<DOC>
[109 Senate Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:23163.wais]


                                                        S. Hrg. 109-402
 
     SECURING CYBERSPACE: EFFORTS TO PROTECT NATIONAL INFORMATION 
              INFRASTRUCTURES CONTINUE TO FACE CHALLENGES

=======================================================================

                                HEARING

                               before the

                FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT
                     INFORMATION, AND INTERNATIONAL
                         SECURITY SUBCOMMITTEE

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 19, 2005

                               __________


       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs



                    U.S. GOVERNMENT PRINTING OFFICE
23-163                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   SUSAN M. COLLINS, Maine, Chairman
TED STEVENS, Alaska                  JOSEPH I. LIEBERMAN, Connecticut
GEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan
NORM COLEMAN, Minnesota              DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma                 THOMAS R. CARPER, Delaware
LINCOLN D. CHAFEE, Rhode Island      MARK DAYTON, Minnesota
ROBERT F. BENNETT, Utah              FRANK LAUTENBERG, New Jersey
PETE V. DOMENICI, New Mexico         MARK PRYOR, Arkansas
JOHN W. WARNER, Virginia

           Michael D. Bopp, Staff Director and Chief Counsel
   Joyce A. Rechtschaffen, Minority Staff Director and Chief Counsel
                      Trina D. Tyrer, Chief Clerk


FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL 
                         SECURITY SUBCOMMITTEE

                     TOM COBURN, Oklahoma, Chairman
TED STEVENS, Alaska                  THOMAS CARPER, Delaware
GEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan
LINCOLN D. CHAFEE, Rhode Island      DANIEL K. AKAKA, Hawaii
ROBERT F. BENNETT, Utah              MARK DAYTON, Minnesota
PETE V. DOMENICI, New Mexico         FRANK LAUTENBERG, New Jersey
JOHN W. WARNER, Virginia             MARK PRYOR, Arkansas

                      Katy French, Staff Director
                   Sean Davis, Legislative Assistant
                 Sheila Murphy, Minority Staff Director
            John Kilvington, Minority Deputy Staff Director
                       Liz Scranton, Chief Clerk


                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Coburn...............................................     1
    Senator Carper...............................................     3
    Senator Akaka................................................     5
    Senator Collins (ex officio).................................     6

                               WITNESSES
                         Tuesday, July 19, 2005

Donald (Andy) Purdy, Jr., Acting Director, National Cyber 
  security Division, Information Analysis and Infrastructure 
  Protection Directorate, U.S. Department of Homeland Security...     6
David A. Powner, Director, Information Technology Management 
  Issues, U.S. Government Accountability Office..................     8
Paul M. Skare, Product Manager, Siemens Power Transmission and 
  Distribution, Inc., Energy Management and Automation...........    22
Thomas M. Jarrett, Secretary and Chief Information Officer, 
  Department of Technology and Information, State of Delaware....    25

                     Alphabetical List of Witnesses

Jarrett, Thomas S.:
    Testimony....................................................    25
    Prepared statement with attachments..........................   105
Powner, David A.:
    Testimony....................................................     8
    Prepared statement...........................................    46
Purdy, Donald (Andy) Jr.:
    Testimony....................................................     6
    Prepared statement...........................................    35
Skare, Paul M.:
    Testimony....................................................    22
    Prepared statement with attachments..........................    69

                                APPENDIX

Questions and responses for the Record from:
    Mr. Purdy....................................................   120
    Mr. Powner...................................................   153
    Mr. Skare....................................................   158
    Mr. Jarrett..................................................   164


                    SECURING CYBERSPACE: EFFORTS TO
                      PROTECT NATIONAL INFORMATION
                      INFRASTRUCTURES CONTINUE TO
                            FACE CHALLENGES

                              ----------                              


                         TUESDAY, JULY 19, 2005

                                     U.S. Senate,  
            Subcommittee on Federal Financial Management,  
        Government Information, and International Security,
                          of the Committee on Homeland Security and
                                            Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:05 p.m., in 
room 562, Dirksen Senate Office Building, Hon. Tom Coburn, 
Chairman of the Subcommittee, presiding.
    Present: Senators Coburn, Carper, Akaka, and Collins (ex 
officio).

              OPENING STATEMENT OF CHAIRMAN COBURN

    Senator Coburn. The Committee will come to order. This is 
the first of probably many hearings on cyber security within 
the Federal Government and I am going to have a very limited 
opening statement. Being from Oklahoma, we had some significant 
events there while I was a Member of Congress that taught us 
all a huge lesson in terms of terrorism. But there are several 
significant points associated with cyber security in America.
    First of all, the United States does not currently have a 
robust ability to detect a coordinated cyber attack on our 
critical infrastructure, nor does it have a measurable recovery 
and reconstitution plan for key mechanisms of the Internet and 
telecommunications system.
    Second, the Department of Homeland Security has not 
completed the National Infrastructure Protection Plan.
    Third, cyber attacks on control systems can be targeted 
from remote locations around the globe. We know that.
    Fourth, DHS is responsible for protecting the Nation's 
critical infrastructures. However, 85 percent of all the 
critical infrastructures are controlled by the private sector.
    And then, finally, there is a lack of stable leadership at 
the National Cyber Security Division, which has hurt its 
ability to maintain trusted relationships with the private 
sector and has hindered its ability to adequately plan and 
execute activities.
    This is the first of the hearings that we intend to hold to 
look at Internet and informational, as well as cyber security 
within this Subcommittee.
    [The prepared statement of Senator Coburn follows:]

                  PREPARED STATEMENT OF SENATOR COBURN

    On the morning of April 19, 1995, Oklahoma learned firsthand the 
horrific effects of terrorism in the homeland. The prevention of 
terrorism starts with a proactive plan with cogent, measurable goals 
and the development and empowerment of effective moral leaders to 
accomplish these goals.
    In October 2003, Chairman Adam Putnam of the House Subcommittee on 
Technology, Information Policy, Intergovernmental Relations and the 
Census, held a hearing where he clearly identified the problem, saying, 
``The nation's health, wealth, and security rely on these systems, but, 
until recently, computer security for these systems has not been a 
major focus. As a result, these systems on which we rely so heavily are 
undeniably vulnerable to cyber attack or terrorism.'' Those 
vulnerabilities still exist today, only now they are less excusable. 
More importantly, the government's plan to secure our critical 
infrastructures from a cyber threat remains vague and formative despite 
clear legislative and executive mandates.
    Since September 11, 2001, the focus of security in the United 
States has been on physical terrorist attacks. In contrast, the 
government's cyber security efforts have focused on the internet and 
networking and desktop functions we all use every day. Unfortunately, 
operational control systems, which are at the heart of our critical 
infrastructures, do not work like conventional desktop business 
computer systems. The President has spoken to this in Homeland Security 
Presidential Directive #7 (HSPD-7) and the National Strategy to Secure 
Cyberspace, which emphasize that our nation's critical infrastructures 
provide services which are so vital that their incapacity or 
destruction would have a debilitating impact on the defense or economic 
security of the United States.
    Congress has also spoken through The Homeland Security Act of 2002, 
which laid a clear mandate on cyber security at the Department of Homeland 
Security. The Act requires DHS to (1) assess our vulnerability to cyber 
attack, (2) develop a plan to fix it, and (3) implement that plan using 
measurable goals and milestones. In order to implement the plan the 
Department has the admittedly difficult task of engaging and securing 
action from diverse players: state and local governments, other federal 
agencies, and especially key industry actors. Cyber vulnerability is 
primarily in the private sector and the Department must find a way to 
overcome the challenges there. The nature of terrorists is to attack 
private citizens as we recently saw in the horrific attack in the 
United Kingdom. There can be no excuse for not effectively engaging the 
private sector, even though it is hard. We ask no less of our food 
safety, airline security and pharmaceutical industries.
    Nobody wants to micromanage the private sector; however, Americans 
expect DHS to take every reasonable measure to protect us from 
terrorism. I am not convinced that threshold has been met.
    If America is to be safe from the damage of a cyber attack, we will 
need a plan, a budget tied to that plan and Congressional commitment to 
the implementation of the plan. In particular, I hope we can commit to 
the following:

    1.  The completion of the National Infrastructure Protection Plan, 
fully incorporating the cyber component with more than vague 
generalities;
    2.  A way to measure milestones in the NIPP that will be assigned 
to a named department head;
    3.  A budget line item associated with the milestones.

    To that end, I look forward to hearing from our witnesses from GAO, 
DHS, the State of Delaware, and Siemens Power Transmission & 
Distribution, Inc.

