense. Today, national security systems very often rely on commercial products or infrastructure or interconnect with systems that do. This creates significant common ground between defense and broader U.S. Government and homeland security needs. More and more, we find that protecting national security systems demands teaming with public and private institutions to raise the information assurance level of products and services more broadly. If done correctly, this is a win-win situation that benefits the whole spectrum of information technology users, from warfighters and policy makers to Federal, State, local governments and operators of critical infrastructure and major arteries of commerce. This convergence of interests has been underway for some time and we can already point to several examples of the kind of fruitful collaboration it inspires. For instance, the NSA and the National Institute of Standards and Technology have been working together for several years to characterize cyber vulnerabilities, threats and countermeasures to provide practical cryptographic and cyber security guidance to both IT suppliers and consumers. Among other things, we have compiled and published security checklists that harden computers against a variety of threats. 
We have shaped and promoted standards that enable information about computer vulnerabilities to be more easily cataloged and exchanged, and ultimately, the vulnerabilities themselves to be automatically patched. And we have begun studying how to extend our joint vulnerability management effort to directly support compliance programs, such as those associated with the Federal Information Security Management Act. All of this is unclassified and advances of cyber security in general, from national security and other government networks to critical infrastructure and other commercial and private systems. The NSA partners similarly with the Department of Homeland Security. In 2004, DHS joined the NSA in sponsoring the National Centers of Academic Excellence Program to foster training and education programs to support the Nation's cyber security needs and increase the efficiency of other Federal cyber security programs. The NSA has supplied trained personnel and other technical support to the U.S. Computer Emergency Readiness Team, and we routinely alert one another to possible or emerging hostile cyber threats. In fact, DHS has just named an integree to work in the NSA-Central Security Service Threat Operations Center, which has as one of its missions to monitor the operations of the global network in real time to identify network-based threats to DOD and intelligence community networks. NSA and DHS cooperate on investigations and forensic analysis of cyber events and malicious software, and together, we look for and mitigate the vulnerabilities in various technologies that would render them susceptible to similar attacks. We each bring to these efforts complementary experience, insight, and expertise based on the different problem sets and user communities on which we concentrate, and we each then carry back to those communities the dividends of our combined wisdom and resources. 
With regard to post-incident response, the NSA supplies technical personnel, advice, and equipment to support an efficient response and recovery to disasters. The NSA has worked with the DHS Infrastructure Protection Division to plan for interoperable communications systems needed to support response and recovery. We did this for Hurricane Katrina and do it for other disasters, as well. When it comes to reconstructing networks, however, beyond just communications systems, bringing in replacement technology may be the easy part. The real challenge is knowing what to reconstruct. That means maintaining an up-to-date understanding of what set of data, functions, and connections available to what set of users qualify as critical.

Looking forward, NSA and DHS interests will continue to merge and the opportunities needed for shared network and mutual support will continue to grow. Finally, beyond technical convergence, in the post-September 11 world, the NSA and DHS are bound together by the need to provide for communications across once unbridgeable chasms of classification and practice, from the President all the way to first responders and the owners and operators of critical infrastructure. As a starting point, the NSA and NIST have established a suite of unclassified algorithms that can be implemented in commercial off-the-shelf offerings as well as specialized high-end government equipment. This sets the stage for interoperable encryption and message authentication and is an important step, although just one step in the broader effort to ensure that the Nation can recognize and respond to impending emergencies or their aftermath.

Once again, thank you, Mr. Chairman, for giving me the opportunity to appear before you today and for your leadership in this area.

Chairman Coburn. Thank you, Mr. Schaeffer. Next, Ms. Evans, just a side note. Thanks for all your help on our Government Accountability and Transparency Act. It passed the Committee unanimously yesterday.
TESTIMONY OF KAREN EVANS,[1] ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

[1] The prepared statement of Ms. Evans with an attachment appears in the Appendix on page 53.

Ms. Evans. Congratulations. Good morning, Mr. Chairman, and thank you for inviting me to speak about "Cyber Security: Recovery and Reconstitution of Critical Networks." My testimony today will focus on OMB's activities to improve security and resilience of the Federal Government's cyber critical assets.

Last year, the Director of OMB issued a regulation on maintaining telecommunication services during a crisis or an emergency. The regulation required each agency to review its telecommunications capability in the context of planning for contingencies and continuity of operation situations. OMB also asked each agency to confirm that they were complying with directives issued by the National Communications System (NCS), and guidance issued by the Federal Emergency Management Agency (FEMA). In August 2005, all large agencies submitted reports on the status of their telecommunications services. OMB and the NCS analysis revealed the need for additional guidance to the agencies regarding the use of redundant and physically separate telecommunications service entry points into buildings and the use of physically diverse local network facilities.

In October 2005, the NCS hosted a Route Diversity Forum for representatives from over 70 Federal agencies. In addition, the NCS developed a Route Diversity Methodology, enabling agencies to self-assess their own facilities. When an agency initiates new telecommunications procurements, the agency must determine the appropriate level of availability, performance, and restoration that is required.
The General Service Administration's upcoming Networx procurement will specify telecommunications infrastructure security requirements to protect contract network services, infrastructures, and information processing resources against cyber and physical threats, attacks, or system failures. The Networx program will ensure that telecommunications capabilities are continuously ready to meet the needs of the Federal agencies during national emergencies.

On December 17, 2003, the President signed Homeland Security Presidential Directive 7, ``Critical Infrastructure Identification, Prioritization, and Protection.'' This directive established the national policy for Federal departments and agencies to identify and prioritize U.S. critical infrastructure and to protect it from terrorist attacks. OMB worked with the Department of Homeland Security to evaluate the protection plans. We have provided each agency with a written response explaining our approval, our disapproval of the agency's cyber security plan, and highlighting areas where improvements were needed.

Additionally, each year, agency CIOs, chief information officers, and program officials conduct IT security reviews for systems that support their programs. As part of their evaluations, agencies are asked to categorize their information systems into high, moderate, and low impact and document the security controls implemented for each.

Last, the National Cyber Response Coordination Group is the principal Federal interagency mechanism to coordinate the preparation for and response to cyber incidences of national significance. OMB is a member of the group, along with other agencies having a statutory role in cyber security, cyber crime, or protection of critical infrastructure. During a cyber incident, the member agencies would integrate their capabilities in order to assess the scope and severity of the incident, govern response and remediation efforts, and advise senior policy makers.
The group would also use their established relationships with the private sector and State and local governments to help manage the cyber crisis and develop recovery strategies.

In conclusion, each agency is responsible for ensuring the continued availability of its mission-essential services. Strategic improvements in security and continuity of operations planning can make it more difficult for attacks to succeed and can lessen the impact of attacks when they occur. The Administration will continue to work with the agencies, Congress, and GAO to ensure appropriate risk-based and cost-effective IT security programs, policies, procedures are put in place to protect the Federal Government's critical cyber infrastructure.

I would be happy to take any questions, sir, that you may have.

Chairman Coburn. Thank you, Ms. Evans. Mr. Rhodes.

