[107th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:87387.wais]

CYBERTERRORISM: IS THE NATION'S CRITICAL INFRASTRUCTURE ADEQUATELY PROTECTED?

=======================================================================

HEARING before the SUBCOMMITTEE ON GOVERNMENT EFFICIENCY, FINANCIAL MANAGEMENT AND INTERGOVERNMENTAL RELATIONS of the COMMITTEE ON GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED SEVENTH CONGRESS, SECOND SESSION

JULY 24, 2002

Serial No. 107-217

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house and http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE, WASHINGTON : 2003
87-387 PDF

For sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpr.gov. Phone: toll free (866) 512-1800; (202) 512-1800. Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001.

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman

Majority members: BENJAMIN A. GILMAN, New York; CONSTANCE A. MORELLA, Maryland; CHRISTOPHER SHAYS, Connecticut; ILEANA ROS-LEHTINEN, Florida; JOHN M. McHUGH, New York; STEPHEN HORN, California; JOHN L. MICA, Florida; THOMAS M. DAVIS, Virginia; MARK E. SOUDER, Indiana; STEVEN C. LaTOURETTE, Ohio; BOB BARR, Georgia; DAN MILLER, Florida; DOUG OSE, California; RON LEWIS, Kentucky; JO ANN DAVIS, Virginia; TODD RUSSELL PLATTS, Pennsylvania; DAVE WELDON, Florida; CHRIS CANNON, Utah; ADAM H. PUTNAM, Florida; C.L. ``BUTCH'' OTTER, Idaho; EDWARD L. SCHROCK, Virginia; JOHN J. DUNCAN, Jr., Tennessee; JOHN SULLIVAN, Oklahoma.

Minority members: HENRY A. WAXMAN, California; TOM LANTOS, California; MAJOR R. OWENS, New York; EDOLPHUS TOWNS, New York; PAUL E. KANJORSKI, Pennsylvania; PATSY T. MINK, Hawaii; CAROLYN B. MALONEY, New York; ELEANOR HOLMES NORTON, Washington, DC; ELIJAH E. CUMMINGS, Maryland; DENNIS J. KUCINICH, Ohio; ROD R. BLAGOJEVICH, Illinois; DANNY K. DAVIS, Illinois; JOHN F. TIERNEY, Massachusetts; JIM TURNER, Texas; THOMAS H. ALLEN, Maine; JANICE D. SCHAKOWSKY, Illinois; WM. LACY CLAY, Missouri; DIANE E. WATSON, California; STEPHEN F. LYNCH, Massachusetts; BERNARD SANDERS, Vermont (Independent).

Kevin Binger, Staff Director; Daniel R. Moll, Deputy Staff Director; James C. Wilson, Chief Counsel; Robert A. Briggs, Chief Clerk; Phil Schiliro, Minority Staff Director.

Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations

STEPHEN HORN, California, Chairman

Majority members: RON LEWIS, Kentucky; DOUG OSE, California; ADAM H. PUTNAM, Florida; JOHN SULLIVAN, Oklahoma.

Minority members: JANICE D. SCHAKOWSKY, Illinois; MAJOR R. OWENS, New York; PAUL E. KANJORSKI, Pennsylvania; CAROLYN B. MALONEY, New York.

Ex Officio: DAN BURTON, Indiana; HENRY A. WAXMAN, California.

J. Russell George, Staff Director and Chief Counsel; Bonnie Heald, Deputy Staff Director; Chris Barkley, Assistant; David McMillen, Minority Professional Staff Member.

CONTENTS

Hearing held on July 24, 2002

Statement of:
  Belcher, Timothy G., chief technology officer, Riptech, Inc.
  Charney, Scott, chief security strategist, Microsoft Corp.
  Dacey, Robert F., Director, Information Security Issues, U.S. General Accounting Office
  Dick, Ronald L., Director, National Infrastructure Protection Center, Federal Bureau of Investigation
  Jarocki, Stanley R., chairman, Financial Services Information and Analysis Center, and vice president, Morgan Stanley IT Security
  Leffler, Louis G., manager-projects of North American Electric Reliability Council
  Maiffret, Marc, chief hacking officer and co-founder, eEye Digital Security
  Paller, Alan, director of research, SANS Institute
  Thomas, Douglas, associate professor, Annenberg School for Communication, Los Angeles, CA
  Tritak, John S., Director, Infrastructure Assurance Office, Department of Commerce
  Weiss, Joseph M., executive consultant, KEMA Consulting

Letters, statements, etc., submitted for the record by:
  Belcher, Timothy G., chief technology officer, Riptech, Inc., prepared statement of
  Charney, Scott, chief security strategist, Microsoft Corp., prepared statement of
  Dacey, Robert F., Director, Information Security Issues, U.S. General Accounting Office, prepared statement of
  Dick, Ronald L., Director, National Infrastructure Protection Center, Federal Bureau of Investigation, prepared statement of
  Jarocki, Stanley R., chairman, Financial Services Information and Analysis Center, and vice president, Morgan Stanley IT Security, prepared statement of
  Leffler, Louis G., manager-projects of North American Electric Reliability Council, prepared statement of
  Maiffret, Marc, chief hacking officer and co-founder, eEye Digital Security, prepared statement of
  Paller, Alan, director of research, SANS Institute, prepared statement of
  Schakowsky, Hon. Janice D., a Representative in Congress from the State of Illinois, prepared statement of
  Thomas, Douglas, associate professor, Annenberg School for Communication, Los Angeles, CA, prepared statement of
  Tritak, John S., Director, Infrastructure Assurance Office, Department of Commerce, prepared statement of
  Weiss, Joseph M., executive consultant, KEMA Consulting, prepared statement of

CYBERTERRORISM: IS THE NATION'S CRITICAL INFRASTRUCTURE ADEQUATELY PROTECTED?

----------

WEDNESDAY, JULY 24, 2002

House of Representatives, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Committee on Government Reform, Washington, DC.

The subcommittee met, pursuant to notice, at 10:05 a.m., in room 2154, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding.

Present: Representatives Horn and Schakowsky.

Staff present: J. Russell George, staff director; Bonnie L. Heald, deputy staff director; Chris Barkley, assistant to subcommittee; Michael Sazonov, professional staff member; Sterling Bentley, Joey DiSilvio, Freddie Ephraim, and Yigal Kerszenbaum, interns; David McMillen, minority professional staff member; and Jean Gosa, minority assistant clerk.

Mr. Horn. A quorum being present, the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations will come to order.

In 1998, a 12-year-old boy successfully hacked into computer systems that controlled the Roosevelt Dam in Arizona. He could have opened the dam's floodgates and dumped nearly 500 billion gallons of water on the Arizona cities of Mesa and Tempe. Fortunately, he did not.

However, in April 2000, an Australian hacker used his laptop computer and a commercially available radio transmitter to gain control of a local sewage treatment facility. He intentionally released raw sewage into nearby parks and rivers on 46 occasions before he was caught.

It is clear from these and other reports that the Nation's water, power, financial markets, and telecommunication systems could be similarly attacked. These systems are essential to the health and well-being of all Americans, and they are fundamental to the continued operation of the government. More than 90 percent of the Nation's critical infrastructure is owned and operated by the private sector.
To protect these assets, it is important to understand their vulnerability to cyberattacks, which are increasing in intensity and sophistication. During the first 6 months of this year, the Carnegie-Mellon CERT Coordination Center received reports of 43,000 cyberattacks. In comparison, last year, the Center received approximately 53,000 reports of attacks for the entire year.

In many cases, businesses may not know when a cyber-attack is launched and may not gracefully recover from the attack. A recent survey of Fortune 500 companies by Ernst & Young found that only 40 percent of those companies were confident that they could detect an attack on their systems. The same survey also revealed that only 53 percent of the companies had business continuity plans to recover from an attack.

To shore up the defense of the Nation's critical infrastructure, each industry group has formed its own information sharing and analysis center. These centers face formidable challenges. The businesses within each sector can vary widely in size and complexity and in their ability to safeguard their systems. For example, the financial service sector includes large banking corporations as well as small independent banks. Nevertheless, the financial sector center must develop common security processes in order to report, respond, and recover from a cyber-attack.

Each center tends to focus on risks that are unique to its industry, even though the sectors are increasingly interconnected and interdependent. Damage to one can cascade to others. The recovery plans of one sector could affect the ability of other sectors to resume operation.

Today's hearing will examine the roles and limitations of the information sharing and analysis centers and will explore what actions may be needed to ensure the security of the Nation's infrastructure. I welcome today's witnesses, and I look forward to working with you on this vital concern.
Let me administer the oath, and then we will go into recess, because I believe we have a vote on the floor. So, if you will stand, raise your right hand.

[Witnesses sworn.]

Mr. Horn. The clerk will note that all affirmed the oath. Please sit down and relax. And we are delighted to have Ms. Schakowsky, the ranking member. And she will use her time to give her statement to open the hearing, and we will then go in recess.

Ms. Schakowsky. Thank you, Mr. Chairman. It is unfortunate that we are having this hearing today. The issue before us is an important one that should be given due consideration by Congress. But instead, the majority has insisted on circumventing regular order and is trying to move language on this issue as part of the homeland security bill, language that would probably not become law if considered separately and openly, and language that is designed not to improve public safety but to curry favor with the business community.

There is an attempt on the part of some to exclude from the Freedom of Information Act all information submitted voluntarily by businesses in the name of critical infrastructure protection. One of our witnesses today testified before the Senate that the government has the ability under the Freedom of Information Act and under almost 30 years of case law to protect information submitted voluntarily to the government by businesses. He goes on to say that, ``If the private sector doesn't think the law is clear, then by definition it isn't clear.''

I am puzzled by that logic. I always thought it was the role of the courts and not the private sector to clarify the interpretation of the law. By this gentleman's logic, any law that businesses disagree with, they only have to claim it as unclear and it becomes incumbent on Congress to change that law. I wonder if that logic extends to individuals.

Mr. Chairman, I want to draw on the testimony David Sobel will be submitting for the record, and ask unanimous consent that his testimony be included in the record.

Mr. Horn. Without objection, it will be put in the record at this point.

Ms. Schakowsky. I also ask that the letter from Jim Dempsey at the Electronic Privacy Information Center be included in the record.

Mr. Horn. Without objection, it will be in the record at this point.

Ms. Schakowsky. The fourth exemption to the Freedom of Information Act protects information which is a trade secret or information which is commercial and privileged or confidential. This information is considered confidential if disclosure of the information is likely to impair the government's ability to obtain the necessary information in the future or to cause substantial harm to the competitive position of the business from which the information was obtained.

Let me restate this because it is exactly the point that has been ignored by those seeking this exemption. The Freedom of Information Act protects information submitted by businesses if that information is confidential. That information is confidential if the release of the information would make it more difficult to obtain that information in the future. The language in the Freedom of Information Act is quite clear.

It doesn't end there. There are even more protections for confidential business information. In 1987, President Reagan issued Executive Order 12600, which provides notice to a business if the agency determines material submitted by that business and identified as confidential should be released; the business has an opportunity to make its case before the agency and before a court of law.

Furthermore, no proponent of this exclusion from the Freedom of Information Act has cited a single example where a Federal agency has disclosed voluntarily submitted data against the expressed wishes of the industry which had submitted the information.
On the other hand, the damage this exclusion could do is legion. The language included in the homeland security bill would allow businesses and agency officials to hide lobbying activities under this exclusion. Officials from energy companies could meet with Federal officials to craft government energy policy, and all of those conversations could be hidden from public view. This language would shield these companies from antitrust law. Even the Attorney General objects to that provision.

Mr. Chairman, we all agree that the government has substantial work to do to assure the protection of our critical infrastructure. I hope that today's hearing will move us down that path. Unfortunately, the language included in the homeland security bill does little to improve the security of our critical infrastructure, but instead is about hiding information from the public.

Thank you, Mr. Chairman.

Mr. Horn. Thank you.

[The prepared statement of Hon. Janice D. Schakowsky follows:]

Mr. Horn. And we are now in recess until 10:30. Thank you.

[Recess.]

Mr. Horn. The recess has ended, and we will have peace and quiet for about an hour and a half just to get your various agendas. We will now start with Douglas Thomas, the associate professor of Annenberg School for Communication at the University of Southern California. We are delighted to have you here.

STATEMENT OF DOUGLAS THOMAS, ASSOCIATE PROFESSOR, ANNENBERG SCHOOL FOR COMMUNICATION, LOS ANGELES, CA

Mr. Thomas. Thank you. I have a longer statement to submit for the record, and I would like to summarize my comments here.

Mr. Horn. Thank you. Because let me tell all of you, your full written view goes right into the record, without even having to say it, the minute I give your name and what you are now doing. So, thank you very much, Mr. Thomas.
We all had a chance when we got them last night--a little late--but it is a very fine job that all of you have done. So, Professor Thomas, if you can give a summary of 5 minutes, 8 minutes, something, so we can get to questions, we would appreciate it. Thank you.

Mr. Thomas. Thank you, and particularly for inviting me to speak before you today. My name is Douglas Thomas, and I am Associate Professor in the Annenberg School for Communication at the University of Southern California. My research focuses on the social and cultural impacts of new media and technology, with particular emphasis on the subculture of the computer underground. I have recently published a book called Hacker Culture about the computer underground, and co-edited another called Cybercrime: Law Enforcement, Security and Surveillance in the Information Age.

For the past 7 years I have studied computer hackers in an effort to understand who they are, what motivates them, and how their culture can be understood in relationship to technological innovation. During that time, I have met with, spoken to, and interviewed hundreds of computer hackers, and I've spent time immersed in their literature and their culture, and I feel confident in saying that I understand for the most part how they think.

I would like to start off by answering the broad question: What are the risks that a terrorist organization might seek out hackers and employ them to carry out attacks on our information infrastructure? With the vast majority of computer hackers, I would say upwards of 99 percent of them, the risk is negligible for the simple reason that hackers don't have the skill--those hackers don't have the skill or ability to organize or execute an attack that would be anything more than a minor inconvenience. Of the hackers that remain, my experience suggests that the most talented, who may be able to inflict serious damage, are neither inclined to do so nor likely to be tempted by financial incentives.

They tend instead to be the most strongly motivated by an ethic which values security, which values information, and which puts innovation and learning at the top of those priorities. In other words, the idea of engaging in terrorism of any sort does not fit their profile. In fact, I can think of few perspectives more hostile to radical Islamic fundamentalism than the ones that most hackers embrace.

