<DOC>
[107th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:87387.wais]
CYBERTERRORISM: IS THE NATION'S CRITICAL INFRASTRUCTURE ADEQUATELY
PROTECTED?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
FINANCIAL MANAGEMENT AND
INTERGOVERNMENTAL RELATIONS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
JULY 24, 2002
__________
Serial No. 107-217
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
87-387 PDF
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California PATSY T. MINK, Hawaii
JOHN L. MICA, Florida CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia ELEANOR HOLMES NORTON, Washington,
MARK E. SOUDER, Indiana DC
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania THOMAS H. ALLEN, Maine
DAVE WELDON, Florida JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia ------
JOHN J. DUNCAN, Jr., Tennessee BERNARD SANDERS, Vermont
JOHN SULLIVAN, Oklahoma (Independent)
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director
Subcommittee on Government Efficiency, Financial Management and
Intergovernmental Relations
STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California MAJOR R. OWENS, New York
ADAM H. PUTNAM, Florida PAUL E. KANJORSKI, Pennsylvania
JOHN SULLIVAN, Oklahoma CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Bonnie Heald, Deputy Staff Director
Chris Barkley, Assistant
David McMillen, Minority Professional Staff Member
C O N T E N T S
----------
Page
Hearing held on July 24, 2002.................................... 1
Statement of:
Belcher, Timothy G., chief technology officer, Riptech, Inc.. 15
Charney, Scott, chief security strategist, Microsoft Corp.... 31
Dacey, Robert F., Director, Information Security Issues, U.S.
General Accounting Office.................................. 70
Dick, Ronald L., Director, National Infrastructure Protection
Center, Federal Bureau of Investigation.................... 136
Jarocki, Stanley R., chairman, Financial Services Information
and Analysis Center, and vice president, Morgan Stanley IT
Security................................................... 159
Leffler, Louis G., manager-projects of North American
Electric Reliability Council............................... 165
Maiffret, Marc, chief hacking officer and co-founder, eEye
Digital Security........................................... 60
Paller, Alan, director of research, SANS Institute........... 23
Thomas, Douglas, associate professor, Annenberg School for
Communication, Los Angeles, CA............................. 8
Tritak, John S., Director, Infrastructure Assurance Office,
Department of Commerce..................................... 150
Weiss, Joseph M., executive consultant, KEMA Consulting...... 43
Letters, statements, etc., submitted for the record by:
Belcher, Timothy G., chief technology officer, Riptech, Inc.,
prepared statement of...................................... 17
Charney, Scott, chief security strategist, Microsoft Corp.,
prepared statement of...................................... 34
Dacey, Robert F., Director, Information Security Issues, U.S.
General Accounting Office, prepared statement of........... 72
Dick, Ronald L., Director, National Infrastructure Protection
Center, Federal Bureau of Investigation, prepared statement
of......................................................... 139
Jarocki, Stanley R., chairman, Financial Services Information
and Analysis Center, and vice president, Morgan Stanley IT
Security, prepared statement of............................ 161
Leffler, Louis G., manager-projects of North American
Electric Reliability Council, prepared statement of........ 167
Maiffret, Marc, chief hacking officer and co-founder, eEye
Digital Security, prepared statement of.................... 62
Paller, Alan, director of research, SANS Institute, prepared
statement of............................................... 26
Shakowsky, Hon. Janice D., a Representative in Congress from
the State of Illinois, prepared statement of............... 5
Thomas, Douglas, associate professor, Annenberg School for
Communication, Los Angeles, CA, prepared statement of...... 11
Tritak, John S., Director, Infrastructure Assurance Office,
Department of Commerce, prepared statement of.............. 152
Weiss, Joseph M., executive consultant, KEMA Consulting,
prepared statement of...................................... 45
CYBERTERRORISM: IS THE NATION'S CRITICAL INFRASTRUCTURE ADEQUATELY
PROTECTED?
----------
WEDNESDAY, JULY 24, 2002
House of Representatives,
Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:05 a.m., in
room 2154, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representatives Horn and Schakowsky.
Staff present: J. Russell George, staff director; Bonnie L.
Heald, deputy staff director; Chris Barkley, assistant to
subcommittee, Michael Sazonov, professional staff member;
Sterling Bentley, Joey DiSilvio, Freddie Ephraim, and Yigal
Kerszenbaum, interns; David McMillen, minority professional
staff member; and Jean Gosa, minority assistant clerk.
Mr. Horn. A quorum being present, the Subcommittee on
Government Efficiency, Financial Management and
Intergovernmental Relations will come to order.
In 1998, a 12-year-old boy successfully hacked into
computer systems that controlled the Roosevelt Dam in Arizona.
He could have opened the dam's floodgates and dumped nearly 500
billion gallons of water on the Arizona cities of Mesa and
Tempe. Fortunately, he did not.
However, in April 2000, an Australian hacker used his
laptop computer and a commercially available radio transmitter
to gain control of a local sewage treatment facility. He
intentionally released raw sewage into nearby parks and rivers
on 46 occasions before he was caught.
It is clear from these and other reports that the Nation's
water, power, financial markets, and telecommunication systems
could be similarly attacked. These systems are essential to the
health and well-being of all Americans, and they are
fundamental to the continued operation of the government. More
than 90 percent of the Nation's critical infrastructure is
owned and operated by the private sector. To protect these
assets, it is important to understand their vulnerability to
cyberattacks, which are increasing in intensity and
sophistication.
During the first 6 months of this year, the Carnegie-Mellon
CERT Coordination Center received reports of 43,000
cyberattacks. In comparison, last year, the Center received
approximately 53,000 reports of attacks for the entire year.
In many cases, businesses may not know when a cyber-attack
is launched and may not gracefully recover from the attack. A
recent survey of Fortune 500 companies by Ernst & Young found
that only 40 percent of those companies were confident that
they could detect an attack on their systems. The same survey
also revealed that only 53 percent of the companies had
business continuity plans to recover from an attack.
To shore up the defense of the Nation's critical
infrastructure, each industry group has formed its own
information sharing and analysis center. These centers face
formidable challenges. The businesses within each sector can
vary widely in size and complexity and in their ability to
safeguard their systems.
For example, the financial service sector includes large
banking corporations as well as small independent banks.
Nevertheless, the financial sector center must develop common
security processes in order to report, respond, and recover
from a cyber-attack. Each center tends to focus on risks that
are unique to its industry, even though the sectors are
increasingly interconnected and interdependent. Damage to one
can cascade to others. The recovery plans of one sector could
affect the ability of other sectors to resume operation.
Today's hearing will examine the roles and limitations of
the information sharing and analysis centers and will explore
what actions may be needed to ensure the security of the
Nation's infrastructure. I welcome today's witnesses, and I
look forward to working with you on this vital concern.
Let me administer the oath, and then we will go into
recess, because I believe we have a vote on the floor. So, if
you will stand, raise your right hand.
[Witnesses sworn.]
Mr. Horn. The clerk will note that all affirmed the oath.
Please sit down and relax. And we are delighted to have Ms.
Schakowsky, the ranking member. And she will use her time to
give her statement to open the hearing, and we will then go in
recess.
Ms. Schakowsky. Thank you, Mr. Chairman.
It is unfortunate that we are having this hearing today.
The issue before us is an important one that should be given
due consideration by Congress. But instead, the majority has
insisted on circumventing regular order and is trying to move
language on this issue as part of the homeland security bill,
language that would probably not become law if considered
separately and openly, and language that is designed not to
improve public safety but to curry favor with the business
community.
There is an attempt on the part of some to exclude from the
Freedom of Information Act all information submitted
voluntarily by businesses in the name of critical
infrastructure protection. One of our witnesses today testified
before the Senate that the government has the ability under the
Freedom of Information Act and under almost 30 years of case
law to protect information submitted voluntarily to the
government by businesses. He goes on to say that, ``If the
private sector doesn't think the law is clear, then by
definition it isn't clear.''
I am puzzled by that logic. I always thought it was the
role of the courts and not the private sector to clarify the
interpretation of the law. By this gentleman's logic, any law
that businesses disagree with, they only have to claim it as
unclear and it becomes incumbent on Congress to change that
law. I wonder if that logic extends to individuals.
Mr. Chairman, I want to draw on the testimony David Sobel
will be submitting for the record, and ask unanimous consent
that his testimony be included in the record.
Mr. Horn. Without objection, it will be put in the record
at this point.
Ms. Schakowsky. I also ask that the letter from Jim Dempsey
at the Electronic Privacy Information Center be included the
record.
Mr. Horn. Without objection, it will be in the record at
this point.
Ms. Schakowsky. The fourth exemption to the Freedom of
Information Act protects information which is a trade secret or
information which is commercial and privileged or confidential.
This information is considered confidential if disclosure of
the information is likely to impair the government's ability to
obtain the necessary information in the future or to cause
substantial harm to the competitive position of the business
from which the information was obtained.
Let me restate this because it is exactly the point that
has been ignored by those seeking this exemption. The Freedom
of Information Act protects information submitted by businesses
if that information is confidential. That information is
confidential if the release of the information would make it
more difficult to obtain that information in the future.
The language in the Freedom of Information Act is quite
clear. It doesn't end there. There are even more protections
for confidential business information. In 1987, President
Reagan issued Executive Order 12600, which provides notice to a
business if the agency determines material submitted by that
business and identified as confidential should be released, the
business has an opportunity to make its case before the agency
and before a court of law.
Furthermore, no proponent of this exclusion from the
Freedom of Information Act has cited a single example where a
Federal agency has disclosed voluntarily submitted data against
the expressed wishes of the industry which had submitted the
information.
On the other hand, the damage this exclusion could do is
legion. The language included in the homeland security bill
would allow businesses and agency officials to hide lobbying
activities under this exclusion. Officials from energy
companies could meet with Federal officials to craft government
energy policy, and all of those conversations could be hidden
from public view. This language would shield these companies
from antitrust law. Even the Attorney General objects to that
provision.
Mr. Chairman, we all agree that the government has
substantial work to do to assure the protection of our critical
infrastructure. I hope that today's hearing will move us down
that path. Unfortunately, the language included in the homeland
security bill does little to improve the security of our
critical infrastructure, but instead is about hiding
information from the public.
Thank you, Mr. Chairman.
Mr. Horn. Thank you.
[The prepared statement of Hon. Janice D. Schakowsky
follows:]
[GRAPHIC] [TIFF OMITTED] T7387.001
[GRAPHIC] [TIFF OMITTED] T7387.002
[GRAPHIC] [TIFF OMITTED] T7387.003
Mr. Horn. And we are now in recess until 10:30. Thank you.
[Recess.].
Mr. Horn. The recess has ended, and we will have peace and
quiet for about an hour and a half just to get your various
agendas.
We will now start with Douglas Thomas, the associate
professor of Annenberg School for Communication at the
University of Southern California. We are delighted to have you
here.
STATEMENT OF DOUGLAS THOMAS, ASSOCIATE PROFESSOR, ANNENBERG
SCHOOL FOR COMMUNICATION, LOS ANGELES, CA
Mr. Thomas. Thank you. I have a longer statement to submit
for the record, and I would like to summarize my comments here.
Mr. Horn. Thank you. Because let me tell all of you, your
full written view goes right into the record, without even
having to say it, the minute I give your name and what you are
now doing.
So, thank you very much, Mr. Thomas. We all had a chance
when we got them last night--a little late--but it is a very
fine job that all of you have done. So, Professor Thomas, if
you can give a summary of 5 minutes, 8 minutes, something, so
we can get to questions, we would appreciate it. Thank you.
Mr. Thomas. Thank you, and particularly for inviting me to
speak before you today.
My name is Douglas Thomas, and I am Associate Professor in
the Annenberg School for Communication at the University of
Southern California. My research focuses on the social and
cultural impacts of new media and technology, with particular
emphasis on the subculture of the computer underground. I have
recently published a book called Hacker Culture about the
computer underground, and co-edited another called Cybercrime:
Law Enforcement, Security and Surveillance in the Information
Age.
For the past 7 years I have studied computer hackers in an
effort to understand who they are, what motivates them, and how
their culture can be understood in relationship to
technological innovation. During that time, I have met with,
spoken to, and interviewed hundreds of computer hackers, and
I've spent time immersed in their literature and their culture,
and I feel confident in saying that I understand for the most
part how they think.
I would like to start off by answering the broad question:
What are the risks that a terrorist organization might seek out
hackers and employ them to carry out attacks on our information
infrastructure?
With the vast majority of computer hackers, I would say
upwards of 99 percent of them, the risk is negligible for the
simple reason that hackers don't have the skill--those hackers
don't have the skill or ability to organize or execute an
attack that would be anything more than a minor inconvenience.
Of the hackers that remain, my experience suggests that the
most talented, who may be able to inflict serious damage, are
neither inclined to do so nor likely to be tempted by financial
incentives. They tend instead to be the most strongly motivated
by an ethic which values security, which values information,
and which puts innovation and learning at the top of those
priorities. In other words, the idea of engaging in terrorism
of any sort does not fit their profile.
In fact, I can think of few perspectives more hostile to
radical Islamic fundamentalism than the ones that most hackers
embrace. The typical hacker--and of, course, there are
exceptions--is motivated by a profound sense of curiosity, by
openness, by freedom and exploration. Hackers like to know how
things work, and they like to make things work better or in
unexpected ways. The hackers of today have a very clear ethic
that shouldn't be overlooked by the committee. Above all else,
they too believe in computer securities; and, most important,
they believe that without constant vigilance, most software
manufacturers will remain content to leave security as a
secondary issue. They believe that in most computer software
use today, security has become an add-on feature rather than a
design principle; and it is that, above all else, which puts us
at risk.
In a new age of corporate responsibility, it may be worth
taking a few minutes to understand why hackers write programs
that expose security flaws in computer software. Many hackers
release public releases of security holes as a result of
companies refusing to fix or oftentimes even acknowledge
security flaws in their products primarily because there is no
regulation for security in software, and, most important, there
is no liability for software companies when their products
create risks for consumers or the public.
At one level, the work that hackers do is not entirely
unlike the work of a watchdog organization or Consumer Reports.
Admittedly, the outlook, style, and demeanor are different, but
the end results are the same. Hackers force computer software
manufacturers to pay attention to security. We need to be
careful to focus on the causes of such vulnerabilities and not
blame the messengers.
When facing a question as weighty as cyberterrorism, a very
serious problem that you face is getting the facts. I have yet
to hear anyone articulate a realistic scenario in which
computer hackers will be able to effect significant economic or
physical damage in order to be considered a terrorist threat.
It is easy to imagine scenarios that sound like terrorism: For
example, hacking into air traffic control and crashing planes,
or hacking into the stock exchange and undermining the stock
market. These things make great Hollywood plots, but there is
no evidence that any such scenario is possible, much less
likely. In fact, most of the research I'm familiar with on this
topic concludes the opposite.
For the foreseeable future, acts of cyberterrorism like the
ones usually imagined, will be very difficult to perform,
unreliable in their impact, and easy to respond to in
relatively short periods of time. In point of fact, there has
never been an act of cyberterrorism committed, nor has there
ever been, to my knowledge, a computer hacking incident that
has resulted in the loss of life. When these scenarios are
proffered, I urge you to ask tough questions about them, about
what additional security measures would have to fail for such
an attack to take place.
Finally, I would like to conclude by saying that should a
terrorist manage to launch a successful attack, it should be
noted that our country has some of the best resources available
to deal with it, diffuse, and neutralize such a threat. The
faculty and students at places like MIT, Berkeley, Stanford,
Purdue, Carnegie-Mellon, places like CERT and the NCSA, provide
our best defense against such threats, but these groups only
provide that advantage as long as the network remains open and
accessible. Security only gets better through testing, design,
and redesign. The real threat to security is closing off
avenues of exploration and examination. The more we know about
our networks, the better we are able to defend them. It is that
openness in testing which is essential.
So, as a result, I would encourage you to think of hackers
not as the enemy but, instead, as an admittedly difficult-to-
manage resource who may be in the best position to alert us of
our vulnerabilities before they can be exploited.
Thank you, and I would be happy to take any questions you
may have.
Mr. Horn. Well, we thank you. And we will get to the
question period once we finish the whole panel.
