<DOC> [106th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:74152.wais] COMPUTER SECURITY: CYBER ATTACKS--WAR WITHOUT BORDERS ======================================================================= HEARING before the SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION, AND TECHNOLOGY of the COMMITTEE ON GOVERNMENT REFORM HOUSE OF REPRESENTATIVES ONE HUNDRED SIXTH CONGRESS SECOND SESSION __________ JULY 26, 2000 __________ Serial No. 106-252 __________ Printed for the use of the Committee on Government Reform Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform ______ U.S. GOVERNMENT PRINTING OFFICE 74-152 DTP WASHINGTON : 2001 _______________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON GOVERNMENT REFORM DAN BURTON, Indiana, Chairman BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California CONSTANCE A. MORELLA, Maryland TOM LANTOS, California CHRISTOPHER SHAYS, Connecticut ROBERT E. WISE, Jr., West Virginia ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York STEPHEN HORN, California PAUL E. KANJORSKI, Pennsylvania JOHN L. MICA, Florida PATSY T. MINK, Hawaii THOMAS M. DAVIS, Virginia CAROLYN B. MALONEY, New York DAVID M. McINTOSH, Indiana ELEANOR HOLMES NORTON, Washington, MARK E. SOUDER, Indiana DC JOE SCARBOROUGH, Florida CHAKA FATTAH, Pennsylvania STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland MARSHALL ``MARK'' SANFORD, South DENNIS J. KUCINICH, Ohio Carolina ROD R. BLAGOJEVICH, Illinois BOB BARR, Georgia DANNY K. DAVIS, Illinois DAN MILLER, Florida JOHN F. TIERNEY, Massachusetts ASA HUTCHINSON, Arkansas JIM TURNER, Texas LEE TERRY, Nebraska THOMAS H. ALLEN, Maine JUDY BIGGERT, Illinois HAROLD E. FORD, Jr., Tennessee GREG WALDEN, Oregon JANICE D. SCHAKOWSKY, Illinois DOUG OSE, California ------ PAUL RYAN, Wisconsin BERNARD SANDERS, Vermont HELEN CHENOWETH-HAGE, Idaho (Independent) DAVID VITTER, Louisiana Kevin Binger, Staff Director Daniel R. Moll, Deputy Staff Director James C. Wilson, Chief Counsel Robert A. Briggs, Clerk Phil Schiliro, Minority Staff Director ------ Subcommittee on Government Management, Information, and Technology STEPHEN HORN, California, Chairman JUDY BIGGERT, Illinois JIM TURNER, Texas THOMAS M. DAVIS, Virginia PAUL E. KANJORSKI, Pennsylvania GREG WALDEN, Oregon MAJOR R. OWENS, New York DOUG OSE, California PATSY T. MINK, Hawaii PAUL RYAN, Wisconsin CAROLYN B. MALONEY, New York Ex Officio DAN BURTON, Indiana HENRY A. WAXMAN, California J. Russell George, Staff Director and Chief Counsel Bonnie Heald, Director of Communications Bryan Sisk, Clerk Trey Henderson, Minority Counsel C O N T E N T S ---------- Page Hearing held on July 26, 2000.................................... 1 Statement of: Molander, Roger, senior research, RAND; and John Pescatore, vice president and research director, Network Security, Gartner Group.............................................. 152 Schaeffer, Richard C., Jr., Director, Infrastructure and Information Assurance, Office of the Assistant Secretary of Defense (Command, Control, Communication, and Intelligence); Mario Balakgie, Chief Information Assurance Officer, Defense Intelligence Agency, Department of Defense; and Jack Brock, Director, Governmentwide and Defense Information Systems, U.S. General Accounting Office 109 Spotila, John T., Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget........ 49 Vatis, Michael, Director, National Infrastructure Protection Center, Federal Bureau of Investigation; Juris Reksna, chief of State Police, Ministry of Internal Affairs, Latvia; Stefan Kronqvist, chief, Computer Crime Unit, National Crime Investigation Department, Sweden; Juergen Maurer, detective chief superintendent, German Federal Police Office; Elfren L. Meneses, Jr., Anti-Fraud and Computer Crimes Division, National Bureau of Investigation, Philippines; Ohad Genis, advocate, chief inspector, National Unit for Fraud Investigations, Israel Police; and Edgar A. Adamson, chief, U.S. National Central Bureau-- Interpol................................................... 9 Letters, statements, etc., submitted for the record by: Adamson, Edgar A., chief, U.S. National Central Bureau-- Interpol, prepared statement of............................ 87 Balakgie, Mario, Chief Information Assurance Officer, Defense Intelligence Agency, Department of Defense, prepared statement of............................................... 118 Brock, Jack, Director, Governmentwide and Defense Information Systems, U.S. General Accounting Office, prepared statement of......................................................... 130 Davis, Hon. Thomas M., a Representative in Congress from the State of Virginia, prepared statement of................... 6 Genis, Ohad, advocate, chief inspector, National Unit for Fraud Investigations, Israel Police, prepared statement of. 82 Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of................. 3 Kronqvist, Stefan, chief, Computer Crime Unit, National Crime Investigation Department, Sweden, prepared statement of.... 36 Maurer, Juergen, detective chief superintendent, German Federal Police Office, prepared statement of............... 43 Meneses, Elfren L., Jr., Anti-Fraud and Computer Crimes Division, National Bureau of Investigation, Philippines, prepared statement of...................................... 70 Molander, Roger, senior research, RAND, prepared statement of 154 Pescatore, John, vice president and research director, Network Security, Gartner Group, prepared statement of..... 161 Reksna, Juris, chief of State Police, Ministry of Internal Affairs, Latvia, prepared statement of..................... 26 Schaeffer, Richard C., Jr., Director, Infrastructure and Information Assurance, Office of the Assistant Secretary of Defense (Command, Control, Communication, and Intelligence), prepared statement of....................... 111 Spotila, John T., Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget, prepared statement of...................................... 52 Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of............................ 5 Vatis, Michael, Director, National Infrastructure Protection Center, Federal Bureau of Investigation, prepared statement of......................................................... 12 COMPUTER SECURITY: CYBER ATTACKS--WAR WITHOUT BORDERS ---------- WEDNESDAY, JULY 26, 2000 House of Representatives, Subcommittee on Government Management, Information, and Technology, Committee on Government Reform, Washington, DC. The subcommittee met, pursuant to notice, at 10:02 a.m., in room 2157, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding. Present: Representatives Horn, Davis, Turner, and Maloney. Also present: Tatjana Antonova, Latvian interpreter. Staff present: J. Russell George, staff director and chief counsel; Ben Ritt, GAO detailee; Bonnie Heald, director of communications; Bryan Sisk, clerk; Elizabeth Seong, staff assistant; Will Ackerly and Davidson Hulfish, interns; Trey Henderson, minority counsel; and Jean Gosa, minority clerk. Mr. Horn. A quorum being present, the hearing of the House Subcommittee on Government Management, Information, and Technology will come to order. I apologize for being a little late. It's the first time it has happened, but we had a party conference this morning and we got a new Member, so that takes a little time. That is Mr. Marty Martinez, who switched parties to come with us because he wanted common sense government. From the ``ILOVEYOU'' virus to attempts to enter the space shuttle's communication system, cyber attacks are on the rise. Every day new viruses and attempted intrusions bombard vital computer systems and networks within U.S. Government agencies and private industries. Sometimes the attackers are simply seeking the thrill of breaking into a supposedly secure system. Other times, however, the motive is far more sinister-- vandalism, industrial espionage, intelligence collection, or creating a doorway for a future attack. As the ``ILOVEYOU'' virus clearly demonstrated, these attacks can originate from nearly anywhere in the world. Many experts say this is only the tip of the iceberg in terms of the number of attacks, their sophistication and their destructiveness. In the United States and in many other countries, law enforcement agencies and private organizations collect and share information on these worldwide computer attacks. However, not all countries have the capability to detect them, warn others, or even prosecute the hackers once they have been identified. In the United States, the Federal Bureau of Investigation and the Departments of Commerce and Defense all have a role in tracking and investigating cyber attacks. Many other agencies and private organizations also track and share this critical information. Other countries also have law enforcement agencies and organizations set up to investigate and share cyber attack information. But among the variety of players, who is coordinating an efficient, effective response to this international problem? Today, we will examine the challenges of coordinating these cyber attack investigations. Our witnesses represent cyber crime investigation units in several countries, including the United States. They will discuss their experiences. There is a great need for a sharing of these experiences daily, weekly and at least monthly. Alliances such as the North Atlantic Treaty Organization should work together if we will be able to win these cyber wars. We welcome each of our witnesses. We appreciate many of you that have taken a long journey to come here, and we look forward to the testimony you will submit, and it will be put through the processes to go to the full House of Representatives after this and other hearings have come by. So we will now turn to the ranking member, the gentleman from Texas, Mr. Turner, for an opening statement. [The prepared statement of Hon. Stephen Horn follows:] [GRAPHIC] [TIFF OMITTED] T4152.001 Mr. Turner. Thank you, Mr. Chairman. We know that the United States and many industrialized nations now depend on the interconnected computer system that we call the Internet. We know that it supports critical operations in the private sector as well as government. And we understand that the increased reliance upon the Internet has caused us to be highly vulnerable to cyber attacks. These cyber attacks know no boundaries and can occur from anywhere in the world. I had the opportunity to visit with some members of the European Parliament a few weeks ago and it came home to me how much we have in common in terms of trying to deal with the new systems that are in place upon which we all know we depend for our very livelihood. It is important for law enforcement agencies throughout the world to work cooperatively in the defense against those who would perpetuate computer crimes. And in order to more effectively fight this battle, we need to coordinate our information sharing and cooperate as an international community to be sure that we are protecting our citizens and our livelihoods. This committee has had three hearings now on this subject and many of you on the panel today have traveled long distances to come and share your thoughts with us, for which we are extremely appreciative and grateful. I look forward to hearing from each of you, and I hope that this can be a part of our continuing effort to work nation to nation to ensure that we can defend against cyber attacks and protect the security of our systems. Thank you, Mr. Chairman. [The prepared statements of Hon. Jim Turner and Hon. Thomas M. Davis follow:] [GRAPHIC] [TIFF OMITTED] T4152.002 [GRAPHIC] [TIFF OMITTED] T4152.003 [GRAPHIC] [TIFF OMITTED] T4152.004 [GRAPHIC] [TIFF OMITTED] T4152.005 Mr. Horn. We thank you very much for all you have done to pursue some of these real questions and we appreciate that. We are now turning to the witnesses. We are notified that we might have to recess for the first vote of the day, and that is one of the problems we have when we are in the middle of a hearing where we would rather keep going. Our duty is to get over to the floor and get back. So that might happen around 10:30. So I would like to begin with this panel. The way this operation works with all presentations, since it is an investigating committee, is that we swear all the witnesses in on a truth oath. And we will call--when we call on you based on the agenda, the full written statement of yours and the resume goes into the record so we don't have to hear the paper you gave us read. We like you to summarize it because that way it permits a dialog within the panel as well as the Members who will be here. So we do not want you to really read your work; just summarize it for us. We will now ask to you stand and raise your right hands. [Witnesses sworn.] Mr. Horn. The clerk will note that all the witnesses have taken the oath. We start with Mr. Michael Vatis, the Director, National Infrastructure Protection Center of the Federal Bureau of Investigation. Mr. Vatis. STATEMENTS OF MICHAEL VATIS, DIRECTOR, NATIONAL INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION; JURIS REKSNA, CHIEF OF STATE POLICE, MINISTRY OF INTERNAL AFFAIRS, LATVIA; STEFAN KRONQVIST, CHIEF, COMPUTER CRIME UNIT, NATIONAL CRIME INVESTIGATION DEPARTMENT, SWEDEN; JUERGEN MAURER, DETECTIVE CHIEF SUPERINTENDENT, GERMAN FEDERAL POLICE OFFICE; ELFREN L. MENESES, JR., ANTI-FRAUD AND COMPUTER CRIMES DIVISION, NATIONAL BUREAU OF INVESTIGATION, PHILIPPINES; OHAD GENIS, ADVOCATE, CHIEF INSPECTOR, NATIONAL UNIT FOR FRAUD INVESTIGATIONS, ISRAEL POLICE; AND EDGAR A. ADAMSON, CHIEF, U.S. NATIONAL CENTRAL BUREAU--INTERPOL Mr. Vatis. Thank you, Mr. Chairman, Congressman Turner; I very much appreciate the opportunity to testify before you today, particularly in the presence of so many of my international colleagues. I am not aware of any previous hearing that has had so many international law enforcement officials together in one place, especially on an issue where international cooperation is so vital to our success. So I applaud the committee for holding this hearing in this manner. As you know, the National Infrastructure Protection Center was set up in February 1998 and authorized by Presidential Decision Directive 63 to serve as the government's focal point for collecting information about cyber threats and attacks, analyzing that information, issuing pertinent warnings to both government agencies and private industry, and also coordinating the government's response to attacks that do occur. That mission requires cooperative arrangements with a variety of entities, both governmental and in the private sector. We need to have close relationships with other Federal agencies, with State and local law enforcement, with the private sector owners and operators of the Nation's critical infrastructures and, most pertinent to this hearing, with our foreign law enforcement counterparts, and we try to achieve those cooperative arrangements through a variety of mechanisms. With other Federal agencies, the first mechanism is by having those agencies represented in the NIPC, which is, while located at FBI, an interagency center. So we have numerous representatives from various components of the Department of Defense, from the Intelligence Community, from the Department of Commerce, and from other agencies as well. We also have State and local law enforcement representation, as well as foreign liaison representation. That interagency composition allows us to coordinate more effectively when there is an incident or when there is the requirement to share information across agencies and with the private sector as well. We also reach out to the private industry through a variety of outreach initiatives, including our InfraGard program, which is an initiative to share information about incidents in a two- way fashion, both so industry can share information with us that they become aware of and so we can share information with them about incidents that we become aware of through law enforcement or intelligence means. In addition, we reach out to our private industry counterparts through various conferences and outreach initiatives to try to generate awareness and to convince them of the need to raise security in general, because even with all of our warning efforts, if we do not have better security there is no way we can really make headway against this problem. The situation right now is such that vulnerabilities are so rampant throughout the Internet that until the bar is raised against attacks, all of the government's efforts really would be wasted. So we are trying to work in tandem with the private sector to encourage it to raise the level of security while also improving our ability in the government to respond to attacks and issue warnings effectively. Finally, with regard to foreign law enforcement, I think it is commonly understood now that in the area of cyber crime, foreign cooperation is absolutely critical because the Internet knows no boundaries. It is as easy to launch an attack from a foreign country as it is from within the United States. And as a result, we are increasingly