<DOC>
[110th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:43198.wais]
CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR
NATION'S INTERNET INFRASTRUCTURE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON INFORMATION POLICY,
CENSUS, AND NATIONAL ARCHIVES
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
__________
OCTOBER 23, 2007
__________
Serial No. 110-59
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
http://www.oversight.house.gov
U.S. GOVERNMENT PRINTING OFFICE
43-198 PDF WASHINGTON DC: 2008
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800
Fax: (202) 512ÿ092104 Mail: Stop IDCC, Washington, DC 20402ÿ090001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts CHRIS CANNON, Utah
WM. LACY CLAY, Missouri JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts DARRELL E. ISSA, California
BRIAN HIGGINS, New York KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of VIRGINIA FOXX, North Carolina
Columbia BRIAN P. BILBRAY, California
BETTY McCOLLUM, Minnesota BILL SALI, Idaho
JIM COOPER, Tennessee JIM JORDAN, Ohio
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont
Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
David Marin, Minority Staff Director
Subcommittee on Information Policy, Census, and National Archives
WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky BILL SALI, Idaho
PAUL W. HODES, New Hampshire
Tony Haywood, Staff Director
C O N T E N T S
----------
Page
Hearing held on October 23, 2007................................. 1
Statement of:
Garcia, Gregory T., Assistant Secretary for Cyber Security
and Communications, Department of Homeland Security;
Gregory C. Wilshusen, Director of Information Security
Issues, GAO; and Daniel S. Ross, chief information officer,
State of Missouri.......................................... 7
Garcia, Gregory T........................................ 7
Ross, Daniel S........................................... 43
Wilshusen, Gregory C..................................... 20
Sabo, John T., president, Information Technology Information
Sharing and Analysis Center and director of Global
Government Relations, CA, Inc.; Larry Clinton, president,
Information Security Alliance; Ken Silva, chief security
officer and vice president for networking and information
security, Verisign; Catherine T. Allen, chairman and CEO,
the Santa Fe Group; and Kiersten Todt Coon, vice president,
Good Harbor Consulting..................................... 64
Allen, Catherine T....................................... 98
Clinton, Larry........................................... 86
Sabo, John T............................................. 64
Silva, Ken............................................... 78
Todt Coon, Kiersten...................................... 118
Letters, statements, etc., submitted for the record by:
Allen, Catherine T., chairman and CEO, the Santa Fe Group,
prepared statement of...................................... 100
Clay, Hon. Wm. Lacy, a Representative in Congress from the
State of Missouri, prepared statement of................... 3
Clinton, Larry, president, Information Security Alliance,
prepared statement of...................................... 88
Garcia, Gregory T., Assistant Secretary for Cyber Security
and Communications, Department of Homeland Security,
prepared statement of...................................... 10
Ross, Daniel S., chief information officer, State of
Missouri, prepared statement of............................ 45
Sabo, John T., president, Information Technology Information
Sharing and Analysis Center and director of Global
Government Relations, CA, Inc., prepared statement of...... 66
Silva, Ken, chief security officer and vice president for
networking and information security, Verisign, prepared
statement of............................................... 80
Todt Coon, Kiersten, vice president, Good Harbor Consulting,
prepared statement of...................................... 120
Wilshusen, Gregory C., Director of Information Security
Issues, GAO, prepared statement of......................... 22
CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR
NATION'S INTERNET INFRASTRUCTURE
----------
TUESDAY, OCTOBER 23, 2007
House of Representatives,
Subcommittee on Information Policy, Census, and
National Archives,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:06 a.m. in
room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay
(chairman of the committee) presiding.
Present: Representatives Clay, Hodes, Yarmuth, and Turner.
Staff present: Darryl Piggee, staff director/counsel; Jean
Gosa, clerk; Adam C. Bordes, professional staff member; Nidia
Salazar, staff assistant; Michelle Mitchell, legislative
assistant, Office of Wm. Lacy Clay; Charles Phillips, minority
counsel; Patrick Lyden, minority parliamentarian & member
services coordinator; and Benjamin Chance, minority clerk.
Mr. Clay. The subcommittee on Information Policy, Census,
and National Archives will now come to order. Today's hearing
will examine how well DHS is fulfilling its role as the leading
Federal agency charged with coordinating response and recovery
efforts in the event of a major Internet disruption. In
addition, we will review the roles and responsibilities of
private sector stakeholders in the development of Internet
recovery plans and hear their recommendations for improving our
current cyber security policy framework.
Without objection the Chair and ranking minority member
will have 5 minutes to make opening statements followed by
opening statements not to exceed 3 minutes by any other Member
who seeks recognition. And without objection Members and
witnesses may have 5 legislative days to submit a written
statement or extraneous materials for the record.
I will begin with an opening statement and then recognize
the ranking member. Then we will adjourn after that while we
vote and then we will come back and take the testimony. Just be
patient with us, please.
Securing our Nation's economic and global interests relies
upon having a resilient Internet infrastructure. A recently
released study by the Business Roundtable summarized that there
is a probability of between 10 percent and 20 percent for a
major Internet breakdown over the next decade. At an estimated
global cost of approximately $250 billion, an event of this
magnitude would prove devastating to our domestic industries
and international trading partners.
Despite spending millions of dollars, the Department of
Homeland Security has failed to develop an effective Internet
recovery plan to rely upon for emergency response and recovery
efforts.
Furthermore, their lack of adequate progress in developing
appropriate models for measuring the levels of risk facing each
sector has left policymakers unable to determine which sectors
are most vulnerable to major cyber network disruptions.
It is my hope that today's witnesses will provide an update
on DHS' efforts to remedy its deficiencies and provide
recommendations for strengthening partnerships that will best
secure our Internet infrastructure.
That concludes my opening statement and I will recognize
Mr. Turner of Ohio for his opening statement. Mr. Turner.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
[GRAPHIC] [TIFF OMITTED] T3198.001
[GRAPHIC] [TIFF OMITTED] T3198.002
[GRAPHIC] [TIFF OMITTED] T3198.003
Mr. Turner. Thank you, Chairman Clay. I want to thank you
for holding today's hearing on Cyber Security: A Review of
Public and Private Efforts to Secure Our Nation's Internet
Infrastructure.
The Internet is a key critical infrastructure asset and has
an enormous impact on communications as well as the economy. It
is important that this asset is protected, much like other
critical infrastructure assets. It seems, however, that due to
a number of factors, the Internet isn't as secure from
catastrophic events as it could be.
I look forward to reading the testimony from today's
witnesses on how DHS can better prepare our Internet
infrastructure from potential catastrophic events, such as
national disasters and terrorist attacks.
I am interested in how DHS plans to address the concerns
listed in the 2006 GAO report on DHS' efforts to coordinate an
Internet infrastructure recovery plan. And I am particularly
interested in learning about the legal barriers that DHS faces
in providing assistance to private sector entities which own or
operate Internet infrastructure in the event of disaster.
Mr. Chairman, I want to thank you again for your leadership
and your effectiveness in the oversight of the important
Federal policy issues of information policy. Thank you.