[The prepared statement of Mr. Thomas follows:]
[GRAPHIC] [TIFF OMITTED] T7387.004
[GRAPHIC] [TIFF OMITTED] T7387.005
[GRAPHIC] [TIFF OMITTED] T7387.006
[GRAPHIC] [TIFF OMITTED] T7387.007
Mr. Horn. The next presenter is Timothy G. Belcher, the
chief technology officer of Riptech, Inc.
Mr. Belcher.
STATEMENT OF TIMOTHY G. BELCHER, CHIEF TECHNOLOGY OFFICER,
RIPTECH, INC.
Mr. Belcher. Chairman Horn and distinguished members of
this committee, thank you for inviting me to provide my
thoughts on the issues of cyberterrorism and critical
information protection. I have already provided you with
written testimony, and I would like to take a few minutes to
outline some key points and issues.
First let me say that the networks that comprise our
critical infrastructure are undoubtedly at significant risk of
cyber-attack and compromise. The nature of these networks
ensure that security is never going to be an absolute, but the
vulnerabilities will always exist. The level of threat is
increasing and, in my opinion, will continue to do so. The
nature, complexity, and motivation of attacks against these
networks have become and will continue to become more
sophisticated over time.
I am the chief technology officer of a computer security
company called Riptech. We perform two services that would be
of interest to this committee in terms of experience. We assess
client organizational networks for vulnerabilities; in effect,
sometimes can become a hired hacker to test their defenses.
Second, we provide a monitoring service that provides 24x7
monitoring of client networks, detecting and analyzing attacks
for effectiveness and severity.
First let me talk about our assessment work. We have done
assessments on over 50 critical infrastructure networks.
Consistently, we have been able to demonstrate the viability of
compromise to the most critical components of those networks.
Those would include connectivity to the most critical
components of power and energy companies, such as SCADA and EMS
networks, financial transaction networks, and the inner
workings of some of our government networks. Those
organizations consistently had defenses in place, firewalls,
intrusion detection systems, and our detections consistently
went, by and large, undetected.
Second let me talk about our monitoring service and some of
the information that is providing today. We are providing
monitoring services for over 500 organizations, or
approximately 500 organizations throughout the world. Our
monitoring service is producing real dividends in terms of
quantifiable numbers of the attacks these organizations are
facing. All organizations are suffering some level of
compromise in their attacks, some significant volume of
increases in the attacks on them. Most notably, power and
energy companies and financial services appear to be the most
targeted sectors. Critical infrastructure companies represent
nearly 20 percent of our clientele and are our fastest growing
segment.
With regard to power and energy companies in our client
base, 70 percent suffered at least some level of compromise
over the last 6 months, up from 57 percent in the prior 6
months.
Again, these companies not only have defenses in place and
have invested in technologies, but have also invested in
obtaining an outsourced expert service to analyze the attacks
against their organizations. They are still suffering. Most
importantly, we have been able to quantify a reduction in the
success rates against these organizations over time, given
proper defense.
Let me sum up by simply saying that critical infrastructure
is at significant risk; and, in order to achieve any successful
and acceptable level of defense, they must establish reliable
detection and response mechanisms which are unavailable today.
Thank you for your attention, and I look forward to any
questions that you may have.
Mr. Horn. Thank you, Mr. Belcher.
[The prepared statement of Mr. Belcher follows:]
[GRAPHIC] [TIFF OMITTED] T7387.008
[GRAPHIC] [TIFF OMITTED] T7387.009
[GRAPHIC] [TIFF OMITTED] T7387.010
[GRAPHIC] [TIFF OMITTED] T7387.011
[GRAPHIC] [TIFF OMITTED] T7387.012
[GRAPHIC] [TIFF OMITTED] T7387.013
Mr. Horn. Our next presenter is Alan Paller, director of
research at the SANS Institute.
STATEMENT OF ALAN PALLER, DIRECTOR OF RESEARCH, SANS INSTITUTE
Mr. Paller. Before I start my remarks, I want to bring
greetings from Bob Chartrand, first, and also tell you that
model that you provided to this body, this model of action, the
model of taking on unpopular causes, what you did in----
Mr. Horn. Move the mic up. It's very important, what you
are saying.
Mr. Paller. You really have set a model, and I hope that
model will follow you. And you are going to be sorely missed
around here. One of the actions that I am going to talk about
today is something that doesn't take more than 6 months;
meaning, if you want to have something similar to the impact on
security that you had on Y2k, I think you actually have it in
your--it would be tough, but you have it in your hands to do
it. So, let me go on.
We train the people who are the frontline soldiers in
security. We have 30,000 of them who have attended SANS
training and go out and try to protect the computers. So we
have to clean up after the messes. And right now, as we speak,
the problem is getting worse. And the reason the problem is
getting worse is that as all of us are sitting here,
approximately 7,000, maybe 10,000 new computers will be
installed and connected to the Internet, and almost every one
of those will be installed with known vulnerabilities. That
means almost every one of the machines being sold while we are
sitting here is going to come in with known vulnerabilities.
And between 2- and 3,000 computer programs are active on the
Internet at all times--not people--programs, searching out
every new address to see if they can take over those machines,
put a Trojan in there, and be ready for an attack later. That
is happening while we are sitting there.
I am happy to be on the first panel, because I think if we
define the problem right, then the actions we take might
actually help solve the problem. And so I would like to give
you the four reasons that I think cause that set of problems to
exist and the two actions I think you could take that would
help solve them.
One is that the vendors actually deliver software that has
known vulnerabilities. The people who install it trust the
vendor, so they install it exactly the way the installation
technique tells them. And, because they are so busy, they don't
change that. So, most of those machines that are being
installed unsafely today will still be unsafe in 90 days and
still be unsafe in 180 days.
Second--and two of these next three are going to be
counterintuitive. The risk-based approach that many people say
is so good, actually is causing part of the problem. While
people are doing risk analysis and writing reports, all these
new machines are getting installed. And, worse, they say
``Let's just fix the ones that are the highest risk.'' But
since all the machines are connected together, if Tim had given
you his demonstration of how you actually break into a utility
company, he would have used the fact that one of the machines
that had been installed that nobody cared about, was weak, to
jump off into the other machines.
So if we are going to solve the problem, we have to start
by stopping the machines from being vulnerable on the day we
install them.
The third cause is that the government--we talk about
critical infrastructure as if it is industry. The government is
a part of the critical infrastructure. We care about
government, and government is doing a not-very-good job of
being a model for the rest of the critical infrastructure. And
it turns out in this arena, because technology is transferrable
so quickly and techniques are transferrable so quickly, it
turns out that here, if the government actually did some good,
the problem could roll over very quickly.
And I think Dick Clarke's announcement last week of
benchmarks is an example of how that can happen almost
instantaneously. But the government hasn't been a great model,
and that has to change quickly if we are going to ask industry
to change. How can you ask a CEO to ``believe me and trust me''
and say to you, ``I'm going to do what you need to help protect
the infrastructure, when you don't do what you need to help the
infrastructure?'' It is really hard for a CEO to take you
seriously.
And the last one I think is the most counterintuitive. And
that's that most of the money being spent by Government on
cyber-security is being wasted, and the money has gone up
radically in the next--in the last 2 years--at least an order
of magnitude. Think of that money as having a huge vacuum
cleaner sucking it out, and that the vacuum cleaner is people
who like to write reports, and they are taking the money and
they are writing reports. And the problem is, none of the money
is left for the people who actually have to secure the systems.
So you get all that security money out there spent on the
studies about why you are so bad and it is so easy to find
fault. And it doesn't take as much skill level to find fault
than it does to fix it. It is much easier to--you can come out
of grade school and run one of these penetration testing tools
and do a pretty good job of delivering the report because the
vendors make it pretty, but the difficulty is there's nobody
there to fix it. So you have got $1 billion telling people what
to do and nothing left fixing it.
OK, two actions and then I'll quit.
Action one--and this is the report card that you are the
father of. Action one is that there are benchmarks, there's
several of them. And NASA is the one actually that's proven
this works. This is not a new idea. NASA has actually
demonstrated beyond a doubt that this approach works. You take
a set of vulnerabilities that matter, and you systemically make
sure every single computer in your entire NASA facility all
across the whole country doesn't have them anymore. And they
took the vulnerabilities down by 93 percent and they took the
number of successful attacks down radically, even though the
number of attempted attacks is up radically.
Dave Nelson, who is the deputy CIO, can give you the hard
data on this. But this works. And if you--if you just take what
they did and apply it to the rest of government over the next 6
months, we could fix somewhere out in the 70th to 80th
percentile of the vulnerable machines real quickly.
The second idea is a little harder. All these consultants
that are spending money on vulnerability testing ought to be
asked--and you are the only guy I can think of who could make
this happen, because OMB doesn't seem to be awake to this. All
these people who are doing vulnerability tests aren't staying
to fix the problem. And if they are so smart that they can tell
you what you are doing wrong, why aren't they staying to make
sure the problem disappears? So solution 2 is some way of
getting an amelioration phase into these consulting contracts
so that the people actually have to fix it, they can't just
send you a pretty, colorful report and tell you how bad you are
and then go on to the next guy, would be very helpful. Thank
you.
Mr. Horn. Thank you. You have given us numerous months. We
can take care of your ideas.
[The prepared statement of Mr. Paller follows:]
[GRAPHIC] [TIFF OMITTED] T7387.014
[GRAPHIC] [TIFF OMITTED] T7387.015
[GRAPHIC] [TIFF OMITTED] T7387.016
[GRAPHIC] [TIFF OMITTED] T7387.017
[GRAPHIC] [TIFF OMITTED] T7387.018
Mr. Horn. We now go to Scott Charney, the chief security
strategist of the Microsoft Corp. Mr. Charney.
STATEMENT OF SCOTT CHARNEY, CHIEF SECURITY STRATEGIST,
MICROSOFT CORP.
Mr. Charney. Mr. Chairman, thank you for the opportunity to
appear today at this important hearing on cyberterrorism and
critical infrastructure protection. My name is Scott Charney,
and since April 1st, I've been Microsoft's Chief Security
Strategist.
Microsoft works with industry leaders and governments
around the world to identify threats to computer networks,
share best practices regarding computer security, and prevent
computer attacks. While we have worked diligently on cyber-
security for several years, this effort accelerated after
September 11th, and was crystallized for Microsoft when Bill
Gates launched our Trustworthy Computing initiative in January.
Today I would like to address IT security issues broadly,
and then use the Trustworthy Computing initiative as an example
of how one company can take steps, both on its own and with
others in industry and government, to address cyber-security.
And finally, I will propose several things that Congress can do
to address cyber-attacks.
By way of background, prior to joining Microsoft I served
as the Chief of the Computer Crime and Intellectual Property
Section at the Department of Justice where I helped prosecute
nearly every major hacker case in the United States, and
international hacking cases as well, from 1991 to 1999. Based
on those experiences, Mr. Chairman, I know two things with
certainty:
First, operating systems software is one of the most
complex things we have ever built, and it may always have
vulnerabilities.
Second, society has always grappled with a criminal
element, and this criminal element can be smart and malicious
and will seek ways to exploit vulnerabilities in software. As a
result, it is impossible to completely prevent cyber-attacks,
and it places the IT industry in a perpetual race against
cyber-criminals to maintain Internet security.
We take our cyber-security responsibility very seriously,
and perhaps most importantly, Bill Gates spearheads our
Trustworthy Computing initiative. This is not a one-time event,
but rather a change in the way we do business. It has four
pillars: reliability, security, privacy, and business
integrity. And those four pillars go to the heart of our
culture and the way we create products and services.
Today I want to focus on the security pillar, where we are
working to create products and services that I call S D3:
secure by design; secure by default; and secure by deployment.
Secure-by-design centers on creating products that are
inherently more secure. To do this, we recently provided
advanced training for several thousand developers, and
conducted extensive code reviews and threat modeling. In fact,
we stopped Windows development for over 2 months to do that.
Secure-by-default entails shipping products to customers in
a lockdown position. This means that customers must consciously
decide to enable features, leaving other unused services off,
and thereby narrowing the attack surface of a production.
Secure-by-deployment focuses on making it easier for
consumers and IT professionals to maintain systems. For
example, any Windows XP user can be automatically notified when
critical updates are available for download. In fact, as Allan
Paller has noted, when people first deploy software, they may
already be at risk because there is some time from development
to market. But with this kind of technology, the minute you
load the software, the first thing you may get is that little
notification that a patch is ready to be deployed. So we are
working hard to automate that process.
But we do not work alone in this effort. For example, the
announcement last week of a baseline security configuration for
Windows 2000 demonstrates the positive results that flow from a
voluntary public/private partnership involving a broad range of
organizations. Microsoft reviewed the proposed settings, and we
expect that some Federal CIOs will incorporate these promptly.
This work stands besides our coordination with entities
such as the Partnership for Critical Infrastructure Security,
John Tritak's Critical Infrastructure Assurance Office, the
National Cyber Security Alliance coordinated by Dick Clarke's
White House Office of Cyberspace Security, the FBI's National
Infrastructure Protection Center, and, of course the IT-ISAC,
which we helped create.
There is also a strong roll for government in this area,
and I would like to close by addressing some areas where more
work can be done. As you consider creating the Department of
Homeland Security, please know that we support the effort and
we would like to see a strong cyber-security component in the
new Department. Our support extends to language that
facilitates cyber-security information sharing by granting an
exemption from the Freedom of Information Act.
We also applaud the House for passing H.R. 3482, the Cyber
Security Enhancement Act of 2002. We are pleased that this bill
strengthens law enforcement's ability to deter cyber-crime by
permitting the U.S. Sentencing Commission to grant Federal
judges more flexibility in sentencing cyber-criminals.
There are other steps that Microsoft respectfully suggests
the government take to help protect our critical
infrastructures. First, we support the forfeiture of personal
property such as computer equipment used in the commission of
cyber-crime.
Second, we strongly support increased funding for law
enforcement. These hardworking individuals, many of whom were
former colleagues of mine when I was at the Justice Department,
are chronically overworked, understaffed, undertrained, and
underequipped.
Third, we support increased funding for cyber-security
research and development, and we look to the government to lead
by example in securing its own systems through the use of
reasonable security practices, an issue that Allan has already
touched on.
Fourth, we believe that greater cross-jurisdictional
cooperation among law enforcement is needed for investigating
cyber-attacks, since cyber-criminals may reside anywhere.
In conclusion, Microsoft pledges to remain a leader in
industry efforts to secure products and services. Americans,
their government, and the critical infrastructures they depend
on every day face growing cyber-security challenges. Working
with our government partners and industry peers, we are
committed to preempting, catching, and prosecuting cyber-
criminals to protect the computing experiences of our customers
and the cyber-security of our Nation.
Thank you.
Mr. Horn. Thank you. And we will have a lot to ask you
about, with one more presenter.
[The prepared statement of Mr. Charney follows:]
[GRAPHIC] [TIFF OMITTED] T7387.019
[GRAPHIC] [TIFF OMITTED] T7387.020
[GRAPHIC] [TIFF OMITTED] T7387.021
[GRAPHIC] [TIFF OMITTED] T7387.022
[GRAPHIC] [TIFF OMITTED] T7387.023
[GRAPHIC] [TIFF OMITTED] T7387.024
[GRAPHIC] [TIFF OMITTED] T7387.025
[GRAPHIC] [TIFF OMITTED] T7387.026
[GRAPHIC] [TIFF OMITTED] T7387.027
Mr. Horn. And Mr. Weiss, we are delighted to have you here.
He is an executive consultant at KEMA Consulting. Thank you.
STATEMENT OF JOSEPH M. WEISS, EXECUTIVE CONSULTANT, KEMA
CONSULTING
Mr. Weiss. Thank you. Mr. Chairman and committee members,
thank you for the opportunity to address you about an area I
consider vitally important to the economic and national
security of America, the cyber-security of our critical
infrastructures.
I am a control system engineer. I have spent the past 2
years as the technical lead for the electric power industry,
developing and understanding of what is known, and, more
importantly, what is not known, about the cyber-security of
control systems. The control systems I will be referring to are
supervisory control and data acquisition, commonly known as
SCADA, distributed controlled systems, DCS, and programmable
logic controllers, PLCs.