finding that our investigations lead us to foreign countries, where we have to seek the assistance and cooperation of the domestic law enforcement agency because we don't have the authority or the capability to conduct searches or witness interviews or electronic surveillances in a foreign country. So international cooperation is absolutely critical. We have had a number of cases over the last 2 years which have demonstrated, I think, a great improvement in our ability to coordinate with foreign countries. In 1998, we had the Solar Sunrise incident, which involved wide scale intrusions into Department of Defense computer networks. We tracked down the intruders with the assistance of the Israeli National Police and identified two juveniles in the United States and several individuals in Israel who were responsible for those intrusions. This year, we had the arrest of an individual in the United Kingdom who had broken into Web sites and stolen credit card numbers and posted many of those numbers on a Web site. That case was successfully resolved because of close cooperation between the FBI and a local Welsh police service. We also had most notably the denial of service attacks in February of this year--many of those attacks have been attributed to a juvenile in Canada--based in large part on very close working relationships between the FBI and the Royal Canadian Mounted Police. And then finally we had the ``Love Bug,'' or ``ILOVEYOU'' virus in May of this year. And in that case too, a suspect was identified in the Philippines really with unprecedented speed, based again on the very close working relationship between the FBI and the Philippines National Bureau of Investigation. So I think all of those major successes demonstrate that we have made a great deal of progress in improving coordination with foreign law enforcement agencies. There is clearly a long way to go because there are so many countries in the world, and as we see the Internet continue to expand we're not going to need cooperation just from our close allies within the G-8 or within European countries and our traditional allies in Asia, but we are going to need more cooperation from countries that we have not traditionally worked together with, and that will pose even more challenges as we try to continue to expand our network of contacts. So I look forward to answering any questions that you have, but I think that sums up the situation from the U.S. perspective. [The prepared statement of Mr. Vatis follows:] [GRAPHIC] [TIFF OMITTED] T4152.006 [GRAPHIC] [TIFF OMITTED] T4152.007 [GRAPHIC] [TIFF OMITTED] T4152.008 [GRAPHIC] [TIFF OMITTED] T4152.009 [GRAPHIC] [TIFF OMITTED] T4152.010 [GRAPHIC] [TIFF OMITTED] T4152.011 [GRAPHIC] [TIFF OMITTED] T4152.012 [GRAPHIC] [TIFF OMITTED] T4152.013 [GRAPHIC] [TIFF OMITTED] T4152.014 [GRAPHIC] [TIFF OMITTED] T4152.015 [GRAPHIC] [TIFF OMITTED] T4152.016 [GRAPHIC] [TIFF OMITTED] T4152.017 Mr. Horn. Well, thank you very much. We appreciate that, Mr. Vatis. Our next witness has traveled a long way to come here, so we are going to listen very carefully to the gentleman's testimony. It is Mr. Juris Reksna, chief of the State Police, Ministry of Internal Affairs in Latvia. He is accompanied by a translator, Tatjana Antonova. And we thank you very much for coming and sharing your information with us. [Note.--The following testimony was delivered through an interpreter.] Mr. Reksna. Mr. Chairman and members of the subcommittee, I am honored here to represent the Republic of Latvia and I would like to express my gratitude for the invitation to participate in this hearing. The Latvian police and FBI cooperation has been extensive and has helped investigations in the U.S.A., resulting in the identification of violent criminals and the recovery of substantial amounts of funds for possible return to victims of crime in the U.S.A. The cooperation increases every day, and the training that was provided by FBI and other U.S.A. law enforcement agencies has helped greatly. The funds, 500,000 U.S. dollars, provided by the U.S.A. Congress to Latvia for the purchase of equipment to fight organized crime, will allow Latvia to move into the cyber age more rapidly and to allow for the examination and analysis of data, and this will assist the U.S.A. in addressing crimes which have truly become transnational and the attempt to use Latvian banks on the Internet to escape detection. The fight against cyber crimes is the responsibility of the criminal police of Latvia, which is a part of the National State Police. Three percent of our cases have international components. Most are threats that are being sent through anonymous Internet servers that are located outside the territory of Latvia, as well as attempts of hackers to break into financial institution computer systems. As my time is limited, I will ask my interpreter to read the recent cases during the 2 years that took place in Latvia. These are the synopses of criminal cases that have taken place: The so-called Terrorist Victor case. In March 1997, information was received about an explosive device placed in a shop. The police had neutralized this device. Shortly after that, e-mail threats have been sent by an anonymous person who called himself Victor, claiming to continue terrorist acts and demanding ransom. As a result of investigation it was determined that Victor telephoned from a mobile phone that was illegally connected to the networks of Sweden, Norway and Finland. As a result of joint efforts made by law enforcement agencies from Sweden, Norway, Finland, Estonia, Austria, Russia, the U.S.A., Victor was identified. He was sentenced for 7 years in prison. In the Lowes Home Improvement Center bombing case in North Carolina an individual planted several explosive devices in the stores which exploded and injured five persons. The criminal demanded money from the company and stated it should be wired to Paritate Bank in Latvia. The Latvian police, in coordination with the FBI LEGAT and the FBI office in Charlotte, NC, were able to track telephone calls, provide information on the account holder in the U.S.A. and his use of the bank's Internet banking service, which he thought would be difficult to trace because of the Internet and the location of the bank in Latvia. The case of ``stockgeneration.com'' is worth mentioning as well. This pyramid scheme using the Internet was having money wired to Rietumu Bank in Latvia and attempted then to wire transfer it to accounts in Russia and elsewhere. The case is ongoing and being worked in conjunction with LEGAT Tallinn, the Boston division of the FBI, the Securities and Exchange Commission in Boston, and the Internal Revenue Service. Cooperation between the United States and Latvia and Estonia has resulted in the freezing of $5.5 million for potential return to U.S. victims. Cyber crimes have really become transnational. Therefore, the following measures should be taken urgently to ensure our success in battling cyber crimes. Joint international training in order to improve international response to cyber intrusions; close cooperation is necessary with all the partners on an international and national level in order to prevent and investigate cyber crimes more effectively; we should continue to develop and improve the current legislation in this issue; the Internet has become a major aspect of everyday life for the world's society. That is why international cooperation, mutual understanding and support is vitally important in order to improve our capabilities to locate and identify criminals. Thank you for your attention. [The prepared statement of Mr. Reknsa follows:] [GRAPHIC] [TIFF OMITTED] T4152.018 [GRAPHIC] [TIFF OMITTED] T4152.019 [GRAPHIC] [TIFF OMITTED] T4152.020 [GRAPHIC] [TIFF OMITTED] T4152.021 [GRAPHIC] [TIFF OMITTED] T4152.022 [GRAPHIC] [TIFF OMITTED] T4152.023 [GRAPHIC] [TIFF OMITTED] T4152.024 [GRAPHIC] [TIFF OMITTED] T4152.025 Mr. Horn. That is perfect timing if I ever saw it. We just have a vote now, so we are going to have to recess for about 15 minutes here and vote and come back. Two votes, so it might be 20 minutes. So we are in recess. Mr. Davis. Mr. Chairman, could I ask unanimous consent that my statement be put in the record? Mr. Horn. Without objection, the gentleman's opening statement will be put after the ranking member as if read. Thank you. With that, we are in recess for 20 minutes. [Recess.] Mr. Horn. The recess is over and we will go to the next witness, Mr. Stefan Kronqvist, chief, Computer Crime Unit, National Crime Investigation Department, Sweden. We thank you for coming the long flight you did have. So please proceed, and if you could summarize it in 5 to 7, 8 minutes, that would be appreciated. Mr. Kronqvist. Thank you, Mr. Chairman, Congressman Turner. Thank you for the opportunity to appear before you today to describe the situation on combating cyber crime from the Swedish point of view. On the reorganization of the Swedish police force, the National Criminal Investigation Department is the central responsible authority for operational police activities. Responsibilities of the national CID include criminal intelligence service, certain qualified criminal investigations and support to the local police authorities. The NCID is functioning as central level coordinator for the combat against organized crime. Further, the NCID is responsible for operational international police cooperation, operation and serving as National Central Bureau of the Interpol and the national Europol units. The Information Technology Crime Unit of the NCID has instructions to maintain and develop national support activities in order to assist the local police authorities in surveying and investigating IT crime. The unit provides training, developmental tools and techniques and also carries out operational activities by conducting house searches and interviews and analyzing seizures and also by tracing and identifying persons who use the Internet and its services and functions as targets or means in the commission of crime. Recently, we established a 24-hour service, one reason being that Sweden had joined the G-8 Network contact point for high-tech cases. The IT unit at NCID is processing some 500 cases yearly. Of these cases about 50 percent are Internet related. Practically all Internet cases have an international component. The Internet knows no boundaries and no border lines. For a good many years the NCID has enjoyed a state of close and comprehensive cooperation with the FBI. We have had several investigations where we worked with the FBI and perhaps the best known case would be the E911 case in which our unit cooperated with the FBI in an effort to trace and identify a Swedish suspect who, by means of illegal telecommunication, periodically locked the E911 lines in a major area in Florida. One element of this cooperation was to set up a tracing team with Swedish and U.S. telecommunication operators. This was a rather complex operation, which could not have succeeded without the professional skill and dedication of the units and the investigators involved. The E911 case was very instructive, not least because the perpetrator posed a threat to infrastructure functions. FBI Director Mr. Louis Freeh described the incident ``as a dress rehearsal for a national disaster.'' The main problem we are facing in Internet crime is obtaining access to useful information from foreign Internet providers and responsible Web managers. Normally, a provider asks for a court order, subpoena, or other form of domestic disposition before information is supplied. Such a decision must be preceded by an international letter rogatory, a time consuming procedure, as we all know. It is my understanding that certain criminal operators are well aware of this. One way of addressing this problem that suggests itself would be international agreements to release subscriber information and logged IP addresses and other useful information to law enforcement authorities in another country without the requisite of a formal rogatory request. The transmission of information would be handled via special contact points in order to secure authority and make sure that the information does not fall into the wrong hands. In order to ensure the quality of documents or information, probably some kind of authorization or licensing of Internet operators might be a possible alternative. You may probably not get to the actual criminals that way, but what do they care about regulations anyway? Thank you for your attention. [The prepared statement of Mr. Kronqvist follows:] [GRAPHIC] [TIFF OMITTED] T4152.026 [GRAPHIC] [TIFF OMITTED] T4152.027 [GRAPHIC] [TIFF OMITTED] T4152.028 [GRAPHIC] [TIFF OMITTED] T4152.029 [GRAPHIC] [TIFF OMITTED] T4152.030 Mr. Horn. Well, we thank you very much. That is a very fine presentation, and we can learn a lot from it. Our next witness is Mr. Juergen Maurer, detective chief, superintendent, German Federal Police Office. Mr. Maurer. Mr. Chairman, ladies and gentlemen, I am very pleased and sincerely honored to receive the opportunity to address the members of this honorable committee. My name is Juergen Maurer. I am a Leitender Kriminaldirecktor of the German Criminal Police Office, or BKA. I am the head of the Subdivision Central Services within the BKA and, among others, responsible for the undercover program and the foreign liaison program of the BKA. In this context, allow me to give you some short background information about our office. The BKA was founded in 1951. In Germany, based on our Constitution, police work is in general within the jurisdiction of the Federal states. The BKA law constitutes an exemption from this principle. As a result of this exemption, the BKA is, among others, the German National Center Bureau of Interpol and the main law enforcement agency in the field of international organized crime and terrorism cases. The BKA is also the primary police agency dealing with cyber crime. The bulk of cyber crime cases handled by the BKA has an international component. A special reporting system has been set up for information and technology crime and shows that about 50 percent of ICT cases have an international component. Cooperation with partner agencies from abroad is mainly through the 24-hour contact points for international high-tech and computer-related crime established by the G-8 countries. In addition, there are contacts with the United States using our BKA liaison officers at our Embassy in Washington, DC, or the FBI liaison officer posted to Frankfurt, Germany, on a case-by- case basis. Contact with the NIPC on a case-to-case basis has occurred so far only in connection with the distributed denial of service attacks in February this year. The case showed that even though the cooperation was very good, there is still a need to establish a more efficient and effective way of exchanging information. In late June this year, representatives of the BKA and NIPC discussed possibilities to enhance the cooperation. The overall investigative cooperation of BKA and FBI has a long tradition and has proved very successful. We work together in a significant number of organized crime and white collar crime cases. There has also been a very successful cooperation with the FBI concerning fugitive cases. Within the BKA, the IT crime section has about 30 officers and the following tasks: collection and analysis of IT crime information; national reference point on IT crime; assistance and training for other investigative units; analysis of data carriers and storages; Internet investigation; and the so- called data network patrol. In this unit, 15 police officers in an overt, nonconcealed manner are surfing the net and developing criminal cases in identifying the perpetrators. In 1999, around 1,100 cases with the suspicion of crime were detected; 90 percent of these cases were child pornography cases, 81 percent of these cases had an international component; 62 percent of these cases had a connection with the United States. What should have priority in the future? First, victims of cyber intrusions as well as ISPs should keep and make available log files providing information about the IP addresses used by the criminal or other information that may help identify the criminal. It would also assist investigators if the ISP created technical prerequisites for the surveillance of on-line communications comparable to telecommunications interception for them to be conducted straight away if required by law. Second, there is already a variety of training and advanced training courses organized on the international level. However, more training should be provided. There is a need to create uniform training standards for investigators at the international level and establish points of contact for partner agencies from abroad to guarantee a great information flow. Third, many victimized companies in Germany are still hesitant to file a criminal complaint with the law enforcement agencies because they feel loss of prestige. For the benefit of law enforcement, it seems important to forge cooperation