TESTIMONY OF KEITH RHODES,\1\ CHIEF TECHNOLOGIST AND DIRECTOR, CENTER FOR TECHNOLOGY AND ENGINEERING, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Rhodes. Thank you, Mr. Chairman. We appreciate the opportunity to testify on our Internet reconstitution report being released today that we completed at your request.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Rhodes appears in the Appendix on page 111.
---------------------------------------------------------------------------

Last summer when GAO testified before your Subcommittee, we discussed the work that remained for DHS to fulfil its cyber security responsibilities in 13 key areas, including developing a plan for recovering the Internet when it is disrupted. Despite Federal policy requiring DHS to develop this integrated public-private plan, to date, no such plan exists.
Today, at your request, we will briefly discuss the growing threats to the Internet, where our Nation is in its efforts to develop this plan, and recommendations to both DHS and the Congress to facilitate public and private efforts to recover the Internet when major disruptions occur.

First, threats. Criminal groups, foreign intelligence services, hackers, and terrorists are all threats to our Nation's computers and networks. A recent intelligence report on global trends forecasts that terrorists may develop capabilities to conduct both cyber and physical attacks against infrastructure nodes, including the Internet. In fact, the Internet itself has been targeted and attacked and private companies who own the majority of the Internet infrastructure deal with cyber and physical disruptions on a regular basis. For example, viruses and worms are often used to launch ``denial of service'' attacks that result in traffic being slowed or stopped. Several recent cyber attacks highlight the importance of having robust Internet recovery plans, including a 2002 coordinated denial of service attack that targeted all 13 Internet route servers. For most of these attacks, the government did not have a role in recovering the Internet, but recent physical attacks like the terrorist attacks of September 11, 2001, and Hurricane Katrina, highlight the need for public-private coordination associated with Internet recovery.

DHS has begun a variety of initiatives to fulfill its responsibility for developing an integrated public-private plan, but these efforts are not yet complete nor are they comprehensive. Specifically, DHS has developed high-level plans for infrastructure protection and national disaster response, but components of these plans that are to address Internet recovery are incomplete and inadequate. For example, the National Response Plan Cyber Annex does not reflect the National Cyber Response Coordination Group's current operating procedures.
DHS has started a variety of initiatives to tackle this problem, including working groups to facilitate response and exercises to practice recovery efforts. However, these efforts are immature and the relationships among groups like the Internet Disruption Working Group and others are not evident.

Regarding challenges that have impeded progress, first, it is unclear what government entity is in charge, what the government's role should be, and when it should get involved. Expanding on each of these, DHS National Cyber Security Division and the National Communications System have overlapping responsibilities. In addition, there is a lack of consensus about the role DHS should play. The government is pursuing the grandiose plan approach with the NIPP and the National Response Plan, while the private sector wants more of an assist or tactical role from the government that our report lays out in detail. And triggers that clarify when the Federal Government should be involved are unclear.

Second, our Nation is working in a legal framework that doesn't specifically address the government's roles and responsibilities in the event of an Internet disruption. In addition, the Hurricane Katrina recovery effort showed that the Stafford Act can create a roadblock when for-profit companies that own and operate critical infrastructures need Federal assistance during national emergencies.

Third, the private sector is reluctant to share information with DHS because it does not always see value in sharing, does not necessarily trust the government, and views DHS as an organization lacking effective leadership.

To address these inadequacies, our statement includes nine specific recommendations for DHS, including determining who should be in charge given the convergence of voice and data communications, developing a plan that is consistent with what the private sector infrastructure owners need during a time of crisis, and incorporating lessons learned from incidences and exercises.
In addition, the Congress should consider clarifying the legal framework that guides roles and responsibilities for Internet recovery.

In summary, Dr. Coburn, exercises to date and a recently issued report by the Business Roundtable found that both the government and private sector are poorly prepared to effectively respond to cyber events. Although DHS has various initiatives underway, these need to be better coordinated and driven to closure. Until that happens, the credibility of the Department will not be where it needs to be to build effective public-private relationships needed to effectively respond to major Internet disruptions.

This concludes our statement. Thank you, Mr. Chairman, and we are prepared to answer any questions the Subcommittee may have.

Chairman Coburn. Thank you very much. Mr. Foresman, your response to Mr. Rhodes' report?

Mr. Foresman. Mr. Chairman, let me offer two responses. One, as we have gone through that report, we clearly agree that the road ahead, whether we are talking about GAO or the private sector, we agree on the road ahead. I would, however, not agree with him in terms of the perception that he might leave in the relationship with the private sector. My fourth day on the job back in January, one of the first groups I met with in this particular case was the Business Roundtable and one of the key issues we talked about were cyber security, the concern about reconstitution and recovery of the Internet, and I think that as you said in your statement, Mr. Chairman, this is not easy and there are a lot of folks who have said, well, it is not where it should be, and I would agree. But we need to have definitive milestones. We need to have definitive deliverables.
But I will tell you, sir, just as your comment to us that we need to work closely with the private sector, getting agreement across the various elements in the private sector, whether it is the information technology sector or the telecommunications sector, this is not easy. We are not in a position to force them. We are coalescing the road ahead. So I would agree that we share the vision. I think his assessment in terms of progress is much bleaker than what is the actual progress to date.

Chairman Coburn. Why would the private sector be reluctant to give DHS information on this?

Mr. Foresman. Mr. Chairman, I think there are three things. There are those elements of the private sector that are reluctant to give us information and there are those elements of the private sector that are not reluctant to give us information. A conversation with a handful of people does not, I think, effectively reflect the private sector as a whole because the private sector is rapidly big. But as you know, there are a couple of issues here. One, there is the concern of our private sector partners out there, the proprietary nature of the information that they have in a business competitive environment. They want further and stronger assurances that proprietary information is not going to be shared with competitors. The second issue, and frankly is a legitimate issue, is government and the private sector have typically operated in a regulator-regulatee relationship over the past 20 or 25 years. When we talk about the IT community, it is not, if you will, regulated by government, and clearly there are the institutional----

Chairman Coburn. Thank goodness.

Mr. Foresman. Yes, sir, and clearly, the institutional barriers to getting beyond a 25- or a 50-year culture to get into a collaborative partnership is not a culture that you change overnight. And so I think it is part policy, it is part culture, but we are seeing more and more every day as we collaborate with the private sector.
As our US-CERT, for instance, gets specific information provided to us through a variety of sources, such as the NSA, we rapidly get that information out to the private sector and they rapidly come back to us with information. So it sometimes comes down to who did you talk to last and what is it that they said to you?

Chairman Coburn. Well, the group that I talked to last were the ISPs and the telecommunications companies, and I would tell you in that meeting, uniformly, there was no trust of DHS with any of their proprietary data, and that was in a classified briefing I had 3 months ago. How do you establish the leadership role and the trust that allows the private sector to do what they know how to do that you don't know how to do?

Mr. Foresman. Well, Mr. Chairman, this comes down to the continued interaction. As Ms. Evans identified and as other folks have identified, we have got a number of working groups where we have got government and the private sector sitting side by side, developing sector-specific plans, for instance, under the National Infrastructure Protection Plan, and trust is not a function of me coming into the room and sitting with our private sector partners and saying, trust me. We have to prove it. This is the benefit of these joint planning activities. As much as we would like them to be done in immediacy overnight, they are not. But just as it is taking time to develop those plans, one of the important byproducts is that we are raising trust every day when we put these people in the room together.