I have been working with all of the organizations that have
a role to play in this area including the government, end
users, equipment suppliers, standards organizations, and all
other relevant organizations. There are several points I would
like to make.
One, control systems are vulnerable to cyber-security
intrusions, and in fact have been impacted by electronic
intrusions.
Two, cyber-security of control systems affects all
industries, not just the critical infrastructure.
Three, IT security technology does not protect control
systems.
And, finally, cyber-security technology needs to be
developed for control systems, and we do need immediate
government funding to make this happen.
Cyber-security has been viewed as an IT or Internet issue.
Awareness of control system vulnerabilities is very low. The
basic design premise inherent in every control system is the
control system would be a stand-alone system, and all control
system users would be trusted users. Consequently, these
systems have been designed inadvertently to be vulnerable to
cyber-intrusions. As long as the control systems are not
networked, they are not vulnerable to cyber-intrusions.
However, in order to make these systems more productive, these
previously stand-alone systems are being networked, including
to the Net, making them vulnerable to cyber-intrusions. They
are not legacy systems anymore.
Additionally, the vast majority of power plants and
substations do not have technology to detect electronic
intrusions. There have been more than 20 documented cases where
control systems have been electronically impacted either
intentionally or unintentionally. At least two cases have
resulted in damage to the industrial system and environment.
Those are the two you had mentioned.
There have been several confirmed cases of inadvertent
denial of service in control systems, including one in a
nuclear facility. These weaknesses could be exploited by an
intentional adversary. Existing cyber-monitoring technology has
not detected any of these cases, and I have had discussions
with Carnegie-Mellon CERT; they have not detected any of these
incidents.
There are only a handful of suppliers of these systems, and
they supply the primary industrial applications: power, water,
oil, gas, chemicals, metal refining, paper, pharmaceuticals,
food, beverages, etc. Not only are the systems common, but so
are the control system architectures. Consequently, if one
industry is vulnerable, they all could be.
Additionally, because you were talking about ISACs, this
means that the information on control system vulnerabilities
from the different industries could be of interest to the
individual industry ISACs. Now, existing cyber-security
technology has been developed for business functions in the
Internet. Control systems require a degree of timing and
reliability not critical for business systems. Because of this,
employing existing IT security technology in a control system
can range from lack of protection to actually creating a denial
of service condition. This has actually occurred in attempting
to employ encryption in these systems.
Myself and others working with me have developed an
understanding of what is needed to make control systems more
secure from cyber-intrusion, but additionally to also make
these systems more reliable. Cyber-security technologies need
to be developed for control system applications. They include
firewalls, intrusion detection, encryption, event logging, etc.
They don't apply to control systems. The types of cyber-
security projects at university classes Congress has identified
to fund, are not applicable to control systems. Understanding a
business system is different than understanding a control
system.
Government funding is needed to establish test beds. DOE
can help be a lead on this. It also requires extending existing
NIST-NSA methodology for procurement of desktop computing
systems' common criteria to industrial control systems. But
this is a very difficult task. There are a number of entities
waiting to participate when funding is made available. These
include DOE, NIST, NSA, several electric utilities control
systems suppliers, and IT security suppliers. We also need to
make sure that the transition team from Homeland Security
addresses control system cyber-security.
I hope you now have a better understanding of control
system vulnerabilities and what technologies are needed to make
them less vulnerable.
Thank you for your time and interest. And I would be happy
to answer any questions.
Mr. Horn. Thank you very much, Mr. Weiss.
[The prepared statement of Mr. Weiss follows:]
[GRAPHIC] [TIFF OMITTED] T7387.028
[GRAPHIC] [TIFF OMITTED] T7387.029
[GRAPHIC] [TIFF OMITTED] T7387.030
[GRAPHIC] [TIFF OMITTED] T7387.031
[GRAPHIC] [TIFF OMITTED] T7387.032
[GRAPHIC] [TIFF OMITTED] T7387.033
Mr. Horn. We now will have the questioning of this Panel
One, and later Panel Two. Mrs. Schakowsky has numerous
commitments here, and so she can use as much as she wants for
questioning.
Ms. Schakowsky. Thank you. I'm sorry that I've been
erratically here, and I also have to leave in a moment. But I
wanted to thank you all for your testimony.
I wanted to ask Mr. Weiss one question before I left. I
represent a district in Illinois which is the most nuclear
State in the country; we rely on nuclear power plants more than
any. Your testimony said that even nuclear power plants have
had a history of some problem with cyber-security.
And I am curious, I know that nearly 50 percent of all the
plants that were tested for mock terrorist attacks failed those
tests; that they are vulnerable. My understanding is that did
not even include testing for cyber-security and cyber-terrorism
that could occur.
First of all, do you know if that is true? And I am
wondering if you could elaborate a little bit on the
vulnerability of nuclear power plants, and what that might mean
in terms of a terrorist intrusion into such a plant.
Mr. Weiss. OK. Let me try and answer a number of those
questions. First of all, the issue with the nuclear facility I
mentioned was actually in a university reactor. It was one that
also has the same type of technology as used in commercial
nuclear plants, and it was a procedural issue. Nuclear plants
originally were designed to be stand-alone systems. They
weren't to be connected anywhere else. The non-nuclear safety
systems are starting to be connected to the corporate networks
because corporate wants to get information. That is starting to
make them vulnerable whereas before they were not vulnerable.
Ms. Schakowsky. That's non-nuclear.
Mr. Weiss. Pardon?
Ms. Schakowsky. You said non-nuclear?
Mr. Weiss. In other words, on the non-safety side of the
nuclear power plant.
Ms. Schakowsky. I got you.
Mr. Weiss. The safety side of a nuclear power plant is
really not vulnerable, because they are not electronically tied
to anything. So you are talking about the non-safety portion of
the nuclear power plant. To the best of my knowledge, there has
been no cyber-testing of any nuclear plant in the United States
to date. That is correct.
Ms. Schakowsky. Thank you.
Mr. Horn. Thank you very much.
Let us start with Dr. Thomas of the University of Southern
California. Do you believe there are any cyber-terrorist threat
scenarios that are realistic? If so, how do you believe an
attack would occur under those circumstances?
Mr. Thomas. I think there are two important aspects to
that. I think the complexities of a cyber-terrorist attack
really warrant our attention in that we are not talking about a
16-year-old kid simply hacking into a secure system. In order
to make a cyber-attack happen, a lot of other things have to
happen, too. Other security measures have to fail. Those
hackers or terrorists need not only to understand how to
penetrate a computer system, but they also have to understand
how to work a power plant, how to work air traffic control.
They need to have a fairly sophisticated understanding of those
kind of aspects in order to make an attack successful.
The second thing I would add to that is that our
vulnerabilities are not simply technological. And, in fact, my
experience has been, in talking to hackers, that in most cases
the way a hacker will invade a system is not by getting online
and not by typing in passwords, but is generally by calling up
somebody in that organization and conning them out of enough
information to get access. It is not uncommon for them to call
up a secretary and say, I can't get onto the network, my
password isn't working; what is your password? And they give it
to them, believing that they are a member of the organization.
There's also reports, in terms of air traffic control, of
attacks I think in the U.K., which were not cyber-attacks but
rather people who got radios and were able to broadcast signals
to planes.
So I think the question of vulnerability, what hackers
teach us is we should not just look for the most
technologically sophisticated way in, but for the easiest way.
And I believe that our vulnerabilities are really, in terms of
the design of the system, and what is easy to attack in that
system is the place where we really need to shore up and make
sure that we have access barriers and so on.
So I foresee, if an attack is going to come, that it is not
going to come through some sophisticated programming technique
or cyber-attack necessarily, but through a much less
technologically sophisticated kind of means.
Mr. Horn. What kind of additional expertise do you believe
a hacker would need to control a power grid or a financial
transaction?
Mr. Thomas. I think in order to do that, they are going to
have to have some understanding--going to have to have some
understanding of how that power plant works, how the financial
systems work. We tend to forget when we are talking about
cyber-attacks that there are people involved on the other end.
And when they see things happening that look suspicious or
wrong, they tend to look at those things and understand that,
if something is askew, that it needs to be examined more
carefully.
There is an example, I think, with SCADA of hackers that
were in a system for something like 17 days, and one of the
lessons that they learned from that is that once hackers got
into this control system for power, they had no idea what to do
once they were in there. They had the access, but they had no
kind of knowledge or sophistication about how that system
worked in order to do anything with it.
So, I think that becomes another critical question of a
level of expertise that includes the system they are invading
as well as the way to get in.
Mr. Horn. Why do you believe that it is unlikely that a
hacker could obtain this additional expertise?
Mr. Thomas. From what I know of the culture itself, hackers
are much more interested in access than they are in what they
find once they get into a system. I suppose that there are
exceptions. But for them, the challenge mainly lies in getting
in and then moving onto another system and another system and
another system.
If they do want something from inside a system, it is
usually--when we are talking about the culture itself, they
want evidence they have been there. They want something for
bragging rights. They want a document. One of the things I
write about is the fact that while hackers may be pretty smart
about technology, they tend to make terrible criminals. They
make a lot of mistakes; they are easily caught. When they do
things, particularly involving money, they are oftentimes
tracked down very quickly and prosecuted very severely for the
crimes that they commit. So I think they tend to not have a
kind of criminal frame of mind, even though what they are doing
are crimes.
Mr. Horn. In your testimony, you indicate that human
intervention is required to control important operations of the
Nation's critical infrastructure. Could you provide some
specific examples of this?
Mr. Thomas. One of the examples that I think is worth
thinking about that's often cited is air traffic control. And
in point of fact, air traffic control information that's passed
over a network doesn't control anything. It provides
information to controllers who then speak to pilots. Pilots
have onboard radar. There are a lot of things that have to go
wrong in addition to being hacked in order for a plane to
crash.
Another example that was cited in the literature was the
idea that terrorists could hack into a cereal manufacturing
plant like Kellogg's and dump enormous amounts of iron, for
example, in children's cereal and poison our children. The
number of things that would have to go wrong in that scenario
are myriad. For example, the plant would have to notice--or,
not notice that they are running out of iron at an incredible
rate. There would have to be no one doing any kind of quality
testing to see that the cereal, in fact, tastes like iron. It
would have to get out on the shelves and not be recalled.
So those kind of human factors, that kind of testing and
that kind of observation doesn't necessarily make that kind of
attack impossible, it just makes it highly unlikely that it
would succeed or have the kind of impact that people would want
it to have if they were engaging in terrorism.
Mr. Horn. Mr. Belcher, you point out the dangers of linking
all the components of a company's network together under a
single protocol. Do you believe that it is practical to unlink
infrastructure control systems from the rest of the company's
business systems?
Mr. Belcher. It probably would not be practical, given
other business considerations. They're linking for synergies
and deficiencies; they are not linking for security. So, in
most cases, probably impractical.
Mr. Horn. In your testimony, you indicate that critical
infrastructure companies are experiencing attacks that may be
specifically targeting them. Can you describe the type of
attacks that they are experiencing?
Mr. Belcher. The attacks that we monitored over the 6
months alone, for instance, we quantified about 180,000 attacks
against the client base and analyzed the characteristics of
those attacks. There are numerous attacks that appear targeted,
and we're able to quantify some statistics. Approximately 40
percent of all attacks appear to be going after an individual
organization rather than searching the Internet for
vulnerabilities. It gives a little bit of insight into the
motivation. The attacks run the gamut of intent. Some are
inconsequential. Some are done by, obvious, children or other
miscreants. Some appear to be going after internal networks,
for instance, to go after financial information, credit card
numbers, commit fraud, commit theft of property. So they run
the gamut.
Mr. Horn. In your testimony, you indicate that critical
infrastructure companies are experiencing attacks that may be
specifically targeting them. Can you describe any type of
these, besides what you had mentioned, quantification?
Mr. Belcher. Sure. Absolutely. If you look at the profiles
of attacks coming across the Internet to individual
organizations--for instance, if you look at the activity coming
from certain countries within the Middle East, they do by and
large favor power and energy as an industry. You can read into
the motivations all you want. All we are simply providing is
quantifiable numbers in association with those activities.
Mr. Horn. You state that information on the inner workings
of the system control and data acquisition is available from
public sources. Can you describe those sources and what, in
your opinion, can or should be used to limit the availabilty of
this data?
Mr. Belcher. This is relating to some of the questions to
Dr. Thomas. We have done assessments, as I mentioned, in both
written and verbal of many power and energy companies, probably
in the magnitude of 40, assessing their corporate
infrastructures and their control systems. And while I agree
with the majority of the testimony by the entire panel,
anecdotally speaking, showing and demonstrating the viability
of connecting to these critical networks, sometimes we get
resistance along the same lines of Dr. Thomas saying that even
giving access it would be difficult to manipulate the systems,
and we completely agree.
In the past we have demonstrated the ability to collect
open source information on the systems, including their design
all the way to a protocol level to do analysis. We demonstrated
the ability to watch the operators in those environments. And
more importantly, when asking the people that manage those
environments, if I give you access to a foreign utility could
you manipulate it, and almost every time they say absolutely.
Could you manipulate it to cause damage? Absolutely.
So why would we consider threats against our critical
infrastructure not at that level of expertise? If you could
hire a professional service team of information security
experts to go after an organization and they can demonstrate
viable access to the most critical components, why would that
not be our threshold to consider for attacks coming from other
organizing sponsors?
When you are talking about cyber terrorism, you're talking
an absolute sliver of the general volume of attacks that an
organization is likely to receive, a very, very small
percentage. You have to consider that their expertise would be
somewhere in the same range of our expertise.
Mr. Horn. Mr. Alan Paller of SANS Institute, you have
identified some of the pressures on commercial software
developers that impede their ability to produce secure
software, including their manufacturing and distribution
processes and their desire to make user friendly products. What
actions can developers take to eliminate these pressures and
remain competitive?
Mr. Paller. Scott Charney of Microsoft, laid out a plan
that ought to be a model for every one of the software
companies and the only reason we don't all stand up and cheer
and say we are done is that it is all prospective. You have to
buy Microsoft's new systems to get this stuff. So we have maybe
150 million people who we still have to help. So the question
is what can they do for the rest of us? And I think the key
answer came out in an FTC hearing. A person from Sun described
it and it is actually the right answer, and I think Microsoft
is doing this with the Defense Department. The key is to have
all software delivered for agencies that matter, delivered from
a local server where the server is kept up to date with the
latest patches. And whenever anyone in that organization needs
it--that is the way you do externally, too--whenever anyone
needs the software, they get it off that local server. And if
they'd set that up so all the rest of the infrastructure could
use that, we could move quickly. But again, that is
prospective. We still have 150 million boxes we have to fix.
Mr. Horn. What are the risks associated with having a
common security configuration benchmark for all Federal
systems?
Mr. Paller. Let me tell you the benefit first and then the
risk. There were some tests last week--and before that--that
took a regularly installed system and then ran one of the good
vulnerabilities testers on it. And they found a certain number
of high priority, medium priority and low priority
vulnerabilities. Then it installed the minimum benchmark and
ran the same tests over again and several tests were run. The
average was 80 to 88 percent of all those vulnerabilities
disappeared. So that's why you want to do a minimum benchmark.
Then the question is what breaks? The answer is that you
don't want to do is break things. The absolute key is you can't
install this and cause a critical application to break. And so
the difficulty is making sure that something doesn't break. And
the next step in these benchmarks is to set up test beds so all
application vendors can run their application against the test
bed and make sure their customers' applications won't break.
But the answer to your question is the cost is breaking
applications. We can't let that happen.
Mr. Horn. You state that so much emphasis has been placed
on a risk based approach that many organizations fail to make
any investments in security until a risk assessment is
completed.
Mr. Paller. It is true. It is sad. GAO and congressional
language is so emphatic that you have to do this risk
assessment that people just get at big meetings and say ``We
can't do anything until we have done a risk assessment and they
take a long time and they're buying computers every day. So it
is not that they're not buying the computers and installing
them. You've just got this huge consulting contract going on
and on and on and you are not hardening the boxes you're
installing today.
Mr. Horn. What type of security investments do you believe
should be made prior to completing a risk assessment?