    Senator Coburn. At this time, I will yield for an opening 
statement to the----
    Senator Carper. Be careful what you say. [Laughter.]
    Senator Coburn [continuing]. Ranking Member, and my friend, 
the other ``TC'' on the Subcommittee, for his opening 
statement. Senator Carper, thank you for being here.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you, Mr. Chairman. I am happy to be 
here with you and Senator Collins and to welcome our first 
panel of witnesses and look forward to the next panel of 
witnesses, which includes an old friend from--not an old 
friend, but a good friend from Delaware, one of our leaders.
    I would just reflect back. I think some 2 weeks ago now, we 
had the devastating terrorist attacks on the London 
transportation system and it reminded us once again--especially 
those of us who live in the Northeastern corridor of the United 
States--it reminded us once again that terrorists are 
increasingly able to exploit our vulnerabilities and to cause 
an enormous amount of damage, destruction of property and 
taking of human lives.
    Since September 11, the majority of our Homeland Security 
efforts have been aimed to strengthen security of our Nation's 
physical infrastructure. A good example of that is the aviation 
industry. Some of us are hopeful it eventually will focus more 
on rail and transit and subways, too.
    Last week, the Homeland Security and Governmental Affairs 
Committee held under Senator Collins's leadership--I think it 
might have been in this room--held a hearing on protecting 
chemical facilities within the United States. The hearing 
highlighted the necessary precautionary measures that should be 
taken to protect a chemical facility from a terrorist attack.
    The importance of cyber security is oftentimes overlooked 
in discussions involving homeland security. Cyber security, 
though, plays an important role in the protection of our 
critical infrastructures. Computers and networks provide an 
increasing convenience and effectiveness for the everyday 
operation of critical infrastructures. In fact, on a critical 
infrastructure such as a railroad, combined with a cyber attack 
on the computer system of a major electric utility, it can have 
an enormous impact on the emergency response capabilities that 
are needed in times of disaster.
    It is the Committee's job, this Committee, and I think 
specifically this Subcommittee, it is our job to ensure that we 
are taking the steps that are needed to minimize the chance and 
to minimize the consequences of such an attack if it occurs.
    Again, I mention, Mr. Chairman, we have one of my friends 
and colleagues from Delaware, Tom Jarrett, not a ``TC'' but a 
``TJ,'' who is our Chief of Information. He works in the 
Governor's cabinet, heads up the Department in our State called 
the Department of Information and Technology and I am just 
delighted to hear from Tom and to see him again.
    Accompanying Secretary Jarrett, I am told, is a woman named 
Elayne Starkey, and I am looking out in the audience. I think 
she is sitting right behind--there she is. Elayne, welcome. 
When you see Tom Jarrett's lips move, hear his voice speak 
later on, you will see Elayne's lips move. When I was 
privileged to be Governor, she just did great work, helping us 
really to bring technology to bear in our law enforcement 
efforts and we will always be grateful for the great work that 
she did.
    We are going to hear from Secretary Jarrett today about a 
Department of Technology Information that is really all too 
familiar with the challenges that are facing cyber security. 
One of Delaware's critical infrastructures is our State 
computer network. It is a large target of over, listen to this, 
3,000 cyber attacks per day, little Delaware. I can't imagine 
what happens in big States like yours, but over 3,000 cyber 
attacks per day. I am not sure why that is. Maybe it is because 
we are the home of incorporation of over half-a-million 
companies, half the New York Stock Exchange, half the Fortune 
500. I am not sure what it is, but that is a lot of attacks.
    Secretary Jarrett implemented a number of cyber security 
initiatives to address the cyber risks associated with our 
State's computer network. Delaware's Department of Technology 
and Information aims to strengthen and provide proper cyber 
security through partnerships with State agencies, multi-state 
forums, and a collaborative with Microsoft Corporation. 
Secretary Jarrett meets on a routine basis with all cyber 
security stakeholders to share cyber threat and vulnerability 
information to better protect our State's network from cyber 
attacks. Delaware's cyber security initiatives are an excellent 
example, we believe, of the processes and partnerships that are 
needed to protect against cyber attacks.
    In May 2005, at the request of Senator Lieberman, our 
colleague, and several Representatives, including Chris Cox, 
Representative Davis, Representative Thornberry, Lofton, the 
Government Accountability Office released a report that was 
titled, ``The Department of Homeland Security Faces Challenges 
in Fulfilling Cyber Security Responsibilities.'' That is a 
pretty big title. The report criticized the Department of 
Homeland Security's efforts thus far in fulfilling its cyber 
security responsibilities that are established for in law and 
policy.
    To fulfill the Department's cyber security 
responsibilities, such as assessing national cyber threats and 
vulnerabilities, the Government Accountability Office 
recommends that the Department of Homeland Security improve 
organizational stability and foster better partnerships with 
the private security, much as we have done in Delaware.
    As demonstrated by Delaware's Department of Technology 
Information, partnerships provide education, the technical 
expertise, and information sharing outlet that is needed to 
effectively secure cyber assets. Proper information sharing 
between the Federal Government and the private sector is 
instrumental to protecting our Nation's critical infrastructure 
from cyber attack.
    Last week in this room, Secretary Chertoff laid out a 
reorganization plan of the Department that includes a new 
Assistant Secretary for Cyber Security and Telecommunications 
to strengthen information technology management and cyber 
security responsibilities within the Department of Homeland 
Security. As that Department sets forth in strengthening 
national cyber security initiatives and efforts, I ask that the 
Department build cyber security partnerships within the private 
sector and provide a road map of priorities and milestones of 
cyber security responsibilities and initiatives, much as we 
have done in our State and perhaps in your States, as well.
    I really do look forward to this hearing and the testimony 
from all of our witnesses concerning the challenges that we 
face along these lines and the Federal Government's role, our 
role, in protecting our Nation's critical infrastructures from 
a cyber attack. I hope that the discussion that occurs here 
today and following this hearing will lead us to real solutions 
to the challenges that we face within the Federal Government 
with respect to cyber security.
    Mr. Chairman, I thank you, and to our witnesses, welcome. 
We look forward to hearing from you. Thanks.
    Senator Coburn. Senator Akaka, I understand that you have a 
hearing that you need to chair at 2:25. The Chairman has 
graciously allowed you to go ahead of her, if you would care to 
make your opening statement.

               OPENING STATEMENT OF SENATOR AKAKA

    Senator Akaka. Thank you very much, Chairman Coburn. Thank 
you for permitting me to do it now, and thank you, Chairman 
Collins, for letting me do this.
    Chairman Coburn, I want to compliment you on holding 
today's hearing on cyberspace. I know we both are also 
interested in agroterrorism, so these are up and coming issues, 
and I thank you so much for giving me this time.
    Computers and computer networks reside at the heart of the 
systems upon which the American people rely on a daily 
basis. As our witnesses know, many of these systems are far too 
vulnerable to cyber attack, which would inhibit their function, 
corrupt important data, and expose private information.
    The Internet is the backbone of the U.S. economy and our 
Nation's critical infrastructures. It is the electronic roadway 
of commerce, industry, and defense. Databases stored on 
computer networks, in particular, have been an attractive 
target for criminal hackers who have breached the networks of 
several well-known companies and have stolen the personal data 
of millions of Americans. A successful attack on the computer 
systems that support our critical infrastructures would 
threaten our national security, public health, and, of course, 
our way of life.
    The former head of the National Infrastructure Protection 
Center, Ron Dick, once said, ``The thing that keeps me awake at 
night is the thought of a physical attack on the U.S. 
infrastructure combined with a cyber attack which disrupts the 
ability of the first responders to access 911 systems.'' This 
is not an exaggerated fear, as our own military realizes the 
power of cyber warfare in destroying an enemy's command and 
control.
    The Department of Homeland Security is responsible for 
protecting the key resources and critical infrastructures in 
the United States. In carrying out this role, DHS has a number 
of responsibilities established by law and Presidential 
directive. We are here today to discuss these DHS issues and 
how DHS is fulfilling those responsibilities and the specific 
challenges that the Department faces as it moves forward.
    One area that is of particular concern to me is the failure 
by DHS to complete a comprehensive cyber threat and 
vulnerability assessment. This threat assessment should be the 
foundation for the Department's risk-based approach to mission 
and priorities. A comprehensive threat assessment is needed in 
order to be certain that we are adequately protected and to 
ensure that precious Federal dollars are well spent.
    I want to thank you, Mr. Chairman, for having this hearing 
today and thank you for the time and wish you well. We look 
forward to our witnesses' testimony. Thank you.
    Senator Coburn. Thank you, Senator Akaka.
    Now, I am pleased to recognize the Chairman of the full 
Committee, Susan Collins from Maine. Thank you, Senator.

             OPENING STATEMENT OF CHAIRMAN COLLINS

    Chairman Collins. Thank you very much. Let me begin by 
thanking you, Mr. Chairman, for convening this hearing today 
and shining a spotlight on a critical infrastructure issue.
    And your timing could not be better. Just last week, 
Secretary Chertoff testified before the full Committee 
regarding his Second Stage Review recommendations for the 
Department of Homeland Security. As Senator Carper has 
mentioned, Secretary Chertoff proposes to create a new 
Assistant Secretary for Cyber Security and Telecommunications, 
a position that has long been needed.
    Clearly, Secretary Chertoff has acknowledged that cyber 
security is an issue worthy of much more attention and 
resources from within the Department. This hearing will provide 
an opportunity to explore some of the challenges that the new 
Assistant Secretary will face.
    Computers and information systems are key components that 
support the operations of critical infrastructure in our 
country, whether it is chemical facilities or oil refineries, 
dams, power systems, telecommunications, or mass transit 
systems. Increasing computer interconnectivity has improved the 
quality of daily life for Americans, but unfortunately, this 
interconnectivity has also created a weakness that can be 
exploited by our enemies in this post-September 11 world.
    I am pleased that the Department is placing more emphasis 
on this vital component of our Nation's critical infrastructure 
sectors and I look forward to working with you, Mr. Chairman, 
as well as the Department to strengthen our protections and 
defenses in this area.
    Senator Coburn. Thank you, Madam Chairman.
    Our first panel consists of two witnesses, Andy Purdy, 
Acting Director, National Cyber Security Division of the 
Department of Homeland Security, and David Powner, Director of 
IT Management at GAO.
    Mr. Purdy, your complete statement will be made a part of 
the record. If you would limit your comments to 5 minutes, I 
would appreciate it. Thank you.

  TESTIMONY OF DONALD (ANDY) PURDY, JR.,\1\ ACTING DIRECTOR, 
  NATIONAL CYBER SECURITY DIVISION, INFORMATION ANALYSIS AND 
   INFRASTRUCTURE PROTECTION DIRECTORATE, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Purdy. Thank you. Good afternoon, Chairman Coburn and 
Madam Chairman Collins. My name is Andy Purdy. I am the Acting 
Director of the National Cyber Security Division (NCSD) within 
the Department of Homeland Security. I am delighted to appear 
before you today on behalf of my colleagues to share with you 
the work of NCSD and those with whom we are partnering.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Purdy appears in the Appendix on 
page 35.
---------------------------------------------------------------------------
    In today's world, we recognize that attacks against us may 
manifest in many forms, including physical and cyber. We 
recognize the potential impact of collateral damage from any 
one attack to a variety of assets. As such, our Directorate 
takes a holistic view of critical infrastructure 
vulnerabilities and works to protect America from all threats 
by ensuring the integration of physical and cyber approaches.
    NCSD was created in June 2003 to serve as a national focal 
point for cyber security and to coordinate the implementation 
of the national strategy to secure cyberspace. Our mission is 
to work collaboratively with public, private, and international 
entities to secure cyberspace and America's cyber assets.
    To meet that mission, we have developed a set of goals with 
specific objectives for each goal and milestones, and we have 
identified two overarching priorities. One, to build a national 
cyberspace response system. Two, to implement a cyber risk 
management program for critical infrastructure protection. 
Focusing on these two priorities establishes the framework for 
securing cyberspace today and a foundation for addressing cyber 
security for the future.
    A core component of our effort to establish a national 
cyberspace response system is the US-CERT Operations Center, a 
partnership between DHS and the public and private sectors. US-
CERT provides a national coordination center that links public 
and private response capabilities to facilitate information 
sharing across all infrastructure sectors and to help protect 
and maintain the continuity of our Nation's cyber 
infrastructure.
    To assist Federal agencies in protecting their cyber 
infrastructure, we have established the Government Forum of 
Incident Response and Security Teams to facilitate interagency 
information sharing and cooperation across Federal agencies for 
readiness and response efforts.
    A key component of our response system is the Cyber Annex, 
which we created as part of the recently issued National 
Response Plan, that provides a framework for responding to 
cyber incidents. To provide a Federal approach to coordinated 
cyber incident response, we worked with the Departments of 
Defense and Justice to form the National 
Cyber Response Coordination Group, later formalized by the 
Cyber Annex as the principal Federal interagency mechanism to 
coordinate preparation for and response to cyber incidents of 
national significance.
    Under our second priority, we are engaged in a risk 
management program to assess threats and reduce the risk to our 
critical infrastructure. For the cyber component of the 
National Infrastructure Protection Plan, DHS is the sector 
specific agency, with our Division as the lead for the 
information technology sector, and we are working with the IT 
ISAC and the newly formed Information Technology Sector 
Coordinating Council to identify critical assets, assess 
vulnerabilities, and determine protective measures.
    In addition, we are attempting to ensure that cyber is 
comprehensive throughout this national plan by providing 
guidance to the other critical infrastructure sectors in 
analyzing, identifying, and assessing and protecting their 
cyber assets and the cyber component of their physical assets. 
Within this framework, we are pursuing other priority 
vulnerability reduction efforts: the Internet Disruption Working 
Group, our Control Systems Security Program, and our Software 
Assurance Program.
    We believe the recent GAO report on critical infrastructure 
has provided a fair assessment of the progress to date and we 
agree that while considerable work has been done, much work 
remains to meet the challenges in this rapidly changing area. 
With the proposed appointment of a new Assistant Secretary for 
Cyber and Telecommunications Security, we are confident that we 
will accelerate our cyber security efforts.
    Secretary Chertoff's recent release of the findings from 
his second stage review of the entire Department illustrates 
DHS's commitment to addressing leadership and organizational 
concerns that also have been raised by GAO. We are committed to 
achieving success in meeting our goals and objectives, but we 
cannot do it alone. We will continue to meet with industry 
representatives, our government counterparts at the State and 
Federal level, and academia to formulate the partnerships and 
leverage the efforts of all, including the private sector, so 
that we as a Nation are more secure in cyberspace.
    Again, thank you for the opportunity to testify before you 
today and I would be glad to answer any of your questions.
    Senator Coburn. Thank you very much, Mr. Purdy. Mr. Powner.