Chairman Coburn. I will be submitting some questions to you separate from that. I would hope that we could get a timely response.

Mr. Foresman. Mr. Chairman, I will ensure that you get a timely response and I will acknowledge that we were remiss in not hitting the deadline on getting our testimony to you. I accept full responsibility and I will give you my personal assurance that we will correct those issues in the future.
But I also want to underscore, by no means were we trying to not get information to you. This is a critically important area. This Subcommittee is one of the few committees across the Congress that has shown a continuing interest in this area. It is not an easily understood area, and frankly, this level and more of this type of dialogue is going to be absolutely critical to our success.

Chairman Coburn. Mr. Schaeffer, at NSA, tell me about your relationship with the private sector and trust and relationship and information sharing and how have you developed that and how do you utilize that. Have you emphasized recovery more than physical asset protection?

Mr. Schaeffer. Well, sir, I think our relationship with industry or the private sector is on a number of levels. Clearly, there are, as I mentioned in my testimony and others did, as well, the dependence upon the private sector to deliver the technology, the capabilities that we need within the national security community, and quite frankly, across the entire Nation, is dependent upon the reliability, the security of that technology. So we have a very deep relationship with the private sector in establishing on a one-on-one basis the availability of vulnerability information of the products that they provide, assisting them in increasing the overall security or assurance of those products, and then we also work with the infrastructure providers themselves to understand the vulnerabilities within those environments and help them address the situation, the improvements that can be made in that environment. Most of our relationships that are strong come from a one-on-one basis with the agency. We participate. We collaborate with industry associations and do that in a very open and, I think, positive way. But I think as Mr.
Foresman outlined, it is a situation that takes a tremendous amount of work with individual companies, then with industry or association groups, and then in larger forums to build the trust and confidence that information that is exchanged with the government, and in this case NSA, receives the appropriate level of protection. It is something that we work on every day. It takes that sort of attention and commitment. And we have seen actually tremendous progress over the last several years as the community at large, the public-private community, has come to better understand the risks associated with operating in this highly networked environment and the need for close collaboration amongst public-private enterprises to better understand the vulnerabilities and ways of mitigating them. I think we are an example of where it has worked because we have developed the trust and confidence over a long period of time with companies, trade groups, industry associations, and so forth, and I see promise in what DHS is leading, in what DHS is participating in, and quite frankly, what I see the entire IT industry participating in. We are just at the bottom of a very steep hill.

Chairman Coburn. Has NSA's main focus been on functionality?

Mr. Schaeffer. No, sir. NSA's main focus has been on the assurance of the functionality that is provided in the devices, so----

Chairman Coburn. That is what I mean. But the goal is function. The ultimate goal for security is to maintain function, or to recover function.

Mr. Schaeffer. Yes, sir. That is correct.

Chairman Coburn. All right. Mr. Rhodes, you mentioned the working groups aren't communicating. We don't have cross-reference. You also mentioned a role that is more grandiose rather than recovery. Talk for a minute, if you would, about the working groups that have been established and what you see that needs to be changed there so that we accomplish this goal of protecting and recovering functionality.

Mr. Rhodes.
The big struggle with the working groups seems to be that there is a lack of roles and responsibilities and clear lines of authority. There seems to be a not clear definition of how the working groups relate to one another----

Chairman Coburn. In other words, they could come up with a really appropriate plan, but have no authority to get that plan implemented?

Mr. Rhodes. And no milestones. Your original point about budget against effect, a recommendation with money, a recommendation with schedule, not just--they can come up with that, but then what is their schedule? What is their time line? What is their relationship? That is the main struggle we see. Also, working groups without authority. What purpose do they serve? If they don't--if no one has the hammer, if no one has the authority to get anyone to do anything, then it is just another group that meets to meet instead of meeting to get something done. As you say, they could have very fine recommendations, but where do they go from there?

Chairman Coburn. OK. One last question for you, the comment on the Stafford Act. I don't believe we have gotten anything, and I may be wrong, from the Administration on modifying the Stafford Act so that we can help the telecommunications industry and the Internet industry to recover by assisting them with either protection or transportation or security as they bring these systems back up. Would you agree that is something that we ought to hear from the Administration? And we may have, I am just not aware of it.

Mr. Rhodes. We haven't seen anything, either, but when you look at the tactical needs, the tactical view that private industry takes, they are talking about just those things--fuel, access, transportation. They are not talking about, tell me how to bring the Internet back up. They are saying, let me get into the disaster area with my business credential or some emergency credential issued by the U.S.
Government so I can go to the location to do the job that the government can't.

Chairman Coburn. And modify the law so that the government assets----

Mr. Rhodes. And modify the law----

Chairman Coburn [continuing]. And assist that effort.

Mr. Rhodes. Absolutely. I mean, what we hear from private--and it is not just relative to the Internet, it is whether we are talking to the chemical industry or we are talking to gas and oil or we are talking about the power grid or folks like that, they are all saying, let me do my job. I am not the enemy because I am for profit.

Chairman Coburn. Yes.

Mr. Rhodes. I am the infrastructure. Let me go into the area I am supposed to in order to fix it.

Chairman Coburn. Right. Which we saw lots of problems with during Hurricane Katrina.

Mr. Rhodes. Absolutely, and saw it during September 11, 2001, also.

Chairman Coburn. All right. Ms. Evans, not long ago, the Federal Government's critical infrastructure protection coordination efforts were run out of the White House and some in the private sector viewed this, and I think probably still do, as a higher Administration priority than it is now. Should these initiatives remain within DHS or should we consider the prior model?

Ms. Evans. The model that we have right now is in place as a follow-on from the Homeland Security Act as well as the President's HSPD-7, which clearly outlines that the Secretary of Homeland Security has the responsibilities for these activities. This does not mean that the Administration does not view this as a priority, because oversight activities still occur out of the White House and the Executive Office of the President, with the Office of Management and Budget, myself, as well as the Homeland Security Council. So the Administration is very much committed to this and continues to have cyber security reconstitution, continuity of operations, as a priority.
I do think that the model that we have in place right now is an effective model and can work, because the actual work and execution happens in the agencies. The President holds the Secretary accountable for these actions. The President holds him accountable for getting these plans in place with clear milestones. This clearly has been talked about, and to achieve the results. We, in the White House, do not do the actual execution. The work is done out in the agencies. And so it doesn't diminish that the Administration doesn't view this as a priority by having a person clearly responsible for the execution of these activities at a department level.

Chairman Coburn. Any of you can respond to this if you want. It just seems to me that 75 percent of this is private sector. Why wouldn't the Administration's view say, OK, you are the guys that know all this. You are the guys who are responsible for it. Your bottom line depends on it staying up and working. Why don't you go tell us what you think we ought to do rather than us tell you what we think you ought to do? Why shouldn't the debate be, private industry, come tell us what to do. Why shouldn't the organizational framework be, let us listen to them and then let us create the framework based on what they suggest we ought to do rather than top-down? Why not private industry up?