The typical hacker--and, of course, there are exceptions--is motivated by a profound sense of curiosity, by openness, by freedom and exploration. Hackers like to know how things work, and they like to make things work better or in unexpected ways. The hackers of today have a very clear ethic that shouldn't be overlooked by the committee. Above all else, they too believe in computer securities; and, most important, they believe that without constant vigilance, most software manufacturers will remain content to leave security as a secondary issue. They believe that in most computer software use today, security has become an add-on feature rather than a design principle; and it is that, above all else, which puts us at risk.

In a new age of corporate responsibility, it may be worth taking a few minutes to understand why hackers write programs that expose security flaws in computer software. Many hackers release public releases of security holes as a result of companies refusing to fix or oftentimes even acknowledge security flaws in their products, primarily because there is no regulation for security in software, and, most important, there is no liability for software companies when their products create risks for consumers or the public. At one level, the work that hackers do is not entirely unlike the work of a watchdog organization or Consumer Reports. Admittedly, the outlook, style, and demeanor are different, but the end results are the same. Hackers force computer software manufacturers to pay attention to security.

We need to be careful to focus on the causes of such vulnerabilities and not blame the messengers.

When facing a question as weighty as cyberterrorism, a very serious problem that you face is getting the facts. I have yet to hear anyone articulate a realistic scenario in which computer hackers will be able to effect significant economic or physical damage in order to be considered a terrorist threat. It is easy to imagine scenarios that sound like terrorism: For example, hacking into air traffic control and crashing planes, or hacking into the stock exchange and undermining the stock market. These things make great Hollywood plots, but there is no evidence that any such scenario is possible, much less likely. In fact, most of the research I'm familiar with on this topic concludes the opposite. For the foreseeable future, acts of cyberterrorism like the ones usually imagined will be very difficult to perform, unreliable in their impact, and easy to respond to in relatively short periods of time. In point of fact, there has never been an act of cyberterrorism committed, nor has there ever been, to my knowledge, a computer hacking incident that has resulted in the loss of life. When these scenarios are proffered, I urge you to ask tough questions about them, about what additional security measures would have to fail for such an attack to take place.

Finally, I would like to conclude by saying that should a terrorist manage to launch a successful attack, it should be noted that our country has some of the best resources available to deal with it, diffuse, and neutralize such a threat. The faculty and students at places like MIT, Berkeley, Stanford, Purdue, Carnegie-Mellon, places like CERT and the NCSA, provide our best defense against such threats, but these groups only provide that advantage as long as the network remains open and accessible. Security only gets better through testing, design, and redesign.

The real threat to security is closing off avenues of exploration and examination. The more we know about our networks, the better we are able to defend them. It is that openness in testing which is essential. So, as a result, I would encourage you to think of hackers not as the enemy but, instead, as an admittedly difficult-to-manage resource who may be in the best position to alert us of our vulnerabilities before they can be exploited.

Thank you, and I would be happy to take any questions you may have.

Mr. Horn. Well, we thank you. And we will get to the question period once we finish the whole panel.

[The prepared statement of Mr. Thomas follows:]

Mr. Horn. The next presenter is Timothy G. Belcher, the chief technology officer of Riptech, Inc. Mr. Belcher.

STATEMENT OF TIMOTHY G. BELCHER, CHIEF TECHNOLOGY OFFICER, RIPTECH, INC.

Mr. Belcher. Chairman Horn and distinguished members of this committee, thank you for inviting me to provide my thoughts on the issues of cyberterrorism and critical information protection. I have already provided you with written testimony, and I would like to take a few minutes to outline some key points and issues.

First let me say that the networks that comprise our critical infrastructure are undoubtedly at significant risk of cyber-attack and compromise. The nature of these networks ensures that security is never going to be an absolute, but the vulnerabilities will always exist. The level of threat is increasing and, in my opinion, will continue to do so. The nature, complexity, and motivation of attacks against these networks have become and will continue to become more sophisticated over time.

I am the chief technology officer of a computer security company called Riptech. We perform two services that would be of interest to this committee in terms of experience.
We assess client organizational networks for vulnerabilities; in effect, sometimes we can become a hired hacker to test their defenses. Second, we provide a monitoring service that provides 24x7 monitoring of client networks, detecting and analyzing attacks for effectiveness and severity.

First let me talk about our assessment work. We have done assessments on over 50 critical infrastructure networks. Consistently, we have been able to demonstrate the viability of compromise to the most critical components of those networks. Those would include connectivity to the most critical components of power and energy companies, such as SCADA and EMS networks, financial transaction networks, and the inner workings of some of our government networks. Those organizations consistently had defenses in place, firewalls, intrusion detection systems, and our detections consistently went, by and large, undetected.

Second let me talk about our monitoring service and some of the information that is providing today. We are providing monitoring services for over 500 organizations, or approximately 500 organizations throughout the world. Our monitoring service is producing real dividends in terms of quantifiable numbers of the attacks these organizations are facing. All organizations are suffering some level of compromise in their attacks, some significant volume of increases in the attacks on them. Most notably, power and energy companies and financial services appear to be the most targeted sectors. Critical infrastructure companies represent nearly 20 percent of our clientele and are our fastest growing segment. With regard to power and energy companies in our client base, 70 percent suffered at least some level of compromise over the last 6 months, up from 57 percent in the prior 6 months.

Again, these companies not only have defenses in place and have invested in technologies, but have also invested in obtaining an outsourced expert service to analyze the attacks against their organizations. They are still suffering. Most importantly, we have been able to quantify a reduction in the success rates against these organizations over time, given proper defense.

Let me sum up by simply saying that critical infrastructure is at significant risk; and, in order to achieve any successful and acceptable level of defense, they must establish reliable detection and response mechanisms which are unavailable today.

Thank you for your attention, and I look forward to any questions that you may have.

Mr. Horn. Thank you, Mr. Belcher.

[The prepared statement of Mr. Belcher follows:]

Mr. Horn. Our next presenter is Alan Paller, director of research at the SANS Institute.

STATEMENT OF ALAN PALLER, DIRECTOR OF RESEARCH, SANS INSTITUTE

Mr. Paller. Before I start my remarks, I want to bring greetings from Bob Chartrand, first, and also tell you that model that you provided to this body, this model of action, the model of taking on unpopular causes, what you did in----

Mr. Horn. Move the mic up. It's very important, what you are saying.

Mr. Paller. You really have set a model, and I hope that model will follow you. And you are going to be sorely missed around here. One of the actions that I am going to talk about today is something that doesn't take more than 6 months; meaning, if you want to have something similar to the impact on security that you had on Y2K, I think you actually have it in your--it would be tough, but you have it in your hands to do it. So, let me go on.

