<DOC>
[106th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:60842.wais]
COMPUTER SECURITY IMPACT OF Y2K:
EXPANDED RISKS OR FRAUD?
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY
of the
COMMITTEE ON SCIENCE
and the
SUBCOMMITTEE ON
GOVERNMENT MANAGEMENT, INFORMATION,
AND TECHNOLOGY
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
__________
AUGUST 4, 1999
__________
Science Serial No. 106-23
__________
Government Reform Serial No. 106-57
__________
Printed for the use of the Committee on Science
U.S. GOVERNMENT PRINTING OFFICE
60-842 WASHINGTON : 2000
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
STEPHEN HORN, California PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana ELEANOR HOLMES NORTON, Washington,
MARK E. SOUDER, Indiana DC
JOE SCARBOROUGH, Florida CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South DENNIS J. KUCINICH, Ohio
Carolina ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia DANNY K. DAVIS, Illinois
DAN MILLER, Florida JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas JIM TURNER, Texas
LEE TERRY, Nebraska THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California ------
PAUL RYAN, Wisconsin BERNARD SANDERS, Vermont
HELEN CHENOWETH, Idaho (Independent)
DAVID VITTER, Louisiana
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
David A. Kass, Deputy Counsel and Parliamentarian
Carla J. Martin, Chief Clerk
Phil Schiliro, Minority Staff Director
------
Subcommittee on Government Management, Information, and Technology
STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois JIM TURNER, Texas
THOMAS M. DAVIS, Virginia PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon MAJOR R. OWENS, New York
DOUG OSE, California PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Matt Ryan, Senior Policy Director
Bonnie Heald, Communications Director/Professional Staff Member
Grant Newman, Clerk
Trey Henderson, Minority Counsel
COMMITTEE ON SCIENCE
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
SHERWOOD L. BOEHLERT, New York RALPH M. HALL, Texas
LAMAR SMITH, Texas BART GORDON, Tennessee
CONSTANCE A. MORELLA, Maryland JERRY F. COSTELLO, Illinois
CURT WELDON, Pennsylvania JAMES A. BARCIA, Michigan
DANA ROHRABACHER, California EDDIE BERNICE JOHNSON, Texas
JOE BARTON, Texas LYNN C. WOOLSEY, California
KEN CALVERT, California LYNN N. RIVERS, Michigan
NICK SMITH, Michigan ZOE LOFGREN, California
ROSCOE G. BARTLETT, Maryland MICHAEL F. DOYLE, Pennsylvania
VERNON J. EHLERS, Michigan SHEILA JACKSON LEE, Texas
DAVE WELDON, Florida DEBBIE STABENOW, Michigan
GIL GUTKNECHT, Minnesota BOB ETHERIDGE, North Carolina
THOMAS W. EWING, Illinois NICK LAMPSON, Texas
CHRIS CANNON, Utah JOHN B. LARSON, Connecticut
KEVIN BRADY, Texas MARK UDALL, Colorado
MERRILL COOK, Utah DAVID WU, Oregon
GEORGE R. NETHERCUTT, Jr., ANTHONY D. WEINER, New York
Washington MICHAEL E. CAPUANO, Massachusetts
FRANK D. LUCAS, Oklahoma BRIAN BAIRD, Washington
MARK GREEN, Wisconsin JOSEPH M. HOEFFEL, Pennsylvania
STEVEN T. KUYKENDALL, California DENNIS MOORE, Kansas
GARY G. MILLER, California VACANCY
JUDY BIGGERT, Illinois
MARSHALL ``MARK'' SANFORD, South
Carolina
JACK METCALF, Washington
C O N T E N T S
----------
Page
August 4, 1999:
Opening Statement by Representative Constance A. Morella,
Chairwoman, Subcommittee on Technology, U.S. House of
Representatives............................................ 1
Opening Statement by Representative Stephen Horn, Chairman,
Subcommittee on Government Management, Information and
Technology, U.S. House of Representatives.................. 3
Opening Statement by Representative Mark Udall, Member,
Subcommittee on Technology, U.S. House of Representatives.. 6
Witnesses:
Mr. Joe Pucciarelli, Vice President and Research Director,
Gartner Group Inc.:
Oral Testimony........................................... 7
Prepared Testimony....................................... 10
Biography................................................ 15
Financial Disclosure..................................... 16
Mr. Harris Miller, President, Information Technology
Association of America:
Oral Testimony........................................... 17
Prepared Testimony....................................... 19
Biography................................................ 33
Financial Disclosure..................................... 35
Mr. Dean Rich, Vice President for Security Services, WarRoom
Research:
Oral Testimony........................................... 36
Prepared Testimony....................................... 39
Biography................................................ 41
Financial Disclosure..................................... 44
Mr. Wayne Bennett, Chair, Commercial Technology Practice
Area, Bingham Dana LLP:
Oral Testimony........................................... 45
Prepared Testimony....................................... 47
Biography................................................ 52
Financial Disclosure..................................... 56
Appendix 1: Additional Statements
Statement by Representative Debbie Stabenow, Member, Subcommittee
on Technology, U.S. House of Representatives................... 76
Appendix 2: Materials for the Record
USA Today Article, Y2K fixes open door for electronic heist, M.J.
Zuckerman...................................................... 78
Gartner Group Report, Year 2000 and the Expanded Risk of
Financial Fraud, April 1, 1999................................. 80
HEARING ON THE COMPUTER SECURITY IMPACT OF Y2K: ``EXPANDED RISKS OR
FRAUD?''
----------
WEDNESDAY, AUGUST 4, 1999
House of Representatives, Subcommittee on
Technology, Committee on Science, and the
Subcommittee on Government Management,
Information, and Technology, Committee on
Government Reform,
Washington, DC.
The subcommittees met, pursuant to notice, at 10:06 a.m.,
in Room 2318, Rayburn House Office Building, Hon. Constance A.
Morella [chairwoman of the subcommittee] presiding.
Present: Representatives Morella, Horn, Bartlett,
Gutknecht, Turner, Rivers, Stabenow, Udall, and Wu.
Chairwoman Morella. I'm going to call to order the latest
in our series of ongoing hearings on our House Y2K Working
Group made up of the Science Committee's Technology
Subcommittee and the Government Reform Committee's Government
Management, Information, and Technology Subcommittee.
On behalf of my colleagues Chairman Horn, Ranking Members
Barcia and Turner, and Mr. Udall, I want to welcome our
distinguished panel as we discuss today the concerns raised by
a number of information technology experts that Y2K fixes may
pose a substantial security threat to computer operating
systems.
While the Technology Subcommittee has been reviewing the
year 2000 problem over the past 3 years, during that time we
have also been looking closely at the issue of computer
security.
Many of you have heard me compare our Nation's lack of
adequate information security to the year 2000 computer
problem.
Well, it now appears that Y2K and computer security aren't
just inviting comparisons, but have overlapped into one issue.
A lot of recent attention has been focused on the April 1,
1999, GartnerGroup report suggesting that as part of every year
2000 system fix, every aspect of every single information
technology system is potentially subject to change and
manipulation, raising the risk of theft, fraud, or corruption.
The GartnerGroup report also stated that at least one
publicly reported theft exceeding $1 billion may occur through
lapses in security directly resulting from Y2K remediation
efforts.
Since the publication of the report, a number of
independent scientists, security professionals, and others in
the Y2K community appear to have few quarrels with the
GartnerGroup's dire prediction.
The concern is that Y2K employees who have been hired to
correct systems might have left ``trap doors'' or may
manipulate the computer code through which they can
clandestinely take control of the system at a future date--
leaving vulnerable the systems that electronically move $11
trillion a year among financial institutions, corporations,
governments, and private organizations.
The computer security threat, however, may not be motivated
merely by just financial theft and fraud.
Some Y2K programmers with malicious intent may be quietly
installing malicious software codes--such as a logic bomb or a
time-delayed virus--to sabotage companies or gain access to
sensitive information sometime in the new millennium.
Most troubling is that several security firms say that they
have already found ``trap doors'' in Y2K programming.
If used successfully for hostile purposes, these computer
``trap doors'' can open to make sensitive national and
proprietary information systems vulnerable to be accessed,
stolen, compromised, or disrupted.
With less than 150 days now before the January 1, 2000,
deadline, the last thing we want to do is to defer any Y2K
remediation efforts.
It should be made clear that nobody should halt or suspend
fixing their Y2K problems simply because there exists this
potential for computer security breaches.
The goal of this hearing is not to create a how-to guide
and stoke the embers of those Y2K programmers with a felonious
heart and malicious intent.
The goal of this hearing is to determine what measures can
be undertaken to protect our computer systems and to limit the
potential of Y2K computer security breaches.
It is my hope that, today, this panel can collectively come
up with measures and guidelines that both the private and
public sectors can review and utilize in their current
remediation efforts to deter and catch any computer security
breach that may occur as a result of the Y2K fix.
Toward that end, I am pleased that we have a very
distinguished panel.
I welcome Mr. Joe Pucciarelli, Vice President, Research
Director of the GartnerGroup, a leading and influential
information technology research firm, which we know very well
through our hearings, and the author of the GartnerGroup Y2K
computer security report.
Also joining us is a familiar figure to us, Mr. Harris
Miller, President of the Information Technology Association of
America.
The Technology Subcommittee has worked very closely with
Mr. Miller and the ITAA in the past on both the Y2K and the
computer security issue, and it is great to see him back as a
witness before us.
We also have Mr. Dean Rich, Vice President for Security
Services at WarRoom Research in Annapolis, Maryland, who is a
computer security consultant with a great deal of expertise and
experience in both the public and private sectors. I'm somebody
who knows Annapolis well. I welcome you also, Mr. Rich.
Additionally, Mr. Wayne Bennett, Chair of the Commercial
Technology Practice Area of the law firm of Bingham Dana in
Boston and an expert in computer security laws and practice, is
with us today. A pleasure to have you, Mr. Bennett.
So I look forward to everybody's testimony, and I would now
like to turn to our distinguished Co-Chair of today's hearing,
the member from California, Chairman of the Government
Management, Information and Technology Subcommittee, Mr. Horn,
for any opening statement that he may wish to make. Mr. Horn.
Mr. Horn. Thank you very much.
For the past 3 years, these two Subcommittees have been
prodding agencies in the executive branch of the Federal
Government to prepare their computer systems for the year 2000.
Nearly all seem to have made good progress toward avoiding
major computer disruptions at the end of this year. However,
the rush to solve the year 2000 problem may have created
another more insidious and potentially troubling problem.