Mr. Clay. Thank you, Mr. Turner. And at this time, the
subcommittee will recess and reconvene at the conclusion of the
three votes that we will take now on the floor. The committee
stands in recess.
[Recess.]
Mr. Clay. If there are no additional opening statements,
the subcommittee will now reconvene and we will receive
testimony from the witnesses before us today.
I want to start by introducing our first panel, which will
consist of Mr. Greg Garcia, who is the Assistant Secretary for
Cyber security and Communications at the Department of Homeland
Security. In his position, Mr. Garcia oversees the operations
and strategic planning activities of the National Cyber
Security Division, the Office of Emergency Communications and
the National Communications System. Prior to joining DHS, he
represented the information technology on Capitol Hill, and
before that served as a staff member of the House Science
Committee.
We also have joining us Mr. Greg Wilshusen, who is a
Director of Information Security Issues at GAO. He is a long
time expert on the topic of information security and has
testified before this panel numerous times on cyber security
issues and Federal information security management practices.
And to round out the panel, Mr. Dan Ross serves as the
chief information officer for the State of Missouri. And prior
to his appointment in 2005, Mr. Ross served under then
Secretary of State Matt Blount in the capacity of executive
deputy secretary of State. He holds a bachelor's degree in
industrial relations from Lincoln University and a master's
degree in public administration from the University of
Missouri.
Welcome, Mr. Ross. We know you came further than others.
And also welcome to the other two witnesses. And thank you all
for appearing before today's subcommittee.
And it is the policy of the Committee on Oversight and
Government Reform to swear in all witnesses before they
testify. And I would like to ask you all to stand and raise
your right hands.
[Witnesses sworn.]
Mr. Clay. Thank you. You may be seated. Let the record
reflect that the witnesses answered in the affirmative.
Mr. Hodes, did you have an opening statement that you would
like to offer?
Mr. Hodes. No, I will defer.
Mr. Clay. OK. Thank you so much. I ask that each of the
witnesses now give a brief summary of their testimony and to
keep the summary under 5 minutes. Your complete written
statement will be included in the hearing.
Mr. Garcia, we will begin with you. Before you do that, I
know that you come today to explain how seriously DHS and the
administration takes its cyber security responsibility. I must
admit that it is a little disappointing that you waited until
11:30 this morning to deliver your written testimony for
members of the subcommittee to adequately prepare.
With that said, you have 5 minutes to summarize your
statement.
STATEMENTS OF GREGORY T. GARCIA, ASSISTANT SECRETARY FOR CYBER
SECURITY AND COMMUNICATIONS, DEPARTMENT OF HOMELAND SECURITY;
GREGORY C. WILSHUSEN, DIRECTOR OF INFORMATION SECURITY ISSUES,
GAO; AND DANIEL S. ROSS, CHIEF INFORMATION OFFICER, STATE OF
MISSOURI
STATEMENT OF GREGORY T. GARCIA
Mr. Garcia. Thank you, Mr. Chairman, and members of the
subcommittee. I appreciate the opportunity to discuss the
Department of Homeland Security's efforts to promote the
resilience of America's Internet infrastructure.
Let me just say at the outset, Mr. Chairman, that I do
apologize for the lateness of our testimony. It is more than a
little disappointing to me, as well. It in no way reflects the
seriousness with which DHS takes the mission of cyber security.
And it is very much important for you, the members of the
committee and the staff to have the benefit of advance reading
of our testimony so that we can have an informed discussion.
So, please accept my apology for that.
We are endeavoring, in our process at DHS and interagency,
to ensure that we bring testimony up to the Congress in a
timely fashion.
Mr. Clay. Thank you for that.
Mr. Garcia. Sir, it is fitting that you are holding this
hearing during National Cyber Security Awareness Month. It
helps to raise public consciousness about the importance of
Internet security to our economy and to our way of life.
Over 200 million Americans use the Internet at home and in
the workplace. The Internet facilitates communications, and
supports Government and business operations. Although the
Internet has yielded tremendous efficiencies, organizations and
individuals remain vulnerable to disruptions in service and
loss of sensitive data.
Both the private sector and Government play a role in
securing our Internet infrastructure. The private sector
builds, owns and operates most of the cyber infrastructure and
ensures the availability and functionality of the Internet. The
Federal Government has the responsibility for ensuring the
continued operation of essential Government functions, securing
their timely restoration if they fail, and minimizing the
impact to the Nation.
As such, it is incumbent upon the Federal Government to
help protect against Internet disruptions and to ensure a
coordinated response to incidents. I would like today to
highlight a few of our efforts in these areas.
First, we are strengthening our ability to prevent Internet
disruptions. Under the National Infrastructure Protection Plan
[NIPP], the availability of the Internet and its associated
services is identified as a shared key resource of the
information technology and communications sectors. As the
sector's specific agency for both, we work with the sectors to
develop their Sector-Specific Plans [SSP], which were released
in May of this year.
The IT SSP defines six critical functions that support the
sector's ability to produce and provide resilient products and
services. Of these, two critical sector functions relate
directly to the Internet.
Similarly, the communications Sector Specific Plan
identifies critical architectural elements of the Internet.
Through implementation of their SSPs, the IT and communications
sectors are continuing to work together to assess the risk to
the Internet.
Although the availability of the Internet is primarily the
responsibility of the IT and communications sectors, all
sectors rely on the Internet. And DHS, together with the
Partnership for Critical Infrastructure Security [PCIS],
established the Cross Sector Cyber Security Working Group
[CSCSWG], comprised now of more than 90 Government and private
sector experts from across the critical infrastructure sectors.
This group provides a forum to assess, among other things,
how critical sector operations could be impacted by disruptions
and to develop appropriate mitigation strategies.
Improving situational awareness is a critical component of
preparedness. The U.S. Computer Emergency Readiness Team [U.S.
CERT], within my organization, coordinates with the private
sector and Government entities to increase situational
awareness of network conditions.
We developed a program called Einstein that provides
Federal agencies with early cyber incident detection so that
they can respond more rapidly to mitigate threats. It has
slashed the time it takes us to gather and share critical data
on IT security risks from days, as it used to be, to hours.
The U.S. CERT also engages with private sector Information
Sharing And Analysis Centers [ISACs], to share information on
cyber threats, vulnerabilities and incidents. This includes
collaboration with the IT-ISAC and the Multi-State ISAC to
raise the level of cyber security readiness in each State.
Our ability to protect against and prepare for Internet
disruptions is further enhanced through exercises. We are
currently planning for the Cyber Storm II Exercise in March
2008, which will include a focus on Internet disruption and
recovery and involve Federal, State, local, international and
private sector entities.
Second, we are enhancing public and private collaboration
to ensure effective response capabilities. The National
Response Framework [NRF], which was recently released for
public comment, articulates how our Nation will respond to all
hazard disasters. My office has responsibility for Emergency
Support Function No. II [ESF-2], the Communications Annex and
the Cyber Incident Annex. We undertook an in-depth review of
these components, and incorporated updates to them.