    TESTIMONY OF DAVID A. POWNER,\1\ DIRECTOR, INFORMATION 
 TECHNOLOGY MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Mr. Powner. Dr. Coburn, Chairman Collins, and Ranking 
Member Carper, we appreciate the opportunity to testify on the 
Department of Homeland Security's efforts associated with 
securing our Nation's infrastructures from cyber security 
threats.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Powner appears in the Appendix on 
page 46.
---------------------------------------------------------------------------
    Recent attacks and threats have underscored the need to 
effectively manage and bolster the cyber security of our 
Nation's critical infrastructures. For example, criminal 
groups, foreign intelligence services, and terrorists are 
threats to our Nation's computers and networks. Regarding 
recent attacks in March of this year, hackers gained access to 
the electric industry's control systems.
    To address these threats, Federal law and policy calls for 
critical infrastructure protection activities and establishes 
DHS as our Nation's focal point. It also designates other 
agencies to coordinate with key sectors, including energy, 
banking and finance, transportation, and telecommunications.
    This afternoon, I will summarize four points, as requested. 
First, DHS has many responsibilities called for in law and 
policy. Second, although progress has been made in each area, 
much work remains ahead. Third, DHS faces many challenges in 
fulfilling these responsibilities. And fourth, several 
recommendations remain outstanding that, if effectively 
prioritized and addressed, could greatly improve our Nation's 
cyber security posture.
    Expanding on each of these, first, we recently reported 
that based on Federal law and policy, DHS has 13 key cyber 
security responsibilities that include developing a national 
plan, enhancing public and private information sharing of cyber 
threats, vulnerabilities, and attacks, conducting a National 
Threat Assessment, facilitating vulnerability assessments, and 
coordinating incident response and recovery efforts if, in 
fact, an attack occurs. Although DHS has initiated efforts that 
begin to address each of these 13 responsibilities, the extent 
of progress varies and more work remains on each.
    For example, its Computer Emergency Response Team, referred 
to as the US-CERT, issues warnings on vulnerabilities and 
coordinates responses to cyber attacks. However, our Nation 
still lacks a National Threat Assessment, sector vulnerability 
assessments, a mature analysis and warning capability, and key 
recovery plans, including plans for recovering the Internet.
    DHS faces many challenges in building its credibility as a 
stable, authoritative, and capable organization that can 
fulfill its cyber critical infrastructure responsibilities. 
These include achieving organizational stability and authority. 
Over the past year, multiple DHS cyber security executives have 
left the Department. Establishing the Assistant Secretary for 
Cyber may help. However, leveraging this new authority and 
recruiting top talent to fill it remains a challenge.
    Another challenge is establishing effective partnerships 
and information sharing arrangements with other government 
entities and the private sector. During our most recent review, 
representatives from the banking and finance sector told us 
that the level of trust is not sufficient to have productive 
information sharing.
    In addition, DHS needs to demonstrate value, meaning that 
it needs to provide useful and timely information on such items 
as threats and analytical products to key stakeholders.
    Over the last several years, we have made a series of 
recommendations to enhance the cyber security of critical 
infrastructure that demand immediate attention, including 
conducting important threat and vulnerability assessments, 
developing a strategic analysis and warning capability to 
identify potential attacks, developing a strategy to protect 
infrastructure control systems, and developing recovery plans 
to respond to attacks. We also recommended that DHS prioritize 
its critical activities and closely monitor progress with 
appropriate performance measures.
    In summary, Mr. Chairman, DHS has made progress in 
planning, in coordinating efforts to enhance cyber security, 
but much more needs to be done, including conducting threat and 
vulnerability assessments, bolstering our cyber analytical 
capabilities, aggressively pursuing threat and vulnerability 
reduction efforts, and developing recovery plans.
    Our testimony today lays out a comprehensive road map for 
what remains to be accomplished in each area. Until DHS 
addresses its many challenges and more fully completes critical 
activities, it cannot function as the cyber security focal 
point intended in Federal law and policy, resulting in 
increased risk that large portions of our national 
infrastructure are unprepared to effectively manage cyber 
security attacks.
    This concludes my statement. I would be pleased to respond 
to any questions you have at this time.
    Senator Coburn. Thank you, Mr. Powner.
    I have numerous questions. I will not ask them all at the 
hearing, but I would like for each of you to agree to answer in 
written form the questions that we will submit for the record 
and do that on a fairly timely basis, if you would not mind. 
That will spare you some time.
    Mr. Purdy, when is it anticipated that the National 
Infrastructure Protection Plan will be completed?
    Mr. Purdy. Well, Acting Under Secretary Robert Stefan has 
told the Hill that he expects to have a version of the plan in 
pretty good order by the end of the summer, so we don't have a 
precise date on that.
    Senator Coburn. Will the reorganization, the stage two 
review, move that later?
    Mr. Purdy. Oh, I don't expect so. No, sir.
    Senator Coburn. If you don't care to comment on this, it is 
fine, but will this protection plan be beefed up with 
milestones that are linked to the budget line items and the 
department heads that are carrying that out?
    Mr. Purdy. I am not sure that the plan that is in existence 
at the end of the summer will have that, but that is 
anticipated to be part of the plan as it rolls forward, 
including the specific sector plans that have to be developed 
in partnership between the government and the private sector, 
yes.
    Senator Coburn. It seems that some industry sectors are 
more mature with regards to securing their cyber assets than 
others. I think that is a true statement. That is probably true 
throughout the residential cyber areas, as well. It seems that 
the title of the new Assistant Secretary for Cyber Security and 
Telecommunications would indicate that some critical 
infrastructures have more security needs than others, like the 
electric, chemical, telecommunication industries. Which sectors 
are more technologically mature and could be used as examples 
for sectors that are less mature when building guidance with 
which to self-regulate?
    Mr. Purdy. Well, until we do a complete assessment by 
sector, it is difficult to give a quantitative approach to 
that. I certainly believe that the telecommunications and 
finance sectors are among the most robust.
    Senator Coburn. We did have the penetration of some of the 
power companies' data. It kind of scares you when ``24'' is 
doing this ahead of the cyber crooks. As this NIPP plan comes 
up, one of the questions I think a lot of people are wondering, 
why is it taking so long to do that? Why is it taking so long 
to have a National Infrastructure Protection Plan?
    Mr. Purdy. Well, I think it is a very difficult task. But 
on some of the specific items you mentioned, we have 
accelerated the prioritization of three major areas that we 
believe, although part of the National Infrastructure 
Protection Plan framework, deserve accelerated efforts. Those 
are our Internet Disruption Working Group that we co-chair with 
National Communication Systems, and Department of Treasury and 
others are members of that. So that is a high-priority effort, 
to identify the assets, the interdependencies, the protective 
measures, the response and the recovery, building on the ESF-
II, which as you know has evolved from telecommunications to 
communications generally. So that piece of it is fairly robust 
and that group will work to accelerate that and respond to some 
of the specific areas in the GAO report.
    In addition, our control systems effort is a very robust 
effort that we brought over from our Protective Security 
Division in May 2004. We had the strategic plan. We had our 
goals. We have a tremendous partnership with the Department of 
Energy, with the Idaho National Lab and other labs.
    And finally, our Software Assurance Program is also very 
robust, building on a key partnership with the Department of 
Defense, co-founding the National Infrastructure--the NIAP 
review in terms of the acquisition piece.
    So we think those three priority efforts are not being held 
up by any time frame of the National Infrastructure Protection 
Plan and we believe those are the priorities, and so they are 
very important to us.
    Senator Coburn. So your testimony is, sometime after the 
first of the year, we ought to have this plan intact, the NIPP 
plan?
    Mr. Purdy. Actually, if I said that, I didn't mean to say 
that.
    Senator Coburn. You said, by the end of this summer, we are 
going to have the structure of it, is that right?
    Mr. Purdy. We are going to have a plan that is in pretty 
good shape. It is not going to be the final draft of it, yes.
    Senator Coburn. But sometime after the first of the year, 
we should be able to expect that moving forward? I know you are 
implementing sections of that even before you have the NIPP 
plan, but for cyber security, where are we within that?
    Mr. Purdy. Well, cyber security, we are moving forward in 
the work with the emerging Sector Coordinating Council, as you 
know, the private sector group, and the Government Coordinating 
Council. In fact, I think the organizations of one of your 
witnesses, NASCIO is a member of the Government Coordinating 
Council of the IT sector. And so we are working to build the 
framework for the sector-specific plan and the cyber guidance 
that will go to all the critical infrastructures. So that is 
moving ahead, and I certainly expect that the cyber piece will 
be ready well before the first of the year.
    Senator Coburn. Now, you have an Internet Disruption 
Working Group.
    Mr. Purdy. Yes.
    Senator Coburn. Would you mind providing the Subcommittee a 
list of the achievements of that group, where you started and 
where you are now? One of the things that Mr. Powner said that 
really bothers me is that some of the limitation is because 
there is a lack of a level of trust. Those were his words just 
a moment ago. Do you perceive that is real? Is it founded on 
real actions? In other words, do they perceive a threatened 
loss of some technologic advance or proprietary information by 
working with you as we try to do this?
    Mr. Purdy. Well, I think we are moving ahead very 
successfully in trying to facilitate information sharing with 
the private sector. As you may know, our secure portal, our US-
CERT portal that involves approximately 200,000 government and 
private sector folks, we are working to integrate into the 
Homeland Security Information Network. In addition, we are very 
excited by our partnership with the IT ISAC and the eight other 
ISACs that supply them cyber information so that we can 
incorporate that flow among those nine ISACs with the 
government into the HSIN structure.
    In addition, the private sector is standing up an 
information sharing group and we will be sending some members 
to it to try to facilitate the exchange of value and 
incorporation of private sector input into the articulation of 
a threat. So the information can be shared among groups and 
move out in a way that efficiently gets to folks in a timely 
fashion. So we think that is very substantial progress.
    In addition, we are reaching out to the private sector to 
convene some meetings that will be in the early fall to bring 
in the incident response teams from major private sector 
entities from across the country to engage in training and 
moving forward to really target the information sharing, 
building on the existing information sharing of US-CERT and the 
efforts in information sharing from the ISACs that I just 
mentioned.
    Senator Coburn. Are those web portals that you mentioned 
100 percent secure?
    Mr. Purdy. Well, we believe they are secure. I am not sure 
that there is a standard in current technology to say that 
something is 100 percent secure.
    Senator Carper. I want to back up if we could just a little 
bit and take a somewhat different approach. I don't care who 
leads off, but talk to us about the nature of the threat that 
we face. Talk to us about where the threat is coming from. Talk 
with us about whether the threat is rising, and if so, in what 
respect.
    And you have touched on this a little bit, Mr. Purdy, but I 
mentioned in my remarks about our folks that were here from 
Delaware who will testify shortly, how we partner with the 
private sector, and I just want to hear your thoughts about 
those kinds of partnerships.
    Mr. Purdy. The cyber assessment of threat was completed in 
the form of the National Intelligence Estimate for Cyber that 
we partnered with the intelligence and the law enforcement 
community on. Subsequent to that--and there are classified and 
unclassified versions of the NIE for cyber--subsequent to that, 
we have worked through our Information Analysis Division to 
provide intelligence collection requirements to the 
intelligence community for cyber, and those include information 
that would provide indicators of attacks against critical 
infrastructure, including control systems.
    Senator Carper. What kind of control systems are we talking 
about?
    Mr. Purdy. Across the critical infrastructure.
    Senator Carper. Just give me some examples.
    Mr. Purdy. Well, we have them in power, in chemical, in 
water. There are some in telecommunications. There are some in 
the finance industry. Most of the critical infrastructure 
sectors, pipelines, have control systems, and that is why it is 
one of the major priorities in our effort and in our funding.
    Senator Carper. Is it fair to say that those different 