Today, we will discuss the danger that government agencies,
corporations, and individuals are now more vulnerable to
computer fraud, whether it is in the form of electronic
robberies or information warfare.
The reality is that computer systems can be compromised for
any number of reasons--some far more damaging than the loss of
money. Among them are the threats of industrial or military
espionage and the use of computers and the network systems by
terrorists or organized crime.
Private companies and government agencies alike have opened
up their most sensitive computer systems to outside contractors
who are helping them sort through billions of lines of computer
code to ensure their year 2000 compliance.
Although the vast majority of these contractors are honest
and truthworthy people, even a few unscrupulous operators could
create a significant problem.
The GartnerGroup, which is represented here today, has
predicted that by 2004, there will be at least one reported $1
billion or more theft due to the year 2000 remediation effort.
The concern involves something called ``trap doors,''
computer coding that can give unscrupulous contractors access
to the sensitive information in a computer long after the year
2000 work is completed.
From bank accounts and intellectual property to medical
records and defense secrets, companies and government agencies
have given contractors the keys that unlock an enormous
storehouse of information.
With only 149 days left until the new millennium, we must
ensure that our critical information technology infrastructure
is secure long after the year 2000 has passed away.
So, with Mrs. Morella, I welcome the witnesses we have
today, and I'm sure you will enlighten us in a number of areas.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] T0842.001
[GRAPHIC] [TIFF OMITTED] T0842.002
Chairwoman Morella. Thank you, Chairman Horn.
I am now pleased to recognize for any opening comments Mr.
Udall, who is our ranking member today.
Mr. Udall. Thank you, Madam Chairman. I want to join my
colleagues in welcoming all of you here today to the hearing.
This hearing focuses on two issues, the way I see it: computer
and network security and then, secondly, whether Y2K-related
computer system upgrades have increased the threat to a
company's or a federal agency's computer security.
I'd like to take a few minutes to speak about the Science
Committee's role in the area of computer security. Going back
into the late 1980s, the members of this Committee were aware
that the first computer networks, such as ARPANET, which became
NSFNET and is now known, of course, as the Internet, had a two-
edged quality: they improved electronic communication but also
compromised computer security.
In 1987, the Science Committee was instrumental in
developing and passing the Computer Security Act. This was the
first effort to improve the security of federal computer
systems. Ever since, the Science Committee has maintained a
high profile in this area.
I mention this issue because many believe that Congress has
not given sufficient attention to this issue of computer
security. I wanted to highlight that at least one Congressional
Committee has worked diligently to raise public and government
awareness of computer security issues for more than a decade.
This was long before most people even knew that the Internet
existed, let alone before related computer security issues
became important.
Today's hearing, as my fellow colleagues have mentioned,
was prompted by recent newspaper stories about a GartnerGroup
report warning that by 2004 there will be at least one publicly
reported electronic theft exceeding $1 billion and that steps
to solve the Y2K problem will be a root cause of the security
lapses that have allowed this step to happen.
This is a serious assertion that raises more questions than
it answers. For example, if it's true there will be at least a
$1 billion theft, what about the likelihood of several thefts
in the range of $100 million or the tens of thousands of
dollars?
Further, how credible are these alarms? After all, the
warnings themselves could undermine public trust in our
financial systems and the government's ability to provide
public services and in our computer-based infrastructure as a
whole.
So, in that spirit, there are several issues that I hope
our witnesses will address today. The first is: What data
substantiates claims that there's an increased risk of fraud as
a result of these Y2K fixes? Secondly, federal agencies,
including Congress, and industry have relied on contractors to
service their computer systems since their first installation.
What has been the past experience of this type of fraud? And
then, finally, if this Y2K-related fraud is a real problem,
what steps can federal agencies and large corporations take to
determine if the malicious code, the so-called trap doors, have
been inserted into their programs?
I want to thank you for being here. I very much look
forward to hearing what you have to say.
Thank you.
Chairwoman Morella. Thank you, Mr. Udall, and thank you for
also mentioning sort of the genesis of the Science Committee's
interest and involvement in this issue.
I'm now going to ask our panelists if they would rise and
raise their right hand. It's the policy of this Committee to
swear in those who will testify.
Do you swear that the testimony you are about to give is
the truth, the whole truth, and nothing but the truth?
Mr. Pucciarelli. I do.
Mr. Miller. I do.
Mr. Rich. I do.
Mr. Bennett. I do.
Chairwoman Morella. The record will reflect an affirmative
response from all. And, again, we'll try to follow a tradition,
to give time for questions and other comments, of asking each
panelist to speak about 5 minutes, and then we'll open it up to
questions. And we'll start off then in the order in which I
mentioned you.
Mr. Pucciarelli, you will start off with the Gartner
report.
STATEMENTS OF JOSEPH C. PUCCIARELLI, VICE PRESIDENT AND
RESEARCH DIRECTOR, GARTNERGROUP, INC., STAMFORD, CONNECTICUT;
HARRIS N. MILLER, PRESIDENT, INFORMATION TECHNOLOGY ASSOCIATION
OF AMERICA, ARLINGTON, VIRGINIA; L. DEAN RICH, VICE PRESIDENT
FOR SECURITY SERVICES, WARROOM RESEARCH, ANNAPOLIS, MARYLAND;
AND WAYNE D. BENNETT, CHAIR, COMMERCIAL TECHNOLOGY PRACTICE
AREA, BINGHAM DANA LLP, BOSTON, MASSACHUSETTS
STATEMENT OF JOSEPH C. PUCCIARELLI
Mr. Pucciarelli. Madam Chairman--Madam Chairwoman, Mr.
Chairman, and Members of the two Subcommittees, I appreciate
the opportunity to testify----
Chairwoman Morella. I think you should either move it
closer or make sure it's on.
Mr. Pucciarelli. Madam Chairwoman, Mr. Chairman, and
Members of the two Subcommittees, I appreciate the opportunity
to testify today on the computer security impact of year 2000
and the expanded risks of fraud. Key points in my testimony we
will discuss: our prediction, the analysts of GartnerGroup,
that by 2004 there will be at least one publicly reported
electronic theft exceeding $1 billion, 70 percent likelihood;
our forecast that year 2000 remediation efforts will be
identified as a root cause of the security lapses that will
have allowed this theft to happen, 70 percent likelihood; and
how input from our clients was factored into these predictions
and caused us to increase the probabilities.
My role is to advise business and financial executives in
the public and private sector on actions they should take to
protect and maximize the effectiveness of their investments in
computer technology. We found medium and large organizations in
the United States spend some 8 percent of sales revenue--that
is, 8 cents of every sales dollar--for computer systems. Ten
years ago, this number was only 1 percent. During the same
period, our financial systems have largely migrated to an
electronically interconnected business model. Best estimates
are that $11 trillion in electronic transfers occurred in the
United States in 1998.
Earlier this year, as part of my ongoing research, I
reviewed those issues that may require action by my clients. I
concluded, by reviewing the technical research conducted by my
colleagues at GartnerGroup, that many firms had not taken
adequate steps to secure and audit a year 2000 remediation
process. Based on these observations, I formulated a
recommendation to our clients.
I reviewed these preliminary findings with some 300 clients
on Tuesday, March 2, 1999, at a conference in New Orleans. Our
clients had differing opinions. Their feedback indicated that
the risk of theft was even higher than I had proposed. As a
result, we formally advised our clients in April that we
believe that by 2004 there will be at least one publicly
reported electronic theft exceeding $1 billion, and that Y2K
remediation efforts will be a root cause of those--that allowed
this theft to happen, 70 percent likelihood.
Predicting what will happen is challenging. Anticipating
how it may happen raises the bar considerably. In the case of
the first $1 billion electronic theft, the motive will likely
be one of greed combined with feelings of underappreciation by
a highly skilled software engineer, especially related to the
stress of the year 2000 remediation effort. The means will be
the tools at hand--the same electronic systems reliably
transact the business of the day will be instructed to transfer
funds beyond the boundaries of the enterprise into the hands of
a thief. The opportunity to perpetrate the crime will come in
an odd moment, a situation outside the bounds of the operating
manual. A system will crash unexpectedly and a single software
engineer could make changes without the normal reviews, due
diligence, or oversight. Further, the incident will likely
occur long after January 1, 2000.
Clearly, a billion dollars is a huge sum of money. However,
compared with the $11 trillion in annual volume of financial
electronic data interchange transfers during 1998, which are
growing some 40 percent annually, it represents only 0.0009
percent. To use a metaphor, a $1 billion theft compared to the
$11 trillion in throughput equates to 48 minutes over the
course of a year. In this context, a billion seems somewhat
less significant. Opposing all this money is the unbounded
creativity of the human mind--which has proved the world round,
produced Einstein's theory of relativity, placed a man on the
moon, and committed countless crimes throughout history. From
the Brinks armored car robbery through the Great Train Robbery,
to the most recent financial scandals including BCCI and
Barings, each generation adapts theft and fraud to the
technological circumstances of the day.
Given the enormity of the year 2000 remediation process,
the scope of the cash flowing through these systems and the
resourcefulness of the human mind in finding different ways to
steal, a large theft seems much more likely perhaps inevitable.
Specific steps need to be taken now and continually re-
emphasized to minimize risk. Specifically, we recommended:
One, the most effective theft and fraud deterrent is
maintaining the perception that there are high levels of
security. To accomplish this, we advise our clients to
collaborate to create a year 2000 security team with the
requisite technical and auditing skills to review procedures,
assess the threats, and implement a containment plan.
Second, procedure reviews must limit the ability of a
single individual to make changes or initiate activities
without a second person participating in the process.
Third, risk assessment must include reviewing all
enterprise insurance coverage as well as contracts with
external service providers and independent (programmer)
contractors.
Four, risk management plans should include careful
reconsideration of all existing theft and fraud deterrence
activities in light of this expanded threat profile.
The law of very large numbers dictates that we will have a
vastly increased risk of theft after the year 2000 remediation
efforts. In the rush to aggressively solve one problem,
enterprises need to ensure appropriate resources have been
rededicated to protecting the enterprise from the increased
risks of electronic theft and fraud--possibly the most
important artifact created by year 2000 remediation. These
nonlinear consequences of the year 2000 computer maintenance
effort may have a more profound implication than the linear
consequences such as a failure of a specific computer system.
Thank you.