In support of the NRF, the National Cyber Response
Coordination Group [NCRCG], serves as the primary Federal
interagency mechanism for coordinating Cyber Incidents.
Recently, the NCRCG addressed the denial of service attack
against the government of Estonia. The NCRCG co-chairs convened
to discuss the situation and determined that an operational
response was indeed needed. And we coordinated that through the
National Coordination Center and U.S. CERT.
To sum, my office is now implementing a plan to co-locate
the U.S. CERT and the NCC, the IT and Communications to further
facilitate collaboration among IT and communications experts.
We are working side-by-side with them to make it easier to
obtain situational awareness, to identify threats and
coordinate response activities.
To conclude, both Government and the private sector are
taking proactive measures to address Internet resilience, and
to prepare for and respond to Internet disruptions. Government
and business leaders must continue to ensure that sectors,
organizations and individuals all understand their dependence
on the Internet, the impact that a disruption could have and
actions that can be taken to mitigate the consequences.
Sir, thank you for your time today. I appreciate the
opportunity to discuss this issue and will be happy to answer
questions.
[The prepared statement of Mr. Garcia follows:]
[GRAPHIC] [TIFF OMITTED] T3198.004
[GRAPHIC] [TIFF OMITTED] T3198.005
[GRAPHIC] [TIFF OMITTED] T3198.006
[GRAPHIC] [TIFF OMITTED] T3198.007
[GRAPHIC] [TIFF OMITTED] T3198.008
[GRAPHIC] [TIFF OMITTED] T3198.009
[GRAPHIC] [TIFF OMITTED] T3198.010
[GRAPHIC] [TIFF OMITTED] T3198.011
[GRAPHIC] [TIFF OMITTED] T3198.012
[GRAPHIC] [TIFF OMITTED] T3198.013
Mr. Clay. Thank you very much, Mr. Garcia. Mr. Wilshusen,
you are next.
STATEMENT OF GREGORY C. WILSHUSEN
Mr. Wilshusen. Chairman Clay and members of the
subcommittee, thank you for the opportunity to testify at
today's hearing on public and private sector efforts to secure
our Nation's Internet infrastructure.
Since the early 1990's, the world community has come to
rely on the Internet as a critical resource supporting
commerce, education and communication. While the benefits of
this technology have been enormous, this widespread inter-
connectivity poses significant risks to our Government's and
Nation's computer systems and, more importantly, to the
critical operations and infrastructures they support.
Today, I will discuss threats and vulnerabilities of the
Internet, DHS' efforts in facilitating recovery from Internet
disruptions and key challenges to such efforts.
Mr. Chairman, the Internet is vulnerable to disruptions in
service due to threats of terrorists and other malicious
attacks, natural disasters and technological problems or a
combination of these things. Disruptions to Internet service
can be caused by cyber and physical incidents, both intentional
and unintentional. For example, over the last few years, fast-
spreading worms and viruses coordinated denial of service
against key root servers, 9/11 and Hurricane Katrina have
caused local or regional disruptions or slowdowns.
Research organizations have pegged the annual worldwide
costs of malicious code attacks as averaging about $14 billion
for the 6-years ending in 2005, highlighting the importance of
recovery planning. However, these incidents have also shown the
Internet as a whole to be flexible resilient. Even in severe
circumstances, the Internet has not yet suffered a catastrophic
failure.
Nevertheless, is it possible that a complex attack or
series of attacks could cause the Internet to fail or to
undermine users' trust in the Internet, thereby reducing the
Internet's utility.
In a June 2006 report, we noted that DHS had begun a
variety of initiatives to improve the Nation's ability to
recover from Internet disruptions, including developing an
integrated public/private plan for Internet recovery,
establishing working groups to facilitate coordination, and
conducting exercises in which Government and private industry
practice responding to cyber events.
However, these efforts were not complete, comprehensive or
effectively coordinated. In that report, we also noted key
challenges that impeded progress. First, it was unclear what
Government entity was in charge, what the Government's role
should be, and when it should get involved. For example, DHS'
National Cyber Security Division and National Communications
System had overlapping responsibilities. There is also a lack
of consensus about the role DHS should play. The Government was
pursuing the big plan approach with the NIPP and the National
Response Plan while the private sector wanted to more of the
short-term tactical role from the Government.
Furthermore, triggers to clarify when the Federal
Government should be involved were unclear. Another key
challenge is working in a legal framework that doesn't
specifically address the Government's roles and
responsibilities in the event of an Internet disruption. The
Katrina recovery efforts also showed that the Stafford Act can
create a roadblock when for-profit companies that own and
operate critical infrastructures need Federal assistance during
national emergencies.
In addition, the private sector was reluctant to share
information with DHS because it did not always see value in
sharing information, did not necessarily trust the Government
and viewed DHS as an organization lacking effective leadership.
Until these challenges are addressed, DHS will have
difficulty in achieving results in its role as a focal point in
this area.
In our June 2006 report, we suggested that Congress
consider clarifying the legal framework that guides roles and
responsibilities for Internet recovery. We also made
recommendations to improve DHS' ability to facilitate public/
private efforts and planning for Internet disruptions. The
Department agreed with our recommendations and since then has
made progress in addressing many of them.
Still work remains to be done to ensure that our Nation is
prepared to effectively respond to a disruption of the Internet
infrastructure.
Mr. Chairman, this concludes my statement. I would be happy
to answer any questions you or members of the subcommittee may
have.
[The prepared statement of Mr. Wilshusen follows:]
[GRAPHIC] [TIFF OMITTED] T3198.014
[GRAPHIC] [TIFF OMITTED] T3198.015
[GRAPHIC] [TIFF OMITTED] T3198.016
[GRAPHIC] [TIFF OMITTED] T3198.017
[GRAPHIC] [TIFF OMITTED] T3198.018
[GRAPHIC] [TIFF OMITTED] T3198.019
[GRAPHIC] [TIFF OMITTED] T3198.020
[GRAPHIC] [TIFF OMITTED] T3198.021
[GRAPHIC] [TIFF OMITTED] T3198.022
[GRAPHIC] [TIFF OMITTED] T3198.023
[GRAPHIC] [TIFF OMITTED] T3198.024
[GRAPHIC] [TIFF OMITTED] T3198.025
[GRAPHIC] [TIFF OMITTED] T3198.026
[GRAPHIC] [TIFF OMITTED] T3198.027
[GRAPHIC] [TIFF OMITTED] T3198.028
[GRAPHIC] [TIFF OMITTED] T3198.029
[GRAPHIC] [TIFF OMITTED] T3198.030
[GRAPHIC] [TIFF OMITTED] T3198.031
[GRAPHIC] [TIFF OMITTED] T3198.032
[GRAPHIC] [TIFF OMITTED] T3198.033
[GRAPHIC] [TIFF OMITTED] T3198.034
Mr. Clay. Thank you very much. Mr. Ross, you may proceed
for 5 minutes.