We train the people who are the frontline soldiers in security.
We have 30,000 of them who have attended SANS training and go out and try to protect the computers. So we have to clean up after the messes. And right now, as we speak, the problem is getting worse. And the reason the problem is getting worse is that as all of us are sitting here, approximately 7,000, maybe 10,000 new computers will be installed and connected to the Internet, and almost every one of those will be installed with known vulnerabilities. That means almost every one of the machines being sold while we are sitting here is going to come in with known vulnerabilities. And between 2- and 3,000 computer programs are active on the Internet at all times--not people--programs, searching out every new address to see if they can take over those machines, put a Trojan in there, and be ready for an attack later. That is happening while we are sitting there. I am happy to be on the first panel, because I think if we define the problem right, then the actions we take might actually help solve the problem. And so I would like to give you the four reasons that I think cause that set of problems to exist and the two actions I think you could take that would help solve them. One is that the vendors actually deliver software that has known vulnerabilities. The people who install it trust the vendor, so they install it exactly the way the installation technique tells them. And, because they are so busy, they don't change that. So, most of those machines that are being installed unsafely today will still be unsafe in 90 days and still be unsafe in 180 days. Second--and two of these next three are going to be counterintuitive. The risk-based approach that many people say is so good, actually is causing part of the problem. While people are doing risk analysis and writing reports, all these new machines are getting installed. 
And, worse, they say ``Let's just fix the ones that are the highest risk.'' But since all the machines are connected together, if Tim had given you his demonstration of how you actually break into a utility company, he would have used the fact that one of the machines that had been installed that nobody cared about, was weak, to jump off into the other machines. So if we are going to solve the problem, we have to start by stopping the machines from being vulnerable on the day we install them. The third cause is that the government--we talk about critical infrastructure as if it is industry. The government is a part of the critical infrastructure. We care about government, and government is doing a not-very-good job of being a model for the rest of the critical infrastructure. And it turns out in this arena, because technology is transferrable so quickly and techniques are transferrable so quickly, it turns out that here, if the government actually did some good, the problem could roll over very quickly. And I think Dick Clarke's announcement last week of benchmarks is an example of how that can happen almost instantaneously. But the government hasn't been a great model, and that has to change quickly if we are going to ask industry to change. How can you ask a CEO to ``believe me and trust me'' and say to you, ``I'm going to do what you need to help protect the infrastructure, when you don't do what you need to help the infrastructure?'' It is really hard for a CEO to take you seriously. And the last one I think is the most counterintuitive. And that's that most of the money being spent by Government on cyber-security is being wasted, and the money has gone up radically in the next--in the last 2 years--at least an order of magnitude. Think of that money as having a huge vacuum cleaner sucking it out, and that the vacuum cleaner is people who like to write reports, and they are taking the money and they are writing reports. 
And the problem is, none of the money is left for the people who actually have to secure the systems. So you get all that security money out there spent on the studies about why you are so bad and it is so easy to find fault. And it doesn't take as much skill level to find fault than it does to fix it. It is much easier to--you can come out of grade school and run one of these penetration testing tools and do a pretty good job of delivering the report because the vendors make it pretty, but the difficulty is there's nobody there to fix it. So you have got $1 billion telling people what to do and nothing left fixing it. OK, two actions and then I'll quit. Action one--and this is the report card that you are the father of. Action one is that there are benchmarks, there's several of them. And NASA is the one actually that's proven this works. This is not a new idea. NASA has actually demonstrated beyond a doubt that this approach works. You take a set of vulnerabilities that matter, and you systemically make sure every single computer in your entire NASA facility all across the whole country doesn't have them anymore. And they took the vulnerabilities down by 93 percent and they took the number of successful attacks down radically, even though the number of attempted attacks is up radically. Dave Nelson, who is the deputy CIO, can give you the hard data on this. But this works. And if you--if you just take what they did and apply it to the rest of government over the next 6 months, we could fix somewhere out in the 70th to 80th percentile of the vulnerable machines real quickly. The second idea is a little harder. All these consultants that are spending money on vulnerability testing ought to be asked--and you are the only guy I can think of who could make this happen, because OMB doesn't seem to be awake to this. All these people who are doing vulnerability tests aren't staying to fix the problem. 
And if they are so smart that they can tell you what you are doing wrong, why aren't they staying to make sure the problem disappears? So solution 2 is some way of getting an amelioration phase into these consulting contracts so that the people actually have to fix it, they can't just send you a pretty, colorful report and tell you how bad you are and then go on to the next guy, would be very helpful. Thank you. Mr. Horn. Thank you. You have given us numerous months. We can take care of your ideas. [The prepared statement of Mr. Paller follows:] Mr. Horn. We now go to Scott Charney, the chief security strategist of the Microsoft Corp. Mr. Charney. STATEMENT OF SCOTT CHARNEY, CHIEF SECURITY STRATEGIST, MICROSOFT CORP. Mr. Charney. Mr. Chairman, thank you for the opportunity to appear today at this important hearing on cyberterrorism and critical infrastructure protection. My name is Scott Charney, and since April 1st, I've been Microsoft's Chief Security Strategist. Microsoft works with industry leaders and governments around the world to identify threats to computer networks, share best practices regarding computer security, and prevent computer attacks. While we have worked diligently on cyber- security for several years, this effort accelerated after September 11th, and was crystallized for Microsoft when Bill Gates launched our Trustworthy Computing initiative in January. Today I would like to address IT security issues broadly, and then use the Trustworthy Computing initiative as an example of how one company can take steps, both on its own and with others in industry and government, to address cyber-security. And finally, I will propose several things that Congress can do to address cyber-attacks. 
By way of background, prior to joining Microsoft I served as the Chief of the Computer Crime and Intellectual Property Section at the Department of Justice where I helped prosecute nearly every major hacker case in the United States, and international hacking cases as well, from 1991 to 1999. Based on those experiences, Mr. Chairman, I know two things with certainty: First, operating systems software is one of the most complex things we have ever built, and it may always have vulnerabilities. Second, society has always grappled with a criminal element, and this criminal element can be smart and malicious and will seek ways to exploit vulnerabilities in software. As a result, it is impossible to completely prevent cyber-attacks, and it places the IT industry in a perpetual race against cyber-criminals to maintain Internet security. We take our cyber-security responsibility very seriously, and perhaps most importantly, Bill Gates spearheads our Trustworthy Computing initiative. This is not a one-time event, but rather a change in the way we do business. It has four pillars: reliability, security, privacy, and business integrity. And those four pillars go to the heart of our culture and the way we create products and services. Today I want to focus on the security pillar, where we are working to create products and services that I call SD3: secure by design; secure by default; and secure by deployment. Secure-by-design centers on creating products that are inherently more secure. To do this, we recently provided advanced training for several thousand developers, and conducted extensive code reviews and threat modeling. In fact, we stopped Windows development for over 2 months to do that. Secure-by-default entails shipping products to customers in a lockdown position. This means that customers must consciously decide to enable features, leaving other unused services off, and thereby narrowing the attack surface of a product. 
Secure-by-deployment focuses on making it easier for consumers and IT professionals to maintain systems. For example, any Windows XP user can be automatically notified when critical updates are available for download. In fact, as Alan Paller has noted, when people first deploy software, they may already be at risk because there is some time from development to market. But with this kind of technology, the minute you load the software, the first thing you may get is that little notification that a patch is ready to be deployed. So we are working hard to automate that process. But we do not work alone in this effort. For example, the announcement last week of a baseline security configuration for Windows 2000 demonstrates the positive results that flow from a voluntary public/private partnership involving a broad range of organizations. Microsoft reviewed the proposed settings, and we expect that some Federal CIOs will incorporate these promptly. This work stands beside our coordination with entities such as the Partnership for Critical Infrastructure Security, John Tritak's Critical Infrastructure Assurance Office, the National Cyber Security Alliance coordinated by Dick Clarke's White House Office of Cyberspace Security, the FBI's National Infrastructure Protection Center, and, of course the IT-ISAC, which we helped create. There is also a strong role for government in this area, and I would like to close by addressing some areas where more work can be done. As you consider creating the Department of Homeland Security, please know that we support the effort and we would like to see a strong cyber-security component in the new Department. Our support extends to language that facilitates cyber-security information sharing by granting an exemption from the Freedom of Information Act. We also applaud the House for passing H.R. 3482, the Cyber Security Enhancement Act of 2002. 
We are pleased that this bill strengthens law enforcement's ability to deter cyber-crime by permitting the U.S. Sentencing Commission to grant Federal judges more flexibility in sentencing cyber-criminals. There are other steps that Microsoft respectfully suggests the government take to help protect our critical infrastructures. First, we support the forfeiture of personal property such as computer equipment used in the commission of cyber-crime. Second, we strongly support increased funding for law enforcement. These hardworking individuals, many of whom were former colleagues of mine when I was at the Justice Department, are chronically overworked, understaffed, undertrained, and underequipped. Third, we support increased funding for cyber-security research and development, and we look to the government to lead by example in securing its own systems through the use of reasonable security practices, an issue that Alan has already touched on. Fourth, we believe that greater cross-jurisdictional cooperation among law enforcement is needed for investigating cyber-attacks, since cyber-criminals may reside anywhere. In conclusion, Microsoft pledges to remain a leader in industry efforts to secure products and services. Americans, their government, and the critical infrastructures they depend on every day face growing cyber-security challenges. Working with our government partners and industry peers, we are committed to preempting, catching, and prosecuting cyber- criminals to protect the computing experiences of our customers and the cyber-security of our Nation. Thank you. Mr. Horn. Thank you. And we will have a lot to ask you about, with one more presenter. [The prepared statement of Mr. 
Charney follows:] Mr. Horn. And Mr. Weiss, we are delighted to have you here. He is an executive consultant at KEMA Consulting. Thank you. STATEMENT OF JOSEPH M. WEISS, EXECUTIVE CONSULTANT, KEMA CONSULTING Mr. Weiss. Thank you. Mr. Chairman and committee members, thank you for the opportunity to address you about an area I consider vitally important to the economic and national security of America, the cyber-security of our critical infrastructures. I am a control system engineer. I have spent the past 2 years as the technical lead for the electric power industry, developing an understanding of what is known, and, more importantly, what is not known, about the cyber-security of control systems. The control systems I will be referring to are supervisory control and data acquisition, commonly known as SCADA, distributed control systems, DCS, and programmable logic controllers, PLCs. I have been working with all of the organizations that have a role to play in this area including the government, end users, equipment suppliers, standards organizations, and all other relevant organizations. There are several points I would like to make. One, control systems are vulnerable to cyber-security intrusions, and in fact have been impacted by electronic intrusions. Two, cyber-security of control systems affects all industries, not just the critical infrastructure. Three, IT security technology does not protect control systems. And, finally, cyber-security technology needs to be developed for control systems, and we do need immediate government funding to make this happen. Cyber-security has been viewed as an IT or Internet issue. 
Awareness of control system vulnerabilities is very low. The basic design premise inherent in every control system is the control system would be a stand-alone system, and all control system users would be trusted users. Consequently, these systems have been designed inadvertently to be vulnerable to cyber-intrusions. As long as the control systems are not networked, they are not vulnerable to cyber-intrusions. However, in order to make these systems more productive, these previously stand-alone systems are being networked, including to the Net, making them vulnerable to cyber-intrusions. They are not legacy systems anymore. Additionally, the vast majority of power plants and substations do not have technology to detect electronic intrusions. There have been more than 20 documented cases where control systems have been electronically impacted either intentionally or unintentionally. At least two cases have resulted in damage to the industrial system and environment. Those are the two you had mentioned. There have been several confirmed cases of inadvertent denial of service in control systems, including one in a nuclear facility. These weaknesses could be exploited by an intentional adversary. Existing cyber-monitoring technology has not detected any of these cases, and I have had discussions with Carnegie-Mellon CERT; they have not detected any of these incidents. There are only a handful of suppliers of these systems, and they supply the primary industrial applications: power, water, oil, gas, chemicals, metal refining, paper, pharmaceuticals, food, beverages, etc. Not only are the systems common, but so are the control system architectures. Consequently, if one industry is vulnerable, they all could be. Additionally, because you were talking about ISACs, this means that the information on control system vulnerabilities from the different industries could be of interest to the individual industry ISACs. 
Now, existing cyber-security technology has been developed for business functions in the Internet. Control systems require a degree of timing and reliability not critical for business systems. Because of this, employing existing IT security technology in a control system can range from lack of protection to actually creating a denial of service condition. This has actually occurred in attempting to employ encryption in these systems. Others working with me and I have developed an understanding of what is needed to make control systems more secure from cyber-intrusion, but additionally to also make these systems more reliable. Cyber-security technologies need to be developed for control system applications. They include firewalls, intrusion detection, encryption, event logging, etc. They don't apply to control systems. The types of cyber- security projects at university classes Congress has identified to fund are not applicable to control systems. Understanding a business system is different than understanding a control system. Government funding is needed to establish test beds. DOE can help be a lead on this. It also requires extending existing NIST-NSA methodology for procurement of desktop computing systems' common criteria to industrial control systems. But this is a very difficult task. There are a number of entities waiting to participate when funding is made available. These include DOE, NIST, NSA, several electric utilities control systems suppliers, and IT security suppliers. We also need to make sure that the transition team from Homeland Security addresses control system cyber-security. I hope you now have a better understanding of control system vulnerabilities and what technologies are needed to make them less vulnerable. Thank you for your time and interest. And I would be happy to answer any questions. Mr. Horn. Thank you very much, Mr. Weiss. [The prepared statement of Mr. 
Weiss follows:] Mr. Horn. We now will have the questioning of this Panel One, and later Panel Two. Mrs. Schakowsky has numerous commitments here, and so she can use as much as she wants for questioning. Ms. Schakowsky. Thank you. I'm sorry that I've been erratically here, and I also have to leave in a moment. But I wanted to thank you all for your testimony. I wanted to ask Mr. Weiss one question before I left. I represent a district in Illinois which is the most nuclear State in the country; we rely on nuclear power plants more than any. Your testimony said that even nuclear power plants have had a history of some problem with cyber-security. And I am curious, I know that nearly 50 percent of all the plants that were tested for mock terrorist attacks failed those tests; that they are vulnerable. My understanding is that did not even include testing for cyber-security and cyber-terrorism that could occur. First of all, do you know if that is true? And I am wondering if you could elaborate a little bit on the vulnerability of nuclear power plants, and what that might mean in terms of a terrorist intrusion into such a plant. Mr. Weiss. OK. Let me try and answer a number of those questions. First of all, the issue with the nuclear facility I mentioned was actually in a university reactor. It was one that also has the same type of technology as used in commercial nuclear plants, and it was a procedural issue. Nuclear plants originally were designed to be stand-alone systems. They weren't to be connected anywhere else. The non-nuclear safety systems are starting to be connected to the corporate networks because corporate wants to get information. That is starting to make them vulnerable whereas before they were not vulnerable. Ms. Schakowsky. That's non-nuclear. 
Mr. Weiss. Pardon? Ms. Schakowsky. You said non-nuclear? Mr. Weiss. In other words, on the non-safety side of the nuclear power plant. Ms. Schakowsky. I got you. Mr. Weiss. The safety side of a nuclear power plant is really not vulnerable, because they are not electronically tied to anything. So you are talking about the non-safety portion of the nuclear power plant. To the best of my knowledge, there has been no cyber-testing of any nuclear plant in the United States to date. That is correct. Ms. Schakowsky. Thank you. Mr. Horn. Thank you very much. Let us start with Dr. Thomas of the University of Southern California. Do you believe there are any cyber-terrorist threat scenarios that are realistic? If so, how do you believe an attack would occur under those circumstances? Mr. Thomas. I think there are two important aspects to that. I think the complexities of a cyber-terrorist attack really warrant our attention in that we are not talking about a 16-year-old kid simply hacking into a secure system. In order to make a cyber-attack happen, a lot of other things have to happen, too. Other security measures have to fail. Those hackers or terrorists need not only to understand how to penetrate a computer system, but they also have to understand how to work a power plant, how to work air traffic control. They need to have a fairly sophisticated understanding of those kind of aspects in order to make an attack successful. The second thing I would add to that is that our vulnerabilities are not simply technological. And, in fact, my experience has been, in talking to hackers, that in most cases the way a hacker will invade a system is not by getting online and not by typing in passwords, but is generally by calling up somebody in that organization and conning them out of enough information to get access. It is not uncommon for them to call up a secretary and say, I can't get onto the network, my password isn't working; what is your password? 
And they give it to them, believing that they are a member of the organization. There are also reports, in terms of air traffic control, of attacks I think in the U.K., which were not cyber-attacks but rather people who got radios and were able to broadcast signals to planes. So I think the question of vulnerability, what hackers teach us is we should not just look for the most technologically sophisticated way in, but for the easiest way. And I believe that our vulnerabilities are really, in terms of the design of the system, and what is easy to attack in that system is the place where we really need to shore up and make sure that we have access barriers and so on. So I foresee, if an attack is going to come, that it is not going to come through some sophisticated programming technique or cyber-attack necessarily, but through a much less technologically sophisticated kind of means. Mr. Horn. What kind of additional expertise do you believe a hacker would need to control a power grid or a financial transaction? Mr. Thomas. I think in order to do that, they are going to have to have some understanding--going to have to have some understanding of how that power plant works, how the financial systems work. We tend to forget when we are talking about cyber-attacks that there are people involved on the other end. And when they see things happening that look suspicious or wrong, they tend to look at those things and understand that, if something is askew, that it needs to be examined more carefully. There is an example, I think, with SCADA of hackers that were in a system for something like 17 days, and one of the lessons that they learned from that is that once hackers got into this control system for power, they had no idea what to do once they were in there. They had the access, but they had no kind of knowledge or sophistication about how that system worked in order to do anything with it. 
So, I think that becomes another critical question of a level of expertise that includes the system they are invading as well as the way to get in. Mr. Horn. Why do you believe that it is unlikely that a hacker could obtain this additional expertise? Mr. Thomas. From what I know of the culture itself, hackers are much more interested in access than they are in what they find once they get into a system. I suppose that there are exceptions. But for them, the challenge mainly lies in getting in and then moving onto another system and another system and another system. If they do want something from inside a system, it is usually--when we are talking about the culture itself, they want evidence they have been there. They want something for bragging rights. They want a document. One of the things I write about is the fact that while hackers may be pretty smart about technology, they tend to make terrible criminals. They make a lot of mistakes; they are easily caught. When they do things, particularly involving money, they are oftentimes tracked down very quickly and prosecuted very severely for the crimes that they commit. So I think they tend to not have a kind of criminal frame of mind, even though what they are doing are crimes. Mr. Horn. In your testimony, you indicate that human intervention is required to control important operations of the Nation's critical infrastructure. Could you provide some specific examples of this? Mr. Thomas. One of the examples that I think is worth thinking about that's often cited is air traffic control. And in point of fact, air traffic control information that's passed over a network doesn't control anything. It provides information to controllers who then speak to pilots. Pilots have onboard radar. There are a lot of things that have to go wrong in addition to being hacked in order for a plane to crash. 
Another example that was cited in the literature was the idea that terrorists could hack into a cereal manufacturing plant like Kellogg's and dump enormous amounts of iron, for example, in children's cereal and poison our children. The number of things that would have to go wrong in that scenario are myriad. For example, the plant would have to notice--or, not notice that they are running out of iron at an incredible rate. There would have to be no one doing any kind of quality testing to see that the cereal, in fact, tastes like iron. It would have to get out on the shelves and not be recalled. So those kind of human factors, that kind of testing and that kind of observation doesn't necessarily make that kind of attack impossible, it just makes it highly unlikely that it would succeed or have the kind of impact that people would want it to have if they were engaging in terrorism. Mr. Horn. Mr. Belcher, you point out the dangers of linking all the components of a company's network together under a single protocol. Do you believe that it is practical to unlink infrastructure control systems from the rest of the company's business systems? Mr. Belcher. It probably would not be practical, given other business considerations. They're linking for synergies and efficiencies; they are not linking for security. So, in most cases, probably impractical. Mr. Horn. In your testimony, you indicate that critical infrastructure companies are experiencing attacks that may be specifically targeting them. Can you describe the type of attacks that they are experiencing? Mr. Belcher. The attacks that we monitored over the 6 months alone, for instance, we quantified about 180,000 attacks against the client base and analyzed the characteristics of those attacks. There are numerous attacks that appear targeted, and we're able to quantify some statistics. 
Approximately 40 percent of all attacks appear to be going after an individual organization rather than searching the Internet for vulnerabilities. It gives a little bit of insight into the motivation. The attacks run the gamut of intent. Some are inconsequential. Some are done by, obviously, children or other miscreants. Some appear to be going after internal networks, for instance, to go after financial information, credit card numbers, commit fraud, commit theft of property. So they run the gamut. Mr. Horn. In your testimony, you indicate that critical infrastructure companies are experiencing attacks that may be specifically targeting them. Can you describe any type of these, besides what you had mentioned, quantification? Mr. Belcher. Sure. Absolutely. If you look at the profiles of attacks coming across the Internet to individual organizations--for instance, if you look at the activity coming from certain countries within the Middle East, they do by and large favor power and energy as an industry. You can read into the motivations all you want. All we are simply providing is quantifiable numbers in association with those activities. Mr. Horn. You state that information on the inner workings of the system control and data acquisition is available from public sources. Can you describe those sources and what, in your opinion, can or should be used to limit the availability of this data? Mr. Belcher. This is relating to some of the questions to Dr. Thomas. We have done assessments, as I mentioned, in both written and verbal of many power and energy companies, probably in the magnitude of 40, assessing their corporate infrastructures and their control systems. And while I agree with the majority of the testimony by the entire panel, anecdotally speaking, showing and demonstrating the viability of connecting to these critical networks, sometimes we get resistance along the same lines of Dr. 
Thomas saying that even giving access it would be difficult to manipulate the systems, and we completely agree. In the past we have demonstrated the ability to collect open source information on the systems, including their design all the way to a protocol level to do analysis. We demonstrated the ability to watch the operators in those environments. And more importantly, when asking the people that manage those environments, if I give you access to a foreign utility could you manipulate it, and almost every time they say absolutely. Could you manipulate it to cause damage? Absolutely. So why would we consider threats against our critical infrastructure not at that level of expertise? If you could hire a professional service team of information security experts to go after an organization and they can demonstrate viable access to the most critical components, why would that not be our threshold to consider for attacks coming from other organizing sponsors? When you are talking about cyber terrorism, you're talking an absolute sliver of the general volume of attacks that an organization is likely to receive, a very, very small percentage. You have to consider that their expertise would be somewhere in the same range of our expertise. Mr. Horn. Mr. Alan Paller of SANS Institute, you have identified some of the pressures on commercial software developers that impede their ability to produce secure software, including their manufacturing and distribution processes and their desire to make user friendly products. What actions can developers take to eliminate these pressures and remain competitive? Mr. Paller. Scott Charney of Microsoft, laid out a plan that ought to be a model for every one of the software companies and the only reason we don't all stand up and cheer and say we are done is that it is all prospective. You have to buy Microsoft's new systems to get this stuff. So we have maybe 150 million people who we still have to help. 
So the question is what can they do for the rest of us? And I think the key answer came out in an FTC hearing. A person from Sun described it and it is actually the right answer, and I think Microsoft is doing this with the Defense Department. The key is to have all software delivered for agencies that matter, delivered from a local server where the server is kept up to date with the latest patches. And whenever anyone in that organization needs it--that is the way you do externally, too--whenever anyone needs the software, they get it off that local server. And if they'd set that up so all the rest of the infrastructure could use that, we could move quickly. But again, that is prospective. We still have 150 million boxes we have to fix. Mr. Horn. What are the risks associated with having a common security configuration benchmark for all Federal systems? Mr. Paller. Let me tell you the benefit first and then the risk. There were some tests last week--and before that--that took a regularly installed system and then ran one of the good vulnerability testers on it. And they found a certain number of high priority, medium priority and low priority vulnerabilities. Then it installed the minimum benchmark and ran the same tests over again and several tests were run. The average was 80 to 88 percent of all those vulnerabilities disappeared. So that's why you want to do a minimum benchmark. Then the question is what breaks? The answer is that what you don't want to do is break things. The absolute key is you can't install this and cause a critical application to break. And so the difficulty is making sure that something doesn't break. And the next step in these benchmarks is to set up test beds so all application vendors can run their application against the test bed and make sure their customers' applications won't break. But the answer to your question is the cost is breaking applications. We can't let that happen. Mr. Horn. 
You state that so much emphasis has been placed on a risk based approach that many organizations fail to make any investments in security until a risk assessment is completed. Mr. Paller. It is true. It is sad. GAO and congressional language is so emphatic that you have to do this risk assessment that people just get at big meetings and say ``We can't do anything until we have done a risk assessment,'' and they take a long time and they're buying computers every day. So it is not that they're not buying the computers and installing them. You've just got this huge consulting contract going on and on and on and you are not hardening the boxes you're installing today. Mr. Horn. What type of security investments do you believe should be made prior to completing a risk assessment? Mr. Paller. I think it is very much like living in a really rough neighborhood. You ought to lock the doors at night and maybe all the time when you're in your house and have locks on the windows. And there is a certain small set of things that every computer should have before we allow it--we as users, allow it to be connected to the Internet. If you think of this as unsafe cars on the road, that car could hurt all of us, there ought to be some little thing you do, and the vendors will help. They are coming around and willing to help. But before anyone hooks a machine to the Internet, they need to just lock the doors and lock the windows. Mr. Horn. Well, you give us some very interesting physical matters rather than just electronic. Mr. Scott Charney of Microsoft might have some ideas on this. Do you have a cascading effect that an attack on one sector of the infrastructure can affect other sectors? And what are some of the challenges in identifying cascading effects across industries? Mr. Charney. We actually did have such a case when I was at the Justice Department involving a juvenile who had the telecommunications switch in the Town of Worcester, Massachusetts. 
The switch actually serviced the regional airport where the tower was unmanned. As planes were coming in they would radio the tower and a signal would be sent automatically across the telecommunications network to turn on the landing lights on the runway. As the next plane came in and radioed the tower, because the telecommunications switch was disabled, the landing lights did not go on, the plane was diverted and the airport was closed. So we had a transportation failure based upon an attack on a telecommunications network. The huge challenge is I don't think anyone would say we fully understand all the interdependencies between all these networks at a granular level. Yes, we all understand if the power supply dies a lot of things won't work. If we don't have telecommunications a lot of things don't work. But how these things actually work in a more granular level where they share vulnerabilities is not entirely clear yet, and there are a lot of groups like the Partnership for Critical Infrastructure Security that are studying that to figure that out. Mr. Horn. With regard to cascading, please describe the unique problems in recovering from an attack that has cascaded into other sectors. Mr. Charney. The difficulty, I think, will be in the scope of the problem and integrating all the pieces back together and making sure that all the relevant pieces are in fact considered as we recover from the event. The thought that comes to mind was when I was at PricewaterhouseCoopers, you know, after the September 11th attacks, there was a lot of concern about when the stock markets would be up and operating again. And a lot of people were talking to the exchanges, for example, and the telecommunications carriers. It turns out no one was talking to the exchanges in the back that actually did the actual trading, the clearinghouses for the exchanges, and since then they have become more involved. 
But people were focused on the obvious visible problem and not some of the substructures that actually make it all go. So it is really important to understand how the different parts of the infrastructure function, including the parts that are less visible, and make sure they are all integrated into the recovery plan.