[The statement of Mr. Pucciarelli follows:]
[GRAPHIC] [TIFF OMITTED] T0842.003
[GRAPHIC] [TIFF OMITTED] T0842.004
[GRAPHIC] [TIFF OMITTED] T0842.005
[GRAPHIC] [TIFF OMITTED] T0842.006
[GRAPHIC] [TIFF OMITTED] T0842.007
[GRAPHIC] [TIFF OMITTED] T0842.008
[GRAPHIC] [TIFF OMITTED] T0842.009
STATETEMENT OF HARRIS N. MILLERMr. Miller. Thank you,
Chairwoman Morella and Chairman Horn and other Members of the
Subcommittee. It is an honor to appear before your joint
Subcommittees, and I want to commend you and your colleagues
for holding this hearing on computer security as attention
moves from the Y2K problem to the next and even greater
challenge--Information Security or Critical Information
Infrastructure Protection, as it is often called.
Just as your two Subcommittees were among the leaders in
educating Congress and the Nation on the year 2000 challenge, I
know that you will play the same role on Information Security.
Make no mistake about it: Information Security is the next Y2K
issue for the IT community and its users.
The evildoers are not just unscrupulous Y2K repair firms.
The infosec threat comes in numerous guises: mischief-minded
hackers, disgruntled employees, corporate spies, cyber
criminals, terrorists, and unfriendly nations.
Virus episodes like Melissa and Chernobyl are becoming more
frequent. The Symantec Anti-Virus Research Center estimates
that new viruses are being launched at a rate of 10 to 15 per
day and that over 2,400 currently exist, and 35 percent of
those are considered to be intentionally destructive.
And, of course, there are the unintended consequences
associated with our new dynamic information technology
evolution, and, of course, year 2000 is the exhibit number one.
Assessing the ultimate infosec roles for government and the
private sector is really very simple. Our new information-based
assets must be protected and preserved. Participants and users
must understand that along with the obvious benefits of
information technology are corresponding commitments to protect
information technology. With rights--the right for IT to become
the firmament on which most of our society, our government, and
our economy are built--come responsibilities. And the primary
responsibility is to ensure the security of our information
society. The societal stakes involved compel government and
industry to seek common ground on the issue.
Security is much more challenging in the digital world
because it is not the traditional security of wire fences,
thick walls, and guard dogs. And it is not an activity just to
be left to the experts, for all of us are part of the
information age and must be sensitive to protecting it.
The road to a common ground between government and industry
will never be a straight line. On the contrary, while the ends
are commonly shared, the policies that government and industry
will develop in order to provide this protection are likely to
be quite different. Again, I remind the Subcommittees that the
year 2000 is the wake-up call. A well-prepared and well-
informed private sector can work with government to find the
proper balance which optimizes the government's needs to
protect the critical infrastructure with business' needs to
manage risks appropriately.
Significant reservations exist, however, on the part of
both private industry and government, and ITAA is attempting to
address both from a theoretical and practical standpoint.
In developing industry positions on national infosec
issues, ITAA has established a list of general principles that
will guide the development of our policy. They emphasize
industry leadership, communication and collaboration, infosec
commensurate with the true threat involved without
embellishment or magnification, and international
collaboration. My written statement provided to the Committee
outlines these principles in more detail.
But there are also many questions that must be addressed,
including the question, for example: What should be the
mechanism for sharing information between government and the
private sector, or even within the private sector itself? What
type of threat and intrusion reporting will be required as
opposed to optional? What type of organizations should plan and
execute the strategy for critical information infrastructure
defense? And what kind of legal and regulatory obstacles are
there to information sharing and information security?
And, of course, a less tangible concern must be addressed,
particularly development of trust, both within the private
sector and between the private sector and government. So as you
can see, there is much to be done.
We are working with our customers and with our government
to build the necessary bridges. ITAA is taking a number of
actions to focus on this issue. Following, for example, the
issuance of Presidential Decision Directive 63 last year, ITAA
was appointed as the sector coordinator for the IT sector along
with two other high-tech trade associations. We are involved in
massive education efforts, including White Papers, and we have
held frequent meetings with representatives across the
government to educate, discuss, and provide input.
Education and outreach will be critical to the success of
our efforts collectively. This past March, ITAA created the
framework for a new Cybercitizen Partnership in conjunction
with Attorney General Janet Reno. The partnership will focus on
promoting individual responsibility in cyberspace and creating
a private-public sector forum for exchange and cooperation.
In all honesty, we at ITAA face a daunting job of
convincing the IT industry and our customers to work with
government on these initiatives. But it is a challenge we must
step up to if we are to achieve any degree of success in
opening lines of communication.
The United States and much of the world are building their
economic house on an information technology foundation. This is
an extremely positive approach to take, delivering tangible
benefits to a fast-growing percentage of the world's
population. If year 2000 is the first challenge to place our
economic house at risk, failure to adopt a rigorous approach to
infosec will be the second and even more dangerous. ITAA and
its member companies are committed to a private sector
leadership role in ensuring that the necessary, timely, and
cost-effective solutions are implemented.
Thank you, and I would be happy to answer any questions you
may have.
[The statement of Mr. Miller follows:]
[GRAPHIC] [TIFF OMITTED] T0842.010
[GRAPHIC] [TIFF OMITTED] T0842.011
[GRAPHIC] [TIFF OMITTED] T0842.012
Introduction
[GRAPHIC] [TIFF OMITTED] T0842.013
[GRAPHIC] [TIFF OMITTED] T0842.014
[GRAPHIC] [TIFF OMITTED] T0842.015
[GRAPHIC] [TIFF OMITTED] T0842.016
[GRAPHIC] [TIFF OMITTED] T0842.017
[GRAPHIC] [TIFF OMITTED] T0842.018
[GRAPHIC] [TIFF OMITTED] T0842.019
[GRAPHIC] [TIFF OMITTED] T0842.020
[GRAPHIC] [TIFF OMITTED] T0842.021
[GRAPHIC] [TIFF OMITTED] T0842.022
[GRAPHIC] [TIFF OMITTED] T0842.023
[GRAPHIC] [TIFF OMITTED] T0842.024
[GRAPHIC] [TIFF OMITTED] T0842.025
[GRAPHIC] [TIFF OMITTED] T0842.026
Chairwoman Morella. Thank you, Mr. Miller. And I want all
of the panelists to know that the entirety of their statements
as submitted to us will be included in the record, and I know
that you have submitted extensive statements, and we appreciate
that.
Mr. Rich, I now recognize you, sir. May I indicate that we
have been joined by Mr. Bartlett from the great State of
Maryland. Mr. Rich is from Maryland, Mr. Bartlett.
STATEMENT OF L. DEAN RICH
Mr. Rich. Thank you. Chairwoman Morella, Chairman Horn, and
Members of the Subcommittees, I appreciate the opportunity to
appear before you and I thank you for continuing to address the
problems associated with information assurance and national
critical infrastructure. As a lead into Y2K, I'd like to submit
that Y2K, while a problem in itself, is a manifestation of a
much larger issue--overall infrastructure assurance. We can
look at Y2K as a wake-up event to better understand and manage
those systems that are increasing in control or influencing
every aspect of our lives.
I come to this Committee with a background of information
security as a Naval Reserve Officer in the Naval Cryptologic
community and as a businessman working with industry to address
the very issues we are discussing today. I support the Naval
Criminal Investigative Service in my reserve capacity
addressing threat issues. In my civilian position, I am
currently with WarRoom Research as Vice President of Security
Services, addressing both threat and vulnerability issues.
You might recall that WarRoom research services the U.S.
Senate's Permanent Subcommittee on Investigations under the
1996 Security in Cyberspace Hearings where we collected
information security risk profiles of 205 Fortune 1,000
corporations.
As we move even further into the digital age, those
elements that comprise electronic commerce, networked systems,
and national infrastructure are increasingly at risk. In order
for this networked world to be viable and to be able to operate
without concern and with all the worries transparent to the
user, there must be an underpinning of robust security. Often
we take security for granted or, using traditional cost
analysis, will accept a certain level of risk as a cost of
doing business. However, in today's environment, the cost of
doing business without a strong security posture is too high.
Yet many are unaware of these costs. In order to understand the
new requirements of the digital age, governments and businesses
must understand that security can no longer be an afterthought
or redlined when budgets get squeezed. Security must be
integral to one's overall management picture.
To effectively manage security, one must manage risk. I
believe in the formula risk equals threat multiplied by
vulnerabilities and apply it to my own business decisions. You
can see that with zero threat no matter the vulnerabilities,
you will have zero risk. Likewise, if you have zero
vulnerabilities and a world of ``bad actors,'' you have zero
risk. Unfortunately, we have a great number of both, which is
driving the risk index skyward.
Vulnerabilities within our infrastructure are exposed on
almost a daily basis. The scale of the infrastructure affected
magnifies the impact of these vulnerabilities. Popular computer
programs that get larger distribution have a larger impact.
This has been demonstrated recently by a vulnerability that
allows the promulgation of Macro viruses via e-mail. Using the
risk formula, this vulnerability would not be an issue if it
were not for the immense threat we live with on a daily basis.
I believe the threat to our infrastructure is real. During
the hearings on security in cyberspace in June of 1996, Mr.
John Deutch did a great job of summarizing the threat and the
need for increased public awareness. Many companies and
government agencies have taken a skeptic's approach when
discussing threats. They will say, ``My network and systems are
running fine. I don't see any threat here.'' They lack the
ability to see the threat and, therefore, deny it exists. They
would be surprised to see, with an intrusion detection
package--or intrusion detection application on their Internet
perimeter, they would detect at least one unusual occurrence a
day.
A number of years ago, while on active duty in the Navy, I
was deployed aboard a submarine for a couple of months. Having
an interest in the sonar system, I asked one of the crew to
give me an overview. The young officer was very proud of the
system and said, ``If something were out in the water, we would
hear it.'' I caught him by surprise when I said, ``So, let me
get it straight. If you don't hear, it isn't there?'' I think
that overconfidence in current capabilities and the
unwillingness to ``think out of the box'' will lead to
complacency. You need to look before you can see the threat. I
support innovated efforts to look where no one has looked
before.
I'd like to share a couple of short stories, and I will
keep it to the first one in the interest of time. In early
1995, I was running a vulnerability assessment on a large
number of Internet connected systems operated by the Department
of Defense--a Department of Defense organization. During the
assessment, I entered a computer that was used by software
developers to maintain the source code for a communications
package. The source code was clearly unclassified, but it was
disturbing for me to know its only use was on a classified
network. A ``total systems'' approach was not used when
implementing a support structure for the communications
package.
Others have demonstrated similar events over the last
couple of years, and we'll still continue to have these
problems.