critical infrastructures are under attack on a daily basis, 
weekly basis, monthly basis, or some never under attack?
    And if so, where are the attacks coming from? What is the 
source of those attacks?
    Mr. Purdy. The National Intelligence Estimate for Cyber 
identified some particular Nation States that are the source of 
particular kinds of attacks. There are attacks that are rampant 
throughout cyberspace. Within minutes, as you probably know, 
when you hook up a new computer, you can see different levels 
of attack. Obviously, we are more focused, particularly focused 
on attacks against major critical infrastructure, attacks, 
whether successful or otherwise, targeted against control 
systems, for example, and that is a major effort for us.
    Working with the Process Control System Forum, hundreds of 
private sector owners and operators that we are partnering with 
with DOE to try to make sure we build access to the information 
and provide protective guidance, such as we issued last week, 
Control Systems Information Bulletin for guidance to the 
control systems owners and operators to help raise the bar in 
terms of those efforts.
    A lot of the activity, the malicious activity in cyberspace 
right now, as you know, is targeted toward financial gain. The 
use and exploitation of vulnerabilities, the use of trojans and 
worms, there was an ABC news report last night on the use of 
keystroke loggers, the malicious code put on people's computers 
that log the personal identifying information, much of which is 
related to phishing and spam and identity theft. It is a major 
problem to our e-commerce in general, our financial community 
in particular, even though I think they are one of the most 
robust sectors in terms of financial security.
    And so we are working with Treasury. We met with the FBIC, 
that is the governmental group, 2 weeks ago to try to 
accelerate the information sharing in the financial sector, and 
we are also monitoring the black market in those malicious 
tools, because there is a black market in those tools.
    We are concerned and trying to help raise the bar because 
of the potential ability to use those vulnerabilities, to use 
those exploits to launch targeted, sophisticated attacks 
against our critical infrastructure, and that is why one of the 
priorities that I reference in my written testimony is trying 
to engage more effectively with the private sector on the 
priority areas that we need to focus on, and the one that we 
are suggesting to them is the identification of the major cyber 
attack scenarios, the serious cyber attack scenarios that we 
need to identify so we can mitigate, prevent, we can have our 
responses, in some cases automate it, and we can have the 
reconstitution in place to bring the systems back up and 
running.
    Senator Carper. Give us an example, if you will, of what 
you called a serious attack scenario.
    Mr. Purdy. Well, we would consider an effort that appears 
to be attempting to access the control mechanism of a control 
system, say in a waste treatment plant. We would consider that 
a serious attack because of the ability to change either the 
manipulation of the activity that it is manipulating and/or the 
monitoring that could be used to hide if there was a change or 
a problem. It might affect the sensors' ability to check that 
out.
    More serious situations that you see referenced in last 
Friday's alert about e-mail trojans that we put out is the 
exfiltration of data. We are very concerned about--which is 
basically stealing data from government and the private sector. 
We believe that is a very significant issue that we are 
addressing.
    You asked a question in terms of some of the activities 
with the private sector. We are working closely, as I said, 
with the Process Control Systems Forum. We have had discussions 
with Siemens, one of the companies that will be testifying 
later, on some activities in the control systems area and 
trying to use some of the test beds where we can test the real 
world activities and capabilities that folks are using and test 
them in terms of their vulnerability to cyber attack and what 
kind of measures can be used to help protect them.
    So that kind of real world activity--and frankly, some of 
the activities are not very visible. One of the key things 
about being a focal point for cyber security is we get 
classified information, we get law enforcement sensitive 
information, we get information from the CERT community and 
from others, and what we try to do is provide real protective 
measures.
    So, for example, there was an attack not too long ago 
against a private provider that affected a Federal Government 
customer, and so what we did, when we understood the----
    Senator Carper. Say that again. There was an attack from----
    Mr. Purdy. There was an attack against a private sector 
provider and there was a government account on that system, so 
we took that information and identified, working with the 
company, working with law enforcement, identified what we 
thought was the zone of danger in that situation in terms of 
the other Federal entities that had access to the same servers 
in separate accounts. So we had a conference call with about 15 
Federal agencies that had not been attacked yet, but to make 
sure they knew and had specific information they needed so that 
they could act on it.
    Then we issued what is called a Federal Information Notice. 
That goes to 1,400 Federal agencies. A little less sensitive 
information, but still, evidence that nonetheless could be used 
by folks to protect themselves. And finally, a general alert 
that goes more broadly so that folks could know what to do to 
secure their systems.
    But we don't publicize those kinds of activities. Now, when 
there is, for example, an attack against a major State that we 
had to fly a team in to help, we don't publicize that 
information. We work with law enforcement, the intelligence 
community to try to bring value, and I share the point from my 
colleague from GAO that we want to provide value, and as part 
of this information effort, trying to figure out how to get the 
value to the private sector and our government partners and our 
State partners in a way that really is important is something 
that is very important to us and it builds that trust that you 
need for people to share, that if you don't go to the press and 
if you don't publicize these things and you provide real value, 
that kind of synergy is going to help us all.
    Senator Carper. Thanks very much.
    Senator Coburn. Just a couple other questions. Part of your 
statement was a major priority funding on control systems. Can 
you elaborate on that for me?
    Mr. Purdy. Yes. Our budget for fiscal year 2005 is in the 
high $70s of millions. The control systems funding is $11 
million in 2005. The President's budget, which calls for 
approximately $88 million for us in 2006, includes between $15 
and $16 million for control systems. So it is a major effort 
for us.
    Senator Coburn. One other question. Did your Department 
send a representative to the DOE road mapping exercise?
    Mr. Purdy. I don't know offhand.
    Senator Coburn. You have got some staff shaking their heads 
yes. Did DOE send a representative to DHS's framework meeting 
in Salt Lake City today? I get ``yes,'' too. All right. Thank 
you.
    One of the things that----
    Senator Carper. Mr. Chairman, how do we know that just 
wasn't members of the audience shaking their heads? [Laughter.]
    Mr. Purdy. Yes. I am told that the answer to those 
questions was yes. I do know that NASCIO, for example, has 
participated in some of our meetings, building for our national 
cyber exercise, Cyber Storm, in November, and that kind of 
outreach is obviously fundamental to the success of these 
efforts.
    Senator Coburn. One other question for you and then a 
couple more for Mr. Powner. GAO has pointed out that DHS's 
efforts to promote a trusted two-way communication information 
sharing have been found lacking by the private sector and some 
other Federal agencies. In fact, your testimony reflects that 
the National Cyber Security Division's second priority is cyber 
risk management, or assessing the threat and reducing the risk. 
However, you state, with regard to assessing the risk, NCSD 
collaborates with law enforcement intelligence communities in a 
number of ways.
    My concern is, is your role law enforcement or is it cyber 
security and prevention, and with a prevention plan? Which is 
it? Which hat do you all wear?
    Mr. Purdy. We are about the business of critical 
infrastructure protection, and what we have found in our 
discussions with the major executive agencies, law enforcement 
agencies, is when there is law enforcement information about an 
attack, for example, against the control systems, my 
discussions, for example, with the Assistant Director of the 
FBI for Cyber was, if you get information in the field about 
something which is obviously a crime, when there is a 
successful penetration of a control system or even a targeted 
attack against a control system, we would appreciate it very 
much if we would get that information so that we can work the 
critical infrastructure protection so we can understand what is 
involved, what is the vulnerability being exploited, so we can 
share the information, not referring to it in its law 
enforcement sensitive way, but we can give guidance out.
    In addition, we have had situations where law enforcement 
finds out that there is an attack. We get information about, 
for example, the source IP addresses of the apparent source of 
the attack. We work with the intelligence community to have 
them work the international piece to see if they can trace it 
back to see what is involved. So it really is critical 
infrastructure protection, but we have to share that 
information with law enforcement intelligence and the CERTs to 
make sure we can all do our jobs better.
    Senator Coburn. But do you then share that with the private 
sector so that they can enable themselves?
    Mr. Purdy. And that is what I am saying that we do in terms 
of the information bulletins and the alerts that we send out. 
And as we build our portal into the Homeland Security 
Information Network, we are going to be able to improve our 
real-time information sharing, and the best example of that is 
bringing those nine ISACs in that our information will go into 
that mix and theirs, as well, and we will share that much more 
quickly.
    Senator Coburn. Mr. Powner, just share with us your view of 
how serious the threat is to us in terms of our cyber security.
    Mr. Powner. Well, years ago, if you looked at the situation 
here, we were more focused on hackers who were attempting to 
break into systems for the sheer challenge or for bragging 
rights. I agree with Mr. Purdy's analysis. We have organized 
crime groups that are focused on monetary gains from using 
cyber tools. We have foreign intelligence services that are 
using cyber tools for espionage activities. I think the real 
question out there is where are the terrorist cells in terms of 
their cyber capabilities. If these folks have the capabilities 
that we are aware of right now, where are the terrorists?
    I think Senator Akaka put it nicely when he mentioned some 
of the FBI's concerns, which date back many years, looking at 
what is referred to as swarming attacks, combined attacks where 
it is not just a cyber attack, but if you have a physical 
attack where you disrupt the response capabilities via some of 
the cyber tools, you could then have a very serious situation 
at hand. So it is real and that threat is growing.
    Senator Coburn. Your report was fairly critical of the 
efforts that are ongoing, and DHS in the response letter to you 
all states that it has a strategic plan with milestones and 
performance measures. Where are they insufficient and why are 
they insufficient?
    Mr. Powner. There is a strategic plan. There is the 
National Infrastructure Protection Plan. Some of those plans 
lack milestones. Some of those plans lack key activities. We 
made recommendations in areas where we saw some weaknesses in 
their plans. You look at the National Cyber Threat Assessment, 
vulnerability assessments by sector, and also response plans, 
not only response plans for the individual sectors, but also 
when you start looking at combined plans where we have multiple 
sectors that play in a certain arena.
    Probably the best example is if you look at the Internet. 
If we had a major disruption in the Internet today, the 
question is, who is in charge of leading that effort to 
reconstitute the Internet?
    Senator Coburn. Who is?
    Mr. Purdy. Multiple players, I think, is the answer today. 
NCSD would play a role. The National Communication System----
    Senator Coburn. Let me ask Mr. Purdy that. Who is 
responsible for putting it back together?
    Mr. Purdy. Well, the Secretary of DHS is the incident 
manager for all incidents in the country. The National Cyber 
Response Coordination Group that we co-chair helps provide 
input to the Secretary and provides input to the Interagency 
Incident Management Group. With NCS, National Communication 
System, as part of that effort, we would coordinate the efforts 
across the Federal Government for reconstitution in partnership 
with the private sector.
    Senator Coburn. Two last questions for Mr. Powner. DHS is 
going to move from $11 to $18 million, I believe that was Mr. 
Purdy's testimony, in 2006, on cyber security.
    Mr. Purdy. Eleven to between $15 and $16 million.
    Senator Coburn. Eleven to $15 and $16 million out of $70 to 
$88 million. Is there a problem with priority or is there a 
problem with funding, in your assessment, as you look at what 
is going on?
    Mr. Powner. Clearly, there is an issue with priority and 
there is also an issue with delivery on the budget that is 
currently allocated. As we pointed out in several areas in our 
report, there is a situation here where we need to take 
additional steps--there have been steps in each of the areas 
that we looked at but there needs to be further steps.
    One good example is the National Threat Assessment. In 
working with the other intelligence organizations, if you look 
at the FBI Cyber Crime Division and other organizations across 
the Federal Government, there is a lot of information out there 
that exists today on the situation associated with the national 