Mr. Horn. What challenges has the Information Technology Information Sharing and Analysis Center encountered in its efforts to coordinate interdependency analysis and recovery efforts with other sectors?

Mr. Charney. I think we have a couple of challenges. One is, of course, that sectors have certain commonalities and therefore we have divided the ISACs into different sectors, but it is important that we not stovepipe the information because of these interdependencies. As a result, in fact there is a meeting later this week, a cross-ISAC meeting where we are starting to coordinate better in that regard. And there are the issues I referred to in my example, the FOIA exemption, and creating an environment where the ISACs can share information far more freely with the government.

Mr. Horn. You mentioned there are these separate organizations and processes to prosecute cyber crimes depending on whether they appear to be intelligence related or law enforcement related. Can you give us a description of some of the differences and how they can affect the outcome of a case?

Mr. Charney. Yes. And some of this goes back to my years at the Justice Department. As you know, historically the government has had different organizations with different authorities to counter different threats. So if you believe you are under attack from a criminal, you launch criminal investigative authorities using things like pen registers, trap and traces, and wiretaps.
When you believe that it is, say, an intelligence gathering operation, for example, you have foreign counterintelligence authorities and other tools such as FISA, the Foreign Intelligence Surveillance Act, which, for example, when I was at Justice requires links to an agent of a foreign power, some sort of governmental action. And then of course when you have war, you have U.N. Charter 51 and you have rules for how you engage in warfare. The difficulty is that all of those mechanisms and procedures depend upon who is attacking you and why. And in an Internet attack, what you normally do not know at the outset is who is attacking you and why. So there is an issue about what kind of response would be appropriate. And let me give you a real life example. Many years ago when we were gearing up for air strikes against Iraq, we found we had a massive penetration coming from the Middle East into the U.S. Department of Defense, and there was concern this might have been a preemptive strike against our information systems to disrupt our military activities in the area. Fortunately, the military people involved and the Justice people involved knew enough to know that where the attack looks like it is coming from may not be where the attack is coming from. But if you see that kind of attack, the question is, is it a foreign state and does it constitute an act of information warfare? And if it does, does that mean you can drop bombs in response? Is that a proportional response under the rules of war? Of course we didn't do that. We did investigate the case as a criminal matter, and it came back to two juveniles in Cloverdale, California who were looping through the Middle East and hacking the Department of Defense with help from an Israeli. So we have this problem in that we set up these processes and procedures, but we are in a completely new threat model.
And I simply think the government has to really start thinking about this and figuring out what constitutes the right response in an environment where you don't have the facts you need to make the traditional decisions.

Mr. Horn. What lessons learned did Microsoft take away from the company's intensive scrutiny and security analysis of millions of lines of code?

Mr. Charney. That we need to do a lot better and we are going to do a lot better. You know, I have people who say to me now Microsoft is issuing a lot of bulletins about vulnerabilities and an awfully large number of patches. Well, if we looked at our code reviews and threat modeling, I would hope that we are issuing a lot of bulletins and patches because we are making the systems more secure and what we have learned is we have to do this right. And the good thing is that markets are now demanding it. National security and public safety concerns are now demanding it. There is a confluence of events that really rewards, I think, companies that recognize that this has to be an industry initiative and a government industry initiative.

Mr. Horn. Thank you very much for enlightening us on that. Our last questions will be for Mr. Joe Weiss. And what can the Federal Government do to improve the security of the SCADA systems and why don't you explain what S-C-A-D-A is?

Mr. Weiss. SCADA--I think it has been used too much now as a euphemism. What I believe we need to worry about are what's called control systems. These are the real-time systems that control processes, whether they are for a power plant, an assembly line, etc. For whatever reason, the term SCADA came out early. It stands for supervisory control and data acquisition. It's simply a type of control system. It is used in certain types of industries. It is usually used where you are trying to gather data from very dispersed facilities. You are not really trying to do significant calculations.
If you are in a refinery, a power plant or a steel mill where you are more concentrated and you are doing much higher levels of calculation, you have things called distributed control systems. If you are in a discrete type of a facility like an assembly line or a parts manufacturer, you are actually using programmable logic controllers. SCADA has been used as a term to lump them together.

Mr. Horn. A lot of it is with inventory movement in the Japanese----

Mr. Weiss. No. If you will, that is really a manufacturing execution system. What we are worried about is the physical control aspect that occurs in real-time. You want to open or close a breaker in a substation. You want to move a valve. You can even think of your sprinkler system at home. The purpose of a control system is to be able to do that in an automated way. It is going to take, for example, a pressure or a temperature and make a change in order to keep my process moving the right way. What has happened is with the net, it has allowed us to get information from so many different places and to use these new, mathematical algorithms to make this adjustment of different signals better and smarter and quicker. And in a sense that's what's opened us up because we can. Now to the question you asked originally. We have a problem with the chicken and the egg. The chicken and the egg are vendors, and not just in electric utilities, but generally the control system suppliers aren't producing secure control systems because they feel there's no market. It would take development--like I say, the technology isn't even there yet because they are different. It would take development and it would take a lot of other things. So the vendors are not supplying that secure control system. On the other hand, the end users, be they utilities, oil companies, etc., because the vendors don't have one, they don't even put it in their specs.
So what's happening is we are in this chicken and egg scenario that we are not moving at all, and that is one area where the government can help us, in a sense, getting this market to occur or the fact that there needs to be a market so the technology will even occur. The other piece is literally the technology development itself. There's an awful lot of technology that's being developed in DOD that may have some relevance to us. The converse is if you look at a ship, the ship is a power plant with a rudder. So there's an awful lot, if you will, of synergy in between. But if the government helps, for example, and is involved with the test beds, the way it will move this forward is to actually have facilities where you can go in and try out and test out and find out what happens when I do put this in, what is my incremental security benefit, what is my either incremental improvement of reliability or possibly decrease in reliability. So I have some intelligent way of saying, what should I do? We don't have that right now.

Mr. Horn. What sectors are most vulnerable and why?

Mr. Weiss. All, because we all have the same control systems from the same vendors using the same architectures. The vulnerability--I am not talking threat. Again, I am a control system engineer talking about the systems. From a vulnerability perspective, the same control system from the same vendor is in power plants, is in refineries, is in water treatment plants, is in steel mills. So in a funny sense, the vulnerability is no different. The threat may be different, but the vulnerability isn't.

Mr. Horn. Let me ask this one last question to this panel. How available are hacking tools? Mr. Weiss, let's just go down the line.

Mr. Weiss. They are available. What we didn't realize is their applicability to a control system. We had originally assumed that it wouldn't impact a control system. We are starting to find out that they can. But let me just add one other thing.
In order to impact a control system, you don't need a hacking tool. That, to me, is something that's different. There are other things that you can use to impact, via cyber, the operation of a control system and it doesn't have to be a hacking tool.

Mr. Charney. The tools are widely available. And what that means, of course, is that when you're under attack and under an attack that appears to be sophisticated, it may not be a sophisticated attacker. It may be a novice.

Mr. Paller. Just to reinforce that, I was the expert witness in the Mafia Boy trial where he attacked Yahoo and eBay and he used a tool that he got from somebody else. He had no clue how the tool worked. And as I said earlier, there are at least 2,000 programs running at all times searching on the whole Internet. And finally there are Web sites now where you can do either of two or three things. You can actually type in what you want a virus to do and it will write the virus for you. You can type in who you want to attack and it will run the attack. Anybody can use those Web sites.

Mr. Belcher. I think everyone in the panel is going to say I think the tools are readily available. I think the concern would be that for cyber terrorism issues you are really worried about the perpetrator that does not need or does not want the tool.

Mr. Thomas. I would agree that tools are widely available. And I may have a different perspective in that I would suggest that the availability of tools is not necessarily a bad thing. I think it does force software companies to be responsible in updating their product, in analyzing their own networks and analyzing their own software. And as a result we get better security because those tools are out there, not worse.

Mr. Horn. Well, I want to thank each of you. You have educated all of us in many ways, and so thank you very much and we will now bring panel two forward. If you would like to stay, fine. Robert Dacey is the Director, U.S.
General Accounting Office; Ronald Dick, Director, National Infrastructure Protection Center, Federal Bureau of Investigation; John S. Tritak, Director, Critical Infrastructure Assurance Office, Department of Commerce; Stanley Jarocki, Chairman, Financial Services Information and Analysis Center, and Vice President, Morgan Stanley IT Security. The last part of this is Louis G. Leffler, Manager-Projects, North American Electric Reliability Council. And as you know, gentlemen, a lot of you have been here before. If you have any aides with you just get them to take the oath, also. And Mr. Marc Maiffret, we are glad to have him here.

[Witnesses sworn.]

Mr. Horn. Marc Maiffret will join this panel and there is a sign already for him and a chair and we are glad you made it here. Chief hacking officer and co-founder of eEye Digital Security. And then we will start with you if we might.