STATEMENT OF DANIEL S. ROSS
Mr. Ross. Thank you, Chairman Clay and distinguished
members of the subcommittee. I thank you for inviting me here
to day to appear before you in both my role as Missouri State
chief information officer, and also as a member of NASCIO, the
National Association of State Chief Information Officers.
NASCIO is a not-for-profit, non-partisan research and advocacy
organization, of which I and most State CIOs are members.
I will briefly offer my perspective on efforts to secure my
State and our Nation's Internet infrastructure. A lapse or
shutdown of Internet availability would disable much of State
government, rendering it unable to communicate, to deliver
services and collect revenue for an extended period.
Regional conditions in Missouri illustrate some of the
challenges natural disasters may pose. A large portion of
eastern Missouri, including the city of St. Louis, lies in
close proximity to the New Madrid earthquake fault. Missouri
experienced over 200 tornadoes last year. In addition, we
experienced ice storms, thunderstorms and flooding which
damaged communications infrastructure.
In addition, the sheer pervasiveness and relentlessness of
cyber-attacks is staggering. In the past fiscal year alone,
Missouri's network and data center experienced nearly 5.6
million cyber-attacks. That's 29,000 per day, about 1,200 an
hour. And in the few minutes that I am speaking with you today,
we will experience about 100.
The evolving nature and sophistication of cyber-attacks is
worrisome as well. State information technology infrastructure
is now specifically targeted by criminal elements connected to
organized crime. In addition, they are also increasingly
international in origin, which makes apprehension and criminal
prosecution highly unlikely.
What are we doing? In response to this, State CIOs are
forging partnerships with State, Homeland Security, emergency
management and public safety officials to plan for the
potential of major disruptions and security breach events. We
are also trying to secure the funding necessary to maintain our
intrusion detection, spam filter and other technologies that
were purchased previously with Homeland Security one-time grant
funds.
A current concern State CIOs face is acquiring funding to
build security and resilience into all new IT projects and to
hire and retain knowledgeable, trained IT staff.
Some recommendations to fortify Internet communications
infrastructure. First, there must be increased
intergovernmental and private sector coordination. Business
partners, stakeholders and all levels of government must
coordinate actions, share best security practices, and plan for
the potential of a major disruptive event.
Second, continued State involvement in the National
Infrastructure Protection Plan and Cyber Security Information
Technology Sector Specific Plan within it is essential.
Third, we must identify cyber vulnerabilities and fund
their mitigation. Cyber security is not a tangible asset, and
Federal programmatic funding rarely includes specific
provisions for IT spending to protect Federal programs
delivered by States. The creation of a funding pool for cyber
security grants to specifically assist States in achieving a
proper cyber security posture would be beneficial in raising
the overall security level of critical IT infrastructure in the
State government sector.
Fourth, we must include and address Internet dependent
critical State functions and continuity of operations and
recovery plans.
And finally, we have to partake of information sharing
initiatives between NASCIO, the Multi-States Information
Sharing and Analysis Center and Federal agencies.
In conclusion, Mr. Chairman, technology alone will not
solve the security challenges that States face while trying to
protect key information technology systems and information
given the wide variety of cyber-attacks and security
vulnerabilities today, it may be only a matter of time before a
State's information systems and assets are compromised.
Therefore, it is imperative that an investment in human and
technology resources be an ongoing, proactive process, and not
a reactionary response to a security event. The well publicized
hard costs of security breaches as well as the soft costs of
losing citizen confidence drive the need for providing
sufficient resources for securing Government's information and
infrastructure assets.
As CIO for Missouri and as a representative for NASCIO, I
appreciate the work of this subcommittee in addressing this
national challenge. The National Association of State Chief
Information Officers stands ready to contribute to this
subcommittee in a meaningful way as needed.
Thank you for your time.
[The prepared statement of Mr. Ross follows:]
[GRAPHIC] [TIFF OMITTED] T3198.035
[GRAPHIC] [TIFF OMITTED] T3198.036
[GRAPHIC] [TIFF OMITTED] T3198.037
[GRAPHIC] [TIFF OMITTED] T3198.038
[GRAPHIC] [TIFF OMITTED] T3198.039
[GRAPHIC] [TIFF OMITTED] T3198.040
[GRAPHIC] [TIFF OMITTED] T3198.041
Mr. Clay. Thank you so much for your testimony, Mr. Ross.
We will start the first round of questions and the
gentleman from New Hampshire is recognized for 5 minutes. Mr.
Hodes.
Mr. Hodes. Thank you, Mr. Chairman. And thank you for
holding this very, very important hearing. Given the
Information Age that we are living in, there probably is
nothing that is more important these days in some way to the
security of this Nation than the issues that we are discussing
today. As the use of the Internet and cyberspace blossoms, it
is becoming ever more important to us.
Mr. Garcia, I noted with appreciation your sense of regret
that your testimony wasn't supplied earlier to us, and I take
that you will be able to take steps in the future so that when
you come back before us, we will have enough time to review
your testimony.
Mr. Garcia. Absolutely, sir. We do strive to give you the
best quality product we can, as well, which may account for
some of the delay and the review process.
Mr. Hodes. I appreciate that. Prior to your appointment,
Mr. Garcia, the previous Director of the NCSD, Andy Purdy, was
hobbled because there were conflict of interest questions due
to his continued employment with his original employer,
Carnegie Mellon University, which was involved with several
DHS, cyber-related projects at the time. My understanding is
that he was actually drawing a salary while working also for
the NCSD, which created real problems, as you can imagine.
And it is my understanding that currently, a significant
amount of the work that is being undertaken by NCSD is being
carried out by other contractors. Private contractors,
including Booz-Allen. As a member of the Oversight and
Government Reform Committee, we have been exercising oversight
in a number of areas where the Government is making significant
use of private contractors, most notably in the news in
connection with the war in Iraq and the flap that has developed
around Blackwater.
And I understand the role of contractors in assisting
agencies with program administration, but I also understand
that contractors aren't supposed to play any role in inherently
governmental or policy-focused activities. We recognized that
as a potential conflict with Mr. Purdy, and we remain concerned
that there may continue to be conflicts at the NCSD. And I note
in your testimony, at pages--especially at 4 and 6, where you
talk about the collaboration that exists in the public/private
partnership that is ongoing.
So, there are relationships here, which while important are
fraught with potential problems. Can you tell us how many full-
time governmental employees there are within NCSD, NCS, and the
other DHS units under your authority?
Mr. Garcia. Sir, I don't have the exact number. We have
approximately 100 individuals in NCSD and NCS, and about that
number in contractors. So we do rely on contractors. It gives
us the resilience we need to respond to urgent initiatives. It
enables us to surge and to pull back our resources as
necessary.
Mr. Hodes. And when you say 100 contractors, do you mean
100 employees who are the employees of contractors, or 100
separate different companies?
Mr. Garcia. I can give you that exact number--I can get
back with you on that specifically.
Mr. Hodes. I would appreciate having the documents that
reflect that. And Mr. Chairman, if I may, request that the
record stay open long enough to have that information
submitted.