I'd like to address the Y2K vulnerability issue. A recent
newspaper article brought to light a problem of outsourcing Y2K
remediation and the threat of foreign nation states inserting
backdoors for future year. I believe this is a valid threat and
agree it needs to be addressed today. On the other hand, many
Fortune 500 companies have been outsourcing source code
development and maintenance for years. A large number of these
U.S. companies have permanent network connections into their
corporate networks to facilitate the work from overseas. I can
tell you that without intrusion detection or traffic analysis,
these foreign companies have the potential to run free and
obtain unauthorized access to U.S. corporate proprietary
information.
In summary, I would recommend programs that support a total
risk management approach to infrastructure assurance. I
recommend protecting the critical path and the life cycle of
high-value infrastructure, not just the end product. Keeping
vigilant in the search for vulnerabilities and new threats. I
fully support the requirement for collaboration between
government and commercial organizations. We will not survive as
a country without a framework of trust, dialogue, and
collaboration. I look forward to working with this Subcommittee
and others on this issue within the months to come.
Again, thank you for the opportunity to speak, and I'd be
happy to answer any questions.
[The statement of Mr. Rich follows:]
[GRAPHIC] [TIFF OMITTED] T0842.027
[GRAPHIC] [TIFF OMITTED] T0842.028
[GRAPHIC] [TIFF OMITTED] T0842.029
[GRAPHIC] [TIFF OMITTED] T0842.030
[GRAPHIC] [TIFF OMITTED] T0842.031
[GRAPHIC] [TIFF OMITTED] T0842.032
Chairwoman Morella. We thank you very much, Mr. Rich, and
it's now my pleasure to recognize Mr. Bennett.
STATEMENT OF WAYNE D. BENNETT
Mr. Bennett. Thank you, Chairwoman Morella, Chairman Horn,
members of the Subcommittee. My name is Wayne Bennett. I'm a
partner at the law firm of Bingham Dana, and I chair the
Commercial Technology Practice Area at our firm. Thank you for
inviting me to this hearing.
The nearly boundless creativity of the criminal mind will
likely one day result in a billion dollar computer fraud. But I
believe the apparent increased risk presented by the Y2K
remediation effort is more than offset by the improvements in
remediation procedures that have been implemented at large and
mid-sized companies precisely to deal with the behemoth Y2K
effort. When the billion dollar fraud occurs, its connection to
the Y2K remediation effort will be more in the nature of
serendipity than statistical inference, and law enforcement
will be in a better position to identify the perpetrator
because of the changes that the Y2K effort has brought.
Consider the recent testimony of Gary Beach, Publisher of
CIO Magazine, before the Senate Special Committee on the Y2K
Technology Problem. I'm a member of the CIO Magazine editorial
advisory board, and I can attest to the efforts that
organization has made to look past the Y2K hype and its
coverage. While the purpose of Gary's testimony was to report
the results of a Y2K tracking poll, Gary added a particularly
incisive thought at the conclusion of his remarks that one
positive legacy of the Y2K exercise is that many companies were
finally moved to undertake comprehensive inventories of their
information technology systems.
I would expand on that notion of a positive legacy. The
learning at many corporate IT departments, particularly at mid-
sized corporations, has been greatly enhanced since the Y2K
wake-up call went out. My clients are from diverse industries,
including banks, mortgage companies, manufacturers,
distributors, broker dealers, grocers, IT hardware, software,
and services lenders, and e-commerce companies. Many of them
contacted leading experts to teach their IT personnel the best
industry practices for implementing their Y2K projects, and
they're applying that learning to their maintenance activities
generally.
Before the Y2K exercise, systems maintenance was in some IT
shops just a tedious chore that was relegated to anonymous
junior programmers. Maintenance was a stepchild, and many IT
departments struggled with version control, documentation, and
accountability. Often IT personnel would open a source code
file and find no written clue regarding who worked on the code
last, what changes had been made, or even when or why it was
changed.
The best maintenance practices recently introduced by
consultants have a by-product. Many systems environments are
now more secure than they were just a couple of years ago. For
example, the introduction of project notebooks requiring formal
sign-offs by responsible employees and contractors have
employees staking their reputations on their work. Each sign-
off indicates that a software routine is ready and that it
successfully integrates into the larger system. Testing
naturally becomes more comprehensive. Validation efforts are
enhanced to ensure that no unwanted changes have been
introduced into the system. Internal and external auditors
review project notebooks as part of their Y2K and technology
operations audits. Reports are generated at each management
level until a summary is presented to the board of directors.
Visibility and accountability at every level has increased.
Security has been enhanced.
Trap doors and the attendant risk of major fraud have been
around since shortly after the beginning of commercial
computing.
Then you enacted the Computer Fraud and Abuse Act of 1986,
the Information Infrastructure Act of 1996, the Economic
Espionage Act of 1996, and the No Electronic Theft Act of 1997.
The criminal laws are in place. Now, with the introduction of
better maintenance practices, the forensic evidence is more
likely to be available to track down a wrongdoer.
A billion-dollar fraud is inevitable at some point since no
security system is completely airtight. But is it more likely
now as a result of the Y2K effort? I don't think so.
Consider the current criminal opportunity. With increased
scrutiny of every line of code, choosing this juncture to hide
nefarious software in systems is akin to the decision of a
second story man choosing to burglarize the police chief's
house. Some burglars may find the prospect challenging, but
most won't and those that do will find the going rather rough.
At the July 22nd Senate Y2K hearing, Senator Bennett put
the question of the reported increased security risk to a panel
of IT executives. The panelists acknowledged that the security
risk is increasing every day because of the increase in
computer usage generally. But they also responded that the
procedures implemented to perform Y2K remediation make them
more confident today that while they can never fully prevent a
security problem, they can at least better now detect a
security problem.
These procedures can fail, so we need to be ever vigilant
about security. But we should also be careful about any message
that we send to those thousands of employees and contractors
who are honestly and diligently trying to solve the Y2K
problem.
The Nation's IT personnel are right now working at a
breakneck pace doing thankless, yeoman's work against an
unforgiving deadline. If they succeed in their Herculean task,
some--perhaps even some here today--will question why we spent
billions of dollars on a crisis that never came about. If they
fail, they will be blamed.
At this point, I suggest that we let the security officers
quietly pursue their jobs while we lend all necessary support
to the employees and contractors working on the Y2K effort--
without any inadvertent suggestion from any quarter that any of
them might be criminals, even in the face of continuing risk.
The job of fixing the Y2K problem and the consequences of
failure are so enormous that the ongoing risk of fraud pales by
comparison. We should keep our focus over these next critical
few months.
Thank you for your time.
[The statement of Mr. Bennett follows:]
[GRAPHIC] [TIFF OMITTED] T0842.033
[GRAPHIC] [TIFF OMITTED] T0842.034
[GRAPHIC] [TIFF OMITTED] T0842.035
[GRAPHIC] [TIFF OMITTED] T0842.036
[GRAPHIC] [TIFF OMITTED] T0842.037
[GRAPHIC] [TIFF OMITTED] T0842.038
[GRAPHIC] [TIFF OMITTED] T0842.039
[GRAPHIC] [TIFF OMITTED] T0842.040
[GRAPHIC] [TIFF OMITTED] T0842.041
[GRAPHIC] [TIFF OMITTED] T0842.042
Chairwoman Morella. Thank you very much, Mr. Bennett. I'm
glad we, you know, ended with you because then you put another
perspective on the concept of computer security being
important, but not necessarily, I was going to say, increased
because of Y2K. I understand also you were at the--what used to
be called the National Bureau of Standards.
Mr. Bennett. Yes, I was.
Chairwoman Morella. Which is now NIST, which has been very
much involved with our computer security system and more
legislation coming up on that.
As you could tell, we do have a vote coming up. Maybe I
could start off by asking one question, and then we could
recess for about 15 minutes, if you'll all be here, and then
continue with questions. Unless you wanted to start off with a
question, Chairman Horn?
Mr. Horn. I'll be glad to, if you'd like. I don't know if
you want to go vote and then I can go vote and keep the show on
the road. Whatever you'd like.
Chairwoman Morella. All right. He's got a great idea. I
will go vote, and then he will keep this--keep it going, and
then I'll come back.
Mr. Horn. Mr. Bennett, I was interested when you said the
criminal laws seem to be in place. Is that true in every state?
Have we done an analysis of that? Mrs. Morella and I can
request the American Law Division to look at that now that
you've raised the question.
Mr. Bennett. Well, I think the federal laws are in place.
In fact, there was just a recent article in, I believe,
Computer World where a defense attorney based in San Francisco
was complaining that the federal laws are set up so that her--
this is not surprising--that her clients are having a tough
time going and are pleading out instead of going to trial
because they risk very severe criminal penalties. I do not
know, however, on a state-by-state basis what the answer is.
Mr. Horn. Any comments from anyone else here on that point?
Well, the $1 billion does catch a headline, and that's, I
think, more likely to be banks. What will happen with the non-
banks where you could not have money to move, is blackmail. And
the question would be: To what degree can we already cope with
blackmail, the disgruntled employee that was mentioned? No
question about it. You could--with a smart programmer, you
could have chaos within a computer system.
Mr. Miller. Mr. Chairman----
Mr. Horn. Mr. Miller.
Mr. Miller. Mr. Chairman, we had Mr. Scott Charney, who
heads the Criminal Division area of computer crimes speak at a
conference we cosponsored last week with George Mason
University. And Mr. Charney indicated in his public comments,
at least--and maybe the Subcommittee would want to contact him
directly, but I think I would agree with Mr. Bennett--that the
federal laws are pretty strict.
The challenge is finding the miscreants and prosecuting
them. But I think they feel that the laws are pretty strict,
and they've been fairly successful in prosecutions. State laws,
I don't have any information on them.
Mr. Horn. If it is blackmail and it isn't moving money
around from accounts here to accounts abroad and so forth, how
do we deal with the blackmail aspect?
Mr. Miller. They're both federal statutes, as I understand
it. I'm not a lawyer.
Mr. Horn. Have we had much computer security blackmail?
Mr. Miller. I've been told of stories anecdotally.
Nothing's been reported publicly.
Mr. Horn. Well, I realize it's like rare-book libraries.
They don't want to talk about it, and that was the mistake of
their life because now that they started talking about it, you
find these people. And the thief just had a field day, can walk
off with all the precious books, and they did it at Harvard and
Yale and my own university and so forth. But it just seems to
me we need a strategy here in educating chief executives. As we
went through the Y2K bit in the last year, one of the things
that discouraged me was the bad advice that their lawyers gave,
which was, Chief, don't say anything, then they can't do
something to you in court. Well, that's utter baloney because
they'll do you for not doing anything, and we really needed
CEOs to provide some leadership, which they finally woke up and
did.