Mr. Paller. I think it is very much like living in a really
rough neighborhood. You ought to lock the doors at night and
maybe all the time when you're in your house and have locks on
the windows. And there is a certain small set of things that
every computer should have before we allow it--we as users,
allow it to be connected to the Internet. If you think of this
as unsafe cars on the road, that car could hurt all of us,
there ought to be some little thing you do, and the vendors
will help. They are coming around and willing to help. But
before anyone hooks a machine to the Internet, they need to
just lock the doors and lock the windows.
Mr. Horn. Well, you give us some very interesting physical
matters rather than just electronic. Mr. Scott Charney of
Microsoft might have some ideas on this. Do you have a
cascading effect that an attack on one sector of the
infrastructure can affect other sectors? And what are some of
the challenges in identifying cascading effects across
industries?
Mr. Charney. We actually did have such a case when I was at
the Justice Department involving a juvenile who had the
telecommunications switch in the Town of Worcester,
Massachusetts. The switch actually serviced the regional
airport where the tower was unmanned. As planes were coming in
they would radio the tower and a signal would be sent
automatically across the telecommunications network to turn on
the landing lights on the runway. As the next plane came in and
radioed the tower, because the telecommunications switch was
disabled, the landing lights did not go on, the plane was
diverted and the airport was closed. So we had a transportation
failure based upon an attack on a telecommunications network.
The huge challenge is I don't think anyone would say we
fully understand all the interdependencies between all these
networks at a granular level. Yes, we all understand if the
power supply dies a lot of things won't work. If we don't have
telecommunications a lot of things don't work. But how these
things actually work in a more granular level where they share
vulnerabilities is not entirely clear yet, and there are a lot
of groups like the Partnership for Critical Infrastructure
Security that are studying that to figure that out.
Mr. Horn. With regard to cascading, please describe the
unique problems in recovering from an attack that has cascaded
into other sectors.
Mr. Charney. The difficulty, I think, will be in the scope
of the problem and integrating all the pieces back together and
making sure that all the relevant pieces are in fact considered
as we recover from the event. The thought that comes to mind
was when I was at PricewaterhouseCoopers, you know, after the
September 11th attacks, there was a lot of concern about when
the stock markets would be up and operating again. And a lot of
people were talking to the exchanges, for example, and the
telecommunications carriers. It turns out no one was talking to
the exchanges in the back that actually did the actual trading,
the clearinghouses for the exchanges, and since then they have
become more involved. But people were focused on the obvious
visible problem and not some of the substructures that actually
make it all go. So it is really important to understand how the
different parts of the infrastructure functions, including the
parts that are less visible, and make sure they are all
integrated into the recovery plan.
Mr. Horn. What challenges has the Information Technology
Information Sharing and Analysis Center encountered in its
efforts to coordinate interdependency analysis and recovery
efforts with other sectors?
Mr. Charney. I think we have a couple of challenges. One
is, of course, that sectors have certain commonalities and
therefore we have divided the ISACs into different sectors, but
it is important that we not stovepipe the information because
of these interdependencies. As a result, in fact there is a
meeting later this week, a cross-ISAC meeting where we are
starting to coordinate better in that regard. And there are the
issues I referred to in my example, the FOIA exemption, and
creating an environment where the ISACs can share information
far more freely with the government.
Mr. Horn. You mentioned there are these separate
organizations and processes to prosecute cyber crimes depending
on whether they appear to be intelligence related or law
enforcement related. Can you give us a description of some of
the differences and how they can affect the outcome of a case?
Mr. Charney. Yes. And some of this goes back to my years at
the Justice Department. As you know, historically the
government has had different organizations with different
authorities to counter different threats. So if you believe you
are under attack from a criminal, you launch criminal
investigative authorities using things like pen registers, trap
and tracers, and wiretaps. When you believe that say an
intelligence gathering operation, for example, you have foreign
counterintelligence authorities and other tools such as FISA,
the Foreign Surveillance Intelligence Act, which, for example,
when I was at Justice requires links to an agent of a foreign
power, some sort of governmental action. And then of course
when you have war, you have U.N. Charter 51 and you have rules
for how you engage in warfare.
The difficulty is that all of those mechanisms and
procedures depend upon who is attacking you and why. And in an
Internet attack, what you normally do not know at the outset is
who is attacking you and why. So there is an issue about what
kind of response would be appropriate. And let me give you a
real life example.
Many years ago when we were gearing up for air strikes
against Iraq, we found we had a massive penetration coming from
the Middle East into the U.S. Department of Defense, and there
was concern this might have been a preemptive strike against
our information systems to disrupt our military activities in
the area. Fortunately, the military people involved and the
Justice involved knew enough to know that where the attack
looks like it is coming from may not be where the attack is
coming from. But if you see that kind of attack, the question
is, is it a foreign state and does it constitute an act of
information warfare? And if it does, does that mean you can
drop bombs in response? Is that a proportional response under
the rules of war?
Of course we didn't do that. We did investigate the case as
a criminal matter, and it came back to two juveniles in
Cloverdale, California who were looping through the Middle East
and hacking the Department of Defense with help from an
Israeli.
So we have this problem in that we set up these processes
and procedures, but we are in a completely new threat model.
And I simply think the government has to really start thinking
about this and figuring out what constitutes the right response
in an environment where you don't have the facts you need to
make the traditional decisions.
Mr. Horn. What lessons learned did Microsoft take away from
the company's intensive scrutiny and security analysis of
millions of lines of code?
Mr. Charney. That we need to do a lot better and we are
going to do a lot better. You know, I have people who say to me
now Microsoft is issuing a lot of bulletins about
vulnerabilities and an awful large number of patches. Well, if
we looked at our code reviews and threat modeling, I would hope
that we are issuing a lot of bulletins and patches because we
are making the systems more secure and what we have learned is
we have to do this right. And the good thing is that markets
are now demanding it. National security and public safety
concerns are now demanding it. There is a confluence of events
that really rewards, I think, companies that recognize that
this has to be an industry initiative and a government industry
initiative.
Mr. Horn. Thank you very much for enlightening us on that.
Our last questions will be for Mr. Joe Weiss. And what can the
Federal Government do to improve the security of the SCADA
systems and why don't you explain what S-C-A-D-A is?
Mr. Weiss. SCADA--I think it has been used too much now as
a euphemism. What I believe we need to worry about are what's
called control systems. These are the real-time systems that
control processes, whether they are for a power plant, an
assembly line, etc. For whatever reason, the term SCADA came
out early. It stands for supervisory control and data
acquisition. It's simply a type of control system. It is used
in certain types of industries. It is usually used where you
are trying to gather data from very dispersed facilities. You
are not really trying to do significant calculations.
If you are in a refinery, a power plant or a steel mill
where you are more concentrated and you are doing much higher
levels of calculation, you have things called distributed
control systems. If you are in a discrete type of a facility
like an assembly line or a parts manufacturer, you are actually
using programmable logic controllers. SCADA has been used as a
term to lump them together.
Mr. Horn. A lot of it is with inventory movement in the
Japanese----
Mr. Weiss. No. If you will, that is really a manufacturing
execution system. What we are worried about is the physical
control aspect that occurs in real-time. You want to open or
close a breaker in a substation. You want to move a valve. You
can even think of your sprinkler system at home. The purpose of
a control system is to be able to do that in an automated way.
It is going to take, for example, a pressure or a temperature
and to make a change in order to keep my process moving the
right way.
What has happened is with the net, it has allowed us to get
information from so many different places and to use these new,
mathematical algorithms to make this adjustment of different
signals better and smarter and quicker. And in a sense that's
what's opened us up because we can.
Now to the question you asked originally. We have a problem
with the chicken and the egg. The chicken and the egg are
vendors, and not just in electric utilities, but generally the
control system suppliers aren't producing secure control
systems because they feel there's no market. It would take
development--like I say, the technology isn't even there yet
because they are different. It would take development and it
would take a lot of other things. So the vendors are not
supplying that secure control system.
On the other hand, the end users, be they utilities, oil
companies, etc., because the vendors don't have one they don't
even put it in their specs. So what's happening is we are in
this chicken and egg scenario that we are not moving at all,
and that is one area of the government can help us is in a
sense getting this market to occur or the fact that there needs
to be a market so the technology will even occur.
The other piece is literally the technology development
itself. There's an awful lot of technology that's being
developed in DOD that may have some relevance to us. The
converse is if you look at a ship, the ship is a power plant
with a rudder. So there's an awful lot, if you will, of synergy
in between. But if the government helps, for example, and is
involved with the test beds, the way it will move this forward
is to actually have facilities where you can go in and try out
and test out and find out what happens when I do put this in,
what is my incremental security benefit, what is my either
incremental improvement of reliability or possibly decrease in
reliability. So I have some intelligent way of saying, what
should I do? We don't have that right now.
Mr. Horn. What sectors are most vulnerable and why?
Mr. Weiss. All, because we all have the same control
systems from the same vendors using the same architectures. The
vulnerability--I am not talking threat. Again, I am a control
system engineer talking about the systems. From a vulnerability
perspective, the same control system from the same vendor is in
power plants, is in refineries, is in water treatment plants,
is in steel mills. So in a funny sense, the vulnerability is no
different. The threat may be different, but the vulnerability
isn't.
Mr. Horn. Let me ask this one last question to this panel.
How available are hacking tools? Mr. Weiss, let's just go down
the line.
Mr. Weiss. They are available. What we didn't realize is
their applicability to a control system. We had originally
assumed that it wouldn't impact a control system. We are
starting to find out that they can. But let me just add one
other thing. In order to impact a control system, you don't
need a hacking tool. That, to me, is something that's
different. There are other things that you can use to impact,
via cyber, the operation of a control system and it doesn't
have to be a hacking tool.
Mr. Charney. The tools are widely available. And what that
means, of course, is that when you're under attack and under an
attack that appears to be sophisticated, it may not be a
sophisticated attacker. It may be a novice.
Mr. Paller. Just to reinforce that, I was the expert
witness in the Mafia Boy trial where he attacked Yahoo and eBay
and he used a tool that he got from somebody else. He had no
clue how the tool worked. And as I said earlier, there are at
least 2,000 programs running at all times searching on the
whole Internet. And finally there are Web sites now where you
can do either of two or three things. You can actually type in
what you want a virus to do and it will write the virus for
you. You can type in who you want to attack and it will run the
attack. Anybody can use those Web sites.
Mr. Belcher. I think everyone in the panel is going to say
I think the tools are readily available. I think the concern
would be that for cyber terrorism issues you are really worried
about the perpetrator that does not need or does not want the
tool.
Mr. Thomas. I would agree that tools are widely available.
And I may have a different perspective in that I would suggest
that the availability of tools is not necessarily a bad thing.
I think it does force software companies to be responsible in
updating their product, in analyzing their own networks and
analyzing their own software. And as a result we get better
security because those tools are out there, not worse.
Mr. Horn. Well, I want to thank each of you. You have
educated all of us in many ways, and so thank you very much and
we will now bring panel two forward. If you would like to stay,
fine.
Robert Dacey is the Director U.S. General Accounting
Office; Ronald Dick, Director, National Infrastructure
Protection Center, Federal Bureau of Investigation; John S.
Tritak, Director, Critical Infrastructure Assurance Office,
Department of Commerce; Stanley Jarocki, Chairman, Financial
Services Information and Analysis Center, and Vice President,
Morgan Stanley IT Security. The last part of this is Louis G.
Leffler, Manager-Projects, North American Electric Reliability
Council. And as you know, gentlemen, a lot of you have been
here before. If you have any aides with you just get them to
take the oath, also. And Mr. Marc Maiffret, we are glad to have
him here.
[Witnesses sworn.]
Mr. Horn. Mark Maiffret will join this panel and there is a
sign already for him and a chair and we are glad you made it
here. Chief hacking officer and co-founder of eEye Digital
Security. And then we will start with you if we might.
STATEMENT OF MARC MAIFFRET, CHIEF HACKING OFFICER AND CO-
FOUNDER, eEYE DIGITAL SECURITY
Mr. Maiffret. Thank you. Thank you for having me. My name
is Marc Maiffret, Chief Hacking Officer and Co-Founder of eEye
Digital Security. We focus on creating computer security
products, and we are also heavily involved in vulnerability
research.
Much debate has been given to the security of our
infrastructure. Some are peddling doom and gloom. That sounds
like a script to the next cheesy sci-fi movie. Others, however,
are ignoring the problem to say it is overhyped. I personally
believe that it is pointless to debate whether our
infrastructure is secure or not. At the heart of it all we have
the basic understanding that as a Nation we wish to be secure.
If our infrastructure is vulnerable, then we are not secure.
Therefore, more time needs to be put into creating guidelines
of how to secure infrastructure rather than debating whether it
is secure or not. With proper guidelines in place and enforced
by our government, we will be that much closer to securing our
infrastructure.
The current level of security within our infrastructure
cannot be judged as a whole. There are too many systems run by
too many organizations, therefore making it very hard to
quantify how secure or insecure our infrastructure is. The fact
does remain, though, that there are vulnerable systems within
our infrastructure. It is also a fact that many of the software
solutions controlling our infrastructure are vulnerable. This
includes the various software that controls SCADA systems.
SCADA systems are probably one of the most vulnerable parts
of our infrastructure because of the link created between
software and hardware allowing engineers in infrastructure
companies to easily manage their systems. A lot of times it is
possible to gain access to the networks which House SCADA
systems. Once on these networks, it is entirely possible to
take control of an infrastructure site and start performing
functions just as an operator of the site would.
I will not go into a ton of detail in possible ways of
taking over SCADA systems as I have done so in my written
testimony. In the end though, it is entirely possible to take
control of SCADA systems. Taking control of a SCADA system is
not something that any two-bit Internet hacker is going to be
able to do. Hacking SCADA systems should not be equated to
teenage hackers breaking into Web sites and then mysteriously
being able to control a power grid. That is not to say that
technology is not moving to make that type of scenario totally
unrealistic. However, hacking a SCADA system does take more
skill than an average teenage hacker will have.
Security of our Nation's infrastructure is a complex
problem because of the integrated nature of our systems even
beyond their technical aspects. It is security meets business,
meets usability and meets politics, everyone's opinion of how
things should be. Albert Einstein once wrote that if we have
the courage to decide ourselves for peace we will have peace. I
believe the same goes for security. Only when we as a society
decide we truly wish to be secure and then follow through in
that decision shall we begin to start to attain security.
Once again, I suggest that in order for us to start to
secure our infrastructure, we must create guidelines that
critical infrastructure companies must follow. These guidelines
must be enforced by our government. We must move quickly on
securing our infrastructure for I fear if we do not act soon
then we will be forced to thrust our infrastructure through
nihilistic rebirth, as the only means of becoming secure would
be to start over.
Thank you.
[The prepared statement of Mr. Maiffret follows:]
[GRAPHIC] [TIFF OMITTED] T7387.034
[GRAPHIC] [TIFF OMITTED] T7387.035
[GRAPHIC] [TIFF OMITTED] T7387.036
[GRAPHIC] [TIFF OMITTED] T7387.037
[GRAPHIC] [TIFF OMITTED] T7387.038
[GRAPHIC] [TIFF OMITTED] T7387.039
[GRAPHIC] [TIFF OMITTED] T7387.040
[GRAPHIC] [TIFF OMITTED] T7387.041
Mr. Horn. Thank you. That is very helpful and we go now
with Robert Dacey, the Director of Information Security, U.S.
General Accounting Office, which is under the Comptroller
General of the United States. And we always use GAO in one way
or the other, beginning or end. You are on the beginning but we
will probably ask you what did we miss at the end. And so, Bob,
nice to have you here.
STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY
ISSUES, U.S. GENERAL ACCOUNTING OFFICE
Mr. Dacey. Mr. Chairman, I am pleased to be here today and
thank you for your continuing interests and efforts to provide
oversight over this critical area. Today I would like to
discuss the challenges that our Nation faces concerning
critical infrastructure protection, or CIP, and Federal
information security. As you requested, I will briefly
summarize my written statement.
We have made numerous recommendations over the last several
years concerning CIP and Federal information security
challenges that need to be addressed. For each of these
challenges, improvements have been made and continuing efforts
are in the process, including a number of efforts by other
members of this panel. However, much more is needed to address
them. These challenges include, No. 1, developing a national
CIP strategy. A more complete strategy is needed that will
address specific roles, responsibilities and relationships for
all CIP entities, clearly define interim objectives and
milestones and set timeframes to achieve them and establish
appropriate performance measures.