Mr. Clay. Without objection, the gentleman will do
everything to get us those records.
Mr. Garcia. Absolutely.
Mr. Hodes. Off the top of your head, who are the largest
contracting entities who are supplying these contractors to
those agencies of which you spoke?
Mr. Garcia. The most number of contractors from any one
organization, I cannot be certain on that answer, likely to be
Booz-Allen.
Mr. Hodes. And what is your sense of the size of Booz-
Allen's commitment in terms of a percentage of that number of
approximately 100 who are working?
Mr. Garcia. I can get that for you, as well.
Mr. Hodes. You don't have any sense today?
Mr. Garcia. Not an accurate sense for you. No, sir.
Mr. Hodes. And what are the roles and responsibilities of
those contractors at your agency, versus the responsibilities
of the Government employees?
Mr. Garcia. None of the contractors are in managerial
positions. So, they serve in a support role for all of our
activities.
Mr. Hodes. And who is supervising them? And who is
responsible for their day-to-day activities? Is it the
employees at your agency, or is it the providing companies?
Mr. Garcia. The Government employees under my organization
are responsible for supervising the activities that the
contractors support.
Mr. Hodes. May I continue with one further question, Mr.
Chairman? I see my time is up.
Mr. Clay. The gentleman is recognized for 2 additional
minutes.
Mr. Hodes. Thank you. Now, Mr. Garcia, I take it you would
agree that conflict of interest policies are critical to
ensuring the integrity of the work done for the Government?
Mr. Garcia. Yes, sir.
Mr. Hodes. And are there written conflict of interest
policies in place at the agencies you supervise to ensure that
those coming to work for your division remain free from
decisions that may potentially impact former employers or
clients? And I am talking about both full-time employees as
well as consultants working under your direction.
Mr. Garcia. Yes, sir. I believe there is. And I can get
back with you on that and supply that with you.
Mr. Hodes. Similarly, Mr. Chairman, I would ask that the
record be held open to accept that submission.
Mr. Clay. Without objection, and we would appreciate it if
we could have it in 5 legislative days.
Mr. Hodes. Thank you, Mr. Chairman. And just one final
quick question. As a former lobbyist for the Information
Technology Association of America, how have you yourself made
sure that you are remaining free from any conflicts concerning
issues of importance to your former employer?
Mr. Garcia. My mission, Congressman, is in total support
for the Department of Homeland Security and to the Nation that
we protect. My former employer was a trade association, and my
former employer was also the U.S. Congress. So, my mission is
quite clear and that is to promote the security and resiliency
and the availability of the Nation's communications and
information infrastructure.
Mr. Hodes. I understand that is what your mission is, and
what have you done with your former employer to make sure that
you yourself have taken the proper steps to ensure there is no
conflict of interest?
Mr. Garcia. We work with them. I have no conflict of
interest with my former employer. We work with them as we do
with any other major trade association in information
technology as a major partner of the Department of Homeland
Security. We cannot do our work without partnership from
industry, from IT, from communications, from financial
services. But they are but one of many, many stakeholders and
players in this process. And I am focused squarely on our
mission.
Mr. Hodes. Thank you. Thank you, Mr. Chairman.
Mr. Clay. Thank you, Mr. Hodes. Mr. Yarmuth of Kentucky, 5
minutes.
Mr. Yarmuth. Thank you, Mr. Chairman. When I listened to
the testimony, it kind of reminds me of the now infamous words
of Secretary Rumsfeld when he said, ``There are things we know
we know, and things we know we don't know, and things we don't
know that we don't know.''
It sounds to me like there are a lot of things about the
threats facing the Internet that we know, and threats that we
don't know that we know, and we don't know that we don't know.
And anyone can attack this problem. Is our biggest problem in
this area threats that we don't even know exist, or are we
still at the point where we don't know to combat the threats we
know about?
Mr. Garcia. I think it is a matter of both, Congressman. We
over the past couple of years, I believe, have made tremendous
progress in terms of understanding the threats facing the
Internet infrastructure. Our visibility into the Internet
infrastructure is increasing.
For example, my U.S. CERT collects incident reports from
private sector and Government entities. Last year, we received
37,000 reports. The year before that, 24,000 reports. Is that
because the incidents are increasing or is it because the
reporting is increasing? It is probably a little bit of both.
But the threat is still there. So much is happening under
the radar. There are so many attacks and probes happening
across our networks that we are not seeing. And so, a big part
of my mission is to work with the owners and operators of those
infrastructures, whether it is IT or communications or
financial services, transportation, electricity, to build
awareness. And to build investment in the systems and the
process that will raise the level of visibility into what is
happening in our networks so that we can take the steps to
mitigate them.
Mr. Yarmuth. Is that ultimately the measure of whether you
are successful or not? Whether the incidents that you know
about are reported to you are declining? Or is there some other
metric that you can come up with to allow you and us to know
whether we are actually making progress?
Mr. Garcia. Yes, sir. We have many metrics, and none of
them taken by themselves is going to be sufficient. Increasing
the number of incident reports. That is a measure of success.
That means people are paying attention and they are reporting
it. They are sharing sensitive information.
The amount of investment is also a measure of success, the
investment in cyber security and information technology is
increasing. We are looking at the number of students going into
information security as a curriculum pursuit in universities.
So, there are many measures, but we still are not going to
be able to measure all the attacks that are happening without
our seeing them. The threat is constantly evolving. The
adversaries are very sophisticated. And we have to evolve with
them.
It is an ongoing technological chess match, if you will,
except that there is no check mate. So, this is going to be
ongoing. And we can take one measure at a time, and measure our
success and hope that we don't take any steps back.
Mr. Yarmuth. I am curious also, and this may not even be
related to--well, it relates to a certain extent, to the
ultimate goal of the hearing. But the issue of motivation. Is
there any way to gauge whether these--what percentage of the
attacks are motivated by people who just want to see if they
can figure it out? Kind of intellectual curiosity or whether
they actually have evil motives, if you will. Evil intent.
Mr. Garcia. I will let Mr. Wilshusen elaborate, but I think
what we--and indeed Mr. Ross, since he is also on the front
lines--but we do see a variety of motives. It used to be that
hacking, as it were, was very much a joy ride exercise.
Teenagers seeing what they can get away with. Motivations
related to ``hactivists''--those relating to political motives,
as perhaps what we saw in Estonia.
But the adversaries are becoming more sophisticated and
more focused on very specific targets. And that includes the
desire for information, whether it is from companies or from
governments. It includes the pursuit of money through cyber
crime, through financial services networks or through identity
theft.
So, they are becoming very sophisticated and very targeted
with multiple intents.
Mr. Yarmuth. Mr. Wilshusen.
Mr. Wilshusen. Yes. And I would just like to add, too--I
agree with everything that Mr. Garcia just mentioned regarding
the threats--is that there are criminal activities and criminal
elements out there that do have a financial motivation.
In addition, there are also foreign nation-states that also
have an interest in obtaining intelligence information about
their potential adversaries, including, of course, the United
States.