partnerships with the system administrators of the victims to obtain the required information more quickly. In urgent cases; for example, extortion and danger to life and limb, access to the raw data should be possible without having to go through the time consuming standard formalities under international law. Also some types of computer crime and cyber intrusions in particular require an immediate response by the law enforcement community since data needed as evidence are usually stored for a short period of time only. That was pretty much I wanted to stress. Thank you very much for your attention. [The prepared statement of Mr. Maurer follows:] [GRAPHIC] [TIFF OMITTED] T4152.031 [GRAPHIC] [TIFF OMITTED] T4152.032 [GRAPHIC] [TIFF OMITTED] T4152.033 [GRAPHIC] [TIFF OMITTED] T4152.034 [GRAPHIC] [TIFF OMITTED] T4152.035 [GRAPHIC] [TIFF OMITTED] T4152.036 Mr. Horn. Thank you very much. We will go out of order because we are trying to help on a situation that a member of the executive branch has here. So if you might, we are going to start with his testimony, since he has to be elsewhere. John T. Spotila is the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget, which is part of the President's Executive Office of the President. STATEMENT OF JOHN T. SPOTILA, ADMINISTRATOR, OFFICE OF INFORMATION AND REGULATORY AFFAIRS, OFFICE OF MANAGEMENT AND BUDGET Mr. Spotila. Good morning, Mr. Chairman. Thank you for inviting me here to discuss administration efforts in the areas of computer security and critical infrastructure protection. The President has given high priority to cyber security and the protection of our Nation's critical information assets. He understands the growing risks that our Nation faces from cyber threats and has taken a series of steps outlined in my written testimony to develop our cyber defenses. In his fiscal year 2000 budget, the President proposed some $2 billion for agency critical infrastructure protection and computer security programs. This would be an increase over last year's enacted total of $1.8 billion. It would include funding to detect computer attacks, coordinate research on security technology, hire and train more security experts, and create an internal expert review team for nondefense agencies. These initiatives are vitally important. Regrettably, many of our requests for security funds face an uncertain future in the appropriations process. We critically need funding for the National Institute for Standards in Technology and the Critical Infrastructure Assurance Office at Commerce, for the Federal computer incident response capability, and the Federal intrusion detection network at GSA, for public key infrastructure work at Treasury, and for the scholarship for service effort at the Office of Personnel Management and the National Science Foundation. It has been particularly difficult to gain support for crosscutting initiatives, despite their importance to our computer security efforts. We should be more open to innovative approaches in this area and look for opportunity for synergy and interagency cooperation. OMB plays a key role in government computer security efforts. In February, we issued important guidance to the agencies on incorporating security and privacy requirements in each of their fiscal year 2002 information technology budget submissions. In the future, when requesting approval for information technology funds, agencies must demonstrate how they have built adequate security and privacy controls into the life cycle maintenance and technical architectures of each of their systems. Without an adequate showing, the systems will not be funded. OMB Circular A-130 sets forth governmentwide policies for a wide variety of information and information resource management issues. It addresses agency management of information and information systems, including capital planning and investment control. Appendix 1 sets privacy policy. The soon to be issued appendix 2 defines policy for information architectures and implementation of the Government Paperwork Elimination Act. Appendix 3 sets security policy. Importantly, appendix 3 requires Federal agencies to adopt a minimum set of risk-based management controls. Four controls are described: assigning responsibility for security, security planning, periodic review of security controls, and management authorization. These controls are intentionally not technology dependent. Instead, they focus on the management controls agencies need to assure adequate security. Technical and operational controls should support these management controls. We believe, as GAO has said, that our computer security policies are properly focused on a risk-based cost-effective approach and reflect the right balance between strong security and mission needs. Good design and good planning are the keys to successful security. For good design, security must be compatible with and enable, not unnecessarily impede, system performance, business operations, and the mission. When security unnecessarily slows the system or hinders the mission, users often work around it or ignore it completely. To work effectively, security must be part of the system architecture, built in so that users will buy in. Good planning requires that we fund security and privacy as part of the life cycle costs for each system. To identify a true system cost and adequately plan for future system or program operations, we must account for all of the resources necessary to operate the systems, including security. Our approach provides maximum flexibility for agencies so that they can make appropriate informed choices in applying necessary security controls that are consistent with their unique circumstances. Most security problems come not from a lack of policy, but rather from ineffective or incomplete implementation of existing policies and guidance. We are very much aware of this risk in the Federal context. There is much more to be done before we reach full implementation of our existing security guidance. As my written testimony describes, we are working on a number of specific projects to assist the agencies and enhance governmentwide security. These include testing a systematic process of identifying, assessing, and sharing effective security practices; finalizing security performance measures against which agencies can assess their security programs; creating a formal process for coordinating our governmentwide response to cyber incidents of national significance; and promoting more timely agency installation of patches for known vulnerabilities. These are innovative efforts that show great promise. They need congressional support if we are to fulfill that promise. We appreciate your interest in all of these matters and look forward to continuing our close cooperation with the committee in this important area. We value our partnership with you and hope that this hearing will mark a further strengthening of our joint efforts on behalf of the American people. Thank you. [The prepared statement of Mr. Spotilla follows:] [GRAPHIC] [TIFF OMITTED] T4152.037 [GRAPHIC] [TIFF OMITTED] T4152.038 [GRAPHIC] [TIFF OMITTED] T4152.039 [GRAPHIC] [TIFF OMITTED] T4152.040 [GRAPHIC] [TIFF OMITTED] T4152.041 [GRAPHIC] [TIFF OMITTED] T4152.042 [GRAPHIC] [TIFF OMITTED] T4152.043 [GRAPHIC] [TIFF OMITTED] T4152.044 [GRAPHIC] [TIFF OMITTED] T4152.045 [GRAPHIC] [TIFF OMITTED] T4152.046 [GRAPHIC] [TIFF OMITTED] T4152.047 [GRAPHIC] [TIFF OMITTED] T4152.048 [GRAPHIC] [TIFF OMITTED] T4152.049 [GRAPHIC] [TIFF OMITTED] T4152.050 Mr. Horn. Thank you, Mr. Spotila. I would like to ask a few questions before you leave. OMB Circular A-133, section 3, so forth, requires that agencies have an incident response capability to address security incidents in a system and to share information concerning common vulnerabilities and threats. The incident response capability shall share information with other organizations and assist the agency in pursuing appropriate legal action consistent with the Department of Justice guidance, is our reading of that. Have all the agencies complied in developing an incident response capability? Mr. Spotila. Mr. Chairman, to varying degrees, all of the agencies have sought to comply. One of the areas of focus, and I go into a little more detail in the written testimony, and we certainly would be happy to work very closely with you on this--that we in OMB have been focused on is how to get all the agencies to do a better job at this. And again some are better at it than others in the nondefense area. We think that part of the answer is integrating it into their overall approach to information technology, not just an add-on, in other words, approach, but to integrate it into all of their planning. And although we are making progress, we also recognize there is much we need to learn, including how it is we assess how well they are doing. We are working with the CIO counsel and the agencies to develop popular metrics performance measures. We know there is a lot more work to be done here. Mr. Horn. Are all agencies fully participating in the sharing of information on shared threats and vulnerabilities? Mr. Spotila. To my understanding, they all are. I am not aware of any that have resisted that, for example. Mr. Horn. What, if any, guidance will OMB issue that outlines a framework for sharing such information in an international context? Is there some thinking going on that? Mr. Spotila. We have discussions under way. I don't know that we have made a decision as to what type of guidance would be appropriate in the international context. Our focus has been clearly with nondefense agencies and our focus has been obviously threats can come from anywhere in the globe. We are aware of that. But in terms of communicating outward in the international context, I think that is something that remains to be discussed and we are open to suggestions from you if you think we should do more. Mr. Horn. Are we looking at the Embassies to help in this regard? I know in some cases we have appropriate security people. Or are you thinking of doing that and/or also direct contact with our security people and a particular nation's security people? Mr. Spotila. There is obviously here an area where the State Department has had a lead in terms of focusing on security, particularly relating to the Embassy, and the Defense and National Security Agencies have been addressing this for some time. One of the questions is whether there is more that needs to be done beyond that and, if so, to what extent OMB should issue guidance. I think this is an area where we need to work on it in a continuing way. The threat is evolving. The nature of the technology is evolving, and I think that we need to continually look at whether there is more that should be done. Mr. Horn. Well, as you have suggested here, the computer security policy development and oversight that OMB has, and I take it then will plan some policy on international information and sharing and coordination? Mr. Spotila. I would be happy to get back to you, Mr. Chairman, with a written response if you like and could perhaps elaborate on this more. Mr. Horn. That is fine. Does the FBI's Carnivore program provide information and data to the National Infrastructure Protection Center? I would like to ask you and Mr. Vatis where we are on that. Mr. Spotila. Mr. Vatis is probably much more familiar with the details of that than I am. Mr. Horn. So OMB has not really been involved with that? It has been left to Mr. Vatis's organization? Mr. Spotila. We have not been directly involved in that to my understanding. We're aware of it now and I know that we have asked for further information on it. Mr. Vatis. Mr. Chairman, the Carnivore technique and other methods for electronic surveillance are the province of the FBI's Laboratory Division. The NIPC is one of the consumers of those techniques, just as the Organized Crime Program, the Counterterrorism Program, etc., are users of that technique. And my understanding is that we have had a small number of computer intrusion cases that have used that technique through the Laboratory Division. Mr. Horn. Before you leave, Mr. Spotila, I was obviously interested in the $1.8 billion last year and now $2 billion this year. Did representatives of the administration make their case before either the authorization committees or the appropriations subcommittees? Mr. Spotila. My understanding is they have. And I think that some of these decisions remain out there in the initial markups. A number of these areas are not being funded, which has been raised certainly to a level of concern internally. Sometimes that reflects perhaps less of a willingness to deal with crosscutting initiatives that affect lots of agencies, particularly in a context of relatively lean resources at the subcommittee level. This is a transition area. That is one of the reasons that I refer to it in my testimony. We are all in a position of change here and as we try to work with the agencies to look for crosscutting approaches, one of the realities is that the appropriations process is not always set up to look at it the same way. We obviously have not been effective enough in making the case because the record thus far in terms of how the appropriations subcommittees are dealing with it is not as good as we would like it to be. But the process is not over, which is one of the reasons we wanted to call it to your attention as well. Mr. Horn. I am delighted that you did. And if you want to give me a letter that I can play postage man with the appropriators, I would be glad to do it. Mr. Spotila. Certainly, we will do that. We will followup with that. Mr. Horn. Thank you very much and I know that you have---- Mr. Spotila. Thank you very much, Mr. Chairman. Thank you for your courtesy. Mr. Horn. OK. Back to the regular order. Our next speaker has come a long way also, and that is Mr. Elfren Meneses, the Antifraud and Computer Crimes Division, National Bureau of Investigation of the Philippines. Mr. Meneses. Mr. Meneses. Mr. Chairman, members of this committee, good morning. I am Elfren Meneses. I come from Manila, Philippines and am presently employed in the National Bureau of Investigation. My agency is under the Department of Justice, and its history is that it started as a Division of Investigation in the Department of Justice and later on organized as the National Bureau of Investigation under Republic Act 157 in June 1947. Under the Republic Act 157, as amended, the NBI is empowered to investigate crimes and other offenses against the laws of the Philippines both at its own initiative and as public interest may require; to assist when officially requested in the investigation or detection of crimes and other offenses; to act as national clearinghouse of criminal records and other information for use of all prosecuting and law enforcement entities in the Philippines; to give technical help to all prosecuting and law enforcement officers, agencies of the government, and courts which may ask for its service. Its added functions include to investigate Tanodbayan cases; to actively participate in the activities of the ICPO- Interpol; and to perform such other related functions as the Secretary of Justice may assign from time to time. The NBI is composed of six services; namely, the Special Investigation Services, which is based in Manila and charged with the investigation of common crimes, heinous crimes, white collar crimes, and transnational crimes. The other services are the Regional Operation Service, the Domestic Intelligence Services, the Technical Services, the Administrative Services and the Controller Services. The investigator in the National Bureau of Investigation is called an NBI agent with the qualification that he must be a member of the Philippine Bar or he must be a lawyer or a Certified Public Accountant. He must be between the ages of 24 and 35 years old and must not have a derogatory record. On the issue of computer law of the Philippines, a week after the start of the investigation of the ``ILOVEYOU'' virus by the National Bureau of Investigation, the 11th Congress of the Republic of the Philippines and the Senate started reviewing pending bills in both houses. On June 14 of this year, President Joseph Ejercito Estrada approved Republic Act No. 8792, entitled ``An act providing for the recognition and use of electronic commercial and noncommercial transactions, penalties for unlawful use thereof, and other purposes.'' It is also called as our E-commerce Act. Prominent in this law is section 33 of Republic Act 8792 wherein it states: The following acts shall be penalized by fine and/or imprisonment, as follows: Hacking or cracking, which refers to unauthorized access into or interference in a computer system/server or information and communications system, or any access in order to corrupt, alter, steal or destroy, using a computer or other similar information and communication devices without the knowledge and consent of the owner of the computer or information and communication