threat. If we put out, as one example, a National Threat 
Assessment that the Department agreed to update annually and to 
provide information on an as-needed basis throughout the area, 
I think that would go a long ways into building credibility and 
adding value, where the private sector would clearly view them 
as a partner in this.
    So I think when you look at the current budget, and I think 
folks up on the Hill--we have had many discussions with them--
would like to see more value coming out of the budgets that are 
currently allocated today.
    Senator Coburn. So this threat assessment would be one way 
to engage the private sector. What are other ways that DHS 
could engage the private sector?
    Mr. Powner. One other way, I think if you go back to the 
Internet reconstitution, I think Mr. Purdy talked about or 
mentioned that NCSD would take a leadership role. There are 
many folks in the private sector, when you are looking at 
Internet service providers and telecommunication companies, 
energy companies, they also would play a major role in that, 
and if the NCSD, as one example, put together some initial 
plans, I think the working group that Mr. Purdy mentioned is a 
step in the right direction, but there needs to be further 
progress in putting in place response plans that are 
comprehensive, where the private sector views the Federal 
Government as a partner.
    Senator Coburn. Is there a backup hardware infrastructure 
in place now if, in fact, the Internet--they would successfully 
challenge and shut it down, without reprogramming it and 
everything else, is there a backup infrastructure with which 
that could be reassembled quickly on a short-term basis? Do 
either one of you want to answer that?
    Mr. Purdy. Well, I think ESF-II, the communications plan 
for recovery, is a very robust effort and the 
telecommunications backbone is the foundation for the Internet. 
We have done a lot of modeling work in terms of potential 
disruptions of the Internet and what it would take to carry it 
out for a long period of time. So I think we are in pretty good 
shape on that.
    I do echo the point that in terms of the priorities, we 
want to partner more effectively with the private sector on the 
recovery piece, on the response piece and the information 
sharing and threat piece. We recognize and we support those 
conclusions and we are working hard to do that.
    Senator Coburn. Have you sent a letter to them saying, how 
can we do that? Has DHS gone to the private sector and said, 
how can we partner with you better?
    Mr. Purdy. We had two large meetings with the private 
sector over the last 2 weeks. We had a meeting with the 
representatives of the Sector Coordinating Council yesterday. 
We will be meeting within DHS after July 26 to lay out how we 
are going to move forward to engage. We have had meetings with 
our lawyers to figure out how we can comply with the Federal 
Advisory Committee Act, to have private sector folks actually 
tasked on a working group or a task force.
    So we expect to have some concrete progress in setting up 
those groups, and for each of those groups, identifying 
milestones and metrics, because the metrics piece is the other 
big piece that we are moving forward on with our internal and 
external metrics, and we want the private sector involved with 
us. So it is not just performance, it is cyber security 
preparedness, metrics that folks can follow over time to see 
where we stand, and that is going to help impact the whole 
National Infrastructure Protection Plan cyber piece.
    Senator Coburn. Senator Carper.
    Senator Carper. Just a couple more, if I could. I think I 
will direct these to Mr. Powner, if I may. I am going to read 
you something that was prepared in my briefing papers here.
    Cyber attacks are launched for monetary gain, for 
intelligence information, or for the thrill of a challenge. The 
most commonly used cyber attacks are viruses and worms that are 
transmitted through the networks and systems to disrupt 
computer files and programs.
    Go back to the first part. Cyber attacks are launched for 
monetary gain, for intelligence information, or for the thrill 
of a challenge. In the work that you have done, the study that 
you have--the time you have invested in this, which of those 
three, monetary gain, intelligence information, or the thrill 
of a challenge, seem to predominate?
    Mr. Powner. We don't have specific numbers on that, Ranking 
Member Carper, but I would say that the monetary gain, when you 
look at some of the surveys that are done by some of the 
institutions out there that track this on an annual basis, for 
monetary gain, those numbers continue to grow year to year. The 
hacking community, I think they are always going to attempt to 
hack for the thrill of hacking. The underground community is 
strong and vibrant. But clearly, when you look for monetary 
gain, also if you look at recently with online fraud and 
identity theft, that is also a growing area where there is 
great concern with security vulnerabilities.
    Senator Carper. I don't know if it was a football coach 
from someplace in Oklahoma, Oklahoma State University, OSU, or 
the other OSU, Ohio State University, but one said that----
    Senator Coburn. I happen to be an alum of both.
    Senator Carper. I know. I am an alumnus of Ohio State. 
Somehow, I got on the list from Oregon State University. They 
send me solicitations for money, so I hear from a lot of OSUs.
    But one of them once said that the best defense is a good 
offense. It sounds to me like we play a lot of defense, trying 
to fend off these cyber attacks. Talk to us about the offense 
that we are playing, as well. I will start with you, Mr. 
Powner, and then I will go back over to Mr. Purdy.
    Mr. Powner. Ranking Member Carper, I think if you look at 
our offensive capabilities, it is probably best if we talked 
about that in a closed setting.
    Senator Carper. All right. Should we ask our guests to 
leave? I am just kidding. We won't do it here. Mr. Purdy?
    Mr. Purdy. Let me say the piece of it that I can respond 
to, because the point is well taken, we are attempting, and I 
say in my written testimony, to leverage the capabilities of 
the Federal Government from a cyber defense perspective. That 
is situation awareness. That is the ability to attribute the 
source of attacks, the ability to coordinate and prepare for 
responding to specific attacks and the reconstitution piece. So 
we are mapping those capabilities across the Federal Government 
and we are going to identify of those capabilities what do we 
need to tie into US-CERT?
    And third, when there is a cyber incident of national 
significance, we want to in advance identify the surge 
capacities and resources that we need brought to bear so we 
have the full resources of the Federal Government coordinated 
in partnership with the ISPs and the telecommunications 
providers, as well. And if you have a good defense, you don't 
have to respond to other alternatives. We would prefer to try 
to make ourselves as safe as possible, dealing with the threat 
as was discussed, but we need to reduce the vulnerabilities 
because too often, we are not going to know the specific threat 
information as to who is going to attack us. So we need to 
prioritize the vulnerabilities under the risk management 
framework of the Secretary to help mitigate the risks that we 
face.
    Senator Carper. Sometimes when folks commit crime for 
monetary gain, they do so because they feel that--there is a 
risk-benefit situation here. People are willing to take a risk 
and in return they feel they get a certain potential payoff or 
a benefit from it.
    When it comes to folks that are doing this for monetary 
gain, I don't know how likely it is that they feel they are 
going to get caught, prosecuted, go to jail, be fined. Talk to 
us a little bit about the likelihood that the folks who are 
doing this for monetary gain are going to be punished and 
whether or not the punishment is commensurate with the crime.
    Mr. Purdy. Who are you directing the question to?
    Senator Carper. Either one of you. Let me start with Mr. 
Powner.
    Mr. Powner. Would you repeat that, please?
    Senator Carper. I sure will. What I am trying to find out 
is, somebody is out there. They are going to commit one of 
these crimes, one of these cyber attacks for money, for 
monetary gain, and they are thinking through, does this really 
make sense? Am I going to get something that is worth taking 
the risk to commit this crime? How likely is it that we are 
going to catch them, and if we do, is it fair to say that the 
punishment, the level of punishment, is enough to make them 
think twice about committing the crime?
    Mr. Powner. A couple comments. One is GAO does not have 
specific numbers on that, but a lot of these activities go 
undetected to begin with. So if you start there and say that 
there are a large number of these attacks that we do not 
detect, then I think the chances are high that, in fact, they 
will not get caught because they may not even be detected. 
Consistent with Andy's comments, I think that is why we are 
trying to reduce our vulnerabilities, increase our intrusion 
detection capabilities so that, in fact, we can detect more on 
a going forward basis.
    Senator Carper. Same question. Mr. Purdy, what I am trying 
to get at is sometimes when criminals are contemplating a 
crime, they actually think about, well, what if I get caught? 
If I get caught, what is the likelihood that I will be convicted? 
If I am convicted, do I go to jail or pay a fine? Is it worth 
it? And what I am trying to get at is how likely is it that we 
are going to catch these guys and is the punishment 
commensurate with the crime.
    Mr. Purdy. Well, most of those questions, I would prefer to 
defer to the Department of Justice. They really have the 
responsibility in that area.
    The point that Mr. Powner referenced, though, in terms of 
the seriousness with which we view the criminal activity that 
is occurring in cyberspace and the difficulty of attributing 
the source of some of the largest attacks we have ever seen, 
that is all the more reason why we want to focus on reducing 
the vulnerabilities and working with law enforcement and in the 
R&D space to try to do a better job of figuring out who is 
doing these things to us, because obviously in the dynamic of 
if you don't think you are going to get caught, it doesn't 
matter what the punishment is.
    Senator Carper. The last question I want to ask is to go 
back to Mr. Powner. I think it was the May 2005 report called 
``Department of Homeland Security Faces Challenges in 
Fulfilling Cyber Security Responsibilities.'' GAO identified, I 
think you called it a road map of 13 key responsibilities that 
were established, both in law and in policy. And my question of 
you would be, what priorities--and I think the Chairman 
actually mentioned this before--what priorities, and if you are 
GAO, should the Department focus on first?
    Mr. Powner. First of all, that was our recommendation, that 
you take these 13 areas and that they prioritize. But one thing 
that you could--that could help with the prioritization, I 
think Mr. Purdy has clearly mentioned a number of their 
priorities, priority areas on a going-forward basis with 
building trust relationships and tackling the threat and 
vulnerability reduction. There are certain areas that the 
government, and in particular NCSD, controls more than others.
    So if you compared threat assessment to vulnerability 
assessment, vulnerability assessment, they can facilitate the 
vulnerability assessments, but that really has to be done by 
the infrastructure owners of the private sector, for the most 
part. Threat assessment, they control most of that. So in terms 
of the priorities, there are perhaps some quicker hits with 
areas that the government controls more than the private 
sector. So that could be a factor in their prioritization 
efforts.
    Senator Carper. All right. Gentlemen, thank you.
    Senator Coburn. Thank you very much. Thank you for your 
testimony.
    We will now have panel two. Our first witness will be Paul 
Skare. He is the Product Manager of SCADA, Substation 
Automation Products for Siemens Power Transmission and 
Distribution, Energy and Management Automation Division.
    With us, also, I will let Senator Carper introduce Thomas 
Jarrett.
    Senator Carper. Thank you, Mr. Chairman.
    I am going to ask Mr. Jarrett when he speaks to just take a 
moment and introduce the members of his team that are with us 
here today.
    I would just say, because I already talked a good bit about 
Tom earlier in my opening comments and I appreciate the 
opportunity to introduce him here today. I was fortunate to 
serve as Governor for 8 years and one of our real challenges in 
State Government was to put together at the cabinet level an 
agency that could help us take our information systems really 
into the 21st Century, and we struggled with that. We actually 
had an overall sort of top-to-bottom review of State Government 
in, I want to say, 1993. We looked at our Information Services 
Agency, OIS, and tried to determine how we should change it, 
how we could make it better and to enable us to better serve 
the folks in our State. I am never convinced we got it quite 
right.
    I think one of the very good things that has been done 
under the administration of my successor is, I think they have 
pretty much gotten it right. Part of getting it right is really 
having the right person to lead that effort, and in Tom 
Jarrett, I think we have that person.
    He brings us to today the perspective of one who has worked 
in the private sector in these areas, one who has provided 
great leadership, not just for our State, but I think for 
others who do his work, his job, his counterparts in other 
States across the country, and I am really proud of him and the 
agency and the men and women that he leads.
    I thank you for the chance to say those nice words about 
him.
    Senator Coburn. I am struck by the fact that we lost 75 
percent of the people that are here, and I am just wondering if 
all those worked for GAO and DHS, and if they did, no wonder we 
are not getting where we need to be.
    Senator Carper. They are doing the security for the two 
witnesses.
    Senator Coburn. Thank you both for coming. Mr. Skare, if 
you would.