Last week, we issued a report that further highlights the
importance of coordinating the dozens of Federal entities
involved in cyber CIP efforts. The President's National
Strategy for Homeland Security, also released last week, calls
for interim cyber and physical infrastructure protection plans
by September of this year to be followed at an unspecified date
by a comprehensive national infrastructure plan.
The second major challenge is improving analysis and
warning capabilities. More robust analysis and warning
capabilities are still needed to identify threats and provide
timely warnings. Such capabilities need to address both cyber
and physical threats. The National Strategy for Homeland
Security calls for major initiatives to improve our Nation's
analysis and warning capabilities that include enhancing
existing capabilities within the FBI and building new
capabilities at the proposed Department of Homeland Security.
The third major challenge is improving information sharing
on threats and vulnerabilities. Information sharing needs to be
enhanced both within the Federal Government and between the
Federal Government and the private sector and State and local
governments. The National Strategy for Homeland Security
identifies partnering with non-Federal entities as a major
initiative and discusses the need to integrate information
sharing within the Federal Government and among the various
levels of government and the private industry. Information
sharing and analysis centers, which will be discussed today,
continue to be a key component of that strategy. The strategy
also discusses the need to use available public policy tools
such as grants and regulations.
The fourth challenge is addressing pervasive weaknesses in
Federal information security. Despite the importance of
maintaining the integrity of confidentiality and availability
of important Federal computer operations, Federal computer
systems have significant pervasive information security
weaknesses. A comprehensive strategy for improving Federal
information security is needed in which roles and
responsibilities are clearly delineated, appropriate guidance
is given, regular monitoring is undertaken and security
information and expertise are shared. As I testified earlier
this year before this subcommittee, continued authorization of
government information security reform legislation is essential
to sustaining agency efforts to identify and correct these
significant weaknesses.
The President's draft legislation on the creation of a
Department of Homeland Security and the National Strategy for
Homeland Security acknowledge the need to address many of these
challenges. However, much work remains to effectively respond
to them. Until a comprehensive and coordinated strategy is
developed for all CIP efforts, our Nation risks not having an
appropriate and consistent structure to deal with the growing
threats of attacks on its critical infrastructures.
Mr. Chairman, this concludes my oral statement, and I would
be pleased to answer any questions that you or members of the
subcommittee might have.
[The prepared statement of Mr. Dacey follows:]
[GRAPHIC] [TIFF OMITTED] T7387.042
[GRAPHIC] [TIFF OMITTED] T7387.043
[GRAPHIC] [TIFF OMITTED] T7387.044
[GRAPHIC] [TIFF OMITTED] T7387.045
[GRAPHIC] [TIFF OMITTED] T7387.046
[GRAPHIC] [TIFF OMITTED] T7387.047
[GRAPHIC] [TIFF OMITTED] T7387.048
[GRAPHIC] [TIFF OMITTED] T7387.049
[GRAPHIC] [TIFF OMITTED] T7387.050
[GRAPHIC] [TIFF OMITTED] T7387.051
[GRAPHIC] [TIFF OMITTED] T7387.052
[GRAPHIC] [TIFF OMITTED] T7387.053
[GRAPHIC] [TIFF OMITTED] T7387.054
[GRAPHIC] [TIFF OMITTED] T7387.055
[GRAPHIC] [TIFF OMITTED] T7387.056
[GRAPHIC] [TIFF OMITTED] T7387.057
[GRAPHIC] [TIFF OMITTED] T7387.058
[GRAPHIC] [TIFF OMITTED] T7387.059
[GRAPHIC] [TIFF OMITTED] T7387.060
[GRAPHIC] [TIFF OMITTED] T7387.061
[GRAPHIC] [TIFF OMITTED] T7387.062
[GRAPHIC] [TIFF OMITTED] T7387.063
[GRAPHIC] [TIFF OMITTED] T7387.064
[GRAPHIC] [TIFF OMITTED] T7387.065
[GRAPHIC] [TIFF OMITTED] T7387.066
[GRAPHIC] [TIFF OMITTED] T7387.067
[GRAPHIC] [TIFF OMITTED] T7387.068
[GRAPHIC] [TIFF OMITTED] T7387.069
[GRAPHIC] [TIFF OMITTED] T7387.070
[GRAPHIC] [TIFF OMITTED] T7387.071
[GRAPHIC] [TIFF OMITTED] T7387.072
[GRAPHIC] [TIFF OMITTED] T7387.073
[GRAPHIC] [TIFF OMITTED] T7387.074
[GRAPHIC] [TIFF OMITTED] T7387.075
[GRAPHIC] [TIFF OMITTED] T7387.076
[GRAPHIC] [TIFF OMITTED] T7387.077
[GRAPHIC] [TIFF OMITTED] T7387.078
[GRAPHIC] [TIFF OMITTED] T7387.079
[GRAPHIC] [TIFF OMITTED] T7387.080
[GRAPHIC] [TIFF OMITTED] T7387.081
[GRAPHIC] [TIFF OMITTED] T7387.082
[GRAPHIC] [TIFF OMITTED] T7387.083
[GRAPHIC] [TIFF OMITTED] T7387.084
[GRAPHIC] [TIFF OMITTED] T7387.085
[GRAPHIC] [TIFF OMITTED] T7387.086
[GRAPHIC] [TIFF OMITTED] T7387.087
[GRAPHIC] [TIFF OMITTED] T7387.088
[GRAPHIC] [TIFF OMITTED] T7387.089
[GRAPHIC] [TIFF OMITTED] T7387.090
[GRAPHIC] [TIFF OMITTED] T7387.091
[GRAPHIC] [TIFF OMITTED] T7387.092
[GRAPHIC] [TIFF OMITTED] T7387.093
[GRAPHIC] [TIFF OMITTED] T7387.094
[GRAPHIC] [TIFF OMITTED] T7387.095
[GRAPHIC] [TIFF OMITTED] T7387.096
[GRAPHIC] [TIFF OMITTED] T7387.097
[GRAPHIC] [TIFF OMITTED] T7387.098
[GRAPHIC] [TIFF OMITTED] T7387.099
[GRAPHIC] [TIFF OMITTED] T7387.100
[GRAPHIC] [TIFF OMITTED] T7387.101
[GRAPHIC] [TIFF OMITTED] T7387.102
[GRAPHIC] [TIFF OMITTED] T7387.103
[GRAPHIC] [TIFF OMITTED] T7387.104
[GRAPHIC] [TIFF OMITTED] T7387.105
Mr. Horn. Thank you. We appreciate that.
Our next presenter is Ronald L. Dick, the Director of the
National Infrastructure Protection Center, Federal Bureau of
Investigation. I want to express the feelings of the Committee
on Government Reform and this subcommittee in particular about
what you have done to help us in many ways, and so thank you
very much, Mr. Dick. You do a fine job down there.
STATEMENT OF RONALD L. DICK, DIRECTOR, NATIONAL INFRASTRUCTURE
PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION
Mr. Dick. Thank you, Mr. Chairman, for this opportunity to
discuss our government's important and continuing challenges
with respect to critical infrastructure protection. But before
I begin my statement I would like to express my appreciation to
you for your service in the House and note that everyone
concerned with infrastructure protection will miss your
leadership.
Mr. Horn. That is kind of you.
Mr. Dick. Thank you, sir.
And ITC representatives have testified several times in
front of this committee, most recently in September of last
year. Since that time, while the Nation has focused on the war
against terrorism, the NIPC has forged ahead on several fronts.
I have been asked many times about what keeps me up at
night and I think about a scenario that combines a serious
physical attack with a concurrent cyber attack which would tie
up 911 systems or stop the flow of electricity and water during
the crisis. We work to prevent such a scenario through two-way
information sharing. Because approximately 85 percent of the
Nation's critical infrastructures are owned by the private
sector, we rely heavily on private sector information sharing.
In the written statement, I discuss some of the challenges
we must overcome in two-way information sharing. I will focus
on two areas in which we have made substantial progress in the
last year.
First, we have built many trusting relationships with
members of the private sector, particularly those through our
government-private sector infrastructure protection
partnership, known as InfraGard, and with information sharing
and analysis centers. For example, InfraGard membership has
grown by more than 600 percent in the last 14 months from 800
to nearly 5,000.
Second, our news unit, the ISAC's Support and Development
Unit, was designed to assist in the development and expansion
of ISACs. Since formation of that unit, information sharing
agreements have been signed with ISACs for telecommunications,
information technology, food, water supply, emergency services
like fire, banking and finance, chemical sectors and the
Aviation Administration. Tomorrow I am scheduled to sign
another agreement, adding the National Association of State
Chief Information Officers to our list of infrastructure
protection partners.
One of the most recent agreements was with the ISAC for
fire emergency services led by the U.S. Fire Administration, an
organization which has been a model for mutual benefits of two-
way information sharing. Since that agreement, we have shared
intelligence on scuba diving threats to waterfront facilities,
suspicious attempts to purchase an ambulance in New York and
the theft of a truck with 10 tons of cyanide in Mexico. In
turn, they have told us of suspicious foreign nationals
attempting to gather information on emergency services.
However, more work still needs to be done. The annual
Computer Security Institute and FBI Computer Crime and Security
Survey, released in April, indicated that 90 percent of the
respondents detected computer security breaches in the last 12
months. Only 34 percent reported the intrusion to law
enforcement. On the positive side, that 34 percent is more than
double the 16 percent who reported intrusions in 1996. This
nonreporting impairs the government's ability to analyze
threats and vulnerabilities and take appropriate action. The
two primary reasons for not reporting were the fear of negative
publicity and the belief that competitors would use the
information against them if it were released.
First, I assure you that the Department of Justice and the
FBI, Office of General Counsel will be happy to discuss with
your staffs the issues more thoroughly regarding information
sharing because it always must be kept in mind that sharing of
information is voluntary. Therefore, it becomes the
government's burden to demonstrate it can and will protect
information.
One of the issues we have heard for years is that companies
are concerned that information they provide to the government
will be released by the government under the Freedom of
Information Act. We looked at the Freedom of Information Act
and discussed it with the private sector. Under exemption
(b)(4) of FOIA, the government is not required to disclose,
``trade secrets and commercial or financial information
obtained from a person and privileged or confidential.''
On the face of that statute, you find the definite--you
don't find, rather, the definition of those key terms.
Companies asked us what ``trade secrets'' meant under FOIA as
well as the scope and terms of information. They asked, for
example, is vulnerability information considered commercial or
financial? They also asked whether under the statute
information gets different protection if it is voluntarily
provided to the government.
We worked with the Department of Justice and also did our
own legal research. In doing so, we found a number of important
cases that discuss these issues. The most important, I am told,
is a case decided by the D.C. District Circuit Court of Appeals
called Critical Mass Energy Project vs. the Nuclear Regulatory
Commission. Nonetheless, despite these cases and some others
like it, companies want clear statutes with straightforward
language. They do not want to be kept up to date on the latest
cases or have to keep up to date on the latest cases. They want
a simple statute they can understand. Without that, many
companies will not share information.
The question of whether in the abstract we can protect the
information becomes meaningless if the companies will not give
us the information in the first place. Many companies seek
certain outcomes and they don't want to rely on a judge's
decision. They also don't want to face even the possibility of
having to go to court to litigate the protection of their
information whether under FOIA or under the Trade Secrets Act.
Finally, they are also concerned about the State open records
laws. Many have told us that they want to be able to share
sensitive information with the Federal Government and they
would like the Federal Government to be able to share
information with them and would like to be able to share
information with the States. But they are equally clear that if
the sensitive information becomes public, they will not share
it. Sharing a lot of this information publicly would weaken the
Nation's security, not strengthen it.
The NIPC has been asked to engage in a constructive dialog
with industry in order to promote information sharing. For over
4 years we have heard this same message. We would like the FOIA
issue resolved in a manner that industry is convinced of the
government's ability to protect their information.
At a recent Senate hearing before Senator Lieberman, the
NIPC, myself and the Department of Justice committed to work
with Congress on these concerns so as to resolve them.
And let me conclude. Faced with the hard fact that most
companies are not reporting, the NIPC has promoted an
aggressive outreach program and is seeing results. The system
of information sharing amongst ISACs, the NIPC, government
agencies and the private sector is beginning to work. At the
NIPC we continue to seek partnerships and means which promote
two-way information sharing. As Director Mueller stated in a
speech on July 16, prevention of terrorist attacks is by far
and away our most urgent priority. We can only prevent attacks
on our critical infrastructures by building an intelligence
base, analyzing that information and providing timely,
actionable, threat-related products to our private and public
sector partners.
Therefore, we will continue our efforts with your committee
in improving information sharing and infrastructure protection,
and I welcome your comments.
[The prepared statement of Mr. Dick follows:]
[GRAPHIC] [TIFF OMITTED] T7387.106
[GRAPHIC] [TIFF OMITTED] T7387.107
[GRAPHIC] [TIFF OMITTED] T7387.108
[GRAPHIC] [TIFF OMITTED] T7387.109
[GRAPHIC] [TIFF OMITTED] T7387.110
[GRAPHIC] [TIFF OMITTED] T7387.111
[GRAPHIC] [TIFF OMITTED] T7387.112
[GRAPHIC] [TIFF OMITTED] T7387.113
[GRAPHIC] [TIFF OMITTED] T7387.114
[GRAPHIC] [TIFF OMITTED] T7387.115
[GRAPHIC] [TIFF OMITTED] T7387.116
Mr. Horn. Thank you very much. We will now hear from John
S. Tritak, Director of the Critical Infrastructure Assurance
Office in the Department of Commerce. Now that is partly, with
NIST, also involved in standards and that kind of thing. Very
good, if you want to give us a better view of that, start in
with it.
STATEMENT OF JOHN S. TRITAK, DIRECTOR, INFRASTRUCTURE ASSURANCE
OFFICE, DEPARTMENT OF COMMERCE
Mr. Tritak. Thank you for the opportunity to be here today.
I submitted my written remarks, and I would be more than happy
to talk about the move to the Department of Homeland Security
and our respective roles as you would like, but I would like to
touch on a few themes that have arisen during the course of
this hearing and give some reflection on those in my brief
remarks now.
I want to begin by focusing--homeland security differs
fundamentally from what I would call classic national security.
And by classic national security, I am referring to those
things the government more or less did on its own on behalf of
the United States and its citizenry. We are now confronted with
a unique challenge. And that is because, as we have heard from
al Qaeda and others, is that the terrorists have indicated that
the economy is a target, particularly the pillars of that
economy, and the vast majority of those are privately owned and
operated. Terrorists' followers have been urged to attack these
pillars of the economy wherever vulnerabilities exist, whether
they are in the physical domain or in the cyber domain.
And we know they're looking at the cyber domain as well.
And we have heard a little bit earlier that attacking SCADA
systems or major facilities through cyberspace is not easy and
is not something that the average hacker can do, and I would
completely concur in that. It is not easy, but I will submit
the terrorists are not lazy. And it wasn't easy to orchestrate
the hijacking of four aircraft and turn those aircraft into
cruise missiles.
The point of all of these terrorist activities is to force
the United States to look inward and change and rethink its
global commitments overseas, particularly in the Persian Gulf
and the Middle East. Their goal was to create serious impact
and force us to redo and rethink our commitments overseas.
So I would submit to you it is not a question of whether
cyber terrorism exists or whether it is overblown. I think to
the extent that our economy relies on information systems and
networks to function and to the extent there are
vulnerabilities of the kind that could be exploited to cause
harm in combination with other forms of attack--Ron Dick just
mentioned one. I think he is right on this. We don't
necessarily have to envision terrorism playing out like a war
game or Nintendo. We are talking about a situation where
perhaps in combination with a devastating physical attack
certain key information systems networks are disrupted and
therefore exacerbate an already terrible situation because that
is the impact they are seeking. It is their goal we have to
keep an eye on when we are talking about this problem.
Therefore, because the economy is largely privately owned and
operated, we have to see homeland security as a shared
responsibility, and this is going to require redefining our
respective roles between government and industry and how we go
about achieving this new goal, and that is going to require a
level of collaboration that frankly we've never had to have
before.