But how would you deal with this in this way to get top
management to understand that they've got to do some strategies
and tactics here to protect themselves in the interest of their
stockholders?
Mr. Pucciarelli. Congressman Horn?
Mr. Horn. Yes?
Mr. Pucciarelli. If I could just say, in my opinion,
security is to computers what safety was to automobiles in the
1960s. We have a relatively immature technology, relatively in
the context of 20 and 30 years versus 100 years. And what goes
with a new technology is a certain exuberance and a denial of
some of those risks.
And I think what happens over time, the experience of using
the technologies, of understanding the consequences, and
understanding the implications will bring to light to the
executives and to the leadership of the organizations that use
these tools the risks. So rather than delegating the leadership
and management of these systems to technical specialists, the
executives will become more involved and more active in
establishing security procedures for the overall enterprise.
Mr. Horn. Now, with the Presidential Directive--by the way,
if you have your mikes still on, turn them off so we don't get
a feedback
On the Presidential Directive, how active has the security
community and the information technology community been helpful
in that? And where are we in the progress under the
Presidential Directive?
Mr. Miller. I think there's some good news and there's some
bad news there. I think the good news is that the various
government agencies are trying to come up with a plan. We saw a
leaked version of it in the New York Times very recently, an
article by Mr. Markoff which focused on just the privacy issue.
But there has been extensive consultation, and I do commend the
people in the government for trying to get as much industry
input as possible into the process.
As an example of bad news, though, Mr. Chairman, I'll give
you one specific example. We were designed by the Department of
Commerce, as I mentioned in my testimony, as the sector
coordinator for the information technology sector along with
the Telecommunications Industry Association and the U.S.
Telephone Association. That office within the U.S. Department
of Commerce is probably going to be defunded in the year 2000.
So, on the one hand, we are trying to undertake activities in
conjunction with the Department of Commerce agency. On the
other hand, the Department of Commerce, even though they did
request some money, apparently it's not a very high priority.
Congress hasn't seen it as a high priority. So we're going to--
may find ourselves on October 1st being designated by the
sector coordinator of an office that no longer exists.
Mr. Horn. Well, we thank you for alerting us because we
ought to keep on top of that.
I'm going to have to declare a recess now so I don't miss a
vote. So we're in recess until Mrs. Morella returns to chair
the meeting. Thank you very much.
[Recess.]
Chairwoman Morella. Thank you, gentlemen and others, for
bearing with us as we had two votes instead of one vote. And
matter of fact, one was on----
Mr. Horn. Patent policy.
Chairwoman Morella. Yeah, patent policy, which might
interest some of you.
Ms. Rivers is here from Michigan, and I guess I'll start
off with a question or two and then let Ms. Rivers ask any
questions.
Mention was made--I think you, Mr. Miller, mentioned the
Presidential decision, Directive 63, which was issued in May of
1998, and that explains the Administration's policy on critical
infrastructure protection. Incidentally, we had the first House
hearing on the critical infrastructures report. The
infrastructures include telecommunications, banking and
finance, and all the essential government services. The
directive requires immediate Federal Government action,
including risk assessment and planning to reduce exposure to
attack.
Maybe I'd start off with you, Mr. Miller, in responding to
this, but I want to hear from the others, too. In your opinion,
has the implementation of this directive been effective? And
why or why not? Does more need to be done?
Mr. Miller. The process has been a little slower than I
think many of us anticipated, but maybe that's all for the
good. The trial CIAO office, which everyone sort of chuckles
at, but the Critical Information Assurance Office, which has
coordinated the development of the longer-term plan, has been
somewhat slow, but they have to engage numerous federal
agencies. They have done a good job, Madam Chair, I believe, of
trying to engage industry and academia in getting input in the
development of that plan. So I think they are moving forward in
a reasonable pace to come up with a plan.
It's very tricky, though, because the exact lines of
responsibility between the private sector and government--there
may be differing views, as I suggested in my testimony. The
private sector may believe that the government needs to be less
involved, and some people in government want to be more
involved.
The point I mentioned to Chairman Horn while you were away
was some of the things that disturb us, for example, is the
government, to industry, is not necessarily someone we like to
work with all the time. I have a little bit of concern about
it. One of the departments, however, I think industry is most
comfortable with is the Department of Commerce. The Department
of Commerce in the National Telecommunications Information
Agency, headed by Assistant Secretary Irving, has
responsibility for this critical information issue, and we were
designated, along with two other associations, as a sector
coordinator for the IT industry.
But now it looks like they are going to have no money for
FY 2000. There was a request for a small amount of money, I
believe $3.5 million, for FY 2000, but, candidly, I don't think
it's very high on the Administration's priority list. And from
what I understand, with all the pressures that you all have to
cut domestic spending, that money may disappear.
So that's an example of where we thought there were good
plans in place to try to move forward, and we were excited
about the opportunity to be the sector coordinator for the IT
industry. But if that agency funding goes away and there's
nothing in Commerce for us to work with, then in some sense
industry's role is back to square one. At least my sector's
role is back to square one.
Chairwoman Morella. Would any of the other panelists like
to comment on that? I'm going to ask a question also that you
might want to respond to at the same time. Do you think we need
a computer security czar? I don't mean to overuse that term,
but somebody in the Federal Government such as the role that
John Koskinen has played with Y2K that will be an oversee also
of critical infrastructures, computer security. Mr.
Pucciarelli?
Mr. Pucciarelli. Congresswoman, first a quick comment on
the Presidential Policy Directive 63. In general, the entire
area of cyber warfare and security is moving extremely quickly.
It's very difficult to design a solution, just from an
engineering perspective to design a solution to address a
threat, and to do it and get it implemented in a timely
fashion.
If you look at the typical procurement cycle right now,
from the time an engineering solution is designed until it's
presented, run through for hearings, funded and implemented, it
could take 2 years. The problem is, is that it's difficult to
anticipate--it's virtually impossible to anticipate 2 years
ahead of the threat what needs to be done because this area is
moving so quickly.
So just one comment on that is just I would counsel you to
look at the time lines to actually acknowledge the threat,
design a solution, and implement it.
As far as your question on the computer security czar, I
think there's a plus and a minus. My own personal perspective
and the perspective of the GartnerGroup is that security is an
enterprise issue. It is not an issue that belongs dedicated to
somebody who sits in the back room of the organization or off
to the side in an ancillary role. So I think there's a risk
with setting up a czar in that it might be viewed as something
that is the domain of the technical specialists.
I think the challenge is how do we elevate security to an
executive issue and an executive priority, and if a computer
security czar was able to portray the issue with that type of
presentation, I think there's an opportunity to have a very
positive impact.
Chairwoman Morella. Mr. Rich.
Mr. Rich. I support his statement. I think having a
computer security czar would probably be not a good idea, that
security is part of an infrastructure, an enterprise
implementation, and that we need to support the current
infrastructure assurance directives that have been put out
there.
Chairwoman Morella. Mr. Bennett, would you like to comment
on----
Mr. Bennett. I think that anything that's done has to draw
some very clear lines between government and corporate
enterprises. I think that the prospect of a czar might actually
frighten some corporations who may have some operations that
are even part of what you might consider infrastructure. I
mean, I think that there are a lot of large corporations out
there that would be happy to just have government approve their
international use of very strong encryption methods and then
stay out of the picture as far as their own security is
concerned until such time as there is--where their own security
procedures fail, and then they'll want the help of law
enforcement officials to try to track down whoever did it.
Their biggest issues right now do not involve a billion-
dollar fraud. If they look past Y2K and they're talking about
people taking things from them, they're worried about
competitive intelligence.
Chairwoman Morella. Would either of you like to comment on
Directive 63?
Mr. Rich. I haven't been myself involved a great amount
with the directive. From what I've observed and talking with
others, I support Mr. Miller's comment on that it's moving
maybe not as fast as some would expect, but I think it's moving
in the right direction. And I've seen a lot of corporations now
starting to talk to the government. I like the idea of
collaboration and trust. Unless we can get the point across to
the commercial organizations that the government can help and
not mandate or dictate and more or less work together, I think
we'll get longer--further down the path.
Chairwoman Morella. I didn't mean to be rigid when I said
computer security czar. I guess I'm thinking to implementation
of current policies in terms of coordinating. There is no doubt
in my mind we lack that in the Federal Government, but we can
get into that in some other questioning.
I would like to now recognize Ms. Rivers.
Ms. Rivers. Thank you, Madam Chair.
Mr. Miller, I have a question regarding funding you raised
in your written commentary, and I apologize that I wasn't here
for the testimony. But in your written statement, you raised
concerns that the $3.5 million that is now being allocated for
CIIAP is inadequate in your view or barely adequate. Are you
aware that the Commerce, Justice, State bill, appropriations
bill that we're going to vote on this afternoon, zeroes out
that program? And what will the effects be of that decision?
Mr. Miller. I heard--I haven't actually seen the language
of the legislation, Congresswoman Rivers, but I heard that they
were going to zero it out. I think that would be most
unfortunate from the perspective of private industry.
Clearly, the issue of information security has spread
throughout the government--the Department of Defense, the
Department of Justice, National Security Agency, et cetera, et
cetera. And, by the way, in response to Congresswoman Morella's
question, I would support a czar for exactly that reason.
But, clearly, the government is perceived by many people in
industry as kind of threatening, particularly if you're talking
to national security people or law enforcement people. To the
extent the industry is comfortable, I think they're most
comfortable talking to the Department of Commerce, and so
that's a logical place for business to communicate. And zeroing
out that budget item from within NTIA I think would be most
unfortunate. Even a relatively small amount, $3.5 million, is
better than nothing, and I think the problem is--I've spoken to
Assistant Secretary Irving about this--is he's already had
severe budget cuts over the last 2 or 3 years, and if this
money gets cuts down, he can't find it to take out of hide
somewhere else. So I'd hope that the Congress would take
another look at that, and whether $3.5 million is exactly the
right number or not, I don't know. But I hope the Congress
would take another look at that and put some funding in there
because that would make industry much more comfortable in terms
of working with government.
Again, there's no disrespect to the FBI or the Defense
Department, but if we have to talk to somebody, it's a lot
easier to talk to the Commerce Department.
Ms. Rivers. Thank you.