 TESTIMONY OF PAUL M. SKARE,\1\ PRODUCT MANAGER, SIEMENS POWER 
  TRANSMISSION AND DISTRIBUTION, INC., ENERGY MANAGEMENT AND 
                           AUTOMATION

    Mr. Skare. Good afternoon, Chairman Coburn, Senator Carper. 
I am Paul Skare, the Product Manager at Siemens Power 
Transmission and Distribution. My role is, as we said, managing 
many of the products that we are talking about here. I am also 
involved in many standards groups relating to SCADA, or 
Supervisory Control and Data Acquisition Systems.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Skare with attachments appears in 
the Appendix on page 69.
---------------------------------------------------------------------------
    Siemens is a very large company in this product space and 
we operate in over 190 countries worldwide. In the United 
States, we have over 70,000 employees and we have operations in 
all 50 States.
    In energy management and automation, we provide software 
and technologies for the energy market, and these SCADA systems 
are systems that collect data from all the remote places, the 
substations, the power plants and other expensive pieces of 
power equipment, bring them to a central location, and do 
analysis on this data and turn this data into information so 
that the operators can then make the right, appropriate actions 
to correct problems in the field. Obviously, this is a key 
point for power reliability. Adding more smart applications to 
these SCADA systems allows you to then do even more detailed 
analysis and really look at preventing--proactive approaches to 
preventing blackouts and things.
    My testimony today is focusing on identifying some of the 
potential security vulnerabilities of a SCADA system, some of 
the activities related to this, and some recommendations to 
better protect these systems.
    While our customers primarily use these systems in the 
electric sector, many also use the same basic technology for 
gas, water, and transportation. With some background on this 
information, I have prepared some appendices that can be 
submitted into the public record to help the----
    Senator Coburn. Without objection, they will be. Thank you.
    Mr. Skare. And I would like to say that in the last few 
years, I have seen industry and government working better 
together. What is really noticeable is that a lot of this type 
of discussion has moved away from the art, or the world called 
art into a more firm science approach to the issues, and it 
helps spread awareness and get everyone to speak the same 
language.
    But nonetheless, some of the SCADA vulnerabilities that are 
issues to look at are obviously remote access. Anytime you have 
remote access to make it easier to access these devices 
remotely, it is going to present a vulnerability or the 
potential for a vulnerability.
    Network configurations, the way that you would remotely 
access these things, of course is very important, to make sure 
that they are secured, and any minor misconfiguration can 
create a vulnerability.
    Disgruntled employees, whether they are current employees 
or ex-employees, are a big factor, whether they are mad and 
they go immediately and do something they still have access to, 
or whether they have just been terminated but they still have 
access privileges to the system will allow them to go out and 
do a malicious act.
    The discussion earlier about security holes and patches and 
viruses, worms and so on, is going to be always an issue for 
this industry because of our high reliance on commercial off-
the-shelf technology. Our systems are based on all the standard 
computers that are available on the market.
    Communications should be encrypted. This means if you are 
using a wide-area network approach, you should have a public-
private key infrastructure with encryption and authentication 
to make sure the data is private and can't be hacked into. You 
should also make sure that for a lot of these remote devices 
you are talking to, that you have valid encryption and 
authentication in place for those, as well.
    One of the things that we have talked about in the previous 
testimonies today is incident reporting, really. How do you 
know how bad it is when it is unclear how you measure? What are 
the real incidents? Are you getting a false positive on an 
attack report? Are the companies that use these systems, are 
they reporting actual incidents to anybody? Certainly as a 
SCADA vendor, most of our customers do not want this 
information public. They don't want to tell us, and they would 
prefer not to tell anyone because of the potential harm the 
publicity could bring.
    So some of the challenges for these SCADA systems are making 
sure that all user activity is audited by the individual doing 
the activity, making sure that there are upgrade kits for older 
systems to make them secure without having to replace the whole 
system, making sure all the third-party products involved in 
these systems are also set up for security and the latest patch 
is built into those. Again, making sure that we have the secure 
communications, both over WANs and over slower dial-up-type 
access.
    And finally, making sure that a lot of the low, weak 
devices that you are talking to have the ability to have 
encryption between them so that when you are talking from a 
control center out to an RTU or a remote device that is 
bringing the data in, even if it is a really old one, that you 
can still get a secure communications and not have concerns 
from that regard.
    Some of the recommendations that will help achieve securing 
these systems is making sure that business processes are 
aligned with security in mind. Now, NERC has done a lot to 
create some security policy where it is sent to foster 
requirements for security policies, but not necessarily--with 
the energy bill now, the enforcement becomes a possibility for 
NERC to be able to address these issues. Today, the enforcement 
is only a voluntary enforcement, and so for a utility to have a 
security manager and a security awareness program and making 
sure there are no little yellow sticky notes with user names 
and passwords laying around is an important aspect of security.
    Types of SCADA systems also have some challenges on the 
different types of security because an electric SCADA system 
will be processing information every one or two seconds, 
pulling that information in and doing analysis on it, while 
something on a gas pipeline system might only need to pull that 
data in once every 10 minutes. So a gas pipeline system can 
have a higher level of encryption and still get its data in 
time, but for an electric power system, when you are talking 
about collecting data at perhaps once every second, you can't 
block the access of the data by having so much encryption that 
it slows down the availability of the data.
    So with that regard, one of the recommendations is to 
foster some research into that area so that for these low-
powered devices, that includes some of the wireless devices 
that are out there now, too, because more and more, you are 
seeing sensors connected into the system through a wireless 
connection before they come upstream to the control center, and 
right now, there is a need for research in the security of 
these wireless communications.
    Another recommendation is to have a secure way of reporting 
both the threats and the incidents in these systems. So, for 
example, whether someone has a threat available, it is not 
necessarily accurate that everyone is aware of that threat, and 
also, if a utility is faced with an attack or a security 
incident, there is no mandate that says they have to report 
that to anyone. And if there was a way for these incidents to 
be shared along with the vendors that make these systems, it 
would allow us to more rapidly respond to fixes for these 
incidents.
    Another issue is incentives for the utilities when they 
secure their systems. If there was an approach that would 
ensure that the culture at these utilities had the mindset of 
securing their systems in a way to help their cost recovery on 
those through either tax incentives or some such mechanism, 
would be helpful, I think, for the electric utilities.
    Federal and State cooperation, it is not just the people we 
have talked about today, but each State Public Utility 
Commission is also involved in the operation of these electric 
utilities and the cooperation and perhaps public outreach in 
these areas with the Public Utility Commissions would be of 
benefit.
    And then there are also non-jurisdictional utilities that 
could usefully be brought into the fold with the security 
discussion.
    Another recommendation is Department of Homeland Security 
and Department of Energy have some similar programs and it 
would be useful, I think, to have them perhaps a little more 
coordinated or merged together.
    We heard earlier today about the Control System Security 
and Test Center, and there is also the National SCADA Testbed, 
both out at Idaho National Laboratory. And while Siemens has a 
system out there, I think that it would be useful to have these 
programs combined and have a longer-term funding approach for 
them so that you can see that as these vendor systems get out 
there and the vendors produce fixes and patches for them, that 
over time, you can verify that these systems are really getting 
secured. But this is not a one-year type of approach. This is a 
multi-year activity.
    The other thing that would be useful is if the different 
national laboratories were a little bit more in sync and didn't 
appear to be competing. For example, Idaho National Lab, Sandia 
National Lab, Pacific Northwest National Lab and Oak Ridge, 
which all have some relevance to this subject, in fact, three 
of them do have a partnership for the National SCADA Testbed, 
but in overall, there has still in the past been some confusion 
as to who is taking what role in this activity.
    The various management changes and reorganizations have had 
an impact, also, on making sure you know who you are talking to 
in order to accomplish various tasks in this arena.
    Senator Coburn. Let me get you to summarize, if you would.
    Mr. Skare. OK. Absolutely. The final point is that a risk-
based approach is, I think, the most effective approach to 
these issues.
    Finally, I would like to say that Siemens is very 
supportive of these activities and will continue to be made 
available and to assist and to work in the area to secure the 
Nation's critical infrastructure. Thank you.
    Senator Coburn. Secretary Jarrett.