system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, attack or loss of electronic data, message, or electronic documents, shall be punished by a minimum fine of 100,000 pesos and a maximum commensurate to the damage incurred and a mandatory imprisonment of 6 months to 3 years. Now, on the issue of international cooperation, the cooperation between the National Bureau of Investigation and the FBI Legal Attache in Manila in the investigation of cyber intrusion is excellent. Fast and constant exchange of information by both offices is always assured. Technical people from the FBI are immediately sent to the Philippines upon need to confirm evidence gathered by the NBI agents. To update the NBI agents in their investigation of cyber intrusions, Legal Attache in Manila recommends the training of agents at the FBI Academy in Quantico, VA or any FBI-sponsored training conducted in the Philippines. An example of this is the investigation of the ``ILOVEYOU'' virus wherein both offices, the NBI and FBI Legal Attache, worked closely from the startup to the termination of the investigation and even after the filing of the case before the Department of Justice of the Philippines. Another example of cooperation by both offices is the arrest and deportation of U.S. fugitives in the Philippines. As of the end of June this year, there were 15 U.S. fugitives arrested, 13 of which were deported to the United States, two are still in the process of extradition. At this point in time, we also coordinated during the Y2K millennium bug. And in line with its international relations, the NBI is actively participating in tracing perpetrators of cyber intrusions, as well as personalities known for bank fraud and other electronic commercial offenses. These efforts the NBI will continue to pursue as it honors its commitment to the global community. At this stage I would like to thank you, Mr. Chairman, for inviting us here and to give our statement. Thank you very much. [The prepared statement of Mr. Meneses follows:] [GRAPHIC] [TIFF OMITTED] T4152.051 [GRAPHIC] [TIFF OMITTED] T4152.052 [GRAPHIC] [TIFF OMITTED] T4152.053 [GRAPHIC] [TIFF OMITTED] T4152.054 [GRAPHIC] [TIFF OMITTED] T4152.055 [GRAPHIC] [TIFF OMITTED] T4152.056 [GRAPHIC] [TIFF OMITTED] T4152.057 [GRAPHIC] [TIFF OMITTED] T4152.058 [GRAPHIC] [TIFF OMITTED] T4152.059 [GRAPHIC] [TIFF OMITTED] T4152.060 Mr. Horn. We definitely appreciate all you have gone through and we are delighted to have you share those experiences with the rest of us. So we will get to some of that more in the question period. We will now go to Mr. Ohad Genis, advocate, chief inspector National Unit for Fraud Investigations, Israeli Police. Welcome. Mr. Genis. Good morning and shalom to everyone. And by the way it is Genis, not Jenis. On behalf of the Israel Police, I would like to thank you for this tremendous opportunity to appear before you and discuss our point of view concerning cyber crime and international cooperation. Of the 50 cyber crime cases dealt with by our department, 20 cases had an international component. I would like to stress that our department does not handle all the cyber crime cases in Israel. Cases that are of local interest or that do not require intensive organization are done by the field units and, unfortunately, I don't have their data. However, I can estimate that more than 30 percent of our cases require international cooperation and there is definitely a growing number of cases--of requests, sorry, for international assistance. In the global arena when referring to the Internet as a borderless scene of a crime, an effective international cooperation is the key to success. And when I say effective, I mean both the accuracy of the data received from abroad and the time it takes to be transferred. Today, all of the Israel ongoing cooperation is with the United States, which we warmly welcome since you always deliver the goods with the help of the great and most efficient legal attaches in Israel, Special Agents Kerry Gleicher and Scott Jessey, and we enjoy an excellent working relationship with the FBI. However, during an investigation when we are obliged to request for international assistance, due to the complexity of the legal process, we know for sure that we have lost the time momentum and that the entire investigation will be put on hold for weeks and sometimes for months until we receive the relevant information, and I'd like to elaborate briefly on that. We all know that in order to transfer data from one computer to another we must use a protocol, and the protocol used on the Internet is the Transmission Carrier Protocol, known as the TCPIP. This protocol identifies each and every computer connected to the Internet by a number called IP address, Internet Protocol address. And theoretically, each and every computer connected to the Internet receives a unique IP address. We all use this IP address to trace our suspects. And most of our requests are for the identity of the user who used this specific IP address, or what was the IP address used by the user who sent a specific e-mail message. For this data we still have to wait weeks and months and we believe that what is required today is the establishment of a central organization which will handle all requests for international assistance with on-line access, which will accelerate all the legal process--all the process of requesting international assistance. Another matter that I'd like to mention is conducting international conferences. International conferences have proved themselves as being most efficient in all aspects of international cooperation, including sharing of experience, views and assumptions of solutions to common problems, etc. I had the privilege of participating in a conference held at the FBI Academy in March this year, and I can state categorically that our investigations have--our investigations benefited significantly from that conference in many aspects. I would also like to mention that most of the foreign investigators, including the FBI investigators, felt that meeting face-to-face would assist us in our future cooperation. I'd like to mention the time it takes for us to receive requested assistance from abroad now can be used by the hackers and they can to their advantage gain from this complication of law enforcement and use it to their own benefit, where in these investigations the time is of the essence. In summation, I would like to say that in the high technology era, the establishment of an international center that would handle requests--international requests with on-line access and conducting international conferences and trainings would be the key to a successful joint effort in fighting cyber crime. Thank you very much. [The prepared statement of Mr. Genis follows:] [GRAPHIC] [TIFF OMITTED] T4152.061 [GRAPHIC] [TIFF OMITTED] T4152.062 [GRAPHIC] [TIFF OMITTED] T4152.063 Mr. Horn. We thank you very much. That's very helpful case study. We now go to Mr. Edgar A. Adamson, the Chief of the U.S. National Central Bureau, Interpol. Thank you for coming. Mr. Adamson. Mr. Chairman, thank you for providing me the opportunity to participate in today's subcommittee hearing on computer security issues. I am currently assigned to the position of Chief of the U.S. National Central Bureau of Interpol. I am a U.S. Treasury Special Agent with 30 years of experience with the Customs Service Office of Investigations. The Interpol U.S. National Central Bureau is a component of the Department of Justice with representatives from 16 different U.S. Federal law enforcement agencies, including a management team from both the Department of Justice and the Department of Treasury. As you are well aware, the information revolution has changed the world forever, transforming the way we think and the way we use information. Our dependence on these new sources and methods grow daily, and at least some part of nearly every interaction we undertake now occurs within this virtual world. Of course, this widespread dependence increases our vulnerability to criminal activity. The ease with which criminals can access the means necessary to commit cyber crimes, the multiple jurisdictions in which these crimes are committed and the lack of adequate legislation for computer-related crime and the seemingly risk- free environment for the cyber crime perpetrator are all factors that point to a likely increase of this type of crime in the future. Cyber crime is truly international in character as the electronic frontier has no bounds. It demonstrates that the need for international law enforcement cooperation has never been greater. To respond effectively, the U.S. law enforcement authorities must be able to overcome some very real cultural, linguistic, legal and digital barriers that complicate the positive exchange of criminal investigative information across national administrations and sovereign boundaries. Interpol exists to facilitate this critical exchange among its 178 member countries and provides the necessary framework, rules of police cooperation, and essential tools and services that promote the adoption and use of international standards, foster best practice, and permit investigative results. Interpol recognizes the severity of the cyber crime challenge and is committed to achieving effective computer security and cyber enforcement through the development and delivery of operational programs and training and the establishment of international standards and the promotion of best practices worldwide. Interpol is in the unique position to facilitate timely and reliable notification concerning intrusion attempts and information on the widespread computer viruses through its worldwide communications network. The strength of the Interpol organization lies in the frame of law enforcement information exchange. Interpol has established rules for police cooperation in its 178 countries. Interpol has been around for 75 years. It is the only global police organization. Worldwide on-line communications network links its membership. It is reliable, immediate, global, and it overcomes all the cultural, linguistic, and legal barriers. The Interpol organization participates with other international organizations and national regional bodies. It participates and is a member of the G-8 Subgroup on High-tech Technology. It participates in the Council of Europe, and has observer status at the United Nations. Regarding cyber crime, Interpol is a means again as to whereby we can exchange information on the varieties of cyber crime. We have a point of contact in all countries for immediate notification of security computer alerts, etc. We again work with the G-8 High-tech Subgroup. We coordinate training programs and we have various neutral forum meetings to develop best practices. In recent years, the United States has made a strong commitment to Interpol. The U.S. Customs Commissioner Raymond Kelly has served for the last 3 years as Vice President for the Americas on Interpol's 13-member guiding Executive Committee, and FBI Deputy Director Tom Pickard has announced his intention to continue U.S. leadership in the organization and will stand for election to the Interpol Executive Committee this November. Also this November, Ronald K. Noble will become the first non-European and the first American to hold the position of Interpol General Secretary--Secretary General in Lyon, France for a 5-year term. His candidacy was strongly supported by the heads of U.S. law enforcement organizations and prevailed on a platform of change to realize the organization's full potential. His vision for Interpol advocates greater inclusion for all its member nations and better use of electronic communication tools to increase the speed, accuracy and reliability of law enforcement exchange. In conclusion, Interpol membership and participation increases the likelihood for detection, timely notice and law enforcement response to cyber intrusions. It also permits access to a 24-hour network of international experts and over 40 countries in a secure and confidential manner. Our ability to deal effectively and efficiently with cyber crime can be enhanced through competency building for less experienced enforcement agencies worldwide and through continued coordination and cooperation among U.S. law enforcement agencies dealing with various aspects of this emerging crime area. I thank you again for permitting me the opportunity to address the subcommittee, and I am happy to answer any questions. [The prepared statement of Mr. Adamson follows:] [GRAPHIC] [TIFF OMITTED] T4152.064 [GRAPHIC] [TIFF OMITTED] T4152.065 [GRAPHIC] [TIFF OMITTED] T4152.066 [GRAPHIC] [TIFF OMITTED] T4152.067 [GRAPHIC] [TIFF OMITTED] T4152.068 [GRAPHIC] [TIFF OMITTED] T4152.069 [GRAPHIC] [TIFF OMITTED] T4152.070 [GRAPHIC] [TIFF OMITTED] T4152.071 [GRAPHIC] [TIFF OMITTED] T4152.072 [GRAPHIC] [TIFF OMITTED] T4152.073 [GRAPHIC] [TIFF OMITTED] T4152.074 [GRAPHIC] [TIFF OMITTED] T4152.075 [GRAPHIC] [TIFF OMITTED] T4152.076 [GRAPHIC] [TIFF OMITTED] T4152.077 [GRAPHIC] [TIFF OMITTED] T4152.078 [GRAPHIC] [TIFF OMITTED] T4152.079 [GRAPHIC] [TIFF OMITTED] T4152.080 [GRAPHIC] [TIFF OMITTED] T4152.081 [GRAPHIC] [TIFF OMITTED] T4152.082 [GRAPHIC] [TIFF OMITTED] T4152.083 [GRAPHIC] [TIFF OMITTED] T4152.084 [GRAPHIC] [TIFF OMITTED] T4152.085 Mr. Horn. Thank you very much. That is a very helpful statement. We now move to Mr. Richard Schaeffer, Jr., Director, Infrastructure and Information Assurance, Office of the Assistant Secretary of Defense for Command Control Communication and Intelligence. Join us up here, and we will join the others also. If we might get you all around that table, we would appreciate it, if the staff would do that. Might get another table over here. But we like to have a dialog once we are done with all of the presenters, and I would just as soon have everybody at the same table if that is possible. Mr. Schaeffer, please proceed. STATEMENTS OF RICHARD C. SCHAEFFER, JR., DIRECTOR, INFRASTRUCTURE AND INFORMATION ASSURANCE, OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE (COMMAND, CONTROL, COMMUNICATION, AND INTELLIGENCE); MARIO BALAKGIE, CHIEF INFORMATION ASSURANCE OFFICER, DEFENSE INTELLIGENCE AGENCY, DEPARTMENT OF DEFENSE; AND JACK BROCK, DIRECTOR, GOVERNMENTWIDE AND DEFENSE INFORMATION SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE Mr. Schaeffer. Thank you, Mr. Chairman. I appreciate the opportunity to be here today to discuss this very important topic. To set the stage for my remarks, I'd like to say a few words about the environment in which the Department of Defense [DOD], conducts its daily operations during peacetime, during crisis, and even during war. The Department's steadily increasing dependence on a global information environment over which it has little control heightens its exposure and vulnerability to a growing number of increasingly sophisticated internal and external threats. Globally internetworked and interdependent information systems tend to level the playing field between allies and adversaries and offer adversaries access to potentially high value, low risk information infrastructure targets. These targets, if successfully attacked, have the potential to impact the full spectrum of DOD operations. To attack a large number of systems, an adversary need only find and attack a single exploitable connection to the system. Once inside the system, an adversary can exploit it and the systems networked to it. Further, with every advance in information technology, new vulnerabilities are created that must be quickly discovered and effectively neutralized. Providing for the protection of the defense information infrastructure is one of the Department's highest priorities and most formidable challenges. Within the DOD, we have established detailed procedures for the coordination of all cyber events. The Joint Task Force-Computer Network Defense [JTF-CND], was formed on December 30, 1998, to provide a single command with the authority to coordinate and direct the defense of the DOD computer systems and networks. Prior to the formation of the JTF, no single entity had the authority to coordinate and direct a DOD-wide response to a computer network attack. The JTF-CND and the NIPC, the National Infrasfructure Protection Center, form a strong collaborative team for dealing with attacks on DOD systems. Over the past 18 months, the JTF-CND has developed processes for identifying attacks against DOD networks, assessing the importance of those attacks, notifying appropriate headquarters of the information, developing and implementing responses to them, and coordinating with external organizations such as the NIPC. The DOD relies on the NIPC to coordinate cyber attack indications and warning with the Nation's critical infrastructure elements--communications, power, etc.