STATEMENT OF MARC MAIFFRET, CHIEF HACKING OFFICER AND CO-FOUNDER, eEYE DIGITAL SECURITY

Mr. Maiffret. Thank you. Thank you for having me. My name is Marc Maiffret, Chief Hacking Officer and Co-Founder of eEye Digital Security. We focus on creating computer security products, and we are also heavily involved in vulnerability research. Much debate has been given to the security of our infrastructure. Some are peddling doom and gloom. That sounds like a script to the next cheesy sci-fi movie. Others, however, are ignoring the problem to say it is overhyped. I personally believe that it is pointless to debate whether our infrastructure is secure or not. At the heart of it all we have the basic understanding that as a Nation we wish to be secure. If our infrastructure is vulnerable, then we are not secure. Therefore, more time needs to be put into creating guidelines of how to secure infrastructure rather than debating whether it is secure or not. With proper guidelines in place and enforced by our government, we will be that much closer to securing our infrastructure.
The current level of security within our infrastructure cannot be judged as a whole. There are too many systems run by too many organizations, therefore making it very hard to quantify how secure or insecure our infrastructure is. The fact does remain, though, that there are vulnerable systems within our infrastructure. It is also a fact that many of the software solutions controlling our infrastructure are vulnerable. This includes the various software that controls SCADA systems. SCADA systems are probably one of the most vulnerable parts of our infrastructure because of the link created between software and hardware allowing engineers in infrastructure companies to easily manage their systems. A lot of times it is possible to gain access to the networks which house SCADA systems. Once on these networks, it is entirely possible to take control of an infrastructure site and start performing functions just as an operator of the site would. I will not go into a ton of detail in possible ways of taking over SCADA systems as I have done so in my written testimony. In the end though, it is entirely possible to take control of SCADA systems. Taking control of a SCADA system is not something that any two-bit Internet hacker is going to be able to do. Hacking SCADA systems should not be equated to teenage hackers breaking into Web sites and then mysteriously being able to control a power grid. That is not to say that technology is not moving to make that type of scenario totally unrealistic. However, hacking a SCADA system does take more skill than an average teenage hacker will have. Security of our Nation's infrastructure is a complex problem because of the integrated nature of our systems even beyond their technical aspects. It is security meets business, meets usability and meets politics, everyone's opinion of how things should be. Albert Einstein once wrote that if we have the courage to decide ourselves for peace we will have peace.
I believe the same goes for security. Only when we as a society decide we truly wish to be secure and then follow through in that decision shall we begin to start to attain security. Once again, I suggest that in order for us to start to secure our infrastructure, we must create guidelines that critical infrastructure companies must follow. These guidelines must be enforced by our government. We must move quickly on securing our infrastructure for I fear if we do not act soon then we will be forced to thrust our infrastructure through nihilistic rebirth, as the only means of becoming secure would be to start over. Thank you.

[The prepared statement of Mr. Maiffret follows:]

[GRAPHIC] [TIFF OMITTED] T7387.034 through T7387.041

Mr. Horn. Thank you. That is very helpful and we go now with Robert Dacey, the Director of Information Security, U.S. General Accounting Office, which is under the Comptroller General of the United States. And we always use GAO in one way or the other, beginning or end. You are on the beginning but we will probably ask you what did we miss at the end. And so, Bob, nice to have you here.

STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE

Mr. Dacey. Mr. Chairman, I am pleased to be here today and thank you for your continuing interests and efforts to provide oversight over this critical area. Today I would like to discuss the challenges that our Nation faces concerning critical infrastructure protection, or CIP, and Federal information security. As you requested, I will briefly summarize my written statement. We have made numerous recommendations over the last several years concerning CIP and Federal information security challenges that need to be addressed.
For each of these challenges, improvements have been made and continuing efforts are in the process, including a number of efforts by other members of this panel. However, much more is needed to address them. These challenges include, No. 1, developing a national CIP strategy. A more complete strategy is needed that will address specific roles, responsibilities and relationships for all CIP entities, clearly define interim objectives and milestones and set timeframes to achieve them and establish appropriate performance measures. Last week, we issued a report that further highlights the importance of coordinating the dozens of Federal entities involved in cyber CIP efforts. The President's National Strategy for Homeland Security, also released last week, calls for interim cyber and physical infrastructure protection plans by September of this year to be followed at an unspecified date by a comprehensive national infrastructure plan. The second major challenge is improving analysis and warning capabilities. More robust analysis and warning capabilities are still needed to identify threats and provide timely warnings. Such capabilities need to address both cyber and physical threats. The National Strategy for Homeland Security calls for major initiatives to improve our Nation's analysis and warning capabilities that include enhancing existing capabilities within the FBI and building new capabilities at the proposed Department of Homeland Security. The third major challenge is improving information sharing on threats and vulnerabilities. Information sharing needs to be enhanced both within the Federal Government and between the Federal Government and the private sector and State and local governments. The National Strategy for Homeland Security identifies partnering with non-Federal entities as a major initiative and discusses the need to integrate information sharing within the Federal Government and among the various levels of government and the private industry. 
Information sharing and analysis centers, which will be discussed today, continue to be a key component of that strategy. The strategy also discusses the need to use available public policy tools such as grants and regulations. The fourth challenge is addressing pervasive weaknesses in Federal information security. Despite the importance of maintaining the integrity, confidentiality and availability of important Federal computer operations, Federal computer systems have significant pervasive information security weaknesses. A comprehensive strategy for improving Federal information security is needed in which roles and responsibilities are clearly delineated, appropriate guidance is given, regular monitoring is undertaken and security information and expertise are shared. As I testified earlier this year before this subcommittee, continued authorization of government information security reform legislation is essential to sustaining agency efforts to identify and correct these significant weaknesses. The President's draft legislation on the creation of a Department of Homeland Security and the National Strategy for Homeland Security acknowledge the need to address many of these challenges. However, much work remains to effectively respond to them. Until a comprehensive and coordinated strategy is developed for all CIP efforts, our Nation risks not having an appropriate and consistent structure to deal with the growing threats of attacks on its critical infrastructures. Mr. Chairman, this concludes my oral statement, and I would be pleased to answer any questions that you or members of the subcommittee might have.

[The prepared statement of Mr.
Dacey follows:]

[GRAPHIC] [TIFF OMITTED] T7387.042 through T7387.105

Mr. Horn. Thank you. We appreciate that. Our next presenter is Ronald L. Dick, the Director of the National Infrastructure Protection Center, Federal Bureau of Investigation. I want to express the feelings of the Committee on Government Reform and this subcommittee in particular about what you have done to help us in many ways, and so thank you very much, Mr. Dick. You do a fine job down there.

STATEMENT OF RONALD L. DICK, DIRECTOR, NATIONAL INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION

Mr. Dick. Thank you, Mr. Chairman, for this opportunity to discuss our government's important and continuing challenges with respect to critical infrastructure protection. But before I begin my statement I would like to express my appreciation to you for your service in the House and note that everyone concerned with infrastructure protection will miss your leadership.

Mr. Horn. That is kind of you.

Mr. Dick. Thank you, sir. And NIPC representatives have testified several times in front of this committee, most recently in September of last year. Since that time, while the Nation has focused on the war against terrorism, the NIPC has forged ahead on several fronts. I have been asked many times about what keeps me up at night and I think about a scenario that combines a serious physical attack with a concurrent cyber attack which would tie up 911 systems or stop the flow of electricity and water during the crisis. We work to prevent such a scenario through two-way information sharing. Because approximately 85 percent of the Nation's critical infrastructures are owned by the private sector, we rely heavily on private sector information sharing.
In the written statement, I discuss some of the challenges we must overcome in two-way information sharing. I will focus on two areas in which we have made substantial progress in the last year. First, we have built many trusting relationships with members of the private sector, particularly those through our government-private sector infrastructure protection partnership, known as InfraGard, and with information sharing and analysis centers. For example, InfraGard membership has grown by more than 600 percent in the last 14 months from 800 to nearly 5,000. Second, our new unit, the ISAC Support and Development Unit, was designed to assist in the development and expansion of ISACs. Since formation of that unit, information sharing agreements have been signed with ISACs for telecommunications, information technology, food, water supply, emergency services like fire, banking and finance, chemical sectors and the Aviation Administration. Tomorrow I am scheduled to sign another agreement, adding the National Association of State Chief Information Officers to our list of infrastructure protection partners. One of the most recent agreements was with the ISAC for fire emergency services led by the U.S. Fire Administration, an organization which has been a model for mutual benefits of two-way information sharing. Since that agreement, we have shared intelligence on scuba diving threats to waterfront facilities, suspicious attempts to purchase an ambulance in New York and the theft of a truck with 10 tons of cyanide in Mexico. In turn, they have told us of suspicious foreign nationals attempting to gather information on emergency services. However, more work still needs to be done. The annual Computer Security Institute and FBI Computer Crime and Security Survey, released in April, indicated that 90 percent of the respondents detected computer security breaches in the last 12 months. Only 34 percent reported the intrusion to law enforcement.
On the positive side, that 34 percent is more than double the 16 percent who reported intrusions in 1996. This nonreporting impairs the government's ability to analyze threats and vulnerabilities and take appropriate action. The two primary reasons for not reporting were the fear of negative publicity and the belief that competitors would use the information against them if it were released. First, I assure you that the Department of Justice and the FBI Office of General Counsel will be happy to discuss with your staffs the issues more thoroughly regarding information sharing because it always must be kept in mind that sharing of information is voluntary. Therefore, it becomes the government's burden to demonstrate it can and will protect information. One of the issues we have heard for years is that companies are concerned that information they provide to the government will be released by the government under the Freedom of Information Act. We looked at the Freedom of Information Act and discussed it with the private sector. Under exemption (b)(4) of FOIA, the government is not required to disclose, ``trade secrets and commercial or financial information obtained from a person and privileged or confidential.'' On the face of that statute, you find the definite--you don't find, rather, the definition of those key terms. Companies asked us what ``trade secrets'' meant under FOIA as well as the scope and terms of information. They asked, for example, is vulnerability information considered commercial or financial? They also asked whether under the statute information gets different protection if it is voluntarily provided to the government. We worked with the Department of Justice and also did our own legal research. In doing so, we found a number of important cases that discuss these issues. The most important, I am told, is a case decided by the D.C. District Circuit Court of Appeals called Critical Mass Energy Project vs. the Nuclear Regulatory Commission.
Nonetheless, despite these cases and some others like it, companies want clear statutes with straightforward language. They do not want to be kept up to date on the latest cases or have to keep up to date on the latest cases. They want a simple statute they can understand. Without that, many companies will not share information. The question of whether in the abstract we can protect the information becomes meaningless if the companies will not give us the information in the first place. Many companies seek certain outcomes and they don't want to rely on a judge's decision. They also don't want to face even the possibility of having to go to court to litigate the protection of their information whether under FOIA or under the Trade Secrets Act. Finally, they are also concerned about the State open records laws. Many have told us that they want to be able to share sensitive information with the Federal Government and they would like the Federal Government to be able to share information with them and would like to be able to share information with the States. But they are equally clear that if the sensitive information becomes public, they will not share it. Sharing a lot of this information publicly would weaken the Nation's security, not strengthen it. The NIPC has been asked to engage in a constructive dialog with industry in order to promote information sharing. For over 4 years we have heard this same message. We would like the FOIA issue resolved in a manner that industry is convinced of the government's ability to protect their information. At a recent Senate hearing before Senator Lieberman, the NIPC, myself and the Department of Justice committed to work with Congress on these concerns so as to resolve them. And let me conclude. Faced with the hard fact that most companies are not reporting, the NIPC has promoted an aggressive outreach program and is seeing results. 
The system of information sharing amongst ISACs, the NIPC, government agencies and the private sector is beginning to work. At the NIPC we continue to seek partnerships and means which promote two-way information sharing. As Director Mueller stated in a speech on July 16, prevention of terrorist attacks is by far and away our most urgent priority. We can only prevent attacks on our critical infrastructures by building an intelligence base, analyzing that information and providing timely, actionable, threat-related products to our private and public sector partners. Therefore, we will continue our efforts with your committee in improving information sharing and infrastructure protection, and I welcome your comments.

[The prepared statement of Mr. Dick follows:]

[GRAPHIC] [TIFF OMITTED] T7387.106 through T7387.116

Mr. Horn. Thank you very much. We will now hear from John S. Tritak, Director of the Critical Infrastructure Assurance Office in the Department of Commerce. Now that is partly, with NIST, also involved in standards and that kind of thing. Very good, if you want to give us a better view of that, start in with it.

STATEMENT OF JOHN S. TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE ASSURANCE OFFICE, DEPARTMENT OF COMMERCE

Mr. Tritak. Thank you for the opportunity to be here today. I submitted my written remarks, and I would be more than happy to talk about the move to the Department of Homeland Security and our respective roles as you would like, but I would like to touch on a few themes that have arisen during the course of this hearing and give some reflection on those in my brief remarks now.
I want to begin by focusing--homeland security differs fundamentally from what I would call classic national security. And by classic national security, I am referring to those things the government more or less did on its own on behalf of the United States and its citizenry. We are now confronted with a unique challenge. And that is because, as we have heard from al Qaeda and others, is that the terrorists have indicated that the economy is a target, particularly the pillars of that economy, and the vast majority of those are privately owned and operated. Terrorists' followers have been urged to attack these pillars of the economy wherever vulnerabilities exist, whether they are in the physical domain or in the cyber domain. And we know they're looking at the cyber domain as well. And we have heard a little bit earlier that attacking SCADA systems or major facilities through cyberspace is not easy and is not something that the average hacker can do, and I would completely concur in that. It is not easy, but I will submit the terrorists are not lazy. And it wasn't easy to orchestrate the hijacking of four aircraft and turn those aircraft into cruise missiles. The point of all of these terrorist activities is to force the United States to look inward and change and rethink its global commitments overseas, particularly in the Persian Gulf and the Middle East. Their goal was to create serious impact and force us to redo and rethink our commitments overseas. So I would submit to you it is not a question of whether cyber terrorism exists or whether it is overblown. I think to the extent that our economy relies on information systems and networks to function and to the extent there are vulnerabilities of the kind that could be exploited to cause harm in combination with other forms of attack--Ron Dick just mentioned one. I think he is right on this. We don't necessarily have to envision terrorism playing out like a war game or Nintendo. 
We are talking about a situation where perhaps in combination with a devastating physical attack certain key information systems networks are disrupted and therefore exacerbate an already terrible situation because that is the impact they are seeking. It is their goal we have to keep an eye on when we are talking about this problem. Therefore, because the economy is largely privately owned and operated, we have to see homeland security as a shared responsibility, and this is going to require redefining our respective roles between government and industry and how we go about achieving this new goal, and that is going to require a level of collaboration that frankly we've never had to have before. And that is why I think it is very important when we create this new department that the culture of partnership and collaboration suffuse that organization. It has to actually build on the premise that government and industry together need to achieve this goal and that neither government nor industry alone can do it. Information sharing is deemed one very important way in which we actually operationalize homeland security, and information sharing is taking place now. Ron Dick will tell you and many of the ISAC people will tell you they are sharing now. But the real goal here is to create an environment where dynamic sharing can take place on an ongoing basis to deal with problems as they arise in real-time. And I would submit to you that the question with respect to FOIA or any other question is whether the current statutory and regulatory environment is conducive to promoting voluntary acts of information sharing. Now, this is not an easy issue and I know there are very important public interests and public goods at stake here and honest people can disagree over the challenge of open government on the one hand and the need to secure information and how it could come into conflict. And frankly, it is the Congress who is going to have to resolve these problems. 
I also want to make clear that any change in the FOIA is not going to be a silver bullet because the one thing you can't do through the regulation or statutory reform is create trust and legislate trust. That has to come out of experience. What I would suggest, however, is that to the extent that the current environment is viewed as an impediment that we very carefully narrow reform to actually create an environment that induces that collaboration and that kind of dynamic information sharing which I think everyone agrees needs to take place if we are going to achieve the mission of securing our homeland. And I thank you for the opportunity to be here, Mr. Chairman. You will be deeply missed by all of us who have respected your work over these last few years.