And that is why I think it is very important when we create
this new department that the culture of partnership and
collaboration suffuse that organization. It has to actually
build on the premise that government and industry together need
to achieve this goal and that neither government nor industry
alone can do it.
Information sharing is deemed one very important way in
which we actually operationalize homeland security, and
information sharing is taking place now. Ron Dick will tell you
and many of the ISAC people will tell you they are sharing now.
But the real goal here is to create an environment where
dynamic sharing can take place on an ongoing basis to deal with
problems as they arise in real-time. And I would submit to you
that the question with respect to FOIA or any other question is
whether the current statutory and regulatory environment is
conducive to promoting voluntary acts of information sharing.
Now, this is not an easy issue and I know there are very
important public interests and public goods at stake here and
honest people can disagree over the challenge of open
government on the one hand and the need to secure information
and how it could come into conflict. And frankly, it is the
Congress who is going to have to resolve these problems.
I also want to make clear that any change in the FOIA is
not going to be a silver bullet because the one thing you can't
do through the regulation or statutory reform is create trust
and legislate trust. That has to come out of experience. What I
would suggest, however, is that to the extent that the current
environment is viewed as an impediment that we very carefully
narrow reform to actually create an environment that induces
that collaboration and that kind of dynamic information sharing
which I think everyone agrees needs to take place if we are
going to achieve the mission of securing our homeland.
And I thank you for the opportunity to be here, Mr.
Chairman. You will be deeply missed by all of us who have
respected your work over these last few years.
[The prepared statement of Mr. Tritak follows:]
[GRAPHIC] [TIFF OMITTED] T7387.117
[GRAPHIC] [TIFF OMITTED] T7387.118
[GRAPHIC] [TIFF OMITTED] T7387.119
[GRAPHIC] [TIFF OMITTED] T7387.120
[GRAPHIC] [TIFF OMITTED] T7387.121
[GRAPHIC] [TIFF OMITTED] T7387.122
[GRAPHIC] [TIFF OMITTED] T7387.123
Mr. Horn. Well, thank you very much. Let us now move to
Stanley Jarocki, chairman of the Financial Services Information
and Analysis Center and vice president of Morgan Stanley IT
Security.
STATEMENT OF STANLEY R. JAROCKI, CHAIRMAN, FINANCIAL SERVICES
INFORMATION AND ANALYSIS CENTER, AND VICE PRESIDENT, MORGAN
STANLEY IT SECURITY
Mr. Jarocki. Mr. Chairman and members of committee, thank
you for this opportunity to testify about the importance of
information sharing and the protection of this Nation's
critical infrastructure. It is an honor to appear before you as
we discuss these matters in our efforts to further the
protection of our great Nation. My name is Stash Jarocki and I
come before you to speak from a perspective formed by three
decades of experience in the information security field and
also as founder and present chairman of the Financial Services
Information Sharing and Analysis Center. The FS-ISAC is the
first of the private sector's Information Sharing and Analysis
Center created in response to PD-63. This directive called for
the establishment of these centers to assist sector efforts in
the protection of critical infrastructure components from the
cyber and the physical world.
I have come before you today to speak about terrorism, both
the cyber and the physical, and one of the successful
approaches for mitigating its risks. I will also discuss the
obstacles to this approach and the steps necessary to address
impediments that will slow our successful battle against
infrastructure threats. I would like to begin by asking us all
to consider the nature of cyber terrorism. It is not merely a
creation of an attention hungry, sensationalized media, or the
result of panicked public outcry. Cyber terrorism is as much of
a threat to us as the painfully realized danger of its
counterpart, physical based terrorism. Its implications are far
reaching, as the potential for cyber-based terrorism is
directly proportional to the pervasiveness of possible targets.
Due to the utter saturation and dependence on a technology-
based infrastructure, the realities of the dangers of cyber
terrorism must be acknowledged. We may begin with the sad fact
that our information technology systems are already under
attack and we have every reason to believe that these threats
will worsen as we go forward. Also, it lives and depends on a
physical environment that has been harshly attacked and could
be attacked again and again, not only by man but by the natural
forces that exist.
We must act, and we must act quickly. Furthermore, we are
not powerless. Just as it is our physical and cyber
infrastructure systems that are subject to these attacks, it is
our ability to share and exchange information that can provide
us with a strong foundation for defense.
Today, there are some 57 of the largest financial
institutions, banks, brokerages, insurances and SROs, which
represent more than 50 percent of all the credit assets who are
members of the FS-ISAC.
Our mission is straightforward: Through information sharing
and analysis, provide its members with early notification of
computer vulnerabilities and access to subject matter expertise
and other relevant information such as trending analysis for
all levels of management and first responders. In fact, we are
embarking on a major effort to be the information dissemination
pipeline for the entire financial sector, comprised of clients
that use our systems to the family run bank to the largest
multinational financial institutions. We are joined in this
endeavor by other organizations with similar missions. These
include the National Infrastructure Protection Center, NIPC;
U.S. Secret Service, especially their New York Electronic
Crimes Task Force; the Department of Defense's Joint Task Force
for Computer Network Operations and others trying to create an
effective and trusted network of government and private sector
entities sharing information to collectively benefit critical
infrastructure protection.
Unfortunately, I am here today to tell you that we cannot
succeed in this mission without your help. Legitimate concern
has arisen among members of the private sector that has
directly affected information sharing, the result of a
legislative environment that is not conducive to our best
infrastructure protection efforts. We believe there are three
actions that must be taken in order to remove legislative
obstacles that block effective, robust sharing:
One, provide a narrowly written exemption to FOIA for
critical infrastructure information voluntarily shared from
private companies or private sharing groups to the Federal
Government.
Two, provide an exemption or guidance under the antitrust
laws on both a Federal and State level to critical
infrastructure information voluntarily shared in good faith
within the private sector, especially with a formal structure
like the ISACs.
And, finally, provide safe harbor legislation similar to
that provided for Y2K to protect the disclosure of
infrastructure information within the private sector as long as
such disclosure is made in good faith.
We have heard a lot. The risk is too great. Better to keep
your mouth shut. Better safe than sorry. These statements
represent the danger we face today because that is the kind of
advice by general counsels throughout the Nation. We faced this
danger before, preparing for the Y2K turnover. In the Y2K
effort we avoided it through thoughtful and balanced
legislation. We must avoid that danger again. While legislation
alone will not solve all the challenges in information sharing,
it will go a long way in providing the protection industry
needs as well as demonstrating the government's commitment and
desire to be an active member of the information sharing
process.
As a founder and supporter of the ISAC concept and
practitioner in the information security world, I can state
that information security is essential.
Finally, effectively robust information sharing becomes the
foundation for mapping trends and developing actuarial tables
needed to create a factual basis for risk management and a
stabilized, insurable environment, thereby reducing the risk
that industry sectors must manage on a daily basis.
Mr. Chairman, I would like to thank the committee for
permitting me to testify on this important subject. I will be
pleased to answer any questions you may have at this time.
Thank you.
[The prepared statement of Mr. Jarocki follows:]
[GRAPHIC] [TIFF OMITTED] T7387.124
[GRAPHIC] [TIFF OMITTED] T7387.125
[GRAPHIC] [TIFF OMITTED] T7387.126
[GRAPHIC] [TIFF OMITTED] T7387.127
Mr. Horn. Thank you, Mr. Jarocki. The last presenter is
Louis G. Leffler, the Manager-Projects of North American
Electric Reliability Council. I am very fascinated by your
companion councils around the country, so you might just like
to tell us a little bit about it before you start in on the
substance of all this.
STATEMENT OF LOUIS G. LEFFLER, MANAGER-PROJECTS OF NORTH
AMERICAN ELECTRIC RELIABILITY COUNCIL
Mr. Leffler. Thank you, Mr. Chairman, and thank you for
this opportunity to present some of the work of the electricity
sector directed at securing our critical infrastructure from
cyber and/or physical attack with specific emphasis on the
Electricity Sector, Information Sharing Analysis Center.
Regarding NERC, the North American Electric Reliability
Council was formed in the aftermath of the 1965 power system
failure in the Northeast; it was formed actually in 1968. There
are currently 10 regional councils which includes all of the
United States, virtually all of Canada and a very small part of
Mexico.
One of the points that is made in the testimony, and I will
make it here, is that electricity is unique. All the critical
infrastructures have their own unique characteristics. One of
the uniquenesses of ours is that electricity is an on-demand
product. It is made the moment it is required. And one other
point that is extremely important in what we are trying to do
here, is that we are all connected. We are all interconnected.
Virtually every single power producer, power transmission
system and distribution grid one way or another is connected
with every one. So what happens to one may very well impact
what happens to another.
Therefore, it is imperative and absolutely essential that
we coordinate and have the policies in place on how we operate
the system so this system is operated reliably to avoid another
cascading power system failure, be it due to any myriad of
possible things like bad weather, equipment malfunction or a
terrorist attack. That is a little bit of a sum-up as to what
NERC is.
Mr. Horn. Thank you. We will now go into the question
period.
Mr. Leffler. I am not done.
Where interdependencies were mentioned before, I mention
them now within our sector, and of course they exist between
our sector and the others. We did an exercise years ago on
Governor's Island in New York, and it was interesting. It was
10 years ago or more, brought together all these same critical
infrastructures and we sat around a table and the challenge
was, here it is Sunday morning, snowstorm coming, terrorists
have come in and shut down a major power system and you are all
here. President is at Camp David and he is coming back to the
White House at 3 o'clock in the afternoon, what are you going
to tell him? So we sat around and looked at ourselves and
started to come up with solutions. Some interdependency
problems, some of the things that one of the other presenters
spoke about regarding this intricate linkage of the
interdependencies and so on.
Our sector is well equipped for a panoply of events. I
already said that. We established--and then we really
established right after the PDD-63 was promulgated by the last
administration--a group to start dealing with this, and we
began meeting with our sector liaison, which is the Department
of Energy, and immediately following that we found out about an
organization called the National Infrastructure Protection
Center and began working with Ron Dick and his people over
there. We established excellent relationships.
In order to do this for the electricity sector so it was
done once and done well for the entire sector, we created a
thing called the Critical Infrastructure Advisory Group and it
represents the subject matter experts in physical security,
cyber security and operations from all the industry segments.
And it is working pretty well; it reports directly to the NERC
board of trustees.
We also worked with--I mentioned the Department of Energy
and the NIPC, the Department of Defense, the Critical
Infrastructure Assurance Office, the Nuclear Regulatory
Commission and the Federal Energy Regulatory Commission, the
FERC. The testimony goes into a lot of what we have done. I am
not going to repeat that here.
We do have a set of security guidelines, both physical and
cyber. We have one on security of data that we think is
extremely important and we are working with the FERC on
including appropriate security measures in the standard market
design for electricity.
Our ISAC was established about the same time that we
initiated the IAW--Indications, analysis, waring program--with
the NIPC. That was in October 2000. The mission is to receive
information for analysis, provide interpretive analytical
support to the NIPC and other government agencies, and
disseminate threat warnings together with interpretation to
guide the sector. The staff with NERC personnel is available to
any electricity sector entity at no charge.
What can the government do to encourage information
sharing? We already talked quite a bit around this table about
the need for some considerations to FOIA. I am not an expert in
this area, but it has been said very well that we want to
voluntarily share this information. We need to voluntarily
share this information, and we need some additional limited
protections in that area.
We request faster granting of U.S. clearances. We have a
number of clearances. The ISAC people have them. A number of
people in the industry do, and we need them to enhance our
capabilities for analysis and understanding.
The very essence of ISAC operations requires
communications. We must increase the availability of reliable
and secure telecommunications for use among sector
participants, the government and the ISAC. The electric
industry operates in a constant state of preparedness planning,
training and operating synchronous grids, requires preparedness
for natural disaster energy emergencies and the attacks of
sabotage or terrorism.
We greatly appreciate our working relationships with the
government agencies and look forward to answering any questions
you may have for us. Thank you.
[The prepared statement of Mr. Leffler follows:]
[GRAPHIC] [TIFF OMITTED] T7387.128
[GRAPHIC] [TIFF OMITTED] T7387.129
[GRAPHIC] [TIFF OMITTED] T7387.130
[GRAPHIC] [TIFF OMITTED] T7387.131
[GRAPHIC] [TIFF OMITTED] T7387.132
[GRAPHIC] [TIFF OMITTED] T7387.133
[GRAPHIC] [TIFF OMITTED] T7387.134
[GRAPHIC] [TIFF OMITTED] T7387.135
[GRAPHIC] [TIFF OMITTED] T7387.136
[GRAPHIC] [TIFF OMITTED] T7387.137
[GRAPHIC] [TIFF OMITTED] T7387.138
[GRAPHIC] [TIFF OMITTED] T7387.139
Mr. Horn. Thank you. We will now have the question period,
and it will alternate between Ms. Schakowsky, the ranking
member, and myself, and we will do 5 minutes each so everybody
gets a chance here. So Ms. Schakowsky, 5 minutes.
Ms. Schakowsky. Well, I am hearing the drum beat of FOIA
and while there are many other things to focus on, I want to
focus on that because I am very disturbed about what I am
hearing. I was particularly concerned and I quoted in my
opening statement, Mr. Dick, a remark of yours that talks--that
says, ``if the private sector doesn't think the law is clear,
then by definition it isn't clear.''
It seems like that's the theme of the day--have talked
about not a conducive atmosphere for the private sector to
share, and therefore we should change FOIA. I would just want
to suggest there is another option, and that is to say this
information isn't voluntary, that we require it; that this is a
time of a war on terrorism, and that we are calling on
individuals and businesses to be patriotic and to provide
information. I just--I'm not suggesting I am going to introduce
anything of the sort, but I wanted to just say that this is a
critical time, we all agree, that's why we are here today to
discuss it. That we could, in fact, just say that because this
is so critical to our national security, our homeland security,
we could simply require this rather than, in my view, pander to
the desires of businesses to keep information secret, an item
that's been on that agenda for many years, not just now.
And when I see public officials saying that individuals--
because that's what we're saying--individual citizens should be
deprived of information that is--now, we have a Freedom of
Information Act, and I want to talk to you about that, that has
nine exemptions to protect information from the public when
necessary. And such exemption b(4) deals with trade secrets,
confidential business information, protecting--and I know, Mr.
Dick, you don't think that's sufficient. And, so in addition,
we have Executive Order 12600 that says if information is to be
released and a business objects, there is a whole procedure to
stop that information from being released.
And it astounds me that at a moment in history when
transparency in business is on the headlines every day, the
need for us to know what is going on in our private sector,
which has deprived many of our citizens of their ability to
retire and employees of their future retirement plans, sends
the stock market diving because of this lack of transparency,
cooking the books, that now we want to offer, in my view--and I
want your opinion on this--not a narrowly constructed exemption
to FOIA, but a loophole big enough to drive any corporation and
its secrets through, in my view. One that says that if they
simply declare it to be--to need to be secret, that not only in
an amendment that would--I think may be part of the bill--is
that 12, Department exemption now, the Davis amendment?
Homeland Security.
So now if a company wants to protect information from
public view, they could dump it in the Department of Homeland
Security and say we don't want anyone to have access to it
because it's critical information, and it could be something
that communities need to know, about pollution of a chemical
plant or etc.
I think we ought to be concerned about these abridgements
of individual rights to information, and have a little more
concern about that than we seem to be exhibiting today about
the lack of interest of private businesses at this time of war
to share critical information.
If I seem outraged, it is only because I am. So I would
like some response.
Mr. Tritak. I would like to take this, if I may just
comment on a couple things. One is the administration's
position has been very clear. One--this is supposed to be a
narrowly crafted exemption.
Ms. Schakowsky. And do you think this one is?
Mr. Tritak. Well, let me--what I would like to say is what
the administration's position has been. Right now, you are in
the give-and-take process of creating law. If things aren't as
clear as they need to be, this is the time to work on them. I
can tell you what the President has made clear about what the
intentions are: It is to be narrowly crafted. It is not to be a
permit or a process for data dumping--if I may finish, please.
Also, we are talking about voluntary information, as we
said before. Now, you just presented an alternative to that.
But the point is, right now, today, there is information of the
kind that right now is not mandatorily required that could help
safeguard the homeland through a voluntary sharing regime? I
think the answer is yes. But no one is talking about creating a
safe haven for negligence or a safe haven for criminal
activity.