--upon which the Department depends for mission success. In closing, I would like to say a few words about where we are today and where we need to be in the future. Today it takes us at best hours to transition from detection to warning. At worst this could be days. The attacks are perpetrated and executed in milliseconds. We must develop the technology, capabilities, processes, and legal framework to respond to cyber events in real-time. There will come a time when our capabilities will be tested, and national security or the economic security of the Nation will depend on components like the JTF-CND, NIPC and others working collaboratively in response to the event. I want to thank the subcommittee again for providing an opportunity for the Department of Defense to present its views on this very important issue, and we look forward to continuing to work with Congress to ensure that we are able to meet these ever increasing challenges. [The prepared statement of Mr. Schaeffer follows:] [GRAPHIC] [TIFF OMITTED] T4152.086 [GRAPHIC] [TIFF OMITTED] T4152.087 [GRAPHIC] [TIFF OMITTED] T4152.088 [GRAPHIC] [TIFF OMITTED] T4152.089 [GRAPHIC] [TIFF OMITTED] T4152.090 Mr. Horn. Thank you very much. That is a helpful statement, and I am delighted to see that they have got some depth over there under that Assistant Secretary, because we worried through Y2K after the general retired. So we now go to Mario Balakgie, Chief Information Assurance Officer, Defense Intelligence Agency, Department of Defense. Mr. Balakgie. Thank you, Mr. Chairman and members of the committee. I am honored to be here to have this opportunity to speak on the challenge of coordinating response to computer security threats. I am here to present the views and opinions of the Defense Intelligence Agency within our role for information assurance mission of the Defense Intelligence Community. The business of intelligence is unique because of what we do. But when it comes to how we operate, we are driven by the information age. We rely on a global information infrastructure using technology as an integral tool to carry forward our mission of intelligence. Unlike in the past we now operate in an interconnected and interdependent environment, giving us tremendous benefit but not without security risk to our information infrastructure. Today's challenge is to ensure the protection of those infrastructures against the cyber threat and requiring a community-wide approach to a coordinated and active defense. Whether it is the Intelligence Community, the larger Federal Government or the private industry, each face common impediments to conducting a coordinated response. The interconnected environment has opportunities and risks. The worldwide nature of threats, the attacks from anyone at any time, does not discern organizational boundaries. The reality of threat presents fundamental challenges and they are: our ability to detect the cyber event through the use of real-time sensors; discerning if the event is an attack or an anomaly; conducting timely analysis to determine attribution and finally reacting. To further complicate a coordinated response there are existing varying protection policies within interconnected communities, making it difficult to execute an all encompassing defensive action. For example, the various owners of networked infrastructures do not necessarily agree on what may or may not be constituted as an attack, how to respond to a cyber attack or what defensive measures are required. The most significant issue we face in conducting coordinated response of cyber threat is the demands for skilled and qualified personnel who have an understanding of information and security technologies. In particular, intrusion detection systems require specialized skills to monitor networks for incident detection, conduct analysis of anomalies and ultimately react. While we can implement sophisticated security technology, without these trained professionals, even our best security defenses will not be effective. The Defense Intelligence Community has several initiatives under way to ensure our incident response and defensive efforts are coordinated. Those initiatives are described in my statement, but I would like to point or highlight at least one of them, and that is risk management. For us to understand our infrastructure strengths and weaknesses, we are integrating risk management as a business practice to determine critical assets, protection requirements, and establishing priorities. Risk management will enable us to emphasize the business process whereby resource decisions are made in a consistent and methodical manner. Finally, our response to cyber threats shouldn't be misconstrued as a one-time issue but rather a never ending challenge. We must commit to the information assurance mission constant vigilance and protecting the information infrastructure. Our defensive efforts must be comprehensive in nature and include coordinated strategies within the government as well as private industry. This challenge is best characterized as a long-term business of risk management balanced against threats, vulnerabilities and ultimately the return of our investment. On behalf of the Defense Intelligence Agency, thank you for the opportunity to present our views and opinions. [The prepared statement of Mr. Balakgie follows:] [GRAPHIC] [TIFF OMITTED] T4152.091 [GRAPHIC] [TIFF OMITTED] T4152.092 [GRAPHIC] [TIFF OMITTED] T4152.093 [GRAPHIC] [TIFF OMITTED] T4152.094 [GRAPHIC] [TIFF OMITTED] T4152.095 [GRAPHIC] [TIFF OMITTED] T4152.096 [GRAPHIC] [TIFF OMITTED] T4152.097 [GRAPHIC] [TIFF OMITTED] T4152.098 [GRAPHIC] [TIFF OMITTED] T4152.099 Mr. Horn. I am going to take the chairman's right to ask a question at this point. I would be curious as to the biometrics--I am very interested in your insider bit because that is what often does and has a real problem in either the private sector, the public sector, whatever, to what degree are we moving fairly rapidly to that so we would be able to at least deal with where the insider is and either to lock him out or lock him in? Mr. Balakgie. Well, the first challenge for us is to detect the insider and we are relying on the use of intrusion detection systems to be able to do that. Those technologies are currently implemented with a variety of sensors, what we refer to as sensors, throughout our infrastructure. They are--the sensors are gauged, if you will, to detect certain events. Those events trigger a warning and then we in turn pursue what could be an insider. I would tell you that the technology is mature; however, against a sophisticated insider, this still presents a challenge in determining who they are and what they're doing. Mr. Horn. Well, thank you very much. I am sure my colleagues will have questions later. Our next presenter is Mr. Jack Brock, well-known to this subcommittee. He is the Director of Governmentwide and Defense Information Systems for the U.S. General Accounting Office, an arm of the legislative branch. Mr. Brock. Mr. Brock. Thank you very much, Mr. Horn. It is always a pleasure to be here. I feel like I am at my grandmother's dining room at Christmas time. It is good to have a seat at the table. It is crowded. Mr. Horn. I apologize that we did not think about it to start with. Mr. Brock. I think you heard from most of the witnesses that we live in a world where we are talking about a cyber threat that is not defined by geographic boundaries, and the lack of traditional boundaries really presents a challenge to nations to consider new strategies and new ways of dealing with this. No longer are you dealing in a physical world where you can more easily recognize the threat, but where you frequently have more time to react to the threat. The threat is there. It is sudden, it is real, and you have to react immediately. Further, the ownership of the problem is not just with the national governments. It resides with all elements of the critical infrastructure. And that can be public utilities, it could be the financial sector, as well as Federal agencies, but a whole variety of players are involved here and they all need to be at the table. I think today you got a good overview from the law enforcement agencies, but if you had a different panel tomorrow and you had people from the financial sector or people from the telecommunications, you might be getting a slightly different perspective. The problem might be the same, but the response and the reaction to it could well be different. Further, this infrastructure that these organizations deal in is complicated by the exponential spread and support evolution of information technology. And frequently the technology and the ability to exploit that technology runs ahead of the ability to detect and respond, and that is a very serious problem. There are three elements to this issue. First, do we need to be concerned about it? Second, if we do need to be concerned about it, what are the challenges that have to be overcome to have an effective response? And then, third, how do we begin to address the challenges? First on the threat, I don't need to repeat what these gentlemen have all told you. There is a very real threat and that threat can come from an insider. That threat can come from a lone hacker who is out for a joy ride, from an organized group of hackers, from a terrorist group or, as NSA estimates, from 1 of over 100 countries that now have the capability of launching an offensive cyber attack. I think the potential for real damage has been highlighted by the ``ILOVEYOU'' virus, the denial of service, the Melissa virus. While none of these caused catastrophic damage in an overall sense, it demonstrated the very real potential for damage by cyber attack. The challenges, we have identified in the statement four challenges. First of all, establishing trust relations. You have so many people that are at the table, just like we are at this table, that have to work with one another. And even though law enforcement people might work together, share information, frequently the private sector do not want to share information with the law enforcement. They see it as a one-way street. You give information but you don't get anything back. You have to establish a trust relationship between different government entities, some who have less than friendly relationships with each other. You have to establish relationships between the government and the private sector. You have to balance off national security versus economic threat. There are a whole series of relationships that have to be established, and it is really not realistic to assume that everyone shares the same perspective or views the threat in the same way or views the response in the same way. The second challenge is related to that, but it goes to reporting needs and mechanisms. What kind of information do you need to be responsive? How do you best share it? What's the protocol for sharing it and how do you do it in a timely manner so that it is effective? Third, and this was touched upon by several panel members, are the need for technical capabilities. We have a real lack of technical skills within the government, and I think elsewhere, for dealing with this. Computer security is clearly underfunded and underrepresented in most agencies. Most agencies or many agencies do not have the skills that are necessary to provide a level of protection. We lack intrusion monitoring systems. The Department of Defense has taken a real leadership role in moving out on this, but this is still a very new area where we don't have the systems in place that can effectively monitor intrusions. And last, and I think the thing that bothers us the most right now is what the national plan calls for in making the Federal Government a model. And as you know from prior statements before you, the Federal Government is far, far away from being a model. Virtually every Federal agency has severe computer security problems that put their operations at risk. And if the Federal Government is going to be in a position to speak about the need for developing national and international infrastructures, it needs to get its own house in order and we are far from that. In terms of addressing the challenge, as you heard today, a lot is being done. There are a lot of organizations that are sharing information. These organizations certainly exist within the United States and they certainly exist internationally. But within our own government, that's done without an effective framework. The national plan for information systems protection, which the first version was issued earlier this year, lays out the beginning of a framework dealing with Federal Government. The next version is supposed to bring in the international and private sector, but a framework is a long ways away from having an effective implementation of the policies that are needed to in fact do the balancing act that you need between the various sectors to establish the trust relationships, to develop the effective coordination mechanisms that are required to address the challenge. So the challenges to be addressed is a comprehensive framework. This needs to be developed, it needs to be vetted, it needs to be bought into. It needs to allow each of the components to clearly define their individual needs. There needs to be an opportunity to balance these needs against the national need and, last, to develop and implement strategies to meet those needs. This is going to take leadership. This is going to take a real commitment, a prolonged commitment, it will take time and undoubtedly take a great deal of money. That concludes my summary, Mr. Chairman. [The prepared statement of Mr. Brock follows:] [GRAPHIC] [TIFF OMITTED] T4152.100 [GRAPHIC] [TIFF OMITTED] T4152.101 [GRAPHIC] [TIFF OMITTED] T4152.102 [GRAPHIC] [TIFF OMITTED] T4152.103 [GRAPHIC] [TIFF OMITTED] T4152.104 [GRAPHIC] [TIFF OMITTED] T4152.105 [GRAPHIC] [TIFF OMITTED] T4152.106 [GRAPHIC] [TIFF OMITTED] T4152.107 [GRAPHIC] [TIFF OMITTED] T4152.108 [GRAPHIC] [TIFF OMITTED] T4152.109 [GRAPHIC] [TIFF OMITTED] T4152.110 [GRAPHIC] [TIFF OMITTED] T4152.111 [GRAPHIC] [TIFF OMITTED] T4152.112 [GRAPHIC] [TIFF OMITTED] T4152.113 [GRAPHIC] [TIFF OMITTED] T4152.114 [GRAPHIC] [TIFF OMITTED] T4152.115 [GRAPHIC] [TIFF OMITTED] T4152.116 [GRAPHIC] [TIFF OMITTED] T4152.117 [GRAPHIC] [TIFF OMITTED] T4152.118 [GRAPHIC] [TIFF OMITTED] T4152.119 [GRAPHIC] [TIFF OMITTED] T4152.120 [GRAPHIC] [TIFF OMITTED] T4152.121 Mr. Horn. Well, thank you very much. If Mr. Pescatore would join us over there and, staff, see if we could turn around one of those heavy awful tables that we suffer through here, and we have Mr. Molander already at the table. And we are going to move to Mr. Molander. He is the senior researcher for the RAND Corp. that does a lot of good work domestically and foreign. So it is nice of you to appear here. So where is Mr. Molander? There we are. He moved to the right place to make sure he could get recorded. STATEMENTS OF ROGER MOLANDER, SENIOR RESEARCH, RAND; AND JOHN PESCATORE, VICE PRESIDENT AND RESEARCH DIRECTOR, NETWORK SECURITY, GARTNER GROUP Mr. Molander. Thank you, Mr. Chairman. Mr. Chairman and members of the committee, the RAND Corp. has done a large number of studies on the problems that are being addressed here today, including conducting many national and international strategy policy and operational exercises, you might call them cyber war games, in the area of critical infrastructure protection as well as in the cyber crime arena, looking at the impact of the Internet on things like Internet banking, Internet gambling, and the whole impact on money laundering. My testimony today is a distillation of that experience put together by myself and two RAND colleagues, Robert Anderson and Richard Mesic. In light of the comments that have already been made, I am going to offer a few overview perspectives, hypotheses, lessons learned from about 5 years of doing research in this area. First, to enable and motivate a more effective dialog between government and the private sector, the government needs, as was mentioned, a specific and much improved framework for targeting the interests of individual infrastructure sectors and companies. You might say in a sense, Mr. Chairman, it's the private sector that is the key here at the present time. The private sector wants the government to provide threat intelligence, the government wants the private sector to share sensitive vulnerability information. To date neither can or will deliver in a manner that the other deems adequate. A second point, the companies that are running the critical infrastructure systems all have quite significant risk analyses and contingency plans for various outages and problems; however, for this kind of threat the balance between risk and cost chosen by individual companies may not be deemed best for overall national security interests as judged by the government in carrying out its responsibility. Additional resources are undoubtedly going to be required. This cost gap-filling challenge must be addressed by the Federal Government. The expectation that the private sector will carry all of these costs is terribly misleading. Third, for those critical infrastructures which are potentially under attack it is prudent to assume that the threat actors, whoever they might be, wherever they might