    TESTIMONY OF THOMAS M. JARRETT,\1\ SECRETARY AND CHIEF 
INFORMATION OFFICER, DEPARTMENT OF TECHNOLOGY AND INFORMATION, 
                       STATE OF DELAWARE

    Mr. Jarrett. Thank you. At Senator Carper's request, first, 
I will introduce the folks that came along with me. First is 
Elayne Starkey, the Chief Technology Officer for the 
Department; Michele Ackles, who is my Deputy in the Department; 
and I would also like to introduce Shay Stautz, who is here 
with me from NASCIO, so I am glad that they joined me today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Jarrett with attachments appears 
in the Appendix on page 105.
---------------------------------------------------------------------------
    Thank you for inviting me to appear before you today. I 
appear in two capacities, first representing the great State of 
Delaware as Secretary of Delaware's Technology and Information 
Agency, and second, as the current President of the National 
Association of State Chief Information Officers, or NASCIO.
    First, I would like to thank Chairman Coburn and a special 
thanks to Delaware's Senator Tom Carper for inviting me to 
speak with you today. As Delaware's CIO in charge of all State 
Government information and communications technology, my 
highest priority is cyber security.
    The security of Delaware's information technology system is 
critical to the well-being of our State as a whole, not just 
the business of the State, but also its economy. Further, from 
a Federal perspective, Delaware's information system is key to 
providing Federal services to our citizens and supports 
homeland security efforts.
    In the most simple of terms, keeping those who would wish 
to do us harm out of our network and systems is the primary 
challenge of IP security staff in Delaware and across the 
Nation. Delaware's State network may be small in comparison to 
some other States, yet we are responsible for over 130,000 
users, representing all three branches of government, including 
our law enforcement, first responder, and educational 
communities.
    We have recently deployed new software that permits us to 
check network events on a daily basis and we fend off nearly 
3,000 daily attempts at entering our network. I would like to 
repeat that, nearly 3,000 attempts a day to invade our network. 
As you will see in the documentation that I have attached to my 
statement, these numbers are not out of line with what other 
States are seeing.
    Because of our extreme diligence, we have not had a 
significant intrusion into our network. Keeping those that 
would wish to do us harm out of our network requires multiple 
layers of protection. While it is rarely a terrorist in the 
traditional sense of the word that threatens the State network, 
we do not focus specifically on who is trying to infiltrate our 
network. Rather, our goal is to keep all those with bad 
intentions from entering our system.
    Without lapsing into too many technical terms, we deploy a 
number of different hardware and software products to protect 
our networks. We scan, scan, and scan again all traffic coming 
into the network. We search for viruses, spam, spyware, and 
other recognized problems.
    Delaware is proactive in establishing collaborative 
partnerships at the Federal and local level. We have a working 
relationship with the FBI, who performs vulnerability audits 
and scans for us. We collaborate with the private sector, as 
well. Delaware was the first State to become part of an 
extensive security cooperation program that Microsoft has 
established.
    During times of heightened security alerts, like that 
resulting from the recent terror incidents in London, we also 
raise the bar on cyber security. We increase our vigilance and 
our monitoring because we are well aware that a virus that 
begins in Asia can propagate to the United States in a matter 
of a few short hours. In a very short period of time, it is 
possible for a system that has been not hardened or properly 
maintained to be completely overrun.
    Now, what does the future hold? Unfortunately, I have to 
state that I believe that threats to cyber security will only 
increase and we will face continuing attacks and attempts on 
multiple fronts. State IT officials must continually adjust how 
and what is filtered, blocked, and monitored. New threats 
appear almost daily and they can, in a matter of seconds, 
render services we have all come to depend upon, like e-mail 
and web browsing, completely unusable. In the worst case 
scenario, without proper protection, an attack could 
potentially cripple or completely shut down an entire State 
Government.
    While we must understand that all critical infrastructure 
is the same by its very nature, critical, whether it is a 
roadway system or an information network, infrastructure is 
about moving people and information and a State's network 
infrastructure is equally as important as its highways, 
electric power grid, or mass transit system.
    I will conclude my remarks with a few words about what 
NASCIO is doing. NASCIO is working with the States to get a 
comprehensive picture of the challenge that cyber security 
represents. We have produced a series of snapshots into what a 
few States are doing. Let me share just a few experiences from 
my CIO colleagues.
    Michigan reports that nearly 32 percent of its incoming e-
mail carries viruses, while Montana reports a rise from 93 
attempted virus infections in 1997 to nearly 45 million in 
2005. Kansas blocked 600,000 intrusion attempts over a 3- to 4-
hour time period during one recent attack.
    Protecting critical IT infrastructure does not come 
cheaply. We estimate that my Department spends $5 million 
annually, or 15 percent of my annual budget, on cyber security. 
A recent Statewide assessment in North Carolina revealed that 
approximately $50 million was needed to implement a statewide 
security plan.
    NASCIO believes that the Federal Government and the States 
must increase collaboration in facing these threats which we 
share in common. NASCIO applauds last Wednesday's announcement 
by Secretary Chertoff that he will create an Assistant 
Secretary for Cyber Security within the reorganized Department. 
NASCIO supported the calls for such a position and has endorsed 
past legislative efforts seeking to create the position. In 
fact, State CIOs have made addressing deficiencies in public 
sector cyber security their No. 1 item on our Federal agenda. 
We believe that the creation of a higher-profile position for 
cyber security within DHS is an important statement to the 
Nation as a whole.
    Having provided you with this background, NASCIO comes 
prepared to offer the Subcommittee one substantive step that it 
can take forward toward improving intergovernmental cyber 
security. NASCIO has provided Subcommittee staff with language 
that encourages the Secretary to have DHS revise the existing 
strategy and assessment process to include requiring a cyber 
security preparedness plan from each State and each State's 
CIO. We feel that closing the cyber security planning gap in 
the near term, and especially before the next round of grant 
making gets underway, is the single most important issue facing 
our sector today.
    Finally, NASCIO points out that information systems in 
general are the only part of the Nation's critical 
infrastructure that is under attack everywhere, all the time, 
and these attacks are inflicting millions of dollars in damage. 
Cyber attacks, even those without terroristic intent, could 
disrupt government's operations in general or homeland security 
mission critical systems specifically. It is our duty to secure 
these systems from all types of threats, regardless of the 
intent behind them, and as soon as possible.
    As the CIO for the State of Delaware and the President of 
NASCIO, I appreciate the work that the Subcommittee is doing in 
confronting this national challenge. Thank you.
    Senator Coburn. Thank you, Mr. Jarrett.
    Senator Carper has to leave and I am going to defer to him 
for the first set of questions.
    Senator Carper. Thank you very much, sir.
    Again, to our witnesses, thanks a lot for coming and for 
really excellent testimony in ways that even I could almost 
understand. Sometimes when we have people testify on these 
subjects, I am not sure I understand the words. As Mrs. 
Einstein used to say, Albert Einstein's wife, ``Mrs. Einstein, 
do you understand what your husband is saying or talking 
about?'' And she said, ``I understand the words, but not the 
sentences.'' I think for your testimony, for the most part, I 
understood not only the words but, in many cases, the 
sentences.
    I want to return to a question I asked the last panel and 
never got the answer I was looking for. I raised the issue of a 
football coach who is looking for ways to provide a good 
offense, and not just a good defense. We had a big middleweight 
championship fight out in, I think it was Las Vegas, this past 
weekend. A guy who defended his title, I think 20 times, was 
unsuccessful in title defense No. 21.
    Senator Coburn. Fighting is not good for you.
    Senator Carper. That is what I have heard, at least 
fighting against those guys wouldn't be good for us. But as I 
listened to this testimony, I am reminded of a boxing match, 
maybe even a football game, where one side is on defense the 
whole time and you never get the ball to go on offense. I am 
reminded of a fight where you have got one guy who is permitted 
to throw all the punches and the other guy just basically has to 
take them. Am I misreading this? Are there ways that we can 
fight back effectively? It seems that all we do is play 
defense, and I think we are pretty good at it, it sounds like 
we are very good at it, but I like to play offense, too. Are 
we? Should we be?
    Mr. Jarrett. Well, I would say from a State perspective, I 
think we are beginning that process. We have spent considerable 
dollars over the last several years building a very strong 
defense. But the real issue here is more in trying to identify 
the people that are actually trying to get into our networks, 
they hide themselves very effectively. So you need to have the 
resources and the money to then go after them, and I happen to 
be a believer that we should be going after them, but they are 
very difficult to find. In our case, as quickly as we make 
changes to our system, we see changes that have already 
countered those changes. So very definitely, I would hope that 
we will begin to take a much more offensive approach, but it is 
very difficult.
    Mr. Skare. I think that we have a very large installed 
knowledge now with intrusion detection systems, but now the 
latest thing that is coming along is intrusion prevention 
systems. So what it is, it is trying to take a look at the 
known signatures of some of these attacks and try and prevent 
them as they are happening, or the so-called zero day defense 
that is really happening. And when you combine that with a 
defense in depth approach to your control system, you have a 
much better chance of really trying to proactively stop them as 
it happens, although I would say that there is still a long 
ways to go there.
    But, for example, when you look at some of these control 
systems, they use quite common standardized protocols so that 
all the different systems can talk to each other and these are 
mostly publicly available, so we are taking a look at how do 
you scan these data communications in real time and prevent things 
from happening in real time.
    Senator Carper. All right. A question, if I could, this 
would be for Secretary Jarrett. I believe in your testimony, I 
think I heard you say that some 15 percent of your Department's 
budget is just for cyber security initiatives. Last week, 
Secretary Chertoff said, I believe in this hearing room, not 
only the establishment of the Assistant Secretary for Cyber 
Security and Telecommunications, but he talked about dedicating 
some Federal resources to help the efforts across the board. 
Let me just ask, what additional resources do you believe that 
the Federal Government, if any, should allocate for 
cyber security initiatives?
    Mr. Jarrett. Well, I think there are two pieces of that. I 
have read some of the numbers as far as dollars that they are 
talking about appropriating to that. When I compare them in 
direct comparison to what I spend, my comment would be that I 
don't think it is enough. So I would hope that the 
appropriations that they are going to put towards cyber 
security would be much larger than what I, at least from what I 
have currently seen.
    Senator Carper. It would also be great if, whether the 
allocations are huge or large or moderate, they were doing 
something that sort of complemented what you were doing with this 
data, not necessarily duplicating or replicating it.
    Mr. Jarrett. And that was going to really be my second 
thought, which is I heard the comments and what was honestly 
striking to me was the fact that though there was a lot of talk 
about connections between agencies and all that, there was no 
mention of connection really to the States. And I would argue 
that the States are really the first line of defense when it 
comes to, whether it is first responders and those kinds of 
things. We are kind of out front on a lot of areas, working in 
the area of cyber security. So we would like to work much more 
effectively with them in the future. I think that would be a 
tremendous approach if we could finally, or at least 
ultimately, reach that point.
    Senator Carper. One other thought, Mr. Chairman, comes to 
mind. I think it was Lincoln who used to say, the role of 
Government is to do for people what they cannot do for 
themselves. Maybe a reasonable role for the Federal Government 
here, for the Department of Homeland Security, is to do for 
States what you cannot do for yourselves, or for the private 
sector, for that matter.