[The prepared statement of Mr. Tritak follows:]

[GRAPHIC] [TIFF OMITTED] T7387.117 through T7387.123

Mr. Horn. Well, thank you very much. Let us now move to Stanley Jarocki, chairman of the Financial Services Information and Analysis Center and vice president of Morgan Stanley IT Security.

STATEMENT OF STANLEY R. JAROCKI, CHAIRMAN, FINANCIAL SERVICES INFORMATION AND ANALYSIS CENTER, AND VICE PRESIDENT, MORGAN STANLEY IT SECURITY

Mr. Jarocki. Mr. Chairman and members of committee, thank you for this opportunity to testify about the importance of information sharing and the protection of this Nation's critical infrastructure. It is an honor to appear before you as we discuss these matters in our efforts to further the protection of our great Nation. My name is Stash Jarocki and I come before you to speak from a perspective formed by three decades of experience in the information security field and also as founder and present chairman of the Financial Services Information Sharing and Analysis Center.
The FS-ISAC is the first of the private sector's Information Sharing and Analysis Center created in response to PD-63. This directive called for the establishment of these centers to assist sector efforts in the protection of critical infrastructure components from the cyber and the physical world. I have come before you today to speak about terrorism, both the cyber and the physical, and one of the successful approaches for mitigating its risks. I will also discuss the obstacles to this approach and the steps necessary to address impediments that will slow our successful battle against infrastructure threats. I would like to begin by asking us all to consider the nature of cyber terrorism. It is not merely a creation of an attention hungry, sensationalized media, or the result of panicked public outcry. Cyber terrorism is as much of a threat to us as the painfully realized danger of its counterpart, physical based terrorism. Its implications are far reaching, as the potential for cyber-based terrorism is directly proportional to the pervasiveness of possible targets. Due to the utter saturation and dependence on a technology-based infrastructure, the realities of the dangers of cyber terrorism must be acknowledged. We may begin with the sad fact that our information technology systems are already under attack and we have every reason to believe that these threats will worsen as we go forward. Also, it lives and depends on a physical environment that has been harshly attacked and could be attacked again and again, not only by man but by the natural forces that exist. We must act, and we must act quickly. Furthermore, we are not powerless. Just as it is our physical and cyber infrastructure systems that are subject to these attacks, it is our ability to share and exchange information that can provide us with a strong foundation for defense.
Today, there are some 57 of the largest financial institutions, banks, brokerages, insurances and SROs, which represent more than 50 percent of all the credit assets who are members of the FS-ISAC. Our mission is straightforward: Through information sharing and analysis, provide its members with early notification of computer vulnerabilities and access to subject matter expertise and other relevant information such as trending analysis for all levels of management and first responders. In fact, we are embarking on a major effort to be the information dissemination pipeline for the entire financial sector, comprised of clients that use our systems to the family run bank to the largest multinational financial institutions. We are joined in this endeavor by other organizations with similar missions. These include the National Infrastructure Protection Center, NIPC; U.S. Secret Service, especially their New York Electronic Crimes Task Force; the Department of Defense's Joint Task Force for Computer Network Operations and others trying to create an effective and trusted network of government and private sector entities sharing information to collectively benefit critical infrastructure protection. Unfortunately, I am here today to tell you that we cannot succeed in this mission without your help. Legitimate concern has arisen among members of the private sector that has directly affected information sharing, the result of a legislative environment that is not conducive to our best infrastructure protection efforts. We believe there are three actions that must be taken in order to remove legislative obstacles that block effective, robust sharing: One, provide a narrowly written exemption to FOIA for critical infrastructure information voluntarily shared from private companies or private sharing groups to the Federal Government. 
Two, provide an exemption or guidance under the antitrust laws on both a Federal and State level to critical infrastructure information voluntarily shared in good faith within the private sector, especially with a formal structure like the ISACs. And, finally, provide safe harbor legislation similar to that provided for Y2K to protect the disclosure of infrastructure information within the private sector as long as such disclosure is made in good faith. We have heard a lot. The risk is too great. Better to keep your mouth shut. Better safe than sorry. These statements represent the danger we face today because that is the kind of advice by general counsels throughout the Nation. We faced this danger before, preparing for the Y2K turnover. In the Y2K effort we avoided it through thoughtful and balanced legislation. We must avoid that danger again. While legislation alone will not solve all the challenges in information sharing, it will go a long way in providing the protection industry needs as well as demonstrating the government's commitment and desire to be an active member of the information sharing process. As a founder and supporter of the ISAC concept and practitioner in the information security world, I can state that information security is essential. Finally, effectively robust information sharing becomes the foundation for mapping trends and developing actuarial tables needed to create a factual basis for risk management and a stabilized, insurable environment, thereby reducing the risk that industry sectors must manage on a daily basis. Mr. Chairman, I would like to thank the committee for permitting me to testify on this important subject. I will be pleased to answer any questions you may have at this time. Thank you.

[The prepared statement of Mr. Jarocki follows:]

[GRAPHIC] [TIFF OMITTED] T7387.124 through T7387.127

Mr. Horn. Thank you, Mr. Jarocki.
The last presenter is Louis G. Leffler, the Manager-Projects of North American Electric Reliability Council. I am very fascinated by your companion councils around the country, so you might just like to tell us a little bit about it before you start in on the substance of all this.

STATEMENT OF LOUIS G. LEFFLER, MANAGER-PROJECTS OF NORTH AMERICAN ELECTRIC RELIABILITY COUNCIL

Mr. Leffler. Thank you, Mr. Chairman, and thank you for this opportunity to present some of the work of the electricity sector directed at securing our critical infrastructure from cyber and/or physical attack with specific emphasis on the Electricity Sector, Information Sharing Analysis Center. Regarding NERC, the North American Electric Reliability Council was formed in the aftermath of the 1965 power system failure in the Northeast; it was formed actually in 1968. There are currently 10 regional councils which includes all of the United States, virtually all of Canada and a very small part of Mexico. One of the points that is made in the testimony, and I will make it here, is that electricity is unique. All the critical infrastructures have their own unique characteristics. One of the uniquenesses of ours is that electricity is an on-demand product. It is made the moment it is required. And one other point that is extremely important in what we are trying to do here, is that we are all connected. We are all interconnected. Virtually every single power producer, power transmission system and distribution grid one way or another is connected with every one. So what happens to one may very well impact what happens to another. Therefore, it is imperative and absolutely essential that we coordinate and have the policies in place on how we operate the system so this system is operated reliably to avoid another cascading power system failure, be it due to any myriad of possible things like bad weather, equipment malfunction or a terrorist attack. That is a little bit of a sum-up as to what NERC is.
Mr. Horn. Thank you. We will now go into the question period.

Mr. Leffler. I am not done. Where interdependencies were mentioned before, I mention them now within our sector, and of course they exist between our sector and the others. We did an exercise years ago on Governor's Island in New York, and it was interesting. It was 10 years ago or more, brought together all these same critical infrastructures and we sat around a table and the challenge was, here it is Sunday morning, snowstorm coming, terrorists have come in and shut down a major power system and you are all here. President is at Camp David and he is coming back to the White House at 3 o'clock in the afternoon, what are you going to tell him? So we sat around and looked at ourselves and started to come up with solutions. Some interdependency problems, some of the things that one of the other presenters spoke about regarding this intricate linkage of the interdependencies and so on. Our sector is well equipped for a panoply of events. I already said that. We established--and then we really established right after the PDD-63 was promulgated by the last administration--a group to start dealing with this, and we began meeting with our sector liaison, which is the Department of Energy, and immediately following that we found out about an organization called the National Infrastructure Protection Center and began working with Ron Dick and his people over there. We established excellent relationships. In order to do this for the electricity sector so it was done once and done well for the entire sector, we created a thing called the Critical Infrastructure Advisory Group and it represents the subject matter experts in physical security, cyber security and operations from all the industry segments. And it is working pretty well; it reports directly to the NERC board of trustees.
We also worked with--I mentioned the Department of Energy and the NIPC, the Department of Defense, the Critical Infrastructure Assurance Office, the Nuclear Regulatory Commission and the Federal Energy Regulatory Commission, the FERC. The testimony goes into a lot of what we have done. I am not going to repeat that here. We do have a set of security guidelines, both physical and cyber. We have one on security of data that we think is extremely important and we are working with the FERC on including appropriate security measures in the standard market design for electricity. Our ISAC was established about the same time that we initiated the IAW--Indications, analysis, warning program--with the NIPC. That was in October 2000. The mission is to receive information for analysis, provide interpretive analytical support to the NIPC and other government agencies, and disseminate threat warnings together with interpretation to guide the sector. The staff with NERC personnel is available to any electricity sector entity at no charge. What can the government do to encourage information sharing? We already talked quite a bit around this table about the need for some considerations to FOIA. I am not an expert in this area, but it has been said very well that we want to voluntarily share this information. We need to voluntarily share this information, and we need some additional limited protections in that area. We request faster granting of U.S. clearances. We have a number of clearances. The ISAC people have them. A number of people in the industry do, and we need them to enhance our capabilities for analysis and understanding. The very essence of ISAC operations requires communications. We must increase the availability of reliable and secure telecommunications for use among sector participants, the government and the ISAC.
The electric industry operates in a constant state of preparedness planning, training and operating synchronous grids, requires preparedness for natural disaster energy emergencies and the attacks of sabotage or terrorism. We greatly appreciate our working relationships with the government agencies and look forward to answering any questions you may have for us. Thank you.

[The prepared statement of Mr. Leffler follows:]

[GRAPHIC] [TIFF OMITTED] T7387.128 through T7387.139

Mr. Horn. Thank you. We will now have the question period, and it will alternate between Ms. Schakowsky, the ranking member, and myself, and we will do 5 minutes each so everybody gets a chance here. So Ms. Schakowsky, 5 minutes.

Ms. Schakowsky. Well, I am hearing the drum beat of FOIA and while there are many other things to focus on, I want to focus on that because I am very disturbed about what I am hearing. I was particularly concerned and I quoted in my opening statement, Mr. Dick, a remark of yours that talks--that says, ``if the private sector doesn't think the law is clear, then by definition it isn't clear.'' It seems like that's the theme of the day--have talked about not a conducive atmosphere for the private sector to share, and therefore we should change FOIA. I would just want to suggest there is another option, and that is to say this information isn't voluntary, that we require it; that this is a time of a war on terrorism, and that we are calling on individuals and businesses to be patriotic and to provide information.
I just--I'm not suggesting I am going to introduce anything of the sort, but I wanted to just say that this is a critical time, we all agree, that's why we are here today to discuss it. That we could, in fact, just say that because this is so critical to our national security, our homeland security, we could simply require this rather than, in my view, pander to the desires of businesses to keep information secret, an item that's been on that agenda for many years, not just now. And when I see public officials saying that individuals-- because that's what we're saying--individual citizens should be deprived of information that is--now, we have a Freedom of Information Act, and I want to talk to you about that, that has nine exemptions to protect information from the public when necessary. And such exemption b(4) deals with trade secrets, confidential business information, protecting--and I know, Mr. Dick, you don't think that's sufficient. And, so in addition, we have Executive Order 12600 that says if information is to be released and a business objects, there is a whole procedure to stop that information from being released. And it astounds me that at a moment in history when transparency in business is on the headlines every day, the need for us to know what is going on in our private sector, which has deprived many of our citizens of their ability to retire and employees of their future retirement plans, sends the stock market diving because of this lack of transparency, cooking the books, that now we want to offer, in my view--and I want your opinion on this--not a narrowly constructed exemption to FOIA, but a loophole big enough to drive any corporation and its secrets through, in my view. One that says that if they simply declare it to be--to need to be secret, that not only in an amendment that would--I think may be part of the bill--is that 12, Department exemption now, the Davis amendment? Homeland Security. 
So now if a company wants to protect information from public view, they could dump it in the Department of Homeland Security and say we don't want anyone to have access to it because it's critical information, and it could be something that communities need to know, about pollution of a chemical plant or etc. I think we ought to be concerned about these abridgements of individual rights to information, and have a little more concern about that than we seem to be exhibiting today about the lack of interest of private businesses at this time of war to share critical information. If I seem outraged, it is only because I am. So I would like some response.

Mr. Tritak. I would like to take this, if I may just comment on a couple things. One is the administration's position has been very clear. One--this is supposed to be a narrowly crafted exemption.

Ms. Schakowsky. And do you think this one is?

Mr. Tritak. Well, let me--what I would like to say is what the administration's position has been. Right now, you are in the give-and-take process of creating law. If things aren't as clear as they need to be, this is the time to work on them. I can tell you what the President has made clear about what the intentions are: It is to be narrowly crafted. It is not to be a permit or a process for data dumping--if I may finish, please. Also, we are talking about voluntary information, as we said before. Now, you just presented an alternative to that. But the point is, right now, today, there is information of the kind that right now is not mandatorily required that could help safeguard the homeland through a voluntary sharing regime? I think the answer is yes. But no one is talking about creating a safe haven for negligence or a safe haven for criminal activity. Now, what I said before, that we are talking about a culture collaboration, I don't want that to be viewed as a synonym for a culture of coddling.
What we are talking about here is we have a shared responsibility, and we have got to manage it properly. If the existing provisions that have been put forward suggest otherwise than what the President has made clear and has been his position before, then it seems to me this is the give-and-take process----

Ms. Schakowsky. What does the administration think about it? Is it narrowly focused enough for the administration, the current language that we are going to be considering tomorrow or Friday? This is not imaginary language. There is language.

Mr. Tritak. No. Look, I am aware of the concerns that have been expressed, and they have been expressed quite a bit. I am also aware that there has been a fairly active dialog to address those concerns and to bring this into--my sense is that the new provision is going to look a lot different from the one that exists today. So that's why----

Ms. Schakowsky. That's not my understanding.

Mr. Tritak. Well----

Ms. Schakowsky. We're going to try, certainly.

Mr. Tritak. Well, but I think this is in fact an active dialog that's happening between the administration and the Congress as we speak.

Ms. Schakowsky. No, I think that's really a copout, because there is language, as was proposed by the administration, that is currently in the bill. I will be offering an amendment, I hope it will get bipartisan support, that will change that language. But it's not theoretical or--I mean, it is written right now in a piece of legislation. And I want to know if that is the language that you think is narrowly crafted enough, and that's the administration's language.