Now, what I said before, that we are talking about a
culture collaboration, I don't want that to be viewed as a
synonym for a culture of coddling. What we are talking about
here is we have a shared responsibility, and we have got to
manage it properly. If the existing provisions that have been
put forward suggest otherwise than what the President has made
clear and has been his position before, then it seems to me
this is the give-and-take process----
Ms. Schakowsky. What does the administration think about
it? Is it narrowly focused enough for the administration, the
current language that we are going to be considering tomorrow
or Friday? This is not imaginary language. There is language.
Mr. Tritak. No. Look, I am aware of the concerns that have
been expressed, and they have been expressed quite a bit. I am
also aware that there has been a fairly active dialog to
address those concerns and to bring this into--my sense is that
the new provision is going to look a lot different from the one
that exists today. So that's why----
Ms. Schakowsky. That's not my understanding.
Mr. Tritak. Well----
Ms. Schakowsky. We're going to try, certainly.
Mr. Tritak. Well, but I think this is in fact an active
dialog that's happening between the administration and the
Congress as we speak.
Ms. Schakowsky. No, I think that's really a copout, because
there is language, as was proposed by the administration, that
is currently in the bill. I will be offering an amendment, I
hope it will get bipartisan support, that will change that
language. But it's not theoretical or--I mean, it is written
right now in a piece of legislation. And I want to know if that
is the language that you think is narrowly crafted enough, and
that's the administration's language.
Mr. Tritak. I think the position the administration put
forward is the one that it believes would advance the issues I
have just addressed. I also think that people recognized going
in that this was going to be a provision that was going to be
worked. So the real question at the end of the day is, the
final bill that is going to pass both the House, the Senate,
and the administration, is going to reflect a consensus on this
matter. And I can only tell you that what the administration
has been fairly clear on is that this is not intended to be an
open-ended, overly broad information sharing process; it is
meant to provide clarity and certainty to the stakeholders of
the infrastructure as to what is in and out of bounds in terms
of what is protected under FOIA.
Ms. Schakowsky. So the language in the Armey bill--that's
the bill right now--came out of the select committee. That's
the bill, that's the language. Is that the--does the
administration support that language currently?
Mr. Tritak. You know, what I have to tell you, I think that
there currently is a review about that language as part of the
administration's response, and I would rather not say anything
about it at this time. But I take the point, and----
Ms. Schakowsky. OK.
Mr. Tritak [continuing]. All----
Ms. Schakowsky. But, no. Let me ask--can I ask another
quick question?
Mr. Horn. Certainly.
Ms. Schakowsky. What efforts have been made to let the
private sector that might have this critical information know
about how to use the existing FOIA act, about the Executive
order, and to create a sense of comfort--which, I guess, is
what we need to do. It seems to me that the tools are here. It
doesn't surprise me that the private sector might want to go
further. But have there been efforts, particularly post-
September 11th, when we are trying to get this information, to
encourage that information and to make it clear how to use the
current tools?
Mr. Dick. I will take that one. Since the inception of the
ITC, one of the issues that has continually come up, as I said
in my oral statement, is this very issue. We have had a
continual dialog with the ISACs, the InfraGard members, which,
as I said, total over 5,000, and anyone else that we can get in
front of, and try and clarify and explain how the government
would be able to protect information under the FOIA exemptions.
The reality is, though, for example, in the Trade Secrets
Act, one of the things that I am told--I am not a lawyer--that
if there is a request for that, the industry would have to come
forward and discuss in court what it had done to protect that
information. So therefore, they would have to go into court and
prove, I assume beyond some standard, that they had adequately
protected it in the first place.
One of the things you have to keep in mind is that the
information that we are talking about is owned by the private
sector, and FOIA does not apply to the private sector; it only
applies to the executive branch.
So we are talking about information that the private sector
believes is sensitive and are concerned about it being
disclosed, and they have questions as to whether the government
can adequately protect it. And what we are recommending is not
some broad loophole, but a measured response in the language
that provides them the assurances that will provide better
information sharing.
Ms. Schakowsky. Well, first of all, my understanding is
that you are wrong about the protection of that information. If
it is voluntarily provided to the Federal Government and then
there is a FOIA request, it is not because it is in that
category of voluntary information that it is automatically
released and not covered by FOIA; it is now covered by FOIA,
and all of those nine exemptions and the Executive order apply
to that information.
But I think perhaps a more central question is, do any of
you know of any instance, even one, where confidential
information has been released by the Federal Government in
response to a FOIA request over the objection of the business
that supplied that information?
Mr. Dick. The answer is we are not--meaning the NIPC and
the FBI--aware of that. But on the flip side of that, because
of these concerns, I can't tell you that we are getting an
extremely high volume of information either. So it hasn't
really been tested.
Mr. Horn. We will move from 5 minutes to 10.
And Mr. Tritak, again, when is the Comprehensive National
Infrastructure Protection Plan expected to be completed?
Mr. Tritak. Well, as you know, the overall homeland
security strategy was just released last week. And the next
step is that there will be two, what I would consider to be
baseline strategies, one dealing with the concerns of the
cyberspace security, which is being overseen by Dick Clarke,
and the other is the challenges to the physical
infrastructures--critical infrastructures, which will be coming
out sometime in September or October as well.
It is then the intention of the homeland security effort to
create one integrated approach, which would follow sometime
thereafter. I think the real answer is as soon as possible, but
there hasn't been that date set. But given--frankly, given the
pace with which things have been moving, I wouldn't expect it
to follow much longer from those releases.
Mr. Horn. Will the proposed plan address specific roles,
responsibilities, and relationships for all the critical
infrastructure protection entities, establish interim
objectives, and set milestones for the achievement, and
establish performance measures?
Mr. Tritak. Yes, that is the intention.
Mr. Horn. OK.
Mr. Tritak. And I will also add, more infrastructure
sectors have been added since PDD-63 to take into account the
homeland security issues of food protection and the rest. So,
yes.
Mr. Horn. What are the incentives for the private sector to
share information with the Federal Government?
Mr. Tritak. They're a target. And there is also I think a
recognition that there are certain pieces of information that
the government can provide, once it knows more about the
challenges that the private sector is facing, that can help
them better do their jobs.
Mr. Horn. What can we do to do anything to improve these
various incentives?
Mr. Tritak. I think one of the purposes of the strategy is
to actually--by the way, the strategy that will be coming out
in September is actually the product of industry and government
working together. And I think what will be extremely important
is as we find obstacles to homeland security, some of them may
very well raise issues, statutory concerns or otherwise, and
then we will be coming to people like you to discuss how we go
about dealing with them. And so I think it is the constant
vigilance of the Congress as these public issues come to the
fore, in which government has to play a role in order to get to
advance the cause of homeland security that you will provide
the most helpful function in that regard.
Mr. Horn. Do you think the private sector in the State and
local governments are willing to fund the efforts required to
adequately secure our critical infrastructures?
Mr. Tritak. I think they are. I think the question is
always going to be, particularly with State and local
governments, how much of this is quintessentially the roles and
responsibilities of the State and local government, and how
much is the homeland security proposition at the State and
local level really a Federal issue as well.
Governor Ridge has made it very clear that at the end of
the day, homeland security is won in the hometown, which is
exactly what happened in New York. We were much, much better
off because of the brilliant work that was done by New Jersey,
Arlington, Virginia and the rest, and the contingency plans
that they had done. And we would have been in a lot worse shape
if they hadn't been thinking through this problem before.
Mr. Horn. How long will the move to the new Department of
Homeland Security improve the Critical Infrastructure Assurance
Office's ability to fullfil its mission? Will it stay with
Commerce, essentially?
Mr. Tritak. No. The idea is that it will actually be under
the Department of Homeland Security. And I think what it will
do is allow us to leverage our resources along with the co-
location of people like Ron Dick and others, so that we--
basically, we could be more focused. We give industry, for
example, single points of contact as opposed to multiple points
of contact. It will be more efficient and effective, Mr.
Chairman.
Mr. Horn. Well, thank you. That's a good response.
Mr. Leffler, do you believe that the private sector is
willing to fund the efforts necessary to adequately secure our
critical infrastructure?
Mr. Leffler. Absolutely. I think that with--with some help.
I think that we have to define very clearly and very carefully
what securing this infrastructure really means, and we have
begun that dialog. Cyber is one perspective. We heard a lot of
discussions on the earlier panel about process control systems.
It's an issue that we have on our--under our purview right now.
We are seriously considering what needs to be done. It's a big
issue, and it does need to be addressed, and we are in the
process of commencing that process.
The other one on cyber controls or cyber perspective is the
cyber business commerce. And this, I mentioned in my testimony,
this is--we are working with the FERC in developing a security
standard for the standard marketing design, and we will work
with them in establishing that, promulgating what needs to be
done by everybody. Basically anybody who is going to be
participating in this industry, will need to step up to the bar
on that one.
And then, securing everything in the cyber world, we have
another project called Public Key Infrastructure, which we have
embarked upon received approval from our board to commence, and
we are working that one to do it as well.
Now, we get to physical. And we say, OK, how do we secure
this system from physical--from any kind of physical attack? It
is everywhere, as everyone knows. And that's an extremely
difficult thing to do. So part of the answer is in knowing
where critical things are, knowing what things are critical,
knowing what we need in the way of spares. Perhaps we can get
some support there in establishing spares, locating spares,
transporting spares when they are needed to be used. Those are
some of the things that we may need some assistance in. And
then, finally having excellent--I mean excellent--plans for
reconstitution in place, as did ConEd in New York City. Their
restoration of that city's electricity, gas, and steam
infrastructures was just fantastic.
Mr. Horn. Mr. Jarocki, you probably ought to be in on this
dialog here. Any thoughts with what Mr. Leffler thought?
Mr. Jarocki. I think a lot of the things that are already
being done are helpful and an expansion. For instance, let me
give you some examples. During--obviously, during the September
11th scenario, the FS-ISAC opened up the ISAC to the entire
industry, and we created an eBay type environment that says,
what is available? Is there space available? Is there product
available? And everything else.
We also found that in order to communicate readily with
each other, we needed the exact thing that Lou said. Where is
the emergency communications? Through John's office we were
able to get a lot of guest cards immediately issued to our
executives to start that process, because it is key. When all
fails--in New York City, I was a participant in the September
11th exercise. Unfortunately, what worked--it was strange. Two-
way pagers worked; cell phones and everything else just went
out. And I saw the fear in people's eyes. You know, what do we
do? It was a war. It was a definite war, and communications
breaking down. I mean, we were lucky at Morgan Stanley because
of the redundancy in everything else, our communications did
not break down internally; but externally, we were there. So I
think there is a lot there.
Wearing my old hat from many, many years ago as an
intelligence officer at Fort Meade and working with that group,
I think one of the things that we could get from the government
is we learned a lot about taking large volumes of data,
analyzing it, and being able to extract the fine points that
are necessary to make an operation valid and give us value
information. I think a lot of that, if we can get at those
algorithms, get at that process, is what we need in the
civilian community, in the ISACs, so we could start processing,
and get at--I think the last time we did a catalog of over 108
Federal data bases which had significant information that we
could use that might very well help us out in protecting our
infrastructure.
Mr. Horn. How would you characterize the quality and
quantity of the data being shared from the Information Sharing
Analysis Center to the government?
Mr. Jarocki. I looked at it--it is sort of a marriage;
we're dating, and so we are exchanging information. We haven't
gotten to the altar yet. But I think it is a positive thing.
You know, you are testing the waters.
You are saying, here it is. It's a very good relationship
with the organizations I mentioned: NIPC, the New York
Electronic Crimes Task Force. To me, it's a very positive
relationship. Again, it was built on one important thing--how
can we trust each other--as opposed to having guns and badges.
It's a trust of people and exchanging information, and I think
it's--it is only getting better.
Mr. Horn. What type of information is shared among
Information Sharing and Analysis Center members but not with
the Federal Government?
Mr. Jarocki. Right now I will only reflect on the
technology side, is we share an awful lot of information on
what's technology and, specifically, what might be within our
own realm of the financial sector, this piece of software or
whatever we have. Is that shared with other sectors? No,
because it's not germane to them. But we would look at that and
say, OK, here is what we use; this is a payment system, this is
it. How can we shore this up? How can we make it better?
And we are also working with the vendors that supply.
That's a key issue because we're saying, look, we find these
things; how can we work together to fix them. And fix them
when? Immediately, if not sooner. So we are looking at--I don't
think there is--at this stage of the game, there is no, shall
we say, holding back of information that would be critical in
any instance.
Mr. Horn. What Federal organizations do you coordinate with
now? And do you have any suggestions to improve this
coordination? For example, the proposed Department of Homeland
Security, will that affect this coordination or will that
improve it, as you look at the puzzle?
Mr. Jarocki. I sincerely hope it improves it, and I think
it's the right direction, because it's going to focus a lot of
the separate efforts that are taking place today. If you took a
look at the entire catalog of information that we analyze and
collect at the FS-ISAC, it is over 100 different sources.
That's not saying it's all Federal, but there is over 100
different sources. And I think, as you suddenly focus it all
and bring it together so we have one point of contact, much
like we have done with Ron Dick--I mean, one of the good things
that we managed to put together was how do we formalize what we
do. Where are the points of contacts? How can we get
information together? And, how can we hold--a simple thing like
we agreed to call each other once a week and say, hi, anything
going on? Because you just forget. You are so busy in business-
running that sometimes that phone call is necessary. So I think
Homeland Security. And if we--everything we read, though, it
keeps changing, though. So I'm just trying to map this on my
screen. It's not that easy.
Mr. Horn. I have one more question on this, and then I will
yield 10 minutes for Ms. Schakowsky. What are the impediments
that limit additional firms from participating in your
Information sharing and Analysis Center?
Mr. Jarocki. I don't think there's any impediments right
now, because we are actually working on opening it up to the
entire sector. The only impediment, like anything else, is
sheer cost. There is always a dollar associated with providing
it. And what we are working toward today is a multitiered
system so that at least the most important information, which
is the alerts and the vulnerabilities, can be gotten to the
first responders, to the executive management thing at the
lowest levels, immediately, if not sooner.
Mr. Horn. Thank you. Do you want to add something to that,
Mr. Tritak?
Mr. Tritak. No.
Mr. Horn. OK. Ten minutes for Ms. Schakowsky.
Ms. Schakowsky. Back to FOIA. Mr. Tritak, you said that the
President has wanted a narrowly crafted exemption to FOIA or
addition to FOIA. Let me just read to you from the bill that
came from the administration.
It says: ``information Voluntarily Provided, Section 204.
Information provided voluntarily by non-Federal entities or
individuals that relates to infrastructure vulnerabilities or
other vulnerabilities to terrorism and is or has been in the
possession of the Department shall not be subject to section
552 of Title 5, United States Code.''
That's the Freedom of Information Act.
``anything that relates to infrastructure vulnerabilities
or other vulnerabilities to terrorism will be exempt from the
Freedom of Information Act.'' You could hardly call this a
narrow exemption to FOIA.
Now, it has been fleshed out a bit in the Armey bill, but
the goal of the administration within this Department was to
protect all of this information. Now, how does that jibe with
your saying that the President wants a narrow exemption?
Mr. Tritak. Well, as I said before, I think the idea here
is to make it narrowly crafted to deal with very sensitive
matters relating to critical infrastructure vulnerabilities. It
is not to provide a--basically, a dumping ground for any
information related to anything with respect to the
infrastructure industry that someone might want to put in there
and then claim it's protected under the----
Ms. Schakowsky. So--now, so the narrowness is as long as
you can somehow hook it to infrastructure----
Mr. Tritak. Vulnerabilities. Yes. Now, look, again, this is
a draftsman issue. I take your point. I understand that this is
very contentious. All I'm saying is that's precisely the
process. You are now in play to fix it if you have a problem
with it. I mean, truly. No one--let me tell you, nobody intends
this to become a mechanism by which basically people can, you
know, foist their responsibilities off by data dumping. No one
is trying to create a mechanism by which gross negligence and
criminal activity can be buried in the government and therefore
it can't be prosecuted or otherwise----
Ms. Schakowsky. Intention really doesn't matter. Intention
really doesn't matter. Depending on how the law is crafted, it
could be exactly used for that.