Mr. Foresman. Mr. Chairman, if I might, that is exactly what we are doing, and that is why we have the National Infrastructure Protection Plan. That is why we have the development through the sector coordinating councils. The role of the Federal Government is not to tell the private sector what to do. It is to create the environment to provide for a national approach, and what I mean by that is the Federal Government is uniquely positioned to bring together the elements of local government, State government, tribal and territorial, the private sector partners, because this is a homeland security issue. It is a national security issue.
So our job is to get all of the players around the table and to go through and get the best and the brightest in the room to say, what is it that we, as a Nation, need to be doing, because this is not a Federal issue. It is clearly a national issue.

Chairman Coburn. Do you think that is happening right now?

Mr. Foresman. Senator, I don't think it is happening to the degree that it should, and I think, as all of the folks have pointed out, this continues to be a growth effort, a growing effort on the part of this Nation in the post-September 11 era. When I was vice chairing the Gilmore Commission prior to September 11, we raised the whole issue of critical infrastructure protection and the fact that a significant amount of work needed to be done. I don't think we have reached the optimal level of private sector direction and input into it, but at the end of the day, I don't think we were going to start--we are not going to start at the perfect position. This is very much a learning process for everyone, Federal, State, local, public sector, and private sector.

Chairman Coburn. Well, the private sector is being attacked all the time now and they are responding, both in terms of physical assets and software and encryption and everything else. They are doing the things because they are seeing the attacks anyway. It just seems to me we have got it backwards. We ought to have the private sector come together and say, here is how we think you ought to mobilize State and local governments. Here is how we think you ought to set up the structure to best maintain this. Here is how we think you assure protection. What would happen to this economy if you had a 4-week disruption, interruption of the Internet? We would be on our back, and everybody knows that, and yet the urgency to make sure that can't happen, or if it did happen to recover quickly, I don't see anywhere except in the private sector.

Mr. Foresman. Mr. Chairman, I would respectfully disagree in this context.
We are aware of a variety of things we obviously cannot get into in an open hearing----

Chairman Coburn. I understand that.

Mr. Foresman [continuing]. But we are aware of a significant number of things that have occurred in recent time that the private sector was not aware of had government not made them aware of it. So we are doing our part to give them the information. They, in turn, are assessing the situation, bringing recommended solution sets back to us, implementing solution sets in the broadest of terms, and so our role wasn't to go to them and say, here is the problem. Here is what we want you to do to fix it. We made them aware of the problem. We know that they are the owners and the providers of a lot of the critical IT backbone. They assessed it. They took steps. And this happens hundreds, if not thousands, of times every month. I would very much underscore that US-CERT, as just one example, there is daily ongoing dialogue between Federal agencies and the private sector, not in the context of here is what you have to do, but here is the problem and please come back to us. Now, I will tell you that there are going to be times that the private sector is going to assess the risk differently than we do in government and then they are forced to make a business decision about whether they are going to invest the time and effort into it to address it. So this is all part of the trust process that we can get to an equal common ground.

Chairman Coburn. Fair enough. One last question for Ms. Evans, and I will have questions for each of you. I also would like for you to have staff stick around here to hear our other panelists because routinely I see Administration witnesses leave before those that have a different position and constructive criticism can be heard. Ms. Evans, do you have enough staff to handle the cyber security of critical infrastructure and Federal information security management?

Ms. Evans. My answer would be yes, sir, that I do.
We have subject matter experts for each of the areas that I am responsible for and the way that we manage within OMB is that we have portfolios of agencies and we work very closely with all parts of OMB so that we are managing the issues across the board as they affect each of the agencies. So it isn't just my staff, but it is the entire resources that are available within OMB because we take a portfolio approach to this.

There is one thing that I would like to follow up on, Mr. Foresman's comment, and this is what the government is doing as a whole, at least from a Federal perspective. We do view it as we are buying services, because we don't own the infrastructure. There are activities that we have done and that we are continuing to do. In my written testimony, I have included the information security line of business. But as you know, we spend $65 billion on information technology, so in the course of that spending, we make it very clear what the services are that we need, what the risk is associated with the services and the information we need to protect, and as Mr. Foresman said, then it is up to industry to offer us the solutions back, and the way that we structure those procurements is not to tell them, we want you to do X, Y, and Z, but to really frame, this is the service, this is the recovery level, this is the level of risk that we are willing to accept. Here is the type of protection that we think we need to have. And then we do look to private industry to give us the solutions that can best service those needs, because as you have said, sir, it is about the functionality and the mission critical nature of the services that we provide that we need to have that reliability.

Chairman Coburn. I would like you to repeat that number so everybody can hear what you spend annually on IT.

Ms. Evans. Sixty-five billion dollars.

Chairman Coburn. This Subcommittee will have a hearing on whether or not that is spent properly or not.
I can tell you, from the Defense Travel System, you certainly haven't spent the money properly. So we will be looking at that.

Ms. Evans. Well, we are looking forward to it, yes, sir. [Laughter.]

Chairman Coburn. Sixty-five billion dollars is a lot of IT. Thank you. You will each receive questions. Thank you for the report from GAO. I thank each of you for your service to our country and I would dismiss this panel and ask our next panel to come forward.

I am going to start introducing our witnesses while they are being seated. Thomas Noonan is Chairman, President, and Chief Executive Officer for Internet Security Systems (ISS). He is responsible for the overall strategic direction, growth, and management of the company. Under his leadership, ISS revenues soared from start-up in 1994 to nearly $330 million in its first decade. The company has grown to more than 1,200 employees with operations in 26 countries. In 2002, President Bush appointed Mr. Noonan to serve on the National Infrastructure Advisory Council, a homeland defense initiative that protects information systems that are critical to the Nation's infrastructure. He currently chairs the NIAC Evaluation Enhancement of Information Sharing and Analysis Working Group.

Robin Bienfait, Senior Vice President, Global Network Operations, AT&T, welcome. She is the first woman in company history to be responsible for AT&T's global network, including local, data, and voice network worldwide. I pay them a lot of money every month. In addition, she leads teams that manage network security and global network disaster recovery. And additionally, she previously led AT&T's international and domestic core network operations and technical support division and has held a variety of other technical and leadership positions of increasing responsibility since joining AT&T in 1985. She is a graduate of the Georgia Institute of Technology with a Master's degree in management of technology.
She also holds a Bachelor's degree in engineering from Central Missouri State University and an Associate in Business degree from Maryland University, European Division.

Michael Aisenberg, Director of Government Relations for VeriSign, serves as the company's principal liaison with the Administration and Federal agencies, including the Departments of Homeland Security, Defense, State, and Justice. He manages a portfolio of policy issues, including global infrastructure security, digital signatures, e-health, intellectual property and government procurement on behalf of the world's leading Internet trust and identity provider. He is the Vice Chairman and Chair-Elect of the Information Technology Sector Coordinating Council. In 2004, he was elected Chairman of the ITAA's Information Security Committee. He leads VeriSign's participation in the President's National Security Telecommunications Advisory Committee. He holds a B.A. from the University of Pennsylvania, a J.D. from the University of Maine Law School. He attended Georgetown University Law Center in 1975 and 1976, and upon graduation served 5 years as an attorney advisor and legislative counsel at the FCC.