    One last question, if I could, for Secretary Jarrett. I 
believe your first task, as I recall, as Secretary was to 
transform Delaware's Office of Information systems to this 
Department of Technology and Information. You hand picked and 
hired an entirely new organization that is built on a market-
based compensation plan where individuals are compensated based 
on their performance within the Department. You also did away 
with many middle management positions. You enabled employees to 
be more connected with the end result.
    I would just ask what suggestions you might have, really 
for the Department of Homeland Security, for our Federal 
agency, for your big brother, if you will--that probably has 
the wrong connotations--but for Homeland Security in finding 
and retaining the most highly qualified individuals to protect 
our Nation's critical infrastructure.
    Mr. Jarrett. I have a pretty basic thought about that and 
it comes down to the most basic thing, which is pay. One of the 
key approaches that Delaware took was to be able to pay our 
people within the Department what the market, and what they 
would literally get in the market if they were to go outside of 
working in State Government. We found that to be very 
effective, because in the end, if you are going to be effective 
in managing, working these kinds of issues, then you have to 
have very good people, and if they are going to be accountable, 
then you have to be willing to pay them, or otherwise very 
likely they either won't come to you in the first place, or if 
they do, they won't remain very long.
    So we have found that our pay structure has been probably 
one of our greatest assets because it has allowed us to hire 
very excellent people who are more than willing to stay because 
we are very competitive.
    Senator Carper. Great. Mr. Chairman, thanks for letting me 
lead off here. And again to Secretary Jarrett, it is great to 
see you.
    Mr. Jarrett. Thank you.
    Senator Carper. Thank you for you and your team, who are 
representative of the great work you are doing on behalf of our 
State and for, I think, the wonderful example you are providing 
to a few other States. Congratulations. He is not only 
Secretary, Mr. Secretary, but he is also Mr. President of his 
national organization. It is not every day we get to do that. 
Thank you both.
    Senator Coburn. The Senator from Delaware, are you 
proposing waiving government parameters limiting the ability to 
increase pay and pay for performance in Homeland Security? That 
is something our President has been trying to do here for some 
period of time.
    Senator Carper. When we have a private conversation with 
our earlier panel on the matters they couldn't discuss, let us 
bring that one up, too.
    Senator Coburn. OK. Good answer. [Laughter.]
    Senator Coburn. Mr. Skare, here is how my staff assesses 
you. He is a world-class operational control systems technology 
expert. He works for one of the world's largest manufacturers 
and leaders in control systems. So I want to ask you very 
frankly, do you have a good working relationship with DHS? Are 
they communicating the way they should with you? Are you 
allowed to get information that is helpful to you when you 
should, and do you feel comfortable sharing information with 
them?
    Mr. Skare. Well, that is a very good question. I think that 
there have been some changes in management. I originally was 
contacted and had been working with Mike Lombard in the 
Department of Homeland Security, and then that had shifted over 
to David Sanders. I think as some of the activities go on--for 
example, the DHS did invite me to the road map meeting we had 
last week in Baltimore, and I think that it was a very good 
meeting for sharing ideas with the DHS people.
    My experience with DHS is that they are very focused on 
moving quickly. But as far as sharing any detailed information, 
I do not have any specific threats shared with me of any sort.
    Senator Coburn. So, in other words, there may be a threat 
to one of the systems that you are looking at that they know 
about that you don't know that could maybe enhance your ability 
to do the job better as a vendor for those items, yet you are 
not seeing the feedback loop coming on that.
    Mr. Skare. That is right. I have seen no feedback in that 
area.
    Senator Coburn. Is that not something that we want to 
happen?
    Mr. Skare. I believe it is. I know that I actually had this 
discussion with one of the DHS people last week and we 
discussed if it meant that we should get security clearance, or 
maybe there is a new type of clearance that could be created, a 
trusted type of information sharing line that could go on. But 
the discussion was still an ongoing discussion.
    Senator Coburn. Well, if 85 percent of our cyber is in 
private hands, we are going to have to talk to the private 
sector. That would mean 15 percent is in the State and Federal 
hands and other entities. We are going to have to communicate, 
and I was most concerned about GAO's testimony as this lack of 
confidence, because if there is not confidence with DHS, then 
you as a spokesman or lead individual for your company are 
going to be somewhat hesitant to share with them information. 
And so if we can't get past the--it is kind of like marriage. 
If you can't get past the trust deal, you never get anywhere. 
So if we can't get there, this can build and this can grow if 
we have a working relationship. I am concerned.
    Have you noticed anything, Secretary Jarrett, in terms of 
your ability to relate and a level playing field and 
informational exchange that you could offer us?
    Mr. Jarrett. We have found that the information exchange 
has been very difficult. That is why we have built strong 
relationships with most of our business partners. I can tell 
you that most of the threat data that we get today, we get from 
those business partners and through US-CERT, but not directly 
from the Department.
    Senator Coburn. Through the US-CERT?
    Mr. Jarrett. Right.
    Senator Coburn. OK. And did either of you gentlemen happen 
to see the article yesterday in the Wall Street Journal where 
they talked about the trojans? I thought it was a very 
informative article for the public because it is us and our 
personal computers that are being used to scam everything else 
in the world and used to, what do they call it, bot----
    Mr. Jarrett. Bots and zombies and----
    Senator Coburn. Yes. I would also note that DHS is not in 
here anymore for them to hear your testimony, which is 
concerning for me, because that is one of the areas, we are 
sponsoring this, we have 15 people from DHS attend a hearing, 
but when they are through testifying, then they are not here to 
hear what the rest of the panel says so we don't get the 
information. So that says you don't build trust if you can't 
communicate, and if you aren't going to listen, you are never 
going to be able to communicate. So I am somewhat critical of 
that.
    Mr. Jarrett, does your office have regular contact with the 
National Cyber Security Division at DHS?
    Mr. Jarrett. We do not. We do on a kind of hit-or-miss 
basis. We do a lot of things. We are members of the MS-ISAC, 
which is the 50-State group that has come together, but not 
directly with them.
    Senator Coburn. Did I hear you right a moment ago that you 
thought there should be a requirement for each State to have a 
preparedness plan?
    Mr. Jarrett. A cyber security preparedness plan, 
absolutely.
    Senator Coburn. And should that be contingent on their DHS 
grant?
    Mr. Jarrett. I think it should be tied directly to the 
grant process. What has been difficult in the current grant 
process is that little of that money is going towards cyber-
related issues. I can tell you, in the 3 years that monies have 
come out in my State, I just for the first time got a small 
amount of those dollars for some cyber work that we are doing. 
It has been driven toward other directions, and though I 
understand that and respect that, I think that we need to also 
understand that the cyber aspect of this is absolutely 
critical.
    All of our systems and everything that--I run all of the 
systems for all the first responders, the State police, 
everyone, so during time of greatest need, if my systems go 
down, they literally have no access to any of the information 
that they will require.
    Senator Coburn. And you already answered this somewhat, but 
I want to ask you again, and I find it strange. $15 to $16 
million of this next year's budget for DHS, and you are going 
to spend $5 million, and you say to set a State up, it is going 
to take $50 million just in programming the structure and 
observations and diligence. I am kind of appalled that that is 
the priority. Are you?
    Mr. Jarrett. I am concerned about the priority, absolutely. 
I mean, we are very happy to see that they have established the 
Assistant Secretary for Cyber Security. That is something that 
we have pushed for for a long time. But with it must come the 
right funding to be able to do the job correctly and the amount 
of money, at least that I have seen, concerns me.
    Senator Coburn. How are you all at the State of Delaware 
informed of a fast-moving cyber threat? How do you find out, 
other than your own observation and blocking and monitoring 
technique?
    Mr. Jarrett. Two primary ways today, neither of which is 
the Department. One is through the MS-ISAC structure that was 
created about 2 years ago----
    Senator Coburn. Is that fast? Do you get that on a real 
time basis?
    Mr. Jarrett. We get that on a real time basis. It has 
become a very dynamic group. We meet once a month, and so we 
have built a structure within the States that allows us to share 
information on a very rapid basis.
    We also get it from our vendors through our cooperative 
program with companies like Microsoft and Oracle and others. 
And all of my key security folks are obviously also connected 
to the US-CERT process, as well.
    Senator Coburn. Is that timely, the US-CERT process, or 
does it come hours or days after the fact?
    Mr. Jarrett. We are actually finding the US-CERT process to 
be quite timely----
    Senator Coburn. Good.
    Mr. Jarrett. So we have been very pleased with that at this 
point. Timeliness, obviously, in our business, is absolutely 
critical, given the fact that we are talking about threats 
that--we are not talking about days, we are talking about 
minutes and hours.
    Senator Coburn. And going back to your testimony, Mr. 
Skare, if you are talking about a power generation facility and 
they are monitoring sequentially, there is not the technology 
for encoding or encrypting instantaneously that information so 
that you can stay on a real time basis without putting that 
facility at risk?
    Mr. Skare. There are ways to do that for network 
connections, although a lot of the standards are still lacking 
in approval from an approval perspective, and many utilities 
are reluctant to roll out technologies like that until they 
have been standardized and approved.
    Senator Coburn. And who holds that approval?
    Mr. Skare. It depends. In this case, there is international 
approval as well as U.S. approaches. In the international 
arena, it is the International Electrotechnical Commission. On 
the U.S. side, the standard that most U.S. utilities are going 
to be looking toward is one set by NERC.
    Senator Coburn. OK. I can't help but think about the 
television show ``24'' and how closely you were involved in 
that. Part of our risk--there has been $60 billion spent by the 
U.S. Government on IT in this last year, $60 billion by the 
Federal Government. That is a big sum of money. And yet it 
doesn't seem that we are a whole lot more secure. We may be 
faster and we may be moving information around, but the more IT 
we have, the more risk we have if it is vulnerable.
    What is the budget for the State of Delaware on IT? Do you 
have any idea?
    Mr. Jarrett. Well, about $300 million.
    Senator Coburn. A year?
    Mr. Jarrett. A year.
    Senator Coburn. And that is both hardware and software, the 
whole----
    Mr. Jarrett. That is everything.
    Senator Coburn. That is the whole thing. All right.
    Mr. Skare, you talked about business process. What 
motivates, or what would motivate a company to make an 
investment in cyber security to protect their critical 
infrastructures, those that have not?
    Mr. Skare. I think those that have not, any type of 
business case where you can show them where the loss or the 
damage to their business due to such an incident would result 
in a negative impact on their business. For example, if an 
attack took down a particular substation and those customers 
were without power for a certain amount of time, you would have 
not only the lost revenue due to the power outage, but you 
would also have then the damage to the reputation. And 
quantifying those in terms of a business case would go a long 
way to help.
    Senator Coburn. And so you all are seeing more that your 
business is good, is that correct?
    Mr. Skare. Interestingly enough, common sense might dictate 
that after a major event, such as the blackout in 2000, it 
would spur investment in these areas. However, there was a 
certain amount of reluctance to spend purely so that it wasn't 
seen as a reaction or as a sign of weakness. So it is kind of a 
balancing act.
    Senator Coburn. I want to thank both of you for your 
testimony and for staying as long as we have. I appreciate you 
coming and giving this information.
    We may submit some questions to you in writing. We would very 
much appreciate it if you would be timely in your response to 
those.
    Thank you very much for attending. The meeting is 
adjourned.
    [Whereupon, at 3:44 p.m., the Subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

[GRAPHIC] [TIFF OMITTED] T3163.001 through T3163.132 (132 appendix 
graphics omitted from the printed record)