I would also like to point out, too, that the threat is
evolving and indeed the vulnerabilities are also increasing.
Just to give you a statistic, the National Vulnerability Data
base has identified over 26,000 software flaws or mis-
configurations that could be exploited to provide an avenue for
someone to gain unauthorized access. That total, according to
the National Vulnerability Data base, is increasing by 16 every
day. The vulnerabilities are legion. The threats are adaptive,
and they are constantly evolving, and it is quite a challenge
to be able to protect computer systems against that.
Mr. Clay. Thank you.
Mr. Yarmuth. Thank you, Mr. Chairman.
Mr. Clay. Thank you, Mr. Yarmuth. Mr. Wilshusen, since the
original GAO Report on Internet Infrastructure and Recovery
Plans came out last year, can you identify the areas in which
DHS has demonstrated significant progress? How about the areas
in which progress is lagging or that have been just totally
ignored?
Mr. Wilshusen. Yes, sir. Well, as Mr. Garcia mentioned in
his opening remarks, some of the areas for progress included
that DHS released its Sector Specific Plans for the IT and
Communications Sectors. It also developed and revised its
National Response Plan or framework to assure and make sure
that it addresses cyber incidents that require Federal
response.
In addition, DHS has also led these private/public
exercises, Cyber Tempest, Cyber Storm, that examine response
and coordination mechanisms to simulated cyber events. These
exercises add value. And the after action reports provide
useful information on lessons learned during those exercises.
Of course, the next step though is taking those lessons learned
and actually implementing them into the plans.
Now, some areas where DHS is lagging, if you will, is that
it has not yet developed a private/public plan for Internet
recovery. Nor has it set a date when that plan would be
completed.
In addition, DHS also disbanded the Internet Disruption
Working Group, and it is not clear exactly how well that
group's functions and responsibilities will be addressed by
other groups that DHS is working with.
And one other thing. As Mr. Garcia mentioned, there are a
number of working groups addressing this area of Internet
recovery. However, the interrelationship among these groups is
not certain.
Mr. Clay. Have there been appropriate triggers established
to determine what type of Internet disruption would merit a
Government response?
Mr. Wilshusen. Well, there have been efforts, I believe. A
couple of the working groups have looked at those triggers, but
as of now, the specific triggers have not yet been fully
developed or implemented.
I might also want to point out, too, that one of the key
aspects in order to make these triggers work is to make sure
there is an effective analysis and warning capability. And DHS
does have, for example, U.S. CERT, and as Mr. Garcia mentioned
earlier, the use of the Einstein network monitoring tool, which
can help provide information supporting those triggers. But
Einstein has not yet been implemented across the Government.
Mr. Clay. Thank you for that. As part of GAO's review of
DHS' Internet recovery responsibilities, it cited a lack of DHS
leadership and stability throughout its management ranks. Has
this improved since the report was released last year?
Mr. Wilshusen. Well, one area where it has improved is
indeed the appointment of Mr. Garcia as the Assistant Secretary
for Office of Cyber Security and Communications, and the
Assistant Secretary has spelled out some key priorities for the
Department, including preparing and deterring attacks,
responding to cyber-attacks of potentially national importance
or significance, and also building awareness among the various
different stakeholders in cyber security.
However, DHS continues to be hampered by its inability to
retain key officials in the cyber security area. For example,
the Director of the National Cyber Security Division has
recently left, as have other key officials related to cyber
security control systems and officials responsible for cyber-
related exercises.
Mr. Clay. Thank you so much for that. Mr. Ross, as the CIO
from Missouri, has your office sought to prioritize the State
networks and critical infrastructures that are most critical in
an emergency incident? And if so, how was it done?
Mr. Ross. Yes, sir. We are always looking to find that
single point of failure, which if taken out, will take the
whole system down. You know, we have identified the essential
functions Government has to do, which is communicate, pay
people, pay bills, buy things, provide medical services, direct
people in emergencies and so, in working with the Department of
Homeland Security, the State Department of Homeland Security,
the State emergency management folks, we are putting together a
plan to do that.
Now, in my own shop and the IT folks, we have identified
vulnerabilities in the State network and we are working to
patch those. We have recently signed a contract with AT&T to
manage the State-wide network to give us that resiliency and
that disaster recovery ability because of their large network
and their redundancy.
So, that in combination with State assets--which do include
1,700 miles of fibers that the Highway Department owns, that we
leverage for them--all come together to give us a resilient
backbone to keep running in times of emergency.
We are not there yet because we have just signed the
agreement with AT&T and are moving into that relationship with
them. But I look forward to that. That will provide not only
the tremendous wide highway to operate on, but also the back-up
and disaster recovery we have been after.
Mr. Clay. Thank you. What are the greatest strengths and
weaknesses of the Multi-State ISAC? Are its activities related
to information sharing and threat analysis of cyber incidents
providing you with adequate information for decisionmaking?
Mr. Ross. Mr. Chairman, Missouri is one of the two founding
States in that organization. We are extremely active in that.
One of my security officers is co-chair of the Legislative
Committee and another member of his team is on an Operations
Committee, I believe.
So, we are actively engaged with them, in contact with them
nearly every day. Phone calls and then certainly when an event
or a vulnerability is identified, that network fires up very
quickly. So, we depend on and use them very heavily.
Mr. Clay. OK. Thank you for that. Mr. Hodes, did you have a
second round of questioning? Please proceed for 5 minutes.
Mr. Hodes. Thank you, Mr. Chairman. Mr. Wilshusen, I am
looking through the statement you provided, your testimony
here. And I note on pages 9 and 10, in dealing with the
questions of the existing laws and regulations and their
application to Internet recovery, some issues arise.
You point out, for instance, that the Stafford Act
authorizes Federal assistance to States, local governments,
not-for-profits, in the event of a major disaster or emergency,
but doesn't apply to for-profits.
Do you see a revision of that as necessary, desirable?
Something else, is it absolutely required? Would it provide an
incentive for some kind of conduct on the part of for-profits,
which has been problematic up until now? Would you comment?
Thanks.
Mr. Wilshusen. Yes, I would be glad to. During this review
that we conducted last year, we did a number of case studies
over key Internet cyber events. One of them had to do, of
course, with Hurricane Katrina. And it was during that event
where key infrastructure owners needed to gain access to the
resources or to their facilities and have the ability to have
basic food, water and other necessities in order to more
quickly restore service operations--their service capabilities.
However, the Federal Government was not able to help them
or to provide the short-term tactical support that was needed
in order for them to actually gain access to their facilities.
And so, part of that was due to the Stafford Act, because the
Federal Government cannot provide assistance to these for-
profit organizations.
Mr. Hodes. So, had the Federal Government been able to
provide that short term tactical assistance, the response of
those for-profits in coordinating the effort to recover, would
have been much quicker?
Mr. Wilshusen. And would have been enhanced. Yes, sir.
Mr. Hodes. Turning to the Communications Act of 1934, there
is an implicit suggestion in your written statement that needs
to be revised to address the new threats, the new concerns,
that the cyber infrastructure has created since 1934 and
whatever amendments there have been. Am I correct that you see
that as something that Congress needs to look at?