Mr. Pucciarelli, I have a question for you. In your
comments, you talk about a 70 percent probability that there
would be at least one electronic theft of a billion dollars,
which--I may not have it right, but that would seem to be the
biggest theft in our history. I mean, I don't think we've ever
had a billion dollar theft. And you use the terminology that
really reflects sort of the science of statistics.
How did you arrive at that?
Mr. Pucciarelli. What we do, Congresswoman, is, as part of
our recommendations at GartnerGroup, we have a practice of
assigning a probability to a particular prediction. And the
reason that we assign probabilities is so that our clients have
an ability to take these predictions and appropriately factor
them into their business plans. The probabilities were not
scientifically derived. They were arrived--derived based on
judgment, and there is an explanation of the probability
process in my formal written testimony which has been submitted
to the Committee.
Ms. Rivers. How do you translate a probability--or a
judgment into a 0.7 likelihood?
Mr. Pucciarelli. A 0.7 likelihood, in terms of how we
explain that to our clients and advise that to our clients, is
we would say that you should assume that this is likely to
happen. If you--if it had a 0.8 probability as an example, we
would say assume it will happen. So with a 0.7 probability
there is still some risk that it won't happen. The range of
probabilities that we publish goes from 0.6 to 0.9.
The whole notion and the whole purpose of this piece of
research was to advise our clients to escalate their risk
management practices. And in the context of that, what we are
really saying with the probabilities is that we believe it's
likely that there will be at least one large outrageous theft.
Ms. Rivers. So what you're saying is it's really not a
scientific tool, it's a sales tool?
Mr. Pucciarelli. No. That's--not at all, Congressman. What
my point was, it's not a sales tool at all. What it is is it's
a way for management within our client organizations to
appropriately weigh the probability.
Ms. Rivers. That's what I'm trying to understand, given my
training, is how you are creating your probabilities, what you
are actually using that can be replicated by someone else.
Looking at the same data, can they come up with the same
conclusion?
Mr. Pucciarelli. The way that we actually create the
probabilities is based on--first of all, it is not data. It
is--it is qualitative interactions with our clients and
qualitative assessments of what's going on in the environment.
The intention of the probabilities is to factor them into the
management process within our clients. So the idea is that we
can give our clients a degree of confidence as to how sure we
are that this will happen.
Ms. Rivers. What are the elements that you weigh in coming
to this conclusion?
Mr. Pucciarelli. We look at three different major aspects
in forming a probability. First we do primary research, which
is to look at the specific area. And as I testified earlier, we
did that based on direct examination and in conversations with
our clients, what was going on in terms of the process itself.
We then review preliminary findings with our clients and ask
their opinions and their assessments of our recommendations.
Then the third and most important thing is, before we publish a
recommendation and assign a probability, we--as a community of
analysts, GartnerGroup has over 700 analysts review the major
policy statements, and as a community of analysts, we have to
agree on what those probabilities are, and we have to agree
what the major statements are.
So this forecast represents a consensus position of
literally hundreds of people within our organization to
support--and it has to agree with their qualitative and
quantitative observations as well.
Ms. Rivers. Okay. Thank you.
Thank you, Madam Chair.
Chairwoman Morella. Thank you, Ms. Rivers.
Chairman Horn.
Mr. Horn. I've had 5 minutes, so let everybody else go, and
then I'll have one question.
Chairwoman Morella. Mr. Turner from Texas.
Mr. Turner. I will yield to Mr. Horn.
Chairwoman Morella. Chairman Horn? I mean, I'll ask a
question.
Mr. Horn. Let me just ask one question. I've appreciated
the various papers you four gentlemen have submitted.
You've suggested, Mr. Miller, that we grade federal
agencies on computer security, much like we currently do for
the year 2000 work. And I'm just curious, What categories of
criteria in relation to this subject would you suggest and use?
Mr. Miller. I think, Mr. Chairman, your grading system the
last 3\1/2\ years or so for the government's reliability and
readiness for Y2K has been a tremendous tool toward driving
them toward the successes that you mentioned in your statement
earlier today, and you deserve a great deal of credit, as does
Congresswoman Morella, for focusing attention.
A similar system, I believe, could be developed. I'm not
prepared to give you the exact criteria, but things like the
percentage of spending on IT devoted to computer security, the
attention paid by senior management to computer security;
reports of intrusions and detections of intrusions could be
another metric that you could look to. So I think you could
get--probably put together a fairly straightforward and easily
agreed upon list of indicia that you could use to use your
excellent grading system, and I think that would help drive the
agencies toward more attention to this problem.
Mr. Horn. Where do--where are the data on intrusions kept?
Is it simply by agency? Does OMB have any information that
they've collected over the years?
Mr. Miller. There are two sets of data. There are data from
the private sector, which are reported to what's called CERT,
the Computer Emergency Response Team, at Carnegie Mellon
University. They're, of course, voluntary reports. And to go
back to Congresswoman Rivers' question about hard data versus
theoretical data, I do note that the number of incidents
reported to CERT has increased dramatically over the last few
years.
Within the government, my understanding is that they don't
necessarily share information among agencies, and that's one of
the issues being looked upon--looked at within the PDD-63, is
to exactly how do you make sure that all the information is
being shared appropriately among the agencies.
Mr. Horn. Are the Carnegie information--are those data
accessible?
Mr. Miller. In some cases, the specifics are accessible,
and sometimes it's just the generic numbers. I think one of the
biggest challenges that this issues faces, as Mr. Pucciarelli
was suggesting in his earlier comments, is how much willingness
is there among companies as they mature to share information.
Certain industries such as the financial services industry have
already been exposed. Citibank had a relatively large potential
theft several years ago, and so Citibank is now wanting to talk
about this publicly. You can get them to go to any conference,
any open meeting, and they'll come and talk about it. But if
you ask 99 percent of all financial institutions or other types
of organizations, ``Do you want to admit times that you've had
intrusions or thefts or breakdowns?'' most of them are going to
be totally silent, totally mum.
So one of the challenges we've had as an industry, Mr.
Chairman, is figuring out how to get companies to share
information in a way that will help everyone fight off other
potential intrusions and threats, but at the same time not be
concerned that proprietary information will leak out or that
their competitors will get an advantage or it will leak to the
press and hit the stock price, et cetera. So companies are
always trying to balance these two things off. It's not just
the legal issue which you raised before in regard to the Y2K.
It's a whole set of potential down sides to exposing
information as opposed to the one up side, which is to sort of
be a good citizen and by reporting the information about an
intrusion that you had, you may save somebody else or you may
help to protect the entire economy. And we are not yet at a
position, I think, where the leadership of business in this
country has made that balance of that equation and said in all
cases we will share information. And one of the reasons is that
they're not sure about sharing information.
Let me just bring one more specific problem to your
attention, is the Shelby amendment. I think industry supports
the Shelby amendment generally. We believe that federally
funded research results should be available to the public. And
what Senator Shelby has done is good. But my companies have
come to me and said, Now, what if we share information and
there's some kind of federal grant involved with the
organization that has that information and we believe it's
confidential and then a FOIA request comes in? Government FOIA
exemptions can't be used because it's a private sector
organization. Then what do we do?
So I think that's not--it's an unintended consequence of
the Shelby amendment which is something we're trying to puzzle
through right now.
Mr. Horn. Yeah, well, as you know, we're going to struggle
through on that, and you have to protect the people that, let's
say, are trying to win the Nobel Prize or something. We
shouldn't have their data all around and polluted. That will
get tested soon enough. And we don't want to discourage
science. On the other hand, we don't want to--in this
situation, we're talking about, we don't want to have sitting-
duck targets because they say, boy, look at all the entries
there, let's see if we can do it. And I suspect that's worrying
some. The Good Samaritan law has helped on the year 2000 a bit,
and industry plants have been working with each other, from the
best we can understand on that. I don't know if that's your
feeling or not. There's much sharing of information.
Mr. Miller. Definitely. But it took legal action to do it.
But, again, if Long Beach State, your former institution, set
up a classified center and encouraged companies to provide
information and they got Federal funding somehow, what does the
Shelby amendment do to that data? It supposed to be sanitized.
It's supposed to be protected within this research center
within the university. But can someone use--I don't know, but
the questions have been asked. Can someone use the Shelby
amendment to come in and say I want access to all that data?
And suddenly the whole confidentiality system breaks down, the
trust breaks down, and no one supplies information to the Long
Beach State center. We've lost the whole purpose of the
organization in the first place.
Mr. Horn. Are there any questions and thoughts that none of
you have mentioned that you now would like to make? This is at
least my wrap-up question. Mrs. Morella might have many more.
But just what are we missing that we haven't really focused in
on?
Mr. Rich. Mr. Chairman, I'd like to make a quick comment
there. In the spirit of PDD-63, rather than requiring--or
asking people to give you their particular data on break-ins,
if we take a baby step and say how about sharing threat
information-these are people that are trying to touch you and
look at your networks but not successful in getting in--that
would be a first step in establishing the trust relationship.
Mr. Horn. That's a good suggestion.
Chairwoman Morella. Thank you, Chairman Horn. That's great.
This is so reminiscent of Y2K when we talk about failure to
and concern about sharing information and the coordination that
is necessary. And, of course, we're talking about computer
security that is troubled particularly because of Y2K
compliance.
With regard to the Shelby amendment, it's interesting that
here we are in the room where the ranking member, George Brown,
is the one who's introduced the legislation to get rid of the
Shelby amendment, and, of course, I've heard from National
Institutes of Health and a number of other institutions like
that that are hoping that--Mr. Miller, that you can--we can
work out some kind of a compromise.
I--in terms of where information may come from, I can
remember years ago, GAO, you know, when they came out with
their list of high-risk areas, they had Y2K there, and they've
had computer security there for some time. That maybe another
source of information to have GAO do further reporting. And, of
course, they've done a number of reports on problems with
computer security, particularly in DOD. And I wonder, the
inspector generals, would they not also be looking at this, or
should we be telling them to begin to look at this? I don't
know if any of you are cognizant.
Mr. Pucciarelli.
Mr. Pucciarelli. Congresswoman, I think that the whole
issue of computer security could clearly fall into the domain
of the inspector generals, and I think that depending on which
agency is looked at, I think you'll see different degrees of
activity in the area. I think that there's clearly an
opportunity to raise the issue on the agenda of the IGs, and,
again, I'll come back to my point earlier. The real challenge
is how do we get the leadership of the organizations involved
as well.
Yes, the IG is the means by which to do it, but the
challenge is how do we get it to the executives.
Chairwoman Morella. And you mentioned--Mr. Miller, you
wanted to comment.