Karl Brondell, Strategic Consultant State Farm Insurance Companies, representing the Business Roundtable here today. He is a CPCU, a strategic consultant in the Strategic Resources Department of State Farm Insurance Company. He is the past Chairman of the Board of Directors for the Insurance Placement Facilities of Pennsylvania and Delaware. He is a member of the national CPCU International Insurance Section Committee and an at-large Board of Director for Villanova University's Executive MBA Alumni Association. He received a Bachelor's degree from Benedictine College, Atchison, Kansas. I, by the way, have visited there. He has a Master's degree from Villanova University in Villanova, Pennsylvania.
He earned the Chartered Property Casualty Underwriter designation and holds an Associate in Claims certificate and a certificate for general insurance. Welcome to you all. We will start with you, Mr. Noonan.

TESTIMONY OF THOMAS E. NOONAN,\1\ PRESIDENT AND CHIEF EXECUTIVE OFFICER, INTERNET SECURITY SYSTEMS

Mr. Noonan. Mr. Chairman, thank you for the opportunity to appear before you today. My name is Tom Noonan. I am President and Chief Executive Officer of Internet Security Systems. We are a leading provider of preemptive cyber security technologies for large-scale enterprises, and I represent the technology industry today.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Noonan appears in the Appendix on page 132.
---------------------------------------------------------------------------

We operate five cyber security centers around the world, two in the United States, the rest in Asia through Tokyo, Australia, Brussels, and a partner operation in Latin America. We protect our customers by monitoring the Internet for cyber threats 24 hours a day, 365 days a year, providing preemptive protection for customers. This is critical preemption before reconstitution, obviously. We utilize that security intelligence, technology, and expertise to preempt the strikes that would cripple critical networks and stay ahead of the threats. I want to stress three important messages about our Nation's security landscape this morning, and this comes from my 13 years in this industry as one of the founders of this company and a person that has been working to advocate better security practices in both the private and public sector. First, threats to the critical infrastructure are real, and without a doubt, they are growing. The question is not if but when.
The explosive growth of new Internet technologies, from wireless to voice-over Internet telephony, has engendered new threats that are far outpacing the security responses of many private and governmental users. Second, the intelligence protocols and technologies necessary to protect against emerging cyber threats are, by and large, robust and widely available. In other words, we have the tools at our disposal today to safeguard our critical infrastructure. And finally, despite our knowledge of these threats and our overall ability to protect ourselves, we as a Nation are not doing nearly enough to preempt the types of attacks that could debilitate our critical network infrastructure. Leadership is desperately needed at the Federal level, not to replicate existing private sector efforts but rather to extend the impact of those efforts by encouraging the private sector to collectively increase in cooperation with the government. This means five things for me this morning. First, appointing an Assistant Secretary of Homeland Security for Cyber Security and Telecommunications who will help secure the Federal Government's own networks as well as those of the broader economy. Second, clearly delineating and hardening the roles and responsibilities of many public-private entities working today to secure cyberspace. Three, ensuring that the Federal Government makes use of existing industry resources to gather and analyze data on cyber security threats and methods. Four, creating a national plan to restore connectivity on a prioritized basis. And five, providing sustained Federal funding--that $65 billion sounds like a lot, but sustained Federal funding and active Congressional oversight to ensure that the Department of Homeland Security is getting the job done for this country. I think we know cyber threats are serious and they are growing in sophistication. 
The rules of criminal hacking today are no longer shaped by teenage malfeasants, but by confederated crime operations that are driven by the economics of opportunity, incentive, and risk, just like traditional theft, burglary, and extortion. I think it is this professionalization of cyber crime that is unsettling for many reasons, not the least of which are indications that those who would seek to do harm to our Nation have been working to improve their technological abilities. Particularly unsettling is not just the threat to privacy information, which we read about in the newspaper, or our e-commerce applications, but more importantly to the very control networks of the automated systems that control and regulate our Nation's industrial systems, like SCADA. Control systems are now Internet-connected and they are susceptible to major attacks. Under contract with customers, ISS has conducted real world penetration tests with large power plants and others to show that they are at risk. Put simply, Mr. Chairman, the fact that our Nation's critical infrastructure has yet to fall victim to a significant and coordinated cyber attack does not mean that it can't happen. Emerging technologies coupled with an exponential increase in the use of new applications on the Internet have opened many new avenues to attack and keeping up with this large increase in vulnerabilities is a daunting task. It is only complicated by the shrinking window that we are seeing between the time a vulnerability is disclosed and the time that it is exploited by criminal interests. I think there is good news, Mr. Chairman. Our Nation already has the technological capabilities to protect the critical infrastructure. Private industry is operating positively against many of the requirements associated with technology, vulnerability, discussion, etc. But what is missing is genuine leadership on the part of the Federal Government.
We, as a Nation, can protect our critical infrastructure, and in fact, we already are, but that requires also Federal leadership. I think your role here boils down to two things. The first one is minding the store, and I know that Secretary Chertoff and the Department of Homeland Security are working around the clock to protect the Nation, but we need to be able to talk to the person who is minding the store and that is the Assistant Secretary. Second, it is difficult for the Federal Government to preach strong cyber security practices across our economy when the Federal networks themselves are so woefully unprotected. While steps have been taken in recent years to improve agency security practices through FISMA, most Federal agencies are still getting failing marks when it comes to securing their networks. When it comes to strengthening Federal leadership, I just want to reiterate these five points in closing. Appointment of the Assistant Secretary for Cyber Security and Telecommunications. The job has been open for over a year. Two, a clear delineation and hardening of the roles and responsibilities of these countless public-private entities. Three, ensuring that the Federal Government makes full use of existing industry resources. We are absolutely willing and able to participate as a private sector. Four, we need to develop the national plan to restore connectivity on a prioritized basis. And five, sustained Federal funding. So there is no silver bullet here, Mr. Chairman. Securing our Nation's infrastructure from cyber attack requires a heightened degree of public-private coordination and I think it is a challenge but it is one we are up to. We are pleased at ISS to be partnering with you and I thank you for the opportunity to participate this morning.

Chairman Coburn. Thank you. Ms. Bienfait.

TESTIMONY OF ROBERTA A. BIENFAIT,\1\ SENIOR VICE PRESIDENT, GLOBAL NETWORK OPERATIONS, AT&T

Ms. Bienfait. Good morning, Mr. Chairman.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Bienfait appears in the Appendix on page 139.
---------------------------------------------------------------------------

Chairman Coburn. Good morning.