Mr. Wilshusen. Yes, because we see that as a Communications
Act that does not address specifically the Internet and
certainly not the roles and responsibilities for Internet
recovery from disruptions or major disruptions.
Mr. Hodes. Thank you. Mr. Garcia, it was recently reported
that one vendor, a major DHS IT vendor, Unisys, had been
concealing a number of significant cyber security incidents and
attacks on Department systems, including many that apparently
exposed the entire DHS enterprise to significant cyber-threats.
Could you explain your role in responding to the incidents as
they were reported to DHS leadership?
Mr. Garcia. Sir, that particular issue, we have a
separation of responsibilities. The Office of Cyber Security
and Communications is responsible for a national outreach on
cyber security policy and implementation, whereas the
protection of the DHS network itself, that responsibility
resides within the Office of the Chief Information Officer
[CIO]. So, neither I nor was my office was directly involved in
that particular issue.
Mr. Hodes. So, it is not your job?
Mr. Garcia. That is correct.
Mr. Hodes. Did you coordinate at all with the Chief
Information Officer on what happened?
Mr. Garcia. Yes. So our role within the U.S. CERT is in
fact, to treat the DHS networks as we do all of our Federal
agency customers, if you will, particularly through our
outreach and information sharing in the Einstein program, we
work to try to help agencies see what is happening on their
networks and to exchange information with them and ultimately
to correlate activities to find trends that are happening
across the Federal network. And that goes with the CIO's office
as well.
So, we are in close contact with the Office of the CIO as
incidents happen, in the DHS networks or any other Federal
agency network.
Mr. Hodes. So, I am assuming that because it is an agency
with which you are involved and that you must be in touch with
the CIO about these kinds of incidents, what happened to
Unisys? What was done? Were they sanctioned? And what steps
were taken by the CIO to prevent these kinds of incidents from
happening in the future?
Mr. Garcia. I certainly would defer to the CIO to answer
those questions for you, as I was not directly involved in
that.
Mr. Hodes. May I just followup for one quick moment?
Mr. Clay. Please. Go ahead.
Mr. Hodes. Did you have any conversations with the CIO
about what was going on with this breach by Unisys and how it
was being handled and what effect it would have on the agencies
that you do deal with?
Mr. Garcia. Our U.S. CERT facility was in contact with his
office, and I can get back with you as to exactly what the
interaction was. I personally was not involved. That also deals
with a contracting matter with the CIO's contract with Unisys.
Mr. Hodes. So, to the extent there are any documents within
your purview, control, constructive control, or custody, I
would like you to provide to this body any and all documents
reflecting any interaction, discussion or contact you or your
agency, or anybody in it had with the CIO about the response to
Unisys over this breach. Will you provide that to us?
Mr. Garcia. Certainly.
Mr. Hodes. Mr. Chairman, I request that the record stay
open so that those documents may be provided.
Mr. Clay. Without objection, for 5 legislative days.
Mr. Hodes. Thank you, sir. Thank you, Mr. Garcia.
Mr. Clay. Mr. Yarmuth.
Mr. Yarmuth. Just one followup question. And this is mostly
for my own understanding. I would like to try again to clarify
the difference between for-profit and the not-for-profit world.
And also, the difference between the infrastructure world and
the software world, because presumably most of the software out
there is produced by for-profit companies and you have a
security aspect of the software and a security aspect of the
infrastructure. I am just curious as to where you draw the line
as to where the Government's interest and responsibility begins
and where it ends.
Mr. Garcia. If I understand your question, the way we look
at it is that 85 percent to 90 percent of the critical
infrastructure is owned by the private sector. So, they are
managing the networks and the private sector is developing the
hardware that runs on and runs those networks. It is our job to
coordinate with those who are owning and operating and those
who are using those systems to ensure that we have a proactive
way of dealing with attacks and vulnerabilities as we find
them.
Mr. Yarmuth. What I am trying to understand the difference
between the relevance of for-profit and not-for-profit where
the Stafford Act issues arise.
Mr. Garcia. I am not exactly sure of the answer to that
question, sir.
Mr. Yarmuth. OK. Well, I am not sure that I know enough to
ask any more. Thank you.
Mr. Clay. OK. The gentleman yields back. Mr. Garcia, Mr.
Wilshusen pointed out that one of the issues that your
Department has is retaining key officials in cyber security.
What do you think is the solution to the revolving door there?
What are the main issues and why do you lose so many key
people?
Mr. Garcia. Thank you, sir. I honestly would not
characterize it as a revolving door. In fact, some of our more
recent departures were strictly for personal reasons. Two major
staff wanted to relocate closer to family across country and
south of here. And to be honest, the DHS environment and our
mission is a very high intensity one, and very fast paced and
long hours. And given that, we make every effort to first
recruit the best talent we can and then to retain them, and to
reward them, and to make their experiences and their challenges
meaningful.
So, we are acutely aware of the need to have the best
talent we can and we are actively filling those posts that have
been vacated.
Mr. Clay. Are many leaving for private corporate cyber
security positions?
Mr. Garcia. I am not sure exactly where they went. Probably
to the private sector, but more toward a different way of life,
closer to family.
Mr. Clay. I see. Let me go another direction. According to
GAO's 2006 Report on Internet Infrastructure, one of the
significant obstacles facing DHS is the conflicting or
overlapping roles of the National Cyber Security Division and
the National Communications System, which seems to have
undefined and conflicting roles in response to a major Internet
disruption or cyber-attack. As the person in charge of both the
NCSD and NCS, can you explain to us how the roles and
responsibilities of both units are distinct or different?
Mr. Garcia. Absolutely. Very good question. The National
Cyber Security Division is responsible for the security of the
information infrastructure. The National Communications System
is responsible for ensuring that the Government, that the
Nation, has the ability to communicate in times of national
emergency.
So you think of the NCS and communications as the pipe, the
telecommunications pipe, and the NCSD as dealing with the
software and the technology that controls the operations of
those pipes and sends information through those pipes. So, NCSD
and NCS have very complementary roles. Certainly not
conflicting. Sometimes overlapping, but overlapping for the
better.
My role is to try to bring those--by the way, NCS is a 40
year old organization, and NCSD is a 4-year old organization.
So they have much different histories, but they work very
closely together. For example, in the Estonia distributed
denial-of-service attacks, NCS and NCSD worked very closely.
Second, I am working to bring together, to co-locate the
U.S. CERT operations with the NCS operations, which is called
the NCC, the National Coordinating Center for
Telecommunications, that is a 24/7 watch operation as well,
that serves the communications infrastructure involving
communications companies and Government employees.
So, we are bringing them together so that the IT and
Communications can have a more synthesized view of what is
happening on our information and communications
infrastructures.
Mr. Clay. Let me ask you, as voice and data transmission
networks continue to converge, wouldn't combining NCSD and NCS
prove to be more efficient for agency operations?