Mr. Miller. I agree exactly with what Mr. Pucciarelli is
saying. That's why I endorse your idea of the czar, as long as
the czar is conceptualized the way Mr. Koskinen has
conceptualized the role, not that the czar----
Chairwoman Morella. Right.
Mr. Miller [continuing]. Is to fix everything himself or,
if it's a czarina, herself; but that, number one, that person
has the authority to go directly to Cabinet officers and make
sure that the Cabinet officers personally are paying attention
to the issue; that that person has the ability to work with the
private sector by organizing them by sectors, as Mr. Koskinen
has done very effectively. He's not trying to fix the problems
with the electricity industry or the retail industry, but he's
working with the appropriate private sector groups to do that.
Also, he or she would be able to coordinate among the
different agencies, and, frankly, it's a little confusing to
the private sector to know whether we should talk to people at
the CIAO or Mr. Hamre at DOD or people at the NIPC or people at
Commerce. It would be a little bit easier to, if there were
someone who had a central role and also had access directly to
the President and Vice President, as I believe Mr. Koskinen
does on Y2K issues.
Chairwoman Morella. And looking at the private sector, Mr.
Pucciarelli, you mentioned in your statement that many firms
have not taken--you used the term ``adequate steps''--to secure
and audit the year 2000 remediation process. I wonder, what do
you mean by adequate steps?
Mr. Pucciarelli. Congresswoman, in forming this scenario
that I identified, one of somebody stealing a large amount of
money, I started from the premise that somebody would do it.
And then I posed the question back to my clients and said how
likely is this to happen. And the response back from the
practitioners in the field was that, in general, the level of
security in their opinion was not very high. And that was one
of the reasons why I went forward with this research and deemed
it appropriate to recommend to the executive leadership of the
various organizations to take as a given that this is a likely
event and to implement risk management activities, which was
really the underpinning of what my research was.
It basically said you as leaders of these organizations
need to implement risk management because the details--the
people that are actually doing it, the practitioners, believe
that there is a relatively high risk.
Chairwoman Morella. Is implementing an independent
verification validation process going to mitigate the problems
and the trap doors?
Mr. Pucciarelli. To implement a comprehensive security
program, we have to cover three specific areas. We have to
cover people, process, and products. And when talk about
people, a metaphor might be to look at the bar exam. If we were
to look at process, it might be the equivalent of the FDA
certifying a surgical procedure, or a process might be the
certification of a particular software development process. And
a product might be the equivalent of the regulation that DOT
has for automobiles to meet safety standards or, in the public
domain, the UL underwriting seal of approval.
To get true security, we're going to have to approach it
from all three fronts.
Chairwoman Morella. I'm glad you wanted to respond, Mr.
Bennett, because I really felt I had to give you an opportunity
to engage since your point is that it's not Y2K that is the big
problem with computer security. So, sir?
Mr. Bennett. Well, I think I stated my point on the
relationship. I think they're both very important issues. I
just don't see them--the statistical inference there. But with
respect to the independent audit and the IG's role, it seems to
me that the independence of both an IG or an outside auditor is
one piece and the only piece that should be independent of line
management. While auditing on the one hand has to be
independent, someone has to come in and say how good a job
you're doing, there are a couple of stages that have to come
before that, and those, if you're ever going to make this work,
it seems to me, have to be done by line management because they
have to believe in what they're doing.
Now, in defense, there may be a different weighing that
takes place. How much--there's a certain drag on productivity
that's going to happen when you implement extra security
procedures. You try to minimize it, but it happens. That--
where--how much of a drag on productivity you're willing to
tolerate may be different if I'm trying to keep secret the
Nation's defense secrets. At the same time, if I'm a
corporation and I am trying to keep competitive information out
of my competitor's hands, which is very important, there's a
different drag on my productivity that I might accept.
So line management, first of all, has to decide how
important is it and to what level are we going to protect it or
try to protect it. And then there has to be an implementation
process, all of which should stay within line management. And
only then, after you've done those two steps, it seems to me,
without sort of alienating line management, who you need to do
those two steps, then there's a role for an outsider to come in
and say, okay, how good a job are you doing?
Chairwoman Morella. Prioritize, organize, then verify.
Mr. Rich. I'd like to recommend that we take a look, as was
mentioned here earlier about process, that over a period of
time in my time working in the government we had process,
accreditation for systems for security. And over a period of
time, the accreditation process failed to work because it
wasn't updated, that we would do the checklists and everything
was great. I think as the IG goes through the process of
checking, somebody should be checking the IG. Maybe that's the
computer security czar that you mentioned, as an oversight
position, that we have to keep up with the technology that
we're looking at as we go through that.
Chairwoman Morella. Thank you.
Mr. Turner.
Mr. Turner. I was really interested in knowing what
suggestions any of you might have regarding how we might
strengthen law enforcement in this area. It seems that it's an
area that we're really very ill equipped to deal with. We don't
have the expertise in local district attorney's offices. I'm
not even sure we have it in the Department of Justice.
But I think we really--there seems to be a need to take a
good look at the existing criminal laws. Obviously, some of the
laws fit. Theft is theft, I guess, no matter how you accomplish
it. But in any of the intrusions that don't result in outright
theft of dollars, I'm just not sure that the penalties are out
there, the laws are out there to really effectively deal with
this, nor is there the expertise available to fully prosecute
what appears to me, from listening to your testimony, to be a
growing area of criminal activity.
Am I correct on that? And do any of you have any
suggestions you might----
Mr. Miller. I think that's a very important point, Mr.
Turner. We're working very close with the Justice Department
Criminal Division on this, and they have asked, for example, to
help us help them put together a list of experts, cyber
experts, that they can call upon for--when they need to do
prosecutions so that the Assistant U.S. Attorneys around the
country, when they're referred these cases, frequently do not
have the kind of expertise that they may have in securities
fraud or other kinds of more traditional non-digital fraud. And
so we are working with Mr. Scott Charney and Attorney General
Reno to help put together a list of those experts that the
Assistant U.S. Attorneys can call upon.
Also, I have been told that the Justice Department is doing
training for state and local officials on cyber crime,
detection, investigation, prosecution. But how extensive that
is, I don't really know. You can contact the Justice
Department. I don't have any data on how many--how many
training sessions have been done.
I understand that when they do offer them, they are heavily
subscribed, that there's clearly a lot of interest among law--
local law enforcement officials to get this kind of training.
But how extensive the training is currently, I don't know.
Mr. Bennett. Congressman?
Mr. Turner. Yes?
Mr. Bennett. I believe you have the laws. You have got your
Computer Fraud and Abuse Act. You have the Espionage Act, which
covers trade secrets, and both of those have attempt parts to
them.
You also have a fair amount of expertise. It is growing
within the Department of Justice, but there's a fair amount of
expertise. When we call up on behalf of our clients and there's
been a problem, we do not get a befuddled person who has either
no interest or expertise in the area. We're generally directed
to somebody who does that for a living.
I think the only problem we're running into is the usual,
and that is, you've got to have enough time and so you've got
to allocate scarce resources even in the Department of Justice.
And the way they've allocated it, to use one example, one of my
clients called up, and someone had scanned their ports looking
for a way in, and they were very concerned that some--a
specific competitor, in fact, might have been the one doing it.
And they wanted to get to the bottom of it. And when we called
up, it seemed to us that there was a bright line from the
United States Attorney's Office, and that was, really, if you
can show us that they got in, then that's going to put it into
one basket over here and we're going to have the time to be
able to address it. If, on the other hand, you don't know
because your firewall software maybe only tracks unauthorized
attempts and maybe perhaps doesn't track authorized entries
that might have been fraudulent, then we're--maybe you ought to
go the civil route and try to discover this by suing the ISP
and getting the name and then going after them and finding out
who it is on your own.
And, clearly, you don't want to go down both those paths,
and we could really understand it. We ended up going down in
this last instance, which was only a few months ago, going down
the civil route and finding out that it was some teenage
hackers attempting to get into a corporate--past a corporate a
firewall. But the laws are certainly there. The expertise is
there and growing, at least at the Federal level, and now it's
just a matter of putting in a priority because I think they
have enough to do with the actual break-ins at this point.
Mr. Miller. Mr. Turner, my staff reminds me that Senator
Leahy has introduced a bill to provide $25 million a year to
the Department of Justice for state and local cyber crime
training. So obviously Senator Leahy at least believes there's
not currently sufficient funds and is trying to increase that.
Mr. Turner. Thank you, Mrs. Morella.
Chairwoman Morella. Thank you, Mr. Turner.
It seems to me there could be a problem with companies
overseas and the kind of security because they haven't had a
check to do--an opportunity to do background checks of--and
this made by the more prone to computer security problems with
Y2K. Would any of you like to comment on that, maybe what we
could do about it? You look ready, Mr. Bennett, then Mr.
Miller.
Mr. Bennett. I believe this problem's been with us for a
while, and to try to put it in perspective, if you got three
different levels of folks you might engage--and they've been
engaged over the course of time, at least in corporate America,
to work on IT systems there, your own employees, your domestic
contractors, and then foreign contractors, and I would suggest
that at this moment in most states in the United States you can
learn not very much about your own new employees for starters.
So, yes, it is true that there could be foreigners or
contractors who could pose a definite threat to your IT.
But right now, in the position of any ordinary employer--
not the government but an ordinary employer, we're just not
permitted to get the kind of information you can get, and so I
have a live threat right with my employees.
A second quick point is that--put aside just for a moment--
I know it's not the scope here, but to try to put this in
perspective, you've got the threat to your IT systems, and yet
in many, many companies today, the most valuable information
that they have walks out the door every single day with their
employees. It is not sitting on their computer system.
So when they put this whole thing into perspective for, you
know, the billion dollar fraud over here and then the foreign
threat and then even the domestic contractor threat, then the
employee threat, what they're really worried about is: How can
I find out information about the people who are here? And,
moreover, where are they going to go? In the State of
California, for example, companies cannot use non-competes for
some good and wholesome reasons. And so that means that my
employee can leave today, go down the street to my competitor,
and use that information.
Mr. Horn. I missed the word there. Companies cannot use
what?
Mr. Bennett. They cannot use--in California, as an example,
one cannot include a non-competition clause in a contract with
an employee to say, look, for 6 months after you leave here
please don't go down the street--or you may not go down the
street to our competitor to do the same kind of thing.
Mr. Horn. As you were talking, I was thinking, the whole
evolution of Silicon Valley is when somebody walked out and
started their own firm. American productivity.
Mr. Bennett. Absolutely correct. And now--and we've gotten
a lot of great things from that. In addition, we've gotten
ourselves a rash of trade secret lawsuits.