Ms. Bienfait. My name is Robin Bienfait and I am Senior Vice President of AT&T's Global Network Operations. I want to thank you for allowing me to share with you what we have done and what we are generally doing to ensure the reliability and restorability of AT&T network services. We are committed to a strong public-private partnership and we hope our experience is helpful. We believe there are keys to network security and disaster recovery and I will focus on the following areas: The strength of the public-private partnership; the lessons learned, especially from Hurricane Katrina and the 2003 Midwest and Northeast power outages; and a series of policy recommendations. Our country relies on cyber and physical infrastructure that is provided by a very close partnership among all the providers and users of this infrastructure. Each partner, both in the public and private sector, has a responsibility to keep their part of the infrastructure working. They also each have a responsibility to be able to recover or restore their piece of the infrastructure. At AT&T, our goal is to have a network where failures are prevented or identified and corrected before they affect our customers. Since 1991, we have invested more than $300 million in our mobile network disaster recovery infrastructure and capabilities. We have also invested $200 million in a system that proactively monitors and manages the networks of some of our largest customers. We have more than 500 fully loaded emergency communication vehicles that we can quickly deploy to respond to any disaster anywhere in the United States.
We have the basic building blocks of our network infrastructure installed in 150 technology trailers and it is ready to roll at a moment's notice. I would like to draw on the examples of Hurricane Katrina and the 2003 blackouts to illustrate our approach to response and restoration efforts and to show you how our incident command structure makes every minute count. For Hurricane Katrina, we followed our prescribed command and control approach to a tee. AT&T began moving equipment and teams from around the country toward the Gulf States in the days before the storm made landfall. The first team restored AT&T service to its prior levels, a second team maintained and monitored AT&T's facilities so as to prevent new issues from arising, and a third team came in to help others. AT&T worked around the clock to respond to this crisis and safeguard its network and support the efforts to respond to the disaster. AT&T was also able to direct its effort to benefit its customers, other telecommunication competitors and their customers, first responders, and evacuees, as needed. AT&T also helped to provide relief to those directly affected by the hurricane and flooding and assistance to charitable relief efforts. Thanks to these efforts and the intense dedication of the employees involved, AT&T's network remained essentially intact. We were able to carry at least 95 percent of all calls in the Gulf Coast area that came to our network. Of the five percent of our capacity in the area that was initially lost, we restored half of that capacity within a couple of hours. Related to the blackouts, as you know, in 2003, large portions of the Midwest, Northeast, and Ontario, Canada, experienced an electrical power blackout affecting 50 million people. Power was not restored for 4 days in some parts of the United States. 
Because of the reliability and redundancy that we designed and built into our network infrastructure, Internet traffic, data services, and voice calls flowed across our network without interruption. These and other experiences have reinforced lessons that we must incorporate in future planning and are the basis of our following policy recommendations. More detailed recommendations are available in my written testimony. Establish and practice disaster recovery processes in anticipation of emergencies. Communication resources can be brought where needed very quickly, but it is essential that those clear lines of command and control at all times are there to direct those resources effectively and to the area of greatest need. A single agency must be identified, funded, empowered to act as a national cyber incident commander for any required cyber infrastructure recovery and reconstitution efforts. Coordinate restoration and recovery efforts. Everyone available should be participating and there needs to be coordination so the efforts are not duplicated or in conflict with one another. Logistical information, such as what roads are closed and what medical precautions are needed, must be readily available. Moreover, a recommendation we made after September 11 still has not been widely implemented. Companies such as AT&T that are crucial to the response to disasters should have special credentials designed for employees and accredited in advance in order to assess disaster areas. Minimize the amount of regulation and data reporting requirements during a disaster and maximize the amount of coordination and cooperation between public and private sector. Interoperability and spectrum availability. A crisis on the scale we saw in the Gulf Coast and smaller challenges, as well, demand a well-coordinated information and communications delivery system. We must resolve the spectrums needed and highlighted by the 9/11 Commission. 
Consider subsidizing some of the emergency preparation by infrastructure companies. The government is likely to call on such capabilities in use or would otherwise need to duplicate resources ineffectively. We can never anticipate every contingency in an emergency, nor can we assure a foolproof communications network all the time under all circumstances. Nonetheless, at AT&T, we have done much to ensure reliability and restorability of communication networks, and together as an industry and as a Nation, we can do more. I thank you for holding this hearing to advance this important discussion.

Chairman Coburn. Thank you, Ms. Bienfait. Mr. Aisenberg.

TESTIMONY OF MICHAEL A. AISENBERG,\1\ DIRECTOR OF GOVERNMENT RELATIONS, VERISIGN, INC., AND VICE CHAIR, IT SECTOR COORDINATING COUNCIL

Mr. Aisenberg. Thank you, Mr. Chairman. Thank you for the opportunity to appear before the Subcommittee today.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Aisenberg appears in the Appendix on page 161.
---------------------------------------------------------------------------

VeriSign's 4,600 employees operate intelligent infrastructures that enable and protect billions of interactions every day across the world's voice and data networks. I, too, have three key points I would like to make today. First, those who make policy in the United States must understand the economic value and critical interdependencies we have developed on our information networks. Second, we must understand and accommodate to the global nature of both our information networks and the attacks that are being continually mounted against them. Third, largely owned and operated by the private sector, our network security and ability to withstand and recover from the continuing attacks against them depends on effective partnership between government and we, the industry stewards.
Americans must keep a clear focus on the critical economic and national security role which our information networks have come to fulfill. In less than two decades, the industrial nations have evolved an irreversible dependency and interdependency by our banking, finance, transportation, health care, education, power, manufacturing, and government service sectors on the networks managed by the companies, mostly American, which make up the ICT sector. Each day, $3 trillion pass over secure Federal financial networks. If these electronic transactions do not have Internet sites, such as NYSE.net, BankofAmerica.com, and Treasury.gov, available, secure, and running, the U.S. economy begins to grind to a halt at the rate of $130 billion per hour. As you have noted, Mr. Chairman, cyber security is indeed a responsibility which we all share and in which we all have a stake. We must recognize that information networks are global, increasingly managed by interests beyond U.S. control, but at the same time subjected to threats and attacked by actors from around the world. The role of an effective government cyber security function and government-industry partnership is central to the BRT report's critical conclusion. America needs a much improved cyber security activity, not just in DHS, but across government and industry interests. But while its conclusions are consistent with others from industry, the BRT report's suggestions about the extent and effectiveness of industry engagement with DHS are, I believe, out of touch with important progress being made in public-private collaboration in the last 18 months. There have been many, and there are increasingly significant collaborative engagements between the cyber industry and DHS, some of which were outlined by Secretary Foresman. In 2005, commented engagement with industry began to be regularly sought by new DHS leadership.
Involvement in DHS policy processes from their beginning rather than at the end began to be practiced. Examples include the national cyber security exercise Cyber Storm, concluded in February of this year, DHS's Internet Disruption Working Group, the IDWG, the government Security Operations Community, GFirst, the just-released NIPP process, and the ongoing sector-specific plans just under development. Mr. Chairman, my sector colleagues and I have found these activities valuable and a marked departure from what we experienced prior to 2005. This steady improvement and expansion of industry involvement with DHS cyber and network security activities must continue. But while these milestones and improvement in the relationship between cyber sector industry interests and the NCSD and NCC staff are important and significant, they are not a solution, but a beginning. Mr. Chairman, we are at least twice as good in our cooperation as we have been, but we are not half as good as we need to be. Indeed, many of us believe that notwithstanding these improved public and private engagements, the operational posture is still fraught with risk. If a September 11-type attack were to take down the NYSE today, I doubt the Exchange could restore its network-dependent functions in the same 4 days it did in 2001, and indeed, perhaps not in 4 weeks, and the principal reason for this is DHS, or rather the bureaucratic impediments, many of which have already been discussed this morning, to the kind of action that the private sector was able to engage in in 2001 and was thwarted at during Hurricane Katrina. We need to act without delay to ensure that our networks and critical dependent sectors are resilient enough to withstand the daily attacks being mounted against them. And as the GAO is reporting today, they must be supported by the appropriate tools from government as well as industry to assure the ability to recover with minimum collateral impact on our economy and security.
To conclude, Mr. Chairman, going forward, several steps are necessary. First, DHS's modest cyber security budget must be insulated from the continuing reprogramming and budgetary cuts now underway. Second, a cyber security leader with credibility in industry must be identified and appointed as DHS's permanent Assistant Secretary for Cyber Security and Telecommunications without further delay. Third, critical R&D projects to improve key network security protocols must be funded and launched or relaunched. Mr. Chairman, if we do these things, we will not guarantee that our adversaries will stop attacking our critical cyber assets, but we will improve the likelihood that we will continue to successfully withstand those attacks and retain the availability of these infrastructures on which we are now so dependent. Thank you, Mr. Chairman.