Mr. Garcia. I think certainly a good number of the
functions have already converged. That when we look at the
convergence of communications from the traditional circuit
switch to packet switch technology, security is going to equal
availability, and availability is going to equal security. So
we can't bifurcate those functions.
There are unique and distinct functions within the National
Communications System and NCSD that may remain unique, but by
and large, you are absolutely right, Mr. Chairman, functionally
NCS and NCSD will over time converge.
Mr. Clay. Thank you for that response. It is my
understanding that NCSD recently released a draft of what it
called the Information Technology Security Central Body of
Knowledge, competency and functional, A Framework for IT
Security and Workforce Development. Isn't this the type of work
usually undertaken by the private standards-setting community,
such as the ISO standards organization? How is this work unique
to what has already been developed by the standards community?
Mr. Garcia. Very good question, and I thank you for that.
Yes, the Essential Body of Knowledge [EBK], is our attempt to
bring together actually a number of those security skills,
training skills standards that have been put out by a number of
different organizations and really find the common elements
among all of those. What we can do is provide as a reference
for academia, for the practitioners, a synthesized set of work
force skills and training standards to develop curricula or to
develop training within the enterprise.
So, in no way is it intended to supplant the other private
sector-developed security standards. It is instead intended to
sort of de-conflict among those and provide a much higher level
reference for those who are trying to distinguish between one
or the other type of standard that they ought to be using. So
we are quite enthusiastic about it.
Mr. Clay. OK. Thank you. Mr. Wilshusen or Mr. Ross, do you
have anything else to add?
Mr. Ross. Thank you, Mr. Chairman. I might go back to a
previous point that Mr. Yarmuth mentioned. And that is the
evolving nature of threats. We are always having to--what we
see in Missouri is, we will see low-level threats. Low-level
probes of our data center and our network. We will see hundreds
of thousands of these low-level threats and probes but little
variations on each other, and then at the end of that period,
we will see a heavy strike on our data center in an attempt to
bring down servers or communication equipment and the like.
And to get to your other point, Representative, it is not
teenagers hacking anymore. It is coming from other countries.
Our forensic tools can track it down to continents and to
countries, and it is coming from all over the world. But it is
very focused. States have extremely valuable information.
Financial information, health information, driver's license,
Social Security number-type information and they are after
that.
A recent example I heard a presentation about. If you can
just get hold of a CD copy of all the freshmen coming into the
University of Missouri, either the law school of the finance
school or accounting or the like, that is probably worth $2,000
going in. Then years down the road, when it is actually--when
they are income-producing people, that information is extremely
valuable, and that is when they use it. So that type of
information is what people are after.
Mr. Clay. Do you ever make any successful apprehensions?
Mr. Ross. Outside the country? No. Inside the country, we
do.
Mr. Clay. OK. Mr. Wilshusen, anything to add?
Mr. Wilshusen. No.
Mr. Clay. No? Thank you. I want to thank the entire panel
for their testimony and answering questions. This panel is
dismissed. Thank you.
As soon as this panel is up, we would like the second panel
to come forward to be sworn in.
Thank you. On our second panel, we have a distinguished
group of individuals who are highly qualified to address the
issues associated with cyber security and Internet architecture
from a variety of important perspectives.
Mr. John T. Sabo is the current president of the
Information Technology Information Sharing and Analysis Center
[IT-ISAC], as well as the director of Global Government
Relations for CA, Inc. In addition to IT-ISAC, Mr. Sabo
represents CA in a number of security and privacy focus
industry organizations and is an appointed member of the U.S.
Department of Homeland Security Data Privacy and Integrity
Advisory Committee. Welcome.
Mr. Larry Clinton is the president of the Information
Security Alliance, which has over 500 corporate members on four
continents representing virtually every major segment of the
economy. Mr. Clinton is a member of several boards and advisory
committees, including the National Partnership for Cyber
security, the Internet Education Foundation and the Advisory
Board of the U.S. Congressional Internet Caucus, the IT Sector
Coordinating Council and the DHS Critical Infrastructure
Protection Advisory Council.
Prior to coming to IS Alliance, he was a vice president at
the U.S. Telecom Association, served as a legislative director,
in the House of Representatives. Welcome back, Mr. Clinton.
Mr. Ken Silva is the chief security officer of VeriSign.
VeriSign's chief security officer and VP for Networking and
Information Security. He oversees the mission critical
infrastructure for all network security and production IT
services for VeriSign. He also serves on several boards and
advisory committees, including Information Technology,
Information Sharing and Analysis Center. He is the chairman of
the board of the Internet Security Alliance. Thank you for
being here.
Ms. Catherine T. Allen is the chairman and CEO of the Santa
Fe Group, a strategic consulting firm specializing in
technology and innovation issues facing the critical
infrastructure. Ms. Allen has long been recognized as a leading
expert on technology issues facing the financial services
sector and other critical infrastructure industry. Prior to her
current position with Santa Fe, she served as the founding CEO
of BITS, a technology-focused consortium led by the CEOs and
CIOs of our Nation's top 100 financial institutions. She is a
graduate of the University of Missouri, where she also received
an honorary Doctorate of Humane Letters in 2005.
Congratulations and welcome.
Ms. Kiersten Todt Coon is a VP of Good Harbor Consulting,
where she focuses her efforts on developing risk management
solutions for IT infrastructure and homeland security clients.
Prior to joining Good Harbor, Ms. Todt Coon worked as a policy
advisor to several senior Government and private sector
leaders, including the Governor of California and former VP Al
Gore. She also served as a professional staff member on the
U.S. Senate Committee on Governmental Affairs, where she was
responsible for drafting the Science and Technology
Infrastructure Protection and Emergency Preparedness
Directorate section of the Homeland Security Act of 2002. A
graduate of both Princeton and Kennedy School of Government at
Harvard, Ms. Todt Coon currently serves as a term member of the
Council on Foreign Relations.
I welcome all of you. It is the policy of the committee to
swear in all witnesses before you testify. And I would like to
ask you to stand, please, and raise your right hands.
[Witnesses sworn.]
Mr. Clay. Thank you. Let the record reflect that all of the
witnesses answered in the affirmative. You may be seated. And
we will start with Mr. Sabo to begin his testimony. And you
have 5 minutes, and we like summaries.
STATEMENTS OF JOHN T. SABO, PRESIDENT, INFORMATION TECHNOLOGY
INFORMATION SHARING AND ANALYSIS CENTER AND DIRECTOR OF GLOBAL
GOVERNMENT RELATIONS, CA, INC.; LARRY CLINTON, PRESIDENT,
INFORMATION SECURITY ALLIANCE; KEN SILVA, CHIEF SECURITY
OFFICER AND VICE PRESIDENT FOR NETWORKING AND INFORMATION
SECURITY, VERISIGN; CATHERINE T. ALLEN, CHAIRMAN AND CEO, THE
SANTA FE GROUP; AND KIERSTEN TODT COON, VICE PRESIDENT, GOOD
HARBOR CONSULTING
STATEMENT OF JOHN T. SABO
Mr. Sabo. Mr. Chairman, and members of the subcommittee. I