operate, whatever their motivation, are likely to eventually find vulnerabilities. Nature abhors a vacuum. They will be found. We need to assume almost that any major vulnerability will be found by some malevolent actor. To the extent that actions to protect the infrastructure cannot for cost, political or other technical reasons be implemented fully on a day-to-day basis, alert and warning and response systems are critical. Effective AWR, as we call them, architectures are likely to involve a hierarchy of intersected alert and warning systems where the best role for the government probably is to try and take the lead in creating and coordinating almost a system of alert and warning systems and then independently provide sort of motivation for response plans being well vetted and well organized so that people understand what will happen when some alert and warning comes. The fifth point, any significant attack of a kind that might be characterized as strategic in character would almost certainly be proceeded by various testing and probing activities by the attacking party. This is going to be an ongoing active process, as we have heard. Any data is likely to become dated from an offensive or defensive standpoint, and possibly obsolete quickly. We need to adapt to this kind of dynamic situation. Six, given our current knowledge base the CIP problem is probably too complex and dynamic at this stage for any single unified strategic concept framework or approach. That means that we have to break the problem down in manageable pieces nationally and internationally and attack the pieces. The kind of unified framework that we would also like to have is something that at best will take place over time. It is clear, I think, that there is no simple solution silver bullet for enhancing U.S. or global critical infrastructure protection. It is not clear how vulnerable key sectors are, how widespread the effects of a major attack might be, how various responses to that attack, how effective they might be, how well an adversary could marshal the next knowledge and resources to mound a strategic level attack as opposed to what you might call duck bites without extraordinary preparation. At this time the best approach probably both nationally and internationally is to get down into the details for each individual infrastructure. Every infrastructure is different in terms of their preparation, their risk assessments and their planning. One needs to look at the particular attack modes that are going to be--classes of attack modes that are going to be most troublesome for individual infrastructures, electric power, telecommunications, etc.; the particular generic vulnerabilities that are most worrisome for that sector that can be projected with time even though technology changes; the type and extent of effects of the damages the sector might suffer, the importance to the Nation of those effects, and finally the types and effectiveness of responses that might be expected by the private sector and the government. Let me reiterate as a close, it is the private sector, Mr. Chairman, that is the real challenge at this point for government. Thank you. [The prepared statement of Mr. Molander follows:] [GRAPHIC] [TIFF OMITTED] T4152.122 [GRAPHIC] [TIFF OMITTED] T4152.123 [GRAPHIC] [TIFF OMITTED] T4152.124 [GRAPHIC] [TIFF OMITTED] T4152.125 [GRAPHIC] [TIFF OMITTED] T4152.126 Mr. Horn. Well, we thank you and your colleagues for that fine presentation. Mr. John Pescatore is the vice president and research director, Network Security for the Gartner Group. Mr. Pescatore. Good morning and thank you, Mr. Chairman and the committee, for this opportunity. It looks like I am batting cleanup here. You have heard from a lot of constituencies. In my 22 years working in information security, I have actually worked for the Intelligence Community, the law enforcement community, private industry, in developing fire walls and public key encryption, and now with Gartner Group, working with thousands of our clients across the world addressing their security problems. Add the citizens to the stakeholders in this, and it is a complex problem, and the key is sharing across those communities. The Internet definitely rewards sharing, it actively rejects attempts at hierarchal command and control and routes around them, to paraphrase a famous Internet saying. What within this mix can the government do to facilitate sharing is the key issue we have touched on I think in a number of ways here. First, we have heard several times, and I will certainly second it, that the government should first clean up its own act in computer systems and make sure that government computer systems are secure and well managed. We've seen an explosion in use--business use of the Internet that really vastly outpaces the growth of crime against the business use of the Internet today. We see companies like Cisco and Intel and Intuit getting the majority of their revenues through sales over the Internet. They figured out how to do it securely and still run leading businesses. So the solutions, the technologies and the processes are there. They need to be emulated and replicated across all systems, and government systems are a prime example. We estimate it takes anywhere from three to five times more effort, more total cost of ownership to secure an Internet exposed application than one that has traditionally been inside a closed environment. If you use today's point solutions and antiquated processes that we see many government agencies trying to use, if you use architectural solutions, redefined, reengineered processes, those costs can be halved and become much closer to what it takes to do so behind the fire wall. So first point, government effort to secure government systems, that is one key inhibitor to private industry willing to share the threat information with the Federal Government. Will it be protected when it is stored by the Federal Government? Second key point, the government certainly plays a role in defining security standards and can put its buying power behind those standards. We see the National Institute of Standards and Technology [NIST], with the National Information Assurance Program putting together protection profiles for various technologies and systems. Some very good efforts there. Not quite working on Internet time, more bureaucratic time; need to move up to Internet speeds, and not quite so focused on a prioritized list of what makes the most sense to e-business and the needs of all these various constituencies. I think that can be improved. The government can certainly learn some lessons from what it did in the Y2K period. There were many things that others put together for Y2K; for example, in the National Security Telecommunications Advisory Council [NSTAC], is an example of a very workable way of sharing threat information between private industry on the critical infrastructure side and the government. Did a lot of good work for Y2K. Another suggestion that we have, we saw the Securities and Exchange Commission require publicly traded companies issue Y2K status information in their quarterly and annual reports. Let's see that for security information. Let's see the government help make security part of the bottom line versus an afterthought for many of these companies. I think that would go a long way. I want to point out we don't see a need for more alphabet soup of committees and task forces to address this problem or coordinate this problem. We see plenty of those. We see many successful examples, things like the Forum of Incident Response Security Teams, the Carnegie-Mellon Computer Emergency Response Team, things starting up in the Federal Government like FedCERT to share information. We have enough mechanisms. We need to move them forward and increase sharing. I will sum up, with that buzzer going off, to say we see a lot of successful use of the Internet increase the bottom line of companies, make things more convenient for citizens. Certainly we know cyber crime and information warfare will follow and it will require leadership by the government to address those. I think the government can learn from what private industry has done successfully and adopt best practices on government systems and sponsor leading practices and standards that will apply across the infrastructure. Thanks for your time. [The prepared statement of Mr. Pescatore follows:] [GRAPHIC] [TIFF OMITTED] T4152.127 [GRAPHIC] [TIFF OMITTED] T4152.128 Mr. Horn. Thank you very much. We will begin the questioning with the ranking member, Mr. Turner. Each of us will take 10 minutes. And as you can see by the ruckus on the bells, we have another vote so we will both have to get there. But we will get started here with 10 minutes to the gentleman from Texas. Mr. Turner. Thank you, Mr. Chairman. Mr. Pescatore, I wanted to followup with you. You made a comment there that we did not need any more task forces or study groups, and then you also made a comment that we had the necessary entities. You referred to the Carnegie-Mellon Institute. I guess it is a similar operation to what we do at the Federal level. Did I gather you said those were sufficient that we had in place? Mr. Pescatore. Well, we have the mechanisms, things like CERT teams and FIRST and across DOD and the civilian government and private industry for sharing the--for coordinating response. We need a number of things to help make information sharing easier. Many have been addressed in the testimony. Things like the Freedom of Information Act being addressed to make sure that information shared will stay private, will not be releasable. Making sure information sharing is bidirectional between these communities as much as possible. So there are ways that we can increase the sharing between these mechanisms, but I don't think we need more mechanisms. Mr. Turner. We have a number of people here from various countries around the world. What would you see as the greater need internationally in this area? We all talk about and everybody has mentioned we need greater cooperation. What does that translate into in terms of actual activity? Mr. Pescatore. Well, I think what you see the most need for is increased communication between the different layered communities. For example, Interpol between law enforcement, the various NATO and other mechanisms between DOD, and there are existing mechanisms like FIRST that interoperate between companies across countries. The flow between those three communities is near zero. That needs to be increased. And the mechanisms are there, again, but the oomph behind them is not. Mr. Turner. I was interested, Mr. Molander, in your comment. You said the problem is the private sector, not the government, and yet I get the impression from listening to the testimony that the government is increasingly going to be required to play a greater role, that the private sector is going to basically say there is a point beyond which we don't really want to go. We don't want to spend the money to go further, but that our national security needs will require us to go further. So you might want to expand on that thought a little more because I was getting the impression earlier that the direction that we needed to take was that we are going to have to recognize that the government is going to have a greater responsibility, not a lesser responsibility. Mr. Molander. I think that is probably right. But in the end, I think the real challenge right now is to bring the private sector to the table in seeking solutions to this problem. As yet, the kind of information that we would like to get from the private sector in terms of, for example, the kinds of probes that they are seeing right now, how they are organizing themselves for responding to certain kinds of attacks, classes of vulnerabilities that they can see from their own experience with natural sort of events and things of this character, these kinds of things have not yet been part of a dialog between the government and the private sector largely because the government has not been successful in making the case--and it's not an easy case to make at this early stage-- that there is out there perking along, you might say, the kind of strategic threat capability that truly would be more than just a cause for the kinds of problems that we saw with the ``ILOVEYOU'' virus and things of this character. The private sector is, if you will, the frontier. That is where things are happening in terms of attacks against the infrastructures, more so perhaps than the attacks against the Defense Department. The private sector--all boats have to get in and start rising here, but the private sector is really missing in terms of aggressive participant in the larger strategic challenge. Mr. Turner. What's it going to take to get the private sector to move more rapidly in terms of their willingness to cooperate? Mr. Molander. Other people could comment on that as well, but I would say a persuasive case made by the government, barring some actual events, of the kinds of vulnerability that the private sector sees could be exploited by a malevolent actor who you might say catches up with the information revolution and catches up with the software and what not, changes that are being made by the infrastructure. So you might think of this as somebody doing a high speed merge, the malevolent actors doing a high speed merge on the highway. But the threat is that they will catch up and the kinds of dialog where the government makes a persuasive case for threat really haven't taken place yet. Mr. Turner. I'm not sure we do understand the threat, and maybe we need to have more opportunities for experts like we have on this panel to tell us the worst case scenarios that might be out there for us. We have two panelists here from the Department of Defense, but when we talk in terms of national defense we usually can identify the threat and talk about it. Sometimes we talk about it in top secret meetings, but we talk about it and that's what we try to address. Maybe we don't have a good perception of the real threat. Do any of you, particularly panelists from the Department of Defense, have any suggestions on how we might better educate ourselves on the nature of the threat? Mr. Vatis with the FBI, I'm sure you have some thoughts on that you could share with us. Mr. Vatis. I think I agree with the point that one of the things we need to do is to raise awareness about the nature of the threat. And, in fact, a lot of that has been going on. We have provided numerous briefings to different committees of Congress and also to many different parts of the private sector. As one example, I've provided a classified briefing to the owners and operators of the electrical power infrastructure because of their centrality to the functioning of all the other infrastructures. And I think those briefings, as well as real live events such as the various viruses that we have seen and denial of service attacks, have all done a great deal to raise the level of awareness. And I think they've contributed to the progress that actually has occurred over the last 2 years in terms of the private sector taking steps that it hadn't taken before to secure its systems. But I think all the awareness raising in the world is only going to get you so far. And then you still run up against the fact that companies are not going to do anything until they see that it's necessary to protect their bottom line and their ability to make profits. And I think companies are going to make different decisions about the probability of something happening. They will look at the cost of taking steps to prevent it from happening versus the cost of something happening, discounted by the probability and going through that sort of cost-benefit analysis. And so I think that's really where we need to make progress. The other thing that I see happening is a bit of a free rider problem. That especially affects the whole problem of information sharing. There has been a lot of talk for 2 and more years about the importance of information sharing. We have set up numerous mechanisms, some of the ones that Mr. Pescatore has mentioned as well as ones that the government has set up, including through the NIPC, to share information from the government to the private sector. And that's all been going on. But what's principally been lacking, I think, is information coming from the private sector to the government and information being shared among private sector companies. The free rider problem that I mentioned comes from the fact that companies are willing to get information that might help them become aware of vulnerabilities, but they're very wary of sharing their own vulnerability information, not just with the government but with their competitors in industry, because companies see a possible competitive advantage if they're aware of a vulnerability and others aren't. And so that's where I see the principal hindrance to information sharing. Mr. Horn. I will have to interject now. At 12:25, we go into a formal recess. We will be back at 2 o'clock for the questioning. Other Members will be here. And I believe your host, the Federal Bureau of Investigation, already has other things for you to do during this period. So we are now recessed formally. If you want to ask some more questions fine, but you can also ask them at 2 p.m. [Recess.] Mr. Horn. The recess is over, and I hope you had a good lunch, and we thank the Federal Bureau of Investigation for that hospitality. Since none of us on Capitol Hill except the Speaker have a representational allowance, we don't have any. But let us ask a few questions. We won't keep you that long but there are a few things we did want to talk about. To the Department of Defense, let me ask this. Has the lack of an international policy on critical infrastructure protection impeded the Defense Department's efforts to address mutual concerns on infrastructure protection? How would you answer that? Mr. Schaeffer. No, sir, I believe that with respect to our international partners we have worked on an individual basis to ensure that where we are reliant upon the infrastructure of the nations where we reside. That is not to say that all the problems are fixed and everything is wonderful, but we are working U.S.