Chairwoman Morella. It seems to me--you know how we have
the metal detectors going into buildings such as ours? What we
really need is a mental detector, and a mental detector would
probably take care of a lot of that problem that you mentioned.
Mr. Bennett. God forbid.
Chairwoman Morella. Okay. Right.
Mr. Miller.
Mr. Miller. Two brief points. One is that there's
currently, in addition to the overall challenge of the shortage
of information technology workers in our country, there's a
specific subset of that. There's a huge shortage of people with
sophisticated security training or the ability to carry out
these jobs. Going back to Mr. Pucciarelli's earlier point about
people being one of the critical three elements, it's very
important. I know a very large, sophisticated firm which is
doing a lot of work on a contract basis for the government has
1,500 positions to fill, and they have 1,000 people, and they
can't find the other 500 because, first of all, you can't use
foreign workers 99.9 percent of the time so you can't fall back
on H(1)(b)s or anything like that. You can't even fall back on
permanent residents. Most of the time they have to be U.S.
citizens. They have to have security clearance. They have to
have sophisticated training, et cetera, et cetera.
So that's a big job. I know Attorney General Reno and other
people are trying to focus on some kind of a cyber corps idea
where there'd actually be government incentives, scholarships
or a sort to encourage people to get the kind of sophisticated
training that they could become specialists in information
security. So I think that's an issue.
Also, on the international front, Chairwoman Morella, I
know that this is a huge issue in terms of laws. How do you
enforce the security laws? And right now the U.S. Government is
engaged in discussions with the G-8. Attorney General Reno I
know is discussing with other members of the G-8, but it gets
to be a huge issue in cyberspace. Let's talk about things like
child pornography and getting access. What laws do you use? Do
you let Muammar Qadhafi start issuing subpoenas for information
that it wants to get from AOL because it believes somebody in
Libya who's an AOL customer is violating the laws of Libya? How
do you enforce those kind of laws? So there's some incredibly
open-ended questions out there right now in terms of our cyber
crimes on the international front which are just at the
earliest, earliest stages of discussion right now.
Chairwoman Morella. Mr. Rich.
Mr. Rich. Yes. I'd like to mention a couple of months ago I
went to a national infrastructure protection conference out in
Denver, and I support the idea of Mr. Miller mentioning the
cyber corps approach. I think that would go a long way, similar
to the Peace Corps, in incentivizing those to bring up the
awareness within the security area. And then they have a little
payback to the government for helping them through school, or
similar.
Mr. Horn. If I might be yielded to for a question, I
probably haven't unloaded on you my feelings on when that visa
deal comes up. I was outraged by it. Why am I outraged by it?
Very simply, we've got a community college system--certainly in
California where it was founded, there's 107 campuses in
California and we've got a Silicon Valley and San Diego, Orange
County, and Santa Clara County, and popping up hopefully in
other counties. And they need to work together, and we should
not be importing people. We should be training our own people.
When I think of the classrooms I go to where students are
now exposed to computing, and it seems to me we're derelict
both in education in California--and I've unloaded on many of
the community college presidents and said, Where are you on
this? And where are the CEOs in Silicon Valley that ought to be
sitting down with them saying this is the kind of curriculum we
need if they're going to be helpful to us? That was the whole
purpose of the community college, was both vocational and
academic. And you need both to be a good programmer.
And I would hope that they would be working together so
they could get the trained force. These are $60,000 jobs, and
there are a lot of bright kids. Escalante showed that in the
Los Angeles schools, you can teach young people to be as good
as anybody, as good as they are at Harvard. And these students
proved they could do it. And that's what we ought to be doing,
but we need the equipment, which is--the state is always
behind, every state in the Nation is behind when it comes to
giving and granting and providing computer equipment. And if
you're going to work on new generations, this is where Silicon
Valley can take a tax writeoff, or wherever, and get something
out of it.
But your associations, it seems to me, would be very
helpful to be where you get these people together, both the
community college president and the CEO of a computer firm. We
shouldn't have to be importing people from all over the world,
and we shouldn't have to need a government program. I mean, the
best education deal in America are the community colleges.
There's very little tuition. At least in California it is; in
Texas it is. So why aren't we taking advantage of that? Are we
still going to just keep importing thousands of people? They're
all wonderful people, but what about our own people? That's
where I'm coming from.
Mr. Miller. Did you want a comment, or is that just an
observation?
Mr. Horn. Well, I'm just saying--I'd like a comment, and I
think--you know, where is that industry and where are those
educators to be linked up to get the job done?
Mr. Miller. Well, I do disagree with you on the immigration
question, but I don't disagree with you on your fundamental
point, Mr. Chairman. Our educational system is still an
educational system designed for the industrial age, not the
information age. And we are trying to work with community
colleges. In fact, I recently met with the President of the
American Association of Community Colleges to discuss potential
collaborative activities. We're also working with particular
outreach to minority communities. I think as you know, in the--
even though--for example, African Americans are 11 or 12
percent of the overall U.S. workforce; they're only about 5 or
6 percent of the IT workforce. So we're involved in some
initiatives in that area, also.
The challenge is to do both at the same time, though. It
does take time for people to be trained and educated, and we
have to incentivise them to come in. And I think that's why I
was suggesting that government, cyber corps or IT tax credit
training such as the legislation that Senator Conrad and
Congressman Moran have introduced to try to create incentives.
I do believe, Mr. Chairman, that community colleges are
much more responsive than universities are in terms of
adjusting their curriculum. And you have several in California
which have done--moved relatively quickly. But it's--I think
the late Governor of Florida once said, the only thing harder
to move than a cemetery was the university faculty. So I think
they find that trying to change, getting rid of Russian history
and political science department for computer science
departments isn't always easy; whereas, at community colleges
they can move quite quickly. And certainly you see places like
Contra Costa Community College. The one that's usually thrown
up as the best example is Maricopa Community College in the
Phoenix area where they work very closely with Motorola, Intel,
and other semiconductor manufacturing firms for training.
So I think we're getting there, Mr. Chairman. It's just
slower than we'd like.
Mr. Horn. Well, that's where you have to take these massive
systems because most of that is done at the local college, and
that's why I suggested the community college. There's more
flexibility for the reasons we all know than in the major
research universities around.
But if you're doing it, I think that's wonderful. We don't
need a government program to do it. We just need you guys on
the phone, and gals, to work it out.
Chairwoman Morella. I think we also need the partnerships
of academia and the business sector and even government, you
know, state government, maybe Federal Government in some way,
also being kind of part of that partnership. But we have,
Chairman Horn and I and Ranking Member Turner, been aware of
the personnel needs throughout this whole thing, Y2K, now
computer security, and we're trying to do something even
legislatively on that, too, to increase fellowships and, as you
mentioned, the cyber corps. We'll continue to work on that with
your help.
Just a wrap-up, if there are any comments from any one of
you, real briefly, in terms of what we should be doing now
since we have only that 149 days left to the end of--until we
reach 2000, recognizing whether Y2K has been remediated or not
with regard to computer security. Any final comments for us?
Mr. Miller. My only concern is--and I don't think this is
Mr. Pucciarelli's intention in releasing his report--is that
people don't move more slowly on Y2K because they're concerned
about information security. He's correct that information
security has to be part of your Y2K, but I hope no one who
reads that article uses that as an excuse not to do their Y2K
remediation. I certainly know that wasn't his intent. I know
that Gartner has been one of the strongest advocates for Y2K
remediation. But one could imagine a situation where someone
would misinterpret that message instead of the message being to
be more conscious of security and say, well, that's one more
excuse not to get my Y2K solution done. So I hope this hearing
will help to send the message that that is not the intention. I
assume Mr. Pucciarelli would agree.
Chairwoman Morella. Thank you.
Mr. Pucciarelli. Yes, Mr. Miller. I appreciate your
comments.
Congresswoman, one final thought that I have is that simply
reminding folks, reminding organizations, enterprises, and the
leaderships of those organizations of the need to redouble
their efforts and maintain the appropriate risk management
criteria while they complete their Y2K remediation activities.
And I think that even having this hearing on this matter has
served a very important purpose to that end. I think that
encouraging the various federal agencies and departments along
the same lines would also be of benefit.
Again, clearly our intention was not to suggest that you
should--that organizations should go slower, but to merely
point out that risk management activities have a role as well.
Chairwoman Morella. Thank you.
Mr. Rich, a final comment?
Mr. Rich. Yes, ma'am. I'd like to basically agree here with
both of the gentlemen here in that people shouldn't slow down,
they should pick it up a little bit and keep vigilant as we go
toward the year 2000. And I hope these hearings will allow
people to look at other aspects rather than just focus on Y2K
remediation.
Chairwoman Morella. Good point.
Mr. Bennett.
Mr. Bennett. I believe that if there are companies out
there that are still doing serious remediation and are not now
doing contingency planning, then they probably have even more
serious issues than worrying about that trap that's probably
been set somewhere in one of the other companies that's now
doing contingency planning.
Certainly a call has been made to the security officers,
and they need to pay attention, as they always have. I think
the message from this Subcommittee ought to be to keep focused
on the Y2K effort.
Chairwoman Morella. I want to thank all of you, and before
we adjourn, I just want to mention the staff that have been
very helpful always in contacting you and putting some things
together: J. Russell George, who's with the Government Reform
Subcommittee, Matt Ryan, Bonnie Heald, Grant Newman, Chip
Ahlswede, and Seann Kallagher; our Technology Subcommittee,
Jeff Grove and Ben Wu, and the clerk, Joe Sullivan. And there
are others: Michele Ash, Trey Henderson, Earley Green, Jean
Gosa; and the court reporter, Chris Bitsko. I think I covered
everybody. Good.
Thank you. You were just a splendid panel. I hope you'll
feel free to contact us at any point with any of your
suggestions or recommendations. And as usual, if we could--have
other members who may have questions and any other questions we
may have, if we may forward them to you. Great. Thank you.
The Committee is now adjourned.
[Whereupon, at 12:06 p.m., the Subcommittee was adjourned.]
[GRAPHIC] [TIFF OMITTED] T0842.043
[GRAPHIC] [TIFF OMITTED] T0842.044
[GRAPHIC] [TIFF OMITTED] T0842.045
[GRAPHIC] [TIFF OMITTED] T0842.046
[GRAPHIC] [TIFF OMITTED] T0842.047
[GRAPHIC] [TIFF OMITTED] T0842.048
[GRAPHIC] [TIFF OMITTED] T0842.049