Chairman Coburn. Thank you, Mr. Aisenberg. Mr. Brondell.

TESTIMONY OF KARL BRONDELL,\1\ STATE FARM INSURANCE COMPANIES, ON BEHALF OF THE BUSINESS ROUNDTABLE

Mr. Brondell. Thank you, Mr. Chairman. I am honored for this opportunity to testify today on Internet recovery on behalf of the Business Roundtable.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Brondell appears in the Appendix on page 167.
---------------------------------------------------------------------------

Following the attacks of September 11, Roundtable CEOs formed the Security Task Force to address ways the private sector can improve the security of its employees, facilities, communities, and our Nation. The Roundtable believes that the business community must be a partner with government in disaster preparedness and response. The Roundtable commends the Subcommittee and its members for their continued interest in improving procedures and preparedness to ensure recovery of the Internet following a major disruption.
Hardening the Internet and strengthening cyber security is one of the priorities of our Security Task Force. More than a year ago, the Roundtable began work on an initiative to assess the public and private sector plans and procedures for Internet recovery following a cyber catastrophe. We have just produced and delivered a report, ``Essential Steps to Strengthen America's Cyber Terrorism Preparedness,'' which finds that the United States is ill-prepared for a cyber catastrophe, with significant ambiguities in public and private sector responses that would be needed to restore and recover the Internet following a disaster. As the Subcommittee knows, the Internet and the cyber infrastructure serve as a critical backbone for the Nation's economy and its uninterrupted use is a crucial issue for our national and homeland security. But our analysis has exposed significant weaknesses that could paralyze the economy following a massive disruption. Despite progress having been made over the past decades on technical and IT issues, there are other issues that have not received the same attention. The Roundtable's report identifies three significant gaps in our Nation's response plans to restore the Internet. First, we found the United States lacks an early warning system to identify potential Internet attacks or determine if the disruptions are spreading rapidly across critical systems. Second, public and private organizations that would oversee restoration and recovery of the Internet have unclear or overlapping responsibilities, resulting in too many institutions with too little interaction and coordination. Finally, existing organizations and institutions charged with the Internet recovery have insufficient resources and support. Collectively, these gaps mean that the United States is not sufficiently prepared for a major attack. 
If our Nation is hit by a cyber catastrophe that wipes out large parts of the Internet, there is no coordinated public-private plan in place to restart and restore it. Let me make another point. Although there is no agreement among experts about the likelihood of a widescale cyber disaster, they do agree that the risks and the potential outcomes are serious enough to mandate careful planning and preparation. In my remaining time, let me talk briefly about our recommendations for government and business to consider. We believe it is important to understand that response and recovery to a cyber disaster will be different from natural disasters when the Federal Government has the leading role. Industry must undertake principal responsibility following an incident for reconstituting the communications infrastructure and the Internet. We believe that business and government must take action, individually and collectively, to address these issues. Let us start with the government. The Roundtable calls on the Federal Government to establish clear roles and responsibilities, to fund long-term programs, and ensure that national response plans treat major Internet disruptions as serious national problems. Regarding the private sector, our report urges companies to designate a point person for cyber recovery, update their strategic plans, and set priorities to prepare for a widespread Internet outage and its impact on the movement of goods and services. When it comes to protecting our Nation, neither the government nor business can do it alone. We feel the best security solutions will come from a public-private partnership that identifies and acts on ways to improve collaboration. Let me discuss a few of the collaboration recommendations. First, since the first 24 hours often determine the overall success of recovery efforts, we must focus more attention on coordinating initial efforts to identify when an Internet attack or disruption is occurring. 
Second, we recommend the creation of a federally-funded panel of experts from business, government, and academia who would assist in developing plans for restoring Internet services in the event of a massive disruption. Finally, we believe the Department of Homeland Security, together with business, should conduct large-scale cyber emergency exercises with lessons learned integrated into programs and procedures. Without change, our Nation will continue to use ad hoc and incomplete tools for managing our critical risk to the Internet and to our Nation's economy and its security. Up to this point, I have outlined for the Subcommittee the basis for our observations and some of the recommendations to consider. Now I would like to spend a moment telling you about the Roundtable's plans to find solutions to the gaps that we have identified. First, let me say that we are confident that our member companies are able to manage most disruptions that affect Internet operations. For this reason, the Roundtable will focus its efforts on those large-scale events that no single company is positioned to manage absent widespread cross-industry and government collaboration. As an extension of our previous work, the Roundtable will examine the processes, protocols, and practices across the private sector before, during, and after a disruptive event. We will assess which institutions respond, how early warnings are established, and how companies access information and service critical disruptions and emergency situations. We believe this will provide a foundation for meaningful improvements in our Nation's ability to protect and restore the Internet as well as clarify specific, meaningful, and actionable decisions that will lead to well-coordinated public and private response and reconstitution processes. 
In conclusion, let me again thank the Chairman for the opportunity to present the Business Roundtable's report on cyber preparedness and to discuss our recommendations for improvements. Roundtable CEOs believe strongly that we need a national response to this challenge, not separate business and government responses, and that means better collaboration. I assure you, America's CEOs and our companies are committed to do their part. Thank you.

Chairman Coburn. Thank you. One of the things I take from you all is leadership is important, and the fact that we don't have the position filled is significant. You know, that is a real problem in our Nation today and I don't know what the cause of it is. Some people say, well, the salaries aren't high enough. But for us to secure our future, we are going to have to make individual sacrifice and that means somebody out of private industry needs to come up and fulfill this role. When they are trying to recruit and nobody wants to do it because they are not willing to sacrifice a little bit of earnings for 3 or 4 years and make a commitment to make a difference to our country, we are losing the very essence of what it means to be Americans. So it is pretty hard to hire somebody into a Federal Government agency into a position that is going to mean their salary is going to be cut in half if there is no patriotic thought that you can make a contribution to our country. Each of you has raised that. Does any one of you all want to volunteer for that position? [Laughter.]