Mr. Tritak. Sure. But part of it--that's why, as I say,
it's the give and take of this process, to make it read what
it's supposed to do.
Ms. Schakowsky. OK. Mr. Dick, I want to get back to your
statement, and see if you wanted to reconsider it, the
statement you made before the Senate: ``if the private sector
doesn't think the law is clear, then by definition it isn't
clear.'' What do you mean? And do you want to reconsider?
Mr. Dick. One is, as I talked about a moment ago, we spent
a good deal of time with the private sector and their general
counsels trying to explain how the exemptions as they currently
exist under FOIA will protect the information that is provided
to it.
The problem that we run into is that the general counsels
for these companies either, (a) don't believe it, or cannot
provide to the CEOs absolute assurance that the sensitive
information that they would be providing to the government
would be protected. And so what, by definition, if it--
obviously, we're not being able to convince the private sector
that those exemptions are adequate, because we have done it
over and over again--you have heard it by the members here, on
this panel--that it's still a concern to them. And one of my
missions as the director of the Center is to try and promote,
as best I can, the partnership with the private sector so that
they do share that information so that we can compare threats
and vulnerabilities so as to assess the risk to our critical
infrastructures. And that's what we are seeking. If there is
not clarity there, if there is not our concerns, and if there
is a way that Congress can resolve those issues, then we
support that.
Ms. Schakowsky. It's really stunning to me. I mean, if
WorldCom or Enron or somebody comes to us and says, well, you
know, we really don't think we can provide you that information
even though we're--our stock has gone all the way down and
we're just not going to provide information--that the U.S.
Government should change its laws to accommodate that. It seems
to me, if we need the information, then we have laws in place
and they should give the information. I would like to----
Mr. Dick. This goes back to the point, though. At this
moment in time, this is voluntary information, owned by the
private sector, that it has no obligation to share unless it
wants to. We can't make them do it.
Ms. Schakowsky. Right. And at a time of war, at a time
where we feel threatened, we are negotiating with them to
provide critical information, and changing our laws so that
they will feel----
Mr. Dick. This issue was raised before September 11th.
Ms. Schakowsky. Oh, I know.
Mr. Dick. This has gone on for 4 years.
Ms. Schakowsky. Oh, I'm well aware. I'm well aware they
don't want to provide information to the government that we
might need to protect our--the safety and well-being of our
citizens. And we are going to accommodate that in ways that I
think diminish our ability for citizens to have information
that they are rightfully entitled to.
I would like examples of what kind of information that--
that you are saying that they don't want to provide us.
Mr. Dick. Well, obviously if I knew what that was--you mean
general scope examples? Or--I mean, if I knew what the
information was, I would----
Ms. Schakowsky. All right. Just give us categories of
information that we aren't going to get because they are
uncomfortable.
Mr. Dick. Well, NOSA has to, you know, defer to Stash and
the other people at the table for categories of this. But, for
example, the specific vulnerabilities associated with the SCADA
systems and the processing systems that they are able to
determine. Nobody has attacked them yet. But what my job is is
to compare what is the threat out there? Are there people,
whether they're hackers or al Qaeda or whoever, looking for the
vulnerabilities that have been identified out there?
The second piece of the equation at times is unknown to me.
I know that there are people out there looking to attack them,
but I don't know what the vulnerability is that they may seek
to do that by. And at times the private sector is concerned
about if they share it, then it will become public and
therefore the bad guys will know it and then attack them.
Ms. Schakowsky. So there is so little confidence, that at
this point in history that people within the government would
not have the sense to know what information would be critical
to al Qaeda, that they are just not going to provide that
information?
Mr. Dick. No. We do know what some of that information is.
Ms. Schakowsky. No, no. I'm saying that businesses feel
that they can't trust you to maintain secrecy around
information that will help al Qaeda.
Mr. Dick. Well, I think the issue is not if we know it;
it's whether the industry's required to provide it, and whether
FOIA, in their opinion--meaning the industry--believes that
they can protect it.
Ms. Schakowsky. That's what I'm saying. They don't believe
it. They believe that if they provide information that's
critical to terrorists, that this government under its current
laws is just going to let that information out.
Mr. Dick. Their concern is that the government--if I
understand it correctly, and you should ask them--is that the
government could not adequately protect it. That's the advice
that I understand being given by the general counsels, and we
are trying to work with them to resolve those issues.
Ms. Schakowsky. And I just want to say that it is precisely
because of those concerns that the exemptions to FOIA were
crafted. It is precisely for that reason that the Executive
order--to make sure, as kind of a backup system, Executive
Order 12600 was put in place so that those would be protected.
These are precious civil liberties, sunshine laws, that now
have come into focus how important it is to have transparency.
This is what we preach around the world. And I just am at a
loss to see why we should use this moment to sacrifice those
protections.
Mr. Horn. I now yield 10 minutes for myself.
Mr. Dick, what efforts should we focus on to improve
information sharing and success of the Information Sharing and
Analysis Center structure?
Mr. Dick. I think the things that we are doing now, and I
think we have been able to demonstrate, at least over the last
couple of years, that the government can be trusted; and, in
particular, the NIPC can be trusted with that information; that
we have been able to demonstrate that with it, we can provide
back to them timely actionable information to better provide--
better protect their assets.
Frankly, as Stash has indicated, it's just going to take
time to build up that trust to make the free flow of
information to the point that we can do an even better job than
what we are doing today.
Mr. Horn. What changes should we make to the Information
Sharing and Analysis Center in the new critical infrastructure
protection strategy?
Mr. Dick. I'm sorry? Changes insofar as the strategy itself
to enhance information sharing? Is that what you're talking
about?
Mr. Horn. Yeah.
Mr. Dick. I really think under the President's proposal, as
it was talked about a moment ago, by combining these issues
that--or, resources,--that we'll have a much more focused and
effective and efficient manner by which to deal with assessing
threats and vulnerabilities. I think that there will be a lot
of leveraging of capabilities across the government by the
merging of some of these agencies under one leadership, and
overall should have a very positive effect on our capabilities.
Mr. Horn. How are you assured that you are getting the
appropriate intelligence information? And, how will the new
Department improve the flow of intelligence information to the
National Infrastructure Protection Center?
Mr. Dick. One of the things--I mean, I think we've built
some very good partnerships with the other agencies that are in
the Center. For example, CIA and NSA and Department of Defense
and U.S. Secret Service now has a manager within the Center. I
think we have about 22 different agencies represented there.
And I think one of the things that it is going to enhance, if I
understand the proposal correctly, is that DHS will--you know,
the flow of information, the requirement of sharing information
on a much broader scale, will be further enhanced. With that
comes responsibility and accountability for other people's
information.
But at least in the current structure, as I understand it,
the ability to look at the big picture will be substantially
increased.
Mr. Horn. Do you think the private sector and State and
local governments are willing to fund the efforts required to
adequately secure our critical infrastructure?
Mr. Dick. I think there is a will there. But in these
fiscal times of budget deficits, I think it is going to be
difficult for State and local governments to find those
resources. But the will is there to do that.
I met just last week with representatives from the State of
Florida that are looking at starting a State--or, a State of
Florida Critical Infrastructure Protection Center. I know
that--participated with Texas in doing a similar type of
project. And one of the things we have to ensure--I like to
talk about the thousand points of light theory insofar as
infrastructure protection. I don't care how many centers there
are out there or how many ISACs there are out there or how many
members of InfraGard out there, the point is that they are all
interconnected and sharing information so that we truly have
the ability to determine what the vulnerabilities are and when
some threat is going to attack that vulnerability. So I think
there is the will. The funding of it is a different question.
Mr. Horn. Before I get to the General Accounting Office,
our research arm--and I haven't forgotten you, Mr. Maifrett,
and you've listened to all this. What's your thinking on that?
Mr. Maifrett. I think the debate of like information
sharing is obviously something that should happen. But I think
the even bigger problem is that we don't really have any
information to share or any worthwhile information. And
basically that is to say that there are--you know, if you want
to take SCADA systems or just control systems in general,
there's plenty of them out there that do have vulnerabilities.
I've actually had access to a few of these types of systems
myself. And people--you know, myself and also other researchers
of the eEye, we found numerous vulnerabilities in that, in the
actual SCADA software themselves, in the actual control
software.
And this information, you know, it's slowly getting up to
the software developers and whatnot so they can fix these
problems, but there needs to be a lot more work actually done
on determining what is the vulnerability, you know, why is a
certain type of infrastructure site vulnerable, depending on
the type of setup that it has, whether it's using commercial
off-the-shelf software which has vulnerabilities, or whether it
be, once again, the actual SCADA software itself.
And you know, I will say again, I think we really need to
work hard on actually--you know, to state the obvious, I think
we need to work hard on actually fixing the infrastructure
sites themselves. And that is creating, whether it be
guidelines that are enforced, kind of like we've had in the
health care with HIPAA and whatnot.
But we need to basically get down in the trenches. I think
there's--you know, while there's a certain amount of high-level
talk that needs to be done, there is even more on a technical
level that needs to be discussed and hammered out and, you
know, true technical solutions to a technical problem need to
be put forth.
Mr. Horn. One of your colleagues on Panel One said
generally this--and that's Dr. Thomas--noted that hackers who
have the skills to break into a supervisory control and data
acquisition system are unlikely to conduct a targeted attack,
based upon their ethics.
Mr. Maifrett. I think with hackers--I mean, there's so many
different kind of classes of hackers, if you will. There is
more the typical term ``hacker'' which is used by the media and
just by people in general, which is, you know, the people that
are posting on mailing lists about security vulnerabilities and
that type of thing and doing research. And I think those type
of people, you know, people like myself, I definitely consider
myself a hacker.
Yes, we actually--you know, there is the ethic there that
you would never do such a thing. At the same time, I know for a
fact that there's plenty of foreign governments that do heavily
research vulnerabilities and how to actually take control of
these types of systems. There's other governments that have
SCADA systems also, for example. And just like our government
does a lot of analysis in finding vulnerabilities in these
types of systems, although a lot of time that information
doesn't kind of bubble up to the surface, you know, there's
definitely other countries that are doing the same type of
thing. And at the same time, there is definitely hackers that,
you know, while they might not necessarily have the ethic,
there is a certain dollar value that, when brought up, makes
that ethic go away a little bit.
So I definitely think there are people out there that do
have the skills and they definitely think that sooner or later
they are going to be approached, and it's going to start--you
know, these types of attacks are going to take place.
Mr. Horn. About a year and a half ago, I was in Italy when
they had reached a wonderful part in their economy. And I
happened to mention to the Prime Minister, are you worried
about any foreign nation trying to upset your economy? Which is
very electronic in many ways. And he said, ``We certainly
are.''
Now, from your background, do you worry about that kind of
situation? And do you see that type of thing going on, where a
good economy of the free world is under fire?
Mr. Maifrett. Yeah. I don't know. I mean, there's a lot of
times there's talks like that where it's kind of like the
economy as a whole or, you know, the North American power grid
as a whole and stuff. And I don't think that you necessarily
right now are going to see the type of attack that could be
that broad and affect that much. I think it's going to be more
targeted attacks.
For example, an attack that takes place and the power for
Los Angeles goes off, or something like that. I don't think
that it's really something that's so broad for the United
States in general. But it obviously shouldn't be discounted
that--you know, depending on the number of, you know, hackers
that you have working for you and how well you are able to
coordinate and things. If you hit a few of the major cities and
stuff, it obviously can be just as devastating.
Mr. Horn. You recommended enforcing a set of requirements
on the security of sites and companies deemed to be integral
parts of the Nation's critical infrastructure. Who do you
believe should develop those requirements and who do you
believe should enforce them? What are some of the practical
limitations in enforcing such requirements?
Mr. Maifrett. As far as creating them, obviously the
infrastructure companies themselves need to be heavily
involved. One of the things I stated in my written testimony,
though, is that not just the kind of managers, the more high-
level people at the infrastructures, but more of the kind of
people in the trenches. You know, I mean, I've sat over dinner
with people before that do run the power grids, and they joke
about how easy it would be for somebody to, using a dial-up
modem, get in and shut down certain things.
And I mean, it's people like that where they--you know,
they work at these companies, they understand the technology,
and a lot of times they understand what they do need to do to
help secure it. And a lot of times, though, that information--
it's not easy to kind of bubble it up to the top where it can
actually be used and they can start to enforce this thing.
At the same time, I think there is definitely a lot of
researchers, including some of the people on the first panel,
that have a very good idea of how these systems work and, you
know, the kind of technical mind definitely needs to be there.
But at the same time, you know, there is a certain amount of
the business aspect to it and stuff. So that all needs to be
hammered out.
And as far as enforcing it, you know, I don't know. It's
not really my place to say who should be the one enforcing it,
you know, just as long as there's--somebody is. And obviously--
I think it needs to be somebody at the government level.
Mr. Horn. Well, there is a lot of now State information
officers, and you have a real wealth of knowledge in the area,
and hopefully they will be working with the various Silicon
Valleys--east, west, south, and north--and that might be one
way to get at the requirements.
Mr. Maifrett. Definitely. And just one other, like, side
comment. I'd say one of the other problems with why a lot of
the infrastructure ends up being secure--you know, we were
talking on the first panel, there was a lot of discussion about
hackers and whatnot. And the thing that we have with a lot of
just the kind, you know, kind of regular software systems that
are out there and used by the public, is there are hackers out
there that are testing the software, and they are attempting to
break it and find flaws in it and whatnot. And these
vulnerabilities do eventually get fixed.
And part of the problem, a lot of the--you know, the kind
of control systems and software out there are not really
accessible by these types of people, and so they are actually
not being tested. And, you know, I mean, the few that we
actually have access to that we were able to set up, it was a
matter of minutes before finding just, you know, total common
vulnerabilities that have been known for a very long time now,
and it's very easy.
Mr. Horn. Moving now to Robert Dacey, the Director of the
Information Security portion of the U.S. General Accounting
Office.
And in your testimony, you mention that a clearly defined
strategy is essential to ensure that our national approach is
comprehensive and well coordinated. What are the key components
that should be included in our national strategy? And I would
like to know, from your other colleagues here in Panel Two,
what are your comments in response to what they've asked and
answered some of these questions?
Mr. Dacey. I think in terms of the strategy, we have
indicated for a number of years that this was an important
aspect. And, as we released in our report last week, there are
over 50 entities directly involved in cyber CIP, let alone some
of the physical aspects that are starting to be considered as
part of our CIP strategy.
I think the key issues go back to what we have in the
testimony; and that is, we need to make sure there are clear
roles and responsibilities, and how the relationships between
all these organizations work. The proposed Department of
Homeland Security would include--at least the President's
proposal included six entities that would be transferred, still
leaving a large number of entities that would not be. And it is
going to be critical to make sure that there is clear
coordination about the efforts involved.
The second major area would be, again, establishing clear
objectives and milestones and making sure that there are
timeframes in place to address them, as well as performance
measures which we have throughout government, with GPRA, found
to be a very important aspect in terms of establishing the
right performance measures and having a regular reporting
process to understand the progress that's being made. And I
think earlier on the panel, Mr. Tritak indicated the strategy
would address those matters.
Mr. Horn. Thank you. And I would like to thank those that
brought you here, both Panels One and Two. And we have to
vacate this for another subcommittee.
To my left, your right, Claire Buckles is professional
staff, American Political Science Association, congressional
fellow. Vice President Cheney was one of those Fellows, and so
was I. He's way ahead of every one of us. Back here on the wall
is the staff director and chief counsel for the subcommittee,
J. Russell George. And with him there is the deputy staff
director, Bonnie Heald, and they all had a hand in this. And
our assistant to the subcommittee, Chris Barkley, is very--
standing up in the door there. And we have a lot of interns:
Sterling Bentley--is she here--and Joey DiSilvio, Freddie
Ephraim, Michael Sazonov, and Yigal Kerszenbaum.
And then for Ms. Schakowsky, we have a longtime
professional staff member who knows what he is talking about,
one David McMillen. And Jean Gosa, minority clerk, another
great institution. And, last but not least, our two wonderful
court reporters, and that's Desirae Jura, and Nancy O'Rourke.
Thank you very much. And, with that, we are adjourned.
[Whereupon, at 1:05 p.m., the subcommittee was adjourned.]
-