Mr. Tritak. I think the position the administration put forward is the one that it believes would advance the issues I have just addressed. I also think that people recognized going in that this was going to be a provision that was going to be worked.
So the real question at the end of the day is, the final bill that is going to pass both the House, the Senate, and the administration, is going to reflect a consensus on this matter. And I can only tell you that what the administration has been fairly clear on is that this is not intended to be an open-ended, overly broad information sharing process; it is meant to provide clarity and certainty to the stakeholders of the infrastructure as to what is in and out of bounds in terms of what is protected under FOIA.

Ms. Schakowsky. So the language in the Armey bill--that's the bill right now--came out of the select committee. That's the bill, that's the language. Is that the--does the administration support that language currently?

Mr. Tritak. You know, what I have to tell you, I think that there currently is a review about that language as part of the administration's response, and I would rather not say anything about it at this time. But I take the point, and----

Ms. Schakowsky. OK.

Mr. Tritak [continuing]. All----

Ms. Schakowsky. But, no. Let me ask--can I ask another quick question?

Mr. Horn. Certainly.

Ms. Schakowsky. What efforts have been made to let the private sector that might have this critical information know about how to use the existing FOIA act, about the Executive order, and to create a sense of comfort--which, I guess, is what we need to do. It seems to me that the tools are here. It doesn't surprise me that the private sector might want to go further. But have there been efforts, particularly post-September 11th, when we are trying to get this information, to encourage that information and to make it clear how to use the current tools?

Mr. Dick. I will take that one. Since the inception of the ITC, one of the issues that has continually come up, as I said in my oral statement, is this very issue.
We have had a continual dialog with the ISACs, the InfraGard members, which, as I said, total over 5,000, and anyone else that we can get in front of, and try and clarify and explain how the government would be able to protect information under the FOIA exemptions. The reality is, though, for example, in the Trade Secrets Act, one of the things that I am told--I am not a lawyer--that if there is a request for that, the industry would have to come forward and discuss in court what it had done to protect that information. So therefore, they would have to go into court and prove, I assume beyond some standard, that they had adequately protected it in the first place. One of the things you have to keep in mind is that the information that we are talking about is owned by the private sector, and FOIA does not apply to the private sector; it only applies to the executive branch. So we are talking about information that the private sector believes is sensitive and are concerned about it being disclosed, and they have questions as to whether the government can adequately protect it. And what we are recommending is not some broad loophole, but a measured response in the language that provides them the assurances that will provide better information sharing.

Ms. Schakowsky. Well, first of all, my understanding is that you are wrong about the protection of that information. If it is voluntarily provided to the Federal Government and then there is a FOIA request, it is not because it is in that category of voluntary information that it is automatically released and not covered by FOIA; it is now covered by FOIA, and all of those nine exemptions and the Executive order apply to that information. But I think perhaps a more central question is, do any of you know of any instance, even one, where confidential information has been released by the Federal Government in response to a FOIA request over the objection of the business that supplied that information?

Mr. Dick. The answer is we are not--meaning the NIPC and the FBI--aware of that. But on the flip side of that, because of these concerns, I can't tell you that we are getting an extremely high volume of information either. So it hasn't really been tested.

Mr. Horn. We will move from 5 minutes to 10. And Mr. Tritak, again, when is the Comprehensive National Infrastructure Protection Plan expected to be completed?

Mr. Tritak. Well, as you know, the overall homeland security strategy was just released last week. And the next step is that there will be two, what I would consider to be baseline strategies, one dealing with the concerns of the cyberspace security, which is being overseen by Dick Clarke, and the other is the challenges to the physical infrastructures--critical infrastructures, which will be coming out sometime in September or October as well. It is then the intention of the homeland security effort to create one integrated approach, which would follow sometime thereafter. I think the real answer is as soon as possible, but there hasn't been that date set. But given--frankly, given the pace with which things have been moving, I wouldn't expect it to follow much longer from those releases.

Mr. Horn. Will the proposed plan address specific roles, responsibilities, and relationships for all the critical infrastructure protection entities, establish interim objectives, and set milestones for the achievement, and establish performance measures?

Mr. Tritak. Yes, that is the intention.

Mr. Horn. OK.

Mr. Tritak. And I will also add, more infrastructure sectors have been added since PDD-63 to take into account the homeland security issues of food protection and the rest. So, yes.

Mr. Horn. What are the incentives for the private sector to share information with the Federal Government?

Mr. Tritak. They're a target.
And there is also I think a recognition that there are certain pieces of information that the government can provide, once it knows more about the challenges that the private sector is facing, that can help them better do their jobs. Mr. Horn. What can we do to do anything to improve these various incentives? Mr. Tritak. I think one of the purposes of the strategy is to actually--by the way, the strategy that will be coming out in September is actually the product of industry and government working together. And I think what will be extremely important is as we find obstacles to homeland security, some of them may very well raise issues, statutory concerns or otherwise, and then we will be coming to people like you to discuss how we go about dealing with them. And so I think it is the constant vigilance of the Congress as these public issues come to the fore, in which government has to play a role in order to get to advance the cause of homeland security that you will provide the most helpful function in that regard. Mr. Horn. Do you think the private sector in the State and local governments are willing to fund the efforts required to adequately secure our critical infrastructures? Mr. Tritak. I think they are. I think the question is always going to be, particularly with State and local governments, how much of this is quintessentially the roles and responsibilities of the State and local government, and how much is the homeland security proposition at the State and local level really a Federal issue as well. Governor Ridge has made it very clear that at the end of the day, homeland security is won in the hometown, which is exactly what happened in New York. We were much, much better off because of the brilliant work that was done by New Jersey, Arlington, Virginia and the rest, and the contingency plans that they had done. And we would have been in a lot worse shape if they hadn't been thinking through this problem before. Mr. Horn. 
How long will the move to the new Department of Homeland Security improve the Critical Infrastructure Assurance Office's ability to fulfill its mission? Will it stay with Commerce, essentially?

Mr. Tritak. No. The idea is that it will actually be under the Department of Homeland Security. And I think what it will do is allow us to leverage our resources along with the co-location of people like Ron Dick and others, so that we--basically, we could be more focused. We give industry, for example, single points of contact as opposed to multiple points of contact. It will be more efficient and effective, Mr. Chairman.

Mr. Horn. Well, thank you. That's a good response. Mr. Leffler, do you believe that the private sector is willing to fund the efforts necessary to adequately secure our critical infrastructure?

Mr. Leffler. Absolutely. I think that with--with some help. I think that we have to define very clearly and very carefully what securing this infrastructure really means, and we have begun that dialog. Cyber is one perspective. We heard a lot of discussions on the earlier panel about process control systems. It's an issue that we have on our--under our purview right now. We are seriously considering what needs to be done. It's a big issue, and it does need to be addressed, and we are in the process of commencing that process. The other one on cyber controls or cyber perspective is the cyber business commerce. And this, I mentioned in my testimony, this is--we are working with the FERC in developing a security standard for the standard marketing design, and we will work with them in establishing that, promulgating what needs to be done by everybody. Basically anybody who is going to be participating in this industry, will need to step up to the bar on that one.
And then, securing everything in the cyber world, we have another project called Public Key Infrastructure, which we have embarked upon received approval from our board to commence, and we are working that one to do it as well. Now, we get to physical. And we say, OK, how do we secure this system from physical--from any kind of physical attack? It is everywhere, as everyone knows. And that's an extremely difficult thing to do. So part of the answer is in knowing where critical things are, knowing what things are critical, knowing what we need in the way of spares. Perhaps we can get some support there in establishing spares, locating spares, transporting spares when they are needed to be used. Those are some of the things that we may need some assistance in. And then, finally having excellent--I mean excellent--plans for reconstitution in place, as did ConEd in New York City. Their restoration of that city's electricity, gas, and steam infrastructures was just fantastic.

Mr. Horn. Mr. Jarocki, you probably ought to be in on this dialog here. Any thoughts with what Mr. Leffler thought?

Mr. Jarocki. I think a lot of the things that are already being done are helpful and an expansion. For instance, let me give you some examples. During--obviously, during the September 11th scenario, the FS-ISAC opened up the ISAC to the entire industry, and we created an eBay type environment that says, what is available? Is there space available? Is there product available? And everything else. We also found that in order to communicate readily with each other, we needed the exact thing that Lou said. Where is the emergency communications? Through John's office we were able to get a lot of guest cards immediately issued to our executives to start that process, because it is key. When all fails--in New York City, I was a participant in the September 11th exercise. Unfortunately, what worked--it was strange. Two-way pagers worked; cell phones and everything else just went out.
And I saw the fear in people's eyes. You know, what do we do? It was a war. It was a definite war, and communications breaking down. I mean, we were lucky at Morgan Stanley because of the redundancy in everything else, our communications did not break down internally; but externally, we were there. So I think there is a lot there. Wearing my old hat from many, many years ago as an intelligence officer at Fort Meade and working with that group, I think one of the things that we could get from the government is we learned a lot about taking large volumes of data, analyzing it, and being able to extract the fine points that are necessary to make an operation valid and give us value information. I think a lot of that, if we can get at those algorithms, get at that process, is what we need in the civilian community, in the ISACs, so we could start processing, and get at--I think the last time we did a catalog of over 108 Federal data bases which had significant information that we could use that might very well help us out in protecting our infrastructure.

Mr. Horn. How would you characterize the quality and quantity of the data being shared from the Information Sharing Analysis Center to the government?

Mr. Jarocki. I looked at it--it is sort of a marriage; we're dating, and so we are exchanging information. We haven't gotten to the altar yet. But I think it is a positive thing. You know, you are testing the waters. You are saying, here it is. It's a very good relationship with the organizations I mentioned: NIPC, the New York Electronic Crimes Task Force. To me, it's a very positive relationship. Again, it was built on one important thing--how can we trust each other--as opposed to having guns and badges. It's a trust of people and exchanging information, and I think it's--it is only getting better.

Mr. Horn. What type of information is shared among Information Sharing and Analysis Center members but not with the Federal Government?

Mr. Jarocki.
Right now I will only reflect on the technology side, is we share an awful lot of information on what's technology and, specifically, what might be within our own realm of the financial sector, this piece of software or whatever we have. Is that shared with other sectors? No, because it's not germane to them. But we would look at that and say, OK, here is what we use; this is a payment system, this is it. How can we shore this up? How can we make it better? And we are also working with the vendors that supply. That's a key issue because we're saying, look, we find these things; how can we work together to fix them. And fix them when? Immediately, if not sooner. So we are looking at--I don't think there is--at this stage of the game, there is no, shall we say, holding back of information that would be critical in any instance.

Mr. Horn. What Federal organizations do you coordinate with now? And do you have any suggestions to improve this coordination? For example, the proposed Department of Homeland Security, will that affect this coordination or will that improve it, as you look at the puzzle?

Mr. Jarocki. I sincerely hope it improves it, and I think it's the right direction, because it's going to focus a lot of the separate efforts that are taking place today. If you took a look at the entire catalog of information that we analyze and collect at the FS-ISAC, it is over 100 different sources. That's not saying it's all Federal, but there is over 100 different sources. And I think, as you suddenly focus it all and bring it together so we have one point of contact, much like we have done with Ron Dick--I mean, one of the good things that we managed to put together was how do we formalize what we do. Where are the points of contacts? How can we get information together? And, how can we hold--a simple thing like we agreed to call each other once a week and say, hi, anything going on? Because you just forget.
You are so busy in business-running that sometimes that phone call is necessary. So I think Homeland Security. And if we--everything we read, though, it keeps changing, though. So I'm just trying to map this on my screen. It's not that easy.

Mr. Horn. I have one more question on this, and then I will yield 10 minutes for Ms. Schakowsky. What are the impediments that limit additional firms from participating in your Information Sharing and Analysis Center?

Mr. Jarocki. I don't think there's any impediments right now, because we are actually working on opening it up to the entire sector. The only impediment, like anything else, is sheer cost. There is always a dollar associated with providing it. And what we are working toward today is a multitiered system so that at least the most important information, which is the alerts and the vulnerabilities, can be gotten to the first responders, to the executive management thing at the lowest levels, immediately, if not sooner.

Mr. Horn. Thank you. Do you want to add something to that, Mr. Tritak?

Mr. Tritak. No.

Mr. Horn. OK. Ten minutes for Ms. Schakowsky.

Ms. Schakowsky. Back to FOIA. Mr. Tritak, you said that the President has wanted a narrowly crafted exemption to FOIA or addition to FOIA. Let me just read to you from the bill that came from the administration. It says: ``information Voluntarily Provided, Section 204. Information provided voluntarily by non-Federal entities or individuals that relates to infrastructure vulnerabilities or other vulnerabilities to terrorism and is or has been in the possession of the Department shall not be subject to section 552 of Title 5, United States Code.'' That's the Freedom of Information Act. ``anything that relates to infrastructure vulnerabilities or other vulnerabilities to terrorism will be exempt from the Freedom of Information Act.'' You could hardly call this a narrow exemption to FOIA.
Now, it has been fleshed out a bit in the Armey bill, but the goal of the administration within this Department was to protect all of this information. Now, how does that jibe with your saying that the President wants a narrow exemption?

Mr. Tritak. Well, as I said before, I think the idea here is to make it narrowly crafted to deal with very sensitive matters relating to critical infrastructure vulnerabilities. It is not to provide a--basically, a dumping ground for any information related to anything with respect to the infrastructure industry that someone might want to put in there and then claim it's protected under the----

Ms. Schakowsky. So--now, so the narrowness is as long as you can somehow hook it to infrastructure----

Mr. Tritak. Vulnerabilities. Yes. Now, look, again, this is a draftsman issue. I take your point. I understand that this is very contentious. All I'm saying is that's precisely the process. You are now in play to fix it if you have a problem with it. I mean, truly. No one--let me tell you, nobody intends this to become a mechanism by which basically people can, you know, foist their responsibilities off by data dumping. No one is trying to create a mechanism by which gross negligence and criminal activity can be buried in the government and therefore it can't be prosecuted or otherwise----

Ms. Schakowsky. Intention really doesn't matter. Intention really doesn't matter. Depending on how the law is crafted, it could be exactly used for that.

Mr. Tritak. Sure. But part of it--that's why, as I say, it's the give and take of this process, to make it read what it's supposed to do.

Ms. Schakowsky. OK. Mr. Dick, I want to get back to your statement, and see if you wanted to reconsider it, the statement you made before the Senate: ``if the private sector doesn't think the law is clear, then by definition it isn't clear.'' What do you mean? And do you want to reconsider?