Mr. Noonan. I know someone that does, sir.

Chairman Coburn. Well, the man that probably is involved in that decision is sitting behind you. I hope you will communicate that with Secretary Foresman.

Mr. Noonan. I certainly will.

Chairman Coburn. I appreciate him being here. Just quickly, I am going to have several questions and I can't get them all through to you, so I am going to submit them in writing. What do you think about the GAO's report? Mr.
Brondell has just made a recommendation, we have got all these working groups. Here is what you all think we ought to do. We have got working groups, yet we basically have nobody in charge. What would happen tomorrow if a major event happened? We don't have the coordination across government to the private sector to establish that. So how do we respond? How do we take your recommendation, Mr. Brondell, versus the problem? We have got working groups. We have got people that are involved in it. How do we get it off dead center and make something happen?

Mr. Brondell. First of all, we do applaud that the efforts are moving in the right direction. As you heard earlier this morning, it is a long road that we are going to have to pull, but as we look at a collaborative approach, we do agree and have suggested that we do need some focal point within the government that private sector can rely upon. We support the addition of the position. We hope that it gets filled quickly and goes through the administrative process to be in place. But to your question of what we would do today if it happened, industry would continue to respond as it has in the past and overcome the hurdles based on the experience from past smaller incidents. But lacking collaboration, it could damage the overall economy with a long delay.

Chairman Coburn. Mr. Aisenberg.

Mr. Aisenberg. Senator, we see a steady stream of insults against the network on a daily basis. VeriSign routinely repels 1,000 or more attacks against the naming infrastructure, the DNS, every day. Major events happen with greater frequency than makes us happy, but we are successful in repelling those now, by and large. But every day, the sophistication in those attacks grows. The sources of them become more diverse and the risks inherent, therefore, become more severe. So you are absolutely right. We need a more coordinated approach.
We cannot guarantee, no one can guarantee that an attack will not at some point be successful, and I agree, the ability to reconstitute and recover from a serious attack at the moment is not as good as we need it to be, and I could not predict how severe or how long a major attack that took down the naming system or fundamental other aspects of the Internet could persist and impact the economy. Our best defense is the aggressive investment that the infrastructure stewards make in massive overhead, massive engineering, constant exercising, constant testing of the security, and vigilance, and a little bit of good luck.

Chairman Coburn. Is there an early warning system out there now?

Mr. Aisenberg. It depends on what you mean by early warning.

Ms. Bienfait. Not one that you would actually, as we would do with a hurricane in an emergency scenario, we see a hurricane coming and we have got a way to give an early warning----

Chairman Coburn. No, I mean is there a communication network where, whether it is NSA or whoever is experiencing it, all of a sudden, this is a major attack and time is of the essence and everybody knows it is happening in one area so they can prepare if their area is about to get hit. Is that out there now?

Ms. Bienfait. Not across----

Chairman Coburn. Is there an early warning system so that there is communication to all the players that something is happening. You need to know about it. Here is what we see. You might be next. Is that happening now?

Ms. Bienfait. We have something internal to ourselves that we can actually see the signatures and the knocking of all the hacking attacks against our network----

Chairman Coburn. That is your network?

Ms. Bienfait. That is my network. But we are only doing this in our own domain. We are not doing a lot across companies, across collaboration----

Chairman Coburn. Is there something that prevents you legally from being able to communicate that with the rest of the service providers?

Ms. Bienfait.
Nothing at this point in time, other than us getting a trusted environment where we could actually do pre- planning ahead of time so that we know what that information might look like. We are doing some of that right now, trying to put best practices together, but there is not anything formal to the point that we know how to pull up a security alert and actually say, hey, the collaboration of the different units, I am going to shut down this part of my network or I am going to open up that part of my network so that this work can flow through. Chairman Coburn. And you would all agree that is needed? Ms. Bienfait. I think it is necessary. Chairman Coburn. It is needed, and one of the reasons it is not is because there is not a position of leadership and trust which you can work through? Ms. Bienfait. You really have to have a very trusted environment. It is essential---- Chairman Coburn. Otherwise you expose proprietary information. Ms. Bienfait. Exactly. And we are working through that, it is just not moving fast enough. Chairman Coburn. OK. Mr. Aisenberg. Senator, another aspect of that is that what we call the millisecond sectors--electric power, communications, IT--frequently see insults only after they are actually mounted. Unlike intelligence gathering around physical attacks where you hear a tip from one individual and you can grow your investigative technique, very often when the attacks are mounted against the Internet or the communications or power networks, you don't see the attacks until they are already at their zero moment and are massively engaging the infrastructure. Chairman Coburn. But, in fact, we know that is a possibility, so we can design to prevent that if we have the structure in place to communicate it, cross-communicate it without the sharing of proprietary data that would put somebody at a competitive disadvantage. I mean, that is possible. Everybody would agree with that, right? Mr. Noonan. Right. 
There is already a foundation in place, sir, but it is not broadly available cross-industry, cross- sector, cross-agency and government. There are multiple early warning activities that are operating at various levels of efficacy. These include the ISAC, the Information Sharing and Analysis Centers that are established as part of the IT, or as part of the Sector Coordinating Councils. They are not fully operating cross-functionally today, but they are a foundation that has been being built for many years. There are issues, but we are making progress there. I think the early warning vulnerability disclosure activity that is underway has actually moved this industry along in a number of years. If we know where our vulnerabilities are, there is a pretty good chance that is where the attacks are going to be. Whether they are malicious and disruptive or whether they are quiet and compromising, they are typically getting through our vulnerabilities. There, I think we have made progress. However, as an industry, or both a public and private sector perspective, we don't have the equivalent of turn on CNN and get the hurricane early warning system. We simply don't have that. Chairman Coburn. Are there any other comments from any of you all on the GAO report? [No response.] Chairman Coburn. I don't know if the silence is because--I won't say that. I will just let it go with that. None of you would disagree with the fact that there could be somebody in a position that could maintain the trust of the providers and the service companies and the Internet industry and work for government and maintain the integrity that is required for us to solve these problems. Would you agree with that? Ms. Bienfait. I would agree with that. Mr. Noonan. I would agree. Chairman Coburn. 
So one of the real issues for us to move things offline is to fill the position with somebody that has the competency, character, and trust of the industry and the government and can put the impetus behind moving forward. If this hearing does anything with that, we will have accomplished something. I want to thank each of you for being here. This is a difficult problem we face, but it is also, besides difficult, it is critical. Our country can't take many more hits. This is one that is preventable, provided we do the right thing. It is at least, if not preventable, recoverable if we do the right thing. I would hope that we will continue to have good communications. We will have other hearings on this. We are going to move. There is going to be an Assistant Secretary, I promise you. Even if we have to raise the salary for the position, there is going to be one because it is just too important. We will be submitting some questions to you. I would hope that you would return those to us within 2 weeks. I thank you for your service, and the hearing is adjourned. [Whereupon, at 11:12 a.m., the Subcommittee was adjourned.] 
A P P E N D I X

[The appendix consists of graphics (prepared statements and related material) omitted from the text edition.]