-to-host nation to address those issues. Mr. Horn. In an unclassified setting, can you tell us what countries do you see as having the most developed information warfare and computer attack capabilities? Mr. Schaeffer. I cannot address that in this forum, sir. Actually, that question would probably be addressed better to a member of the Intelligence Community than to this portion of the Department of Defense. Mr. Horn. We will have Mr. Goss ask that. How concerned are you in the Defense Department about the proliferation of weapons of mass destruction, viruses, hacking, exploited denial of service, and will increased information sharing improve the response posture of the United States? Mr. Schaeffer. Well, sir, I believe I can state categorically that we're very concerned. Certainly as one can read in the paper every day, the Department is subjected to a substantial number of probes, attempted intrusions, attacks, however one wants to categorize that. Last year, or in 1999, the Joint Task Force-Computer Network Defense registered over 22,000 attacks on DOD systems. Now, it's very, very difficult to say what portion of those came from within the United States, what portion may have been foreign sponsored, which portion may have been foreign generated. I mean, there's a number of those situations that we continue to pursue. But the volume and the anonymity with which an attacker can operate unimpeded from around the world sort of states the situation that we are dealing with. Mr. Horn. In my opening statement, I referred to NATO as a possibility to be able to share information in this area. To what degree--well, let's put it this way. The European Parliament, the various sovereign nation parliaments, and the Council of Europe and all of those groups, everything, the OECD, all overlap each other. But I wondered, since NATO has a working relationship, and one of the reasons was to have a defense group in relation to the Western world, so to what extent, if any, is NATO involved in cyber attack problems? Mr. Schaeffer. In March 1998, Dr. John Hamre made a visit to NATO. We actually visited several individual nations and NATO as a body, the C-3 board, within the NATO structure. And we gave several presentations on U.S. experiences in the area of cyber issues, problems. We laid out our experiences in our own exercise environment, Eligible Receiver 97, which was really the watershed event that got the Department's attention. Mr. Vatis spoke briefly to the Solar Sunrise incident, which I refer to as a live fire exercise, and we shared those experiences with our NATO partners. Subsequent to that, we have continued to expand our relationship in terms of sharing experiences, training material, approaches to address information assurance issues both with NATO nations and non-NATO nations as well. We have done that DOD to MOD, the Ministries of Defense of the various nations. And so our relationships have been constrained pretty much within the context of our military partners. In some cases, some nations have sent non-MOD delegations to DOD to get our perspectives on critical infrastructure issues, information assurance issues, and the Department's approach at dealing with those. So, I think since the March 1998 timeframe, we've had substantial interaction with our foreign allies and partners to try to convey what we see as rather substantial problems. And I'm pleased to see the progress that NATO has actually made in addressing a number of these issues. Again, there's a long way to go, but it begins with awareness and understanding and common appreciation of the problems. Mr. Horn. Now, what do we do for those countries that are not in NATO and that rim on the NATO alliance? How do we deal with that? Mr. Schaeffer. We have, on a bilateral basis, exchanged understanding of issues, problems, approaches, with non-NATO nations within Europe. But we've done that again, DOD to MOD. Sweden is an example of a non-NATO nation that we've had information exchanges with. Mr. Horn. Are the French now in or out of NATO? Mr. Schaeffer. The French are in NATO. And we've had exchanges with them as well. Mr. Horn. OK. Mr. Genis said this morning, and I'm just wondering what the reaction is of all of you, the suggestion of an international coordination center. Is there an existing organization suited for that purpose? We have a lot of League of Nations groups in Geneva and other parts of Europe and other parts of the world, and we have U.N. possibilities and all that. But I'm just curious if we can go down the line and where do we see for having an international coordination center where you could relate to them and they would keep up on a lot of this and share information. Mr. Reksna. Mr. Vatis. If I may, Mr. Chairman, I think Mr. Reksna would rather pass on this, if that is OK with you. Mr. Horn. That's fine, but if he has some thoughts we would welcome them. Because we need to have countries involved, no matter what their size. They're important people to us. Mr. Reksna. Actually, we should think always the possibility, if it's possible, we would answer you in a return letter. Mr. Horn. Well, thank you. Mr. Vatis. Mr. Vatis. I think the need for a much more efficient and quick mechanism for sharing information internationally is apparent. That is one of the things that the G-8's High-tech Crime Subgroup has been discussing over the last year or two. The problem that we bump up against is that of national sovereignty and the fact that countries are not willing to let foreign law enforcement agencies conduct investigative activities within their own borders for national sovereignty reasons. And so what the G-8 has been trying to do is come up with a system where countries at least agree to freeze information at the request of another country, and then let the normal mutual legal assistance treaty process take effect. As some of my colleagues had mentioned this morning, that is typically a lengthy process, because in the past in traditional crimes, speed was not always of the essence the way it is in cyber crimes. And so it wasn't of great concern to people that requests would take weeks and months. Now when evidence can be lost, that sort of delay is simply not tolerable and so we are trying to come up with methods, first within the G-8 and then on a broader scale once we have a model developed, to try and share information more quickly. But the idea of a single international body that would have powers that might transcend national sovereignty I think would pose difficulties not just for the United States but for most countries. Mr. Horn. Mr. Kronqvist, any thoughts on this? Mr. Kronqvist. Thank you. I think such kind of center should be very useful. But as a law enforcement person, I would like to express that participation of law enforcement agencies should be very manifest and I think probably should be by law enforcement organizations so secure handling of information would not come in the wrong hands. Mr. Horn. Mr. Juergen Maurer. Mr. Maurer. I'm not convinced that there is a need for a specific institution to be established. If it comes to law enforcement, I think it would be a much better way to use the existing channels and make them aware of the specific needs. Especially when it comes to Europe, we have to face how many years you need to establish a new police institution, for example, like Europol, and it will need another 10 years to have a real operative institution. So I would prefer to stick with the existing channels and use these channels. Mr. Horn. Mr. Meneses, what is your thinking on this? Mr. Meneses. Your Honor, I think Interpol is a good bureau within which law enforcement could properly coordinate and cooperate, considering that it is already existing. I believe what is already needed is to refocus some of these people to concentrate especially on cyber intrusions. They should be given--these people should be directed by the leaders that priority should be given on cases under investigation, especially on cyber intrusions. Mr. Horn. Thank you. Mr. Genis. Mr. Genis. Well, ditto. And I'd like to mention that Interpol would be an appropriate body. But it should be more similar to the NIPC, but which would have control over European countries and other countries than within the United States. Mr. Horn. Mr. Adamson. Mr. Adamson. Yes, Mr. Chairman, Interpol does have the framework to do this, but what they are lacking is the resources and expertise. There are about 300 police officers from around the world assigned to the General Secretary at Lyon, including 10 Americans. But cyber crimes is just something that has started. Interpol has always been years behind. I think with the new Secretary General coming this year with a renewed interest in Interpol by the United States, and renewed interest by all the first world countries, I think things could change. The framework is there and you still have the sovereignty aspect but at least the framework for communications is there. Mr. Horn. Mr. Schaeffer, any other thoughts on this? Mr. Schaeffer. Mr. Chairman, I think the only thing I would add is that while existing organizations and mechanisms--or mechanisms do exist, I think we are a long way from a consistent taxonomy in an international sense. What is an attack? What constitutes an attack? What is an event? What is an intrusion? And so I think there is work that has to be done there before we could vest the responsibility for coordination in any one body or any group of organizations. I think there is much that could be done to create a consistent view of the problem and then some sort of international convention of what gets reported, how, and in what context. Mr. Horn. Mr. Balakgie, is the Defense Department unified? Mr. Balakgie. Absolutely, sir. I would say that there might be some information that would be difficult to share but that's my intelligence. I think you're talking about certain levels where you know something is going on, sharing of information needs to be done in a rapid manner. It's what happens before you get to that point that I think is challenging for us. Mr. Horn. Mr. Brock, any thoughts on that, looking around the world and around the United States? Mr. Brock. I think there is a need for more international sharing. I think at least initially it would be difficult to see one body doing that initially. Much as in the Y2K, people that have already established trust and working relationships in particular sectors, it might be feasible for them to begin sharing information among themselves and at some point look for opportunities for improving sharing among those different groups. Mr. Horn. Mr. Molander. Mr. Molander. I was going to say that same thing. I think Y2K was something special, and those people who paid for it by drinking champagne in paper cups did over the period leading up to that establish a precedent that one could build on even if you can't very quickly even think about how to get started on international law enforcement institutions. I think the precedent set by ICAO and IATA and international ITU should be built on before both personal relationships are lost and the experiences are lost because you can do a lot of work in that area. And as I testified earlier, I think bringing the private sector through the individual infrastructure, treating them independently, into this problem effectively is a very important thing to do. And this would be a good place to start. Mr. Horn. Mr. Pescatore. Mr. Pescatore. I think I will echo one comment I believe Mr. Schaeffer made, that the important piece is the consistent taxonomy and lingua franca for defining what is an incident in different times and we see nascent standards in that area, work within the DOD and private industry, to come up with a common language. That would be the first step to get that in use across these communities and that would facilitate information sharing, be it any of these difference mechanisms that we talked about as a coordinating body. Mr. Horn. Now the private sector sort of was in and out of your testimony, depending on the situation. Is the private sector here, Europe, Asia, wherever, in computing, are they aware of the problems that the viruses create, are they working on ways to block that in the computers that they sell? You don't have to name any names, if you don't want to. But does that occur somewhere? It seems to me this is a wonderful market for someone if they can figure out how to attract people who are virus experts and all the rest of it. So what's your feeling on that? And do they realize the size of this problem and what it could do to the free world as well as the nonfree world? Mr. Brock. Mr. Brock. Every time I testify on computer security, I get several calls the following day from vendors saying we have the answer and they want to come over and do a demo or whatever. And many of them I think, in fact, do have good products. But the problem that we've seen at the agencies we've reviewed is that using a tool, that many agencies have tools but they don't use them effectively. And that's the secret. You can buy a tool that is very effective and we have gone into agencies where they have great firewalls but they haven't turned on all the features of the firewall, or where they haven't trained the people to use it or they haven't updated it and it is two generations back and viruses and other attack methods have progressed. So I think there are opportunities. But you just can't use a tool without knowledge of how that tool is supposed to work and without continual training to make it work. Mr. Horn. Is there any other feeling from those of you that live in Europe as to whether your manufacturing industries see this as a real opportunity, if they can block out the type of viruses or whatever it is? Are they not interested or are they interested in doing this? I think that's where some brain power ought to be given to it. It's like anything in defense, everybody--you get it done, somebody has something that's bigger and then so forth and so on. So it seems to me this would be a very good market for everyone there. The other thing is do the antitrust laws in the case of the United States, does that keep manufacturers and others from getting in at the top of this problem? And is that type of sharing, should that type of sharing be exempted if it in any way is a problem for the antitrust laws? I don't know the GAO has looked at that and we don't have anybody really from Justice on the legal side. But I think we need to pursue that with the Department of Justice and see if something needs to be done to amend the law. Mr. Brock. My colleague, Joe Williamson, testified last month on H.R. 4246, the Cyber Security Information Act, which was very similar to a Y2K legislation that eased some of the concerns that companies had about sharing information so they wouldn't violate various antitrust provisions, and we were very positive about that act and thought that anything that would alleviate concerns between companies about sharing information was a positive step forward. Mr. Horn. Well, I think you're absolutely right on that and we need to pursue that a little more perhaps with the Judiciary Committee. Let me just ask on the cyber attacks that have been investigated, is there a single point of contact in the United States that all of you who are not in the United States use as your contact point? Is it the FBI's center or are there other places you can also--Carnegie-Mellon has not really come up this morning and Carnegie-Mellon has been doing a lot of work on how to deal with this problem. So I don't know if any people that are--are you primarily relating to Mr. Vatis and the center there? Or are there others that can help you in this country? Because we'd like to know where they are and we know about Carnegie-Mellon. Is there any? Yes? Mr. Maurer. Our