Mr. Dick.
One is, as I talked about a moment ago, we spent a good deal of time with the private sector and their general counsels trying to explain how the exemptions as they currently exist under FOIA will protect the information that is provided to it. The problem that we run into is that the general counsels for these companies either, (a) don't believe it, or cannot provide to the CEOs absolute assurance that the sensitive information that they would be providing to the government would be protected. And so what, by definition, if it--obviously, we're not being able to convince the private sector that those exemptions are adequate, because we have done it over and over again--you have heard it by the members here, on this panel--that it's still a concern to them. And one of my missions as the director of the Center is to try and promote, as best I can, the partnership with the private sector so that they do share that information so that we can compare threats and vulnerabilities so as to assess the risk to our critical infrastructures. And that's what we are seeking. If there is not clarity there, if there is not our concerns, and if there is a way that Congress can resolve those issues, then we support that.

Ms. Schakowsky. It's really stunning to me. I mean, if WorldCom or Enron or somebody comes to us and says, well, you know, we really don't think we can provide you that information even though we're--our stock has gone all the way down and we're just not going to provide information--that the U.S. Government should change its laws to accommodate that. It seems to me, if we need the information, then we have laws in place and they should give the information. I would like to----

Mr. Dick. This goes back to the point, though. At this moment in time, this is voluntary information, owned by the private sector, that it has no obligation to share unless it wants to. We can't make them do it.

Ms. Schakowsky. Right.
And at a time of war, at a time where we feel threatened, we are negotiating with them to provide critical information, and changing our laws so that they will feel----

Mr. Dick. This issue was raised before September 11th.

Ms. Schakowsky. Oh, I know.

Mr. Dick. This has gone on for 4 years.

Ms. Schakowsky. Oh, I'm well aware. I'm well aware they don't want to provide information to the government that we might need to protect our--the safety and well-being of our citizens. And we are going to accommodate that in ways that I think diminish our ability for citizens to have information that they are rightfully entitled to. I would like examples of what kind of information that--that you are saying that they don't want to provide us.

Mr. Dick. Well, obviously if I knew what that was--you mean general scope examples? Or--I mean, if I knew what the information was, I would----

Ms. Schakowsky. All right. Just give us categories of information that we aren't going to get because they are uncomfortable.

Mr. Dick. Well, NOSA has to, you know, defer to Stash and the other people at the table for categories of this. But, for example, the specific vulnerabilities associated with the SCADA systems and the processing systems that they are able to determine. Nobody has attacked them yet. But what my job is is to compare what is the threat out there? Are there people, whether they're hackers or al Qaeda or whoever, looking for the vulnerabilities that have been identified out there? The second piece of the equation at times is unknown to me. I know that there are people out there looking to attack them, but I don't know what the vulnerability is that they may seek to do that by. And at times the private sector is concerned about if they share it, then it will become public and therefore the bad guys will know it and then attack them.

Ms. Schakowsky.
So there is so little confidence, that at this point in history that people within the government would not have the sense to know what information would be critical to al Qaeda, that they are just not going to provide that information?

Mr. Dick. No. We do know what some of that information is.

Ms. Schakowsky. No, no. I'm saying that businesses feel that they can't trust you to maintain secrecy around information that will help al Qaeda.

Mr. Dick. Well, I think the issue is not if we know it; it's whether the industry's required to provide it, and whether FOIA, in their opinion--meaning the industry--believes that they can protect it.

Ms. Schakowsky. That's what I'm saying. They don't believe it. They believe that if they provide information that's critical to terrorists, that this government under its current laws is just going to let that information out.

Mr. Dick. Their concern is that the government--if I understand it correctly, and you should ask them--is that the government could not adequately protect it. That's the advice that I understand being given by the general counsels, and we are trying to work with them to resolve those issues.

Ms. Schakowsky. And I just want to say that it is precisely because of those concerns that the exemptions to FOIA were crafted. It is precisely for that reason that the Executive order--to make sure, as kind of a backup system, Executive Order 12600 was put in place so that those would be protected. These are precious civil liberties, sunshine laws, that now have come into focus how important it is to have transparency. This is what we preach around the world. And I just am at a loss to see why we should use this moment to sacrifice those protections.

Mr. Horn. I now yield 10 minutes for myself. Mr. Dick, what efforts should we focus on to improve information sharing and success of the Information Sharing and Analysis Center structure?

Mr. Dick.
I think the things that we are doing now, and I think we have been able to demonstrate, at least over the last couple of years, that the government can be trusted; and, in particular, the NIPC can be trusted with that information; that we have been able to demonstrate that with it, we can provide back to them timely actionable information to better provide--better protect their assets. Frankly, as Stash has indicated, it's just going to take time to build up that trust to make the free flow of information to the point that we can do an even better job than what we are doing today.

Mr. Horn. What changes should we make to the Information Sharing and Analysis Center in the new critical infrastructure protection strategy?

Mr. Dick. I'm sorry? Changes insofar as the strategy itself to enhance information sharing? Is that what you're talking about?

Mr. Horn. Yeah.

Mr. Dick. I really think under the President's proposal, as it was talked about a moment ago, by combining these issues that--or, resources,--that we'll have a much more focused and effective and efficient manner by which to deal with assessing threats and vulnerabilities. I think that there will be a lot of leveraging of capabilities across the government by the merging of some of these agencies under one leadership, and overall should have a very positive effect on our capabilities.

Mr. Horn. How are you assured that you are getting the appropriate intelligence information? And, how will the new Department improve the flow of intelligence information to the National Infrastructure Protection Center?

Mr. Dick. One of the things--I mean, I think we've built some very good partnerships with the other agencies that are in the Center. For example, CIA and NSA and Department of Defense and U.S. Secret Service now has a manager within the Center. I think we have about 22 different agencies represented there.
And I think one of the things that it is going to enhance, if I understand the proposal correctly, is that DHS will--you know, the flow of information, the requirement of sharing information on a much broader scale, will be further enhanced. With that comes responsibility and accountability for other people's information. But at least in the current structure, as I understand it, the ability to look at the big picture will be substantially increased.

Mr. Horn. Do you think the private sector and State and local governments are willing to fund the efforts required to adequately secure our critical infrastructure?

Mr. Dick. I think there is a will there. But in these fiscal times of budget deficits, I think it is going to be difficult for State and local governments to find those resources. But the will is there to do that. I met just last week with representatives from the State of Florida that are looking at starting a State--or, a State of Florida Critical Infrastructure Protection Center. I know that--participated with Texas in doing a similar type of project. And one of the things we have to ensure--I like to talk about the thousand points of light theory insofar as infrastructure protection. I don't care how many centers there are out there or how many ISACs there are out there or how many members of InfraGard out there, the point is that they are all interconnected and sharing information so that we truly have the ability to determine what the vulnerabilities are and when some threat is going to attack that vulnerability. So I think there is the will. The funding of it is a different question.

Mr. Horn. Before I get to the General Accounting Office, our research arm--and I haven't forgotten you, Mr. Maiffret, and you've listened to all this. What's your thinking on that?

Mr. Maiffret. I think the debate of like information sharing is obviously something that should happen.
But I think the even bigger problem is that we don't really have any information to share or any worthwhile information. And basically that is to say that there are--you know, if you want to take SCADA systems or just control systems in general, there's plenty of them out there that do have vulnerabilities. I've actually had access to a few of these types of systems myself. And people--you know, myself and also other researchers of the eEye, we found numerous vulnerabilities in that, in the actual SCADA software themselves, in the actual control software. And this information, you know, it's slowly getting up to the software developers and whatnot so they can fix these problems, but there needs to be a lot more work actually done on determining what is the vulnerability, you know, why is a certain type of infrastructure site vulnerable, depending on the type of setup that it has, whether it's using commercial off-the-shelf software which has vulnerabilities, or whether it be, once again, the actual SCADA software itself. And you know, I will say again, I think we really need to work hard on actually--you know, to state the obvious, I think we need to work hard on actually fixing the infrastructure sites themselves. And that is creating, whether it be guidelines that are enforced, kind of like we've had in the health care with HIPAA and whatnot. But we need to basically get down in the trenches. I think there's--you know, while there's a certain amount of high-level talk that needs to be done, there is even more on a technical level that needs to be discussed and hammered out and, you know, true technical solutions to a technical problem need to be put forth.

Mr. Horn. One of your colleagues on Panel One said generally this--and that's Dr. Thomas--noted that hackers who have the skills to break into a supervisory control and data acquisition system are unlikely to conduct a targeted attack, based upon their ethics.

Mr. Maiffret.
I think with hackers--I mean, there's so many different kind of classes of hackers, if you will. There is more the typical term ``hacker'' which is used by the media and just by people in general, which is, you know, the people that are posting on mailing lists about security vulnerabilities and that type of thing and doing research. And I think those type of people, you know, people like myself, I definitely consider myself a hacker. Yes, we actually--you know, there is the ethic there that you would never do such a thing. At the same time, I know for a fact that there's plenty of foreign governments that do heavily research vulnerabilities and how to actually take control of these types of systems. There's other governments that have SCADA systems also, for example. And just like our government does a lot of analysis in finding vulnerabilities in these types of systems, although a lot of time that information doesn't kind of bubble up to the surface, you know, there's definitely other countries that are doing the same type of thing. And at the same time, there is definitely hackers that, you know, while they might not necessarily have the ethic, there is a certain dollar value that, when brought up, makes that ethic go away a little bit. So I definitely think there are people out there that do have the skills and they definitely think that sooner or later they are going to be approached, and it's going to start--you know, these types of attacks are going to take place.

Mr. Horn. About a year and a half ago, I was in Italy when they had reached a wonderful part in their economy. And I happened to mention to the Prime Minister, are you worried about any foreign nation trying to upset your economy? Which is very electronic in many ways. And he said, ``We certainly are.'' Now, from your background, do you worry about that kind of situation? And do you see that type of thing going on, where a good economy of the free world is under fire?

Mr. Maiffret. Yeah.
I don't know. I mean, there's a lot of times there's talks like that where it's kind of like the economy as a whole or, you know, the North American power grid as a whole and stuff. And I don't think that you necessarily right now are going to see the type of attack that could be that broad and affect that much. I think it's going to be more targeted attacks. For example, an attack that takes place and the power for Los Angeles goes off, or something like that. I don't think that it's really something that's so broad for the United States in general. But it obviously shouldn't be discounted that--you know, depending on the number of, you know, hackers that you have working for you and how well you are able to coordinate and things. If you hit a few of the major cities and stuff, it obviously can be just as devastating.

Mr. Horn. You recommended enforcing a set of requirements on the security of sites and companies deemed to be integral parts of the Nation's critical infrastructure. Who do you believe should develop those requirements and who do you believe should enforce them? What are some of the practical limitations in enforcing such requirements?

Mr. Maiffret. As far as creating them, obviously the infrastructure companies themselves need to be heavily involved. One of the things I stated in my written testimony, though, is that not just the kind of managers, the more high-level people at the infrastructures, but more of the kind of people in the trenches. You know, I mean, I've sat over dinner with people before that do run the power grids, and they joke about how easy it would be for somebody to, using a dial-up modem, get in and shut down certain things. And I mean, it's people like that where they--you know, they work at these companies, they understand the technology, and a lot of times they understand what they do need to do to help secure it.
And a lot of times, though, that information--it's not easy to kind of bubble it up to the top where it can actually be used and they can start to enforce this thing. At the same time, I think there is definitely a lot of researchers, including some of the people on the first panel, that have a very good idea of how these systems work and, you know, the kind of technical mind definitely needs to be there. But at the same time, you know, there is a certain amount of the business aspect to it and stuff. So that all needs to be hammered out. And as far as enforcing it, you know, I don't know. It's not really my place to say who should be the one enforcing it, you know, just as long as there's--somebody is. And obviously--I think it needs to be somebody at the government level.

Mr. Horn. Well, there is a lot of now State information officers, and you have a real wealth of knowledge in the area, and hopefully they will be working with the various Silicon Valleys--east, west, south, and north--and that might be one way to get at the requirements.

Mr. Maiffret. Definitely. And just one other, like, side comment. I'd say one of the other problems with why a lot of the infrastructure ends up being secure--you know, we were talking on the first panel, there was a lot of discussion about hackers and whatnot. And the thing that we have with a lot of just the kind, you know, kind of regular software systems that are out there and used by the public, is there are hackers out there that are testing the software, and they are attempting to break it and find flaws in it and whatnot. And these vulnerabilities do eventually get fixed. And part of the problem, a lot of the--you know, the kind of control systems and software out there are not really accessible by these types of people, and so they are actually not being tested.
And, you know, I mean, the few that we actually have access to that we were able to set up, it was a matter of minutes before finding just, you know, total common vulnerabilities that have been known for a very long time now, and it's very easy.

Mr. Horn. Moving now to Robert Dacey, the Director of the Information Security portion of the U.S. General Accounting Office. And in your testimony, you mention that a clearly defined strategy is essential to ensure that our national approach is comprehensive and well coordinated. What are the key components that should be included in our national strategy? And I would like to know, from your other colleagues here in Panel Two, what are your comments in response to what they've asked and answered some of these questions?

Mr. Dacey. I think in terms of the strategy, we have indicated for a number of years that this was an important aspect. And, as we released in our report last week, there are over 50 entities directly involved in cyber CIP, let alone some of the physical aspects that are starting to be considered as part of our CIP strategy. I think the key issues go back to what we have in the testimony; and that is, we need to make sure there are clear roles and responsibilities, and how the relationships between all these organizations work. The proposed Department of Homeland Security would include--at least the President's proposal included six entities that would be transferred, still leaving a large number of entities that would not be. And it is going to be critical to make sure that there is clear coordination about the efforts involved.
The second major area would be, again, establishing clear objectives and milestones and making sure that there are timeframes in place to address them, as well as performance measures which we have throughout government, with GPRA, found to be a very important aspect in terms of establishing the right performance measures and having a regular reporting process to understand the progress that's being made. And I think earlier on the panel, Mr. Tritak indicated the strategy would address those matters.

Mr. Horn. Thank you. And I would like to thank those that brought you here, both Panels One and Two. And we have to vacate this for another subcommittee. To my left, your right, Claire Buckles is professional staff, American Political Science Association, congressional fellow. Vice President Cheney was one of those Fellows, and so was I. He's way ahead of every one of us. Back here on the wall is the staff director and chief counsel for the subcommittee, J. Russell George. And with him there is the deputy staff director, Bonnie Heald, and they all had a hand in this. And our assistant to the subcommittee, Chris Barkley, is very--standing up in the door there. And we have a lot of interns: Sterling Bentley--is she here--and Joey DiSilvio, Freddie Ephraim, Michael Sazonov, and Yigal Kerszenbaum. And then for Ms. Schakowsky, we have a longtime professional staff member who knows what he is talking about, one David McMillen. And Jean Gosa, minority clerk, another great institution. And, last but not least, our two wonderful court reporters, and that's Desirae Jura, and Nancy O'Rourke. Thank you very much. And, with that, we are adjourned.

[Whereupon, at 1:05 p.m., the subcommittee was adjourned.]