CHAIRMAN THOMPSON'S STATEMENT   


OPENING STATEMENT OF
SENATOR FRED THOMPSON
CHAIRMAN
GOVERNMENTAL AFFAIRS COMMITTEE

March 2, 2000

Cyber Attack: Is the Government Safe?


Today, the Committee on Governmental Affairs is holding a hearing on the ability of the Federal government to protect against and respond to potential cyber attacks. This Committee spent considerable time during the last Congress examining the state of Federal government information systems. Numerous Governmental Affairs Committee hearings and General Accounting Office reports uncovered and identified systemic failures of government information systems which highlighted our nation’s vulnerability to computer attacks -- from international and domestic terrorists to crime rings to everyday hackers.

We directed GAO to study computer security vulnerabilities at several Federal agencies including the Internal Revenue Service, the State Department, the Federal Aviation Administration, the Social Security Administration, and the Department of Veterans’ Affairs. From these and other numerous reports, we learned that our nation’s underlying information infrastructure is riddled with vulnerabilities which represent severe security flaws and risks to our national security, public safety and personal privacy.

Every year, the government gathers information on every one of us because we give the government this information in order to obtain government services – like getting social security benefits, veterans benefits, Medicare, or paying taxes. And yet, year after year, this Committee continues to receive reports detailing security breaches at these same agencies. Sometimes things improve – agencies usually will respond to specific GAO recommendations or to a particular Inspector General report. But, this is a "band-aid" approach to protecting information systems – fixing the system little by little, problem by problem, after it is revealed that it is no longer secure.

What is most alarming to me is that after all this time, and all these reports, there is still no organization-wide approach to preventing cyber attacks. And the security program management is totally inadequate. I’m afraid it’s another example of how difficult it is to get the Federal bureaucracy to move, even in an area as important as this.

The reports highlight that an underlying cause of Federal information security vulnerabilities is inadequate security program planning and management. When GAO studied the management practices of eight organizations known for their superior security programs, GAO found that these organizations managed information security through continuous management activities which included specific practices to support their information security principles. We think this is lacking in the Federal government.

And we think agencies must do more than establish programs and set management goals – agencies and the people responsible for information systems in those agencies must be held accountable for their actions. And I believe that Congress should examine how we can provide assistance to the agencies to ensure that they have the resources necessary to maintain information technology security preparedness at all times.

It is clear to me, based on GAO report after GAO report, that what needs to emerge in government is a coordinated and comprehensive management approach to protecting information which incorporates the efforts already underway and takes advantage of the extended amount of evidence that we have gathered over the years. The objective of such an approach should be to encourage agency improvement efforts and measure their effectiveness through an appropriate level of oversight.

In order to develop such an approach and begin to find solutions to the problems which have been identified, we concluded that a more complete and meaningful statutory foundation for improvement is needed. That is why Senator Lieberman and I introduced S. 1993, the Government Information Security Act, at the end of last year. The primary objective of our bill is to address the management challenges associated with operating in the current interdependent computing environment.

Our bill begins where the Paperwork Reduction Act of 1995 and the Clinger-Cohen Act of 1996 left off. These laws, and the Computer Security Act of 1987, provide the basic framework for managing information security. We view the introduced bill as just the beginning and recognize that these aren’t the only things that need to be done. Some have suggested we provide specific standards in the legislation. Others have recommended we establish a new position of a National Chief Information Officer or even a national security "czar."

These issues and more will be brought up during our hearing today. The witnesses before us represent a broad array of experience and expertise in the area of information security. First, we have Mr. Kevin Mitnick who has described himself as a reformed hacker. Next, we will hear from Mr. Jack Brock who is the director of Governmentwide and Defense Information Systems at GAO and Ms. Roberta Gross, the Inspector General for NASA. Both of them have done significant work in the area of government information security. We also will hear from Mr. Ken Watson who is the manager of Critical Infrastructure Protection at Cisco Systems and Mr. James Adams, the CEO and co-founder of iDefense. I welcome all of you and look forward to your testimony about the cyber threats that we face today and how we can work together to fashion solutions to the many problems associated with computer security.