first partner in these cases would be the FBI. If it comes to a legal assistance request, we should have to go through the Department of Justice, but they refer us always then back to the FBI. So our main partner would be the FBI. Mr. Horn. Is that the general feeling of most of you, that you relate to the FBI essentially? Yes? Mr. Kronqvist. Yeah, normally we have contact with the FBI through the Legal Attache's office. But we have also other contacts with them, some of the other parts of the FBI, because we have training exercises with the FBI also on projects like that. Mr. Horn. Well, they're a good group to deal with. Do each of your countries have decent legislation now to combat the cyber attacks? I know the Philippines has. I wish our Congress could move as fast as yours did, because you seemed to move very rapidly. Is there a model law that would fit for every country on that? I realize there is different legal practices under the laws. But do you feel that there's some of the countries that maybe surround you don't have any laws on this and maybe some don't even care to have any laws about this, because some of them might be doing the things that we are trying to block. So is there a feeling that there is a weakness of laws in some of your countries? Yes? Dr. Maurer. Mr. Maurer. I'm not that familiar with this part of our work, but it seems that there's a feeling that there is a lack of the law passage. There is an effort by the European Community to harmonize the different laws. So the European Council or the members of the European Council or delegation located here in Washington, DC, they might be a good place to go and get more information on that. Mr. Horn. Any other thoughts on that? Well, let's get to the point of should there be a global treaty on this? And does it even make any sense, given all the diversity and all the complexity that's involved in this? Should that be either pursued bilaterally and signing or having the Europeans deal with that, the Asians on their continent, whatever it is? That if a global treaty is needed? What is the feeling on that? The gentleman from Latvia might want to respond on this one because I would think that would be in your interest in terms of Europe and that area to have some sort of a relationship. Any thoughts on it, as we would say in this institution, the gentleman from--in your case you're the gentleman from Latvia, and we are glad to have you here. Mr. Reksna. Without doubt, we'll need agreements on cooperation. But we should say openly that actually all the countries, there is much bureaucracy in each country and any more agreements--any other agreement also like needs more bureaucratic work and papers. In order to solve, to detect a crime, the main thing is time--to shorten the time. And because of that, I would agree to that said by our colleagues that at the present moment, maybe one of the most effective ways to work in this direction is personal contacts, to have more personal contacts and to have really good working relationship and contacts with LEGAT, with FBI liaison officers. And for sure, there should be present such a thing as trust. Trust as on the level of law enforcement institutions in the country, between different countries, and the trust between--we are to build the trust between the law enforcement agencies and the private sector. Because if there is a trust, there would be an effect. Mr. Horn. Thank you very much. Mr. Vatis, what do you think on this? Mr. Vatis. I think one of the most pressing needs internationally is for harmonization. Or if not quite harmonization, at least some minimal level of substantive criminal law in all the countries around the world to specifically address computer crimes because one of the problems that we have seen is if we have an incident and we determine that the perpetrator is located in a country where there is no applicable law, there is no chance for prosecution oftentimes in that country and there is also no chance for them to provide assistance to us because they don't have the legal basis to even engage in an investigation. But I think our approach has been that the best and most likely way to achieve that gradual creation of laws around the world is not by jumping right to a global treaty of some sort, because I think that would take a considerable amount of time, given the great differences in perspectives and priorities among the different countries, but instead to try to encourage the passage of new laws on a bilateral basis, and on a multilaterally basis first to deal with smaller groups of countries that have common interests. So we've been doing that through the G-8 and then Europe has been doing that through the Council of Europe. And I think if we start with those types of smaller groups of countries with common interests we'll eventually create some momentum and eventually see most, if not all countries around the world have applicable laws. Mr. Horn. Any thoughts on this, Mr. Kronqvist? Mr. Kronqvist. Yes, I think international agreements can be very useful because even domestic legislation can be organized very rapidly if there is--international work is the issue. Mr. Horn. Dr. Maurer. Mr. Maurer. Just would like to support the thoughts Mr. Vatis just told us. That is exactly our position too. Mr. Horn. Mr. Meneses. Mr. Meneses. I agree with the observation of the honorable chairman that there should be an international or global treaty, considering that information technology moves so fast. And the Web site would be on the other part of the world and the suspect or the culprit may be on the other side of the world and there may be a problem on how to get some of this evidence. But if everybody--if there is a treaty, at least the investigators or the law enforcers would have a chance to call on such country or nation to give in some of the evidence that we need. Of course the recommendation of Mr. Vatis could also be a preparatory step to that global treaty. Mr. Genis. I'd like to stress sir that an international treaty will allow us or will give us the ability to address foreign countries, besides the United States, where we speak in the same legal terms. And it will simply make the process accelerated. Mr. Horn. Mr. Adamson. Mr. Adamson. Yes, I mentioned that Interpol works with a number of organizations and, as I previously mentioned, the Council of Europe has been doing this with a draft convention on cyber crime recently. And they are putting together, this will probably be the first international treaty to address this problem of cyber crime. As I understand it, the text will be finalized by the end of this year. The Committee of Ministers may adopt it as early as autumn 2001. Again this is piecemeal, this is Europe. But it is the first step probably to do something worldwide. Mr. Horn. What is the process in terms of Interpol in developing a document such as that? Mr. Adamson. Well, Interpol isn't doing it. Interpol is only supporting it. It is really the Council of Europe. It is again one of the many organizations that we belong to. But we are listening, we are watching what they are doing and perhaps through our mechanism we can show the rest of the world that this can be done. Mr. Horn. That is good. I am sure that is a publication that will be sought in a lot of places. Any other thoughts on this? Mr. Adamson. Not from me, no, Mr. Chairman. Mr. Schaeffer. I think I find what Mr. Adamson says very interesting. I wasn't aware that there was such work going on. But I think, from a Department perspective, I think Mr. Vatis articulated our position very well. Mr. Horn. Well, which reminds me on this situation, if that's so, are our defense attaches educated and trained that this is a real problem? Where in our Embassy should we have somebody that can deal with this? Mr. Schaeffer. I think we are continuing to educate and raise the awareness of the defense attaches around the world. But--there are levels of understanding to the problem and many of the issues that we deal with are down in the nuances of exactly what happened and how and where, and that takes a depth of understanding that is much, much greater than just awareness. We continue to pursue that, but--again, we are a ways away from having a completely trained and educated cadre of folks around the world. Mr. Horn. Thank you. Any other thoughts? Mr. Balakgie. Just one other comment to the defense attache question. Since they are managed out of a difference intelligence agency, we do have some procedures that they are provided on how to deal and address some cyber issues in terms of their role in the Embassies. So there--just to reinforce that there is an awareness. On a previous question on an international treaty, I would echo what some of the other panelists have already stated, and that is it would go a long way in at least having the ability to reach into some of these other countries when a problem occurs and see some legal or law enforcement activities kick into gear to help us address some of these issues. So I would definitely think that would be highly recommended. Mr. Horn. Well, that's a very good point that we cannot wait until it happens, we need to get ahead of the game. Mr. Brock. Mr. Brock. I think you're raising a very interesting point. I think there needs to be all sorts of avenues for international cooperation. And sometimes if you have a good relationship informal things that are flexible work very well when you have a good understanding, but when you don't have a good understanding that sometimes more formal arrangements really force you to lay out the issues in ways of dealing with them. Another area that could lead to interesting discussions as well, just as you have arrangements, treaty arrangements on weapons of mass destruction for chemical and biological warfare, there might be a point some time where you would want to consider such treaties that would prevent using cyber warfare as a weapon of mass destruction, which it certainly has that capability. Mr. Horn. It certainly has the capability of scooping up a lot of money in one place or the other also. It is amazing what can be done. Mr. Molander. Mr. Molander. We have tended to call--use the term ``weapons of mass disruption'' for the context that Mr. Brock spoke about. I think the proposed convention would go a long way in a dimension that Mr. Schaeffer mentioned, which was get a taxonomy that could be used by someone. There is an extraordinary language problem. One sees it in law enforcement and in critical infrastructure protection. It also will help to get ready for the point where one deals with the difference between is this crime or is this war? And I think that's an interface that is a real challenge for I think every country because every country handles matters differently. We have a fourth amendment; other countries don't. And the possibility of having an international convention that covers acts of war through or using cyber space was introduced a couple of years ago at the U.N. by the Russians. One of the reasons it probably did not go anywhere is that unlike biological weapons and chemical weapons, where there is an international consensus on not using those weapons as weapons of warfare, there is no such consensus on nuclear weapons. What consensus might emerge on using cyber weapons or whatever you want to call them against infrastructures, for example, is a long way off, and I think until there is some common goal that people can all endorse trying to write a treaty, and we ran an exercise one time that said write me the first article of the treaty, I've had treaty experience. Write me the first article and then tell me what goal that article is going to advance you toward. And that left everyone mute. Mr. Horn. Well, that reminds me in my university President days, I learned do not be the Alpha project in a computer operation. Go way back and be the last one, the Zebra project. And a lot of our problems in our own domestic government have been because they did not have good management at it and they are constantly reinventing the wheel and this is too dangerous to be reinventing the wheel unless it is going in a decent direction. Mr. Pescatore, any thoughts on this? Mr. Pescatore. I would echo the importance of a global treaty or agreement on the difference between crime and warfare. We can certainly spin a scenario of an environmental group in India attacking U.S. banking systems in cyber warfare that appears to come from China, what is the response? Is it crime? Is it warfare? What is the common definition between the two and agreed upon responses? I think that will be a major problem in the future. Mr. Horn. In our closing here, if there is any questions that any of you would like to ask others while they are here, this is a pretty talented group, so if say the General Accounting Office that works for Congress throughout the world, if you have any questions, Mr. Brock, that we've missed along the line, feel free to ask something, and the same with our guests. Mr. Brock. We are actually doing a review of both Mr. Schaeffer's operation and Mr. Vatis's operation now. So we have been exercising our opportunities to introduce them and the results of those should be available next spring, and hopefully we will have another opportunity to share the results of that. Mr. Horn. We would be glad to see it. Let me just thank the staff that have helped on this J. Russell George, our staff director, chief counsel. Ben Ritt is to my left, your right, he is on detail to us from the General Accounting Office. Bonnie Heald, director of communications, Bryan Sisk, clerk, Elizabeth Seong, staff assistant, William Ackerly and Davidson Hulfish, interns, and for Mr. Turner's staff, Trey Henderson, counsel, to my right and your left, and Jean Gosa, minority clerk, and Joe Strickland, we thank you and your colleague, Colleen Lynch, our court reporters. I think that this has been very productive, at least for us, and I hope it has to some degree for you. I thank each of our witnesses today. Some of you have traveled great distances to be here. Your testimony has been very helpful to this subcommittee as we continue our oversight of computer security issues in the United States. As all of you are aware, the national and international remediation efforts associated with Y2K were well coordinated and highly successful, but that was after congressional oversight when they finally got around to it and it worked out. But this is a situation where you can't drift for the years that we had drifted on Y2K. Y2K provided us with a snapshot of our Nation's interdependence, and intradependence. This soaring number of cyber attacks provides us with an entire photo album and we need the same, in the United States at least, Y2K-type of focus on this issue that we did on that issue. Each of our governments must have a matrix in place to ensure the security of its critical infrastructure. This subcommittee is in the process of developing a system to gauge the progress of our Federal agencies in protecting their computer systems against these attacks. We will be examining that progress in September. We have asked the Comptroller General of the United States, who heads the General Accounting Office, to be looking at all of the computers's hardware as well as the software throughout the Federal Government. We are way behind in a lot of computing. We are still in the sixties in some parts, and many of you are way ahead of us. So each of our governments must have a matrix in place to ensure the security of its critical infrastructures. This subcommittee is in the process of developing a system, as I said, to gauge the matter, just as we did on Y2K, and when we come back from the August recess we'll be looking at this matter again. Beyond this domestic challenge, we all must begin addressing the need for well-coordinated, international structure that can provide timely and accurate information to those who need it. On behalf of the subcommittee and the Committee on Government Reform generally, I thank you for your insight, your time, and your participation. So have a wonderful trip home and we appreciate your coming and spending your talents with us. We are now adjourned. [Whereupon, at 3:03 p.m., the subcommittee was adjourned.] [Additional information submitted for the hearing record follows:] [GRAPHIC] [TIFF OMITTED] T4152.129 [GRAPHIC] [TIFF OMITTED] T4152.130 [GRAPHIC] [TIFF OMITTED] T4152.131 [GRAPHIC] [TIFF OMITTED] T4152.132 [GRAPHIC] [TIFF OMITTED] T4152.133 [GRAPHIC] [TIFF OMITTED] T4152.134 [GRAPHIC] [TIFF OMITTED] T4152.135 [GRAPHIC] [TIFF OMITTED] T4152.136 [GRAPHIC] [TIFF OMITTED] T4152.137 [GRAPHIC] [TIFF OMITTED] T4152.138 [GRAPHIC] [TIFF OMITTED] T4152.139 [GRAPHIC] [TIFF OMITTED] T4152.140 [GRAPHIC] [TIFF OMITTED] T4152.141 [GRAPHIC] [TIFF OMITTED] T4152.142 [GRAPHIC] [TIFF OMITTED] T4152.143 [GRAPHIC] [TIFF OMITTED] T4152.144 [GRAPHIC] [TIFF OMITTED] T4152.145 [GRAPHIC] [TIFF OMITTED] T4152.146 [GRAPHIC] [TIFF OMITTED] T4152.147 [GRAPHIC] [TIFF OMITTED] T4152.148 [GRAPHIC] [TIFF OMITTED] T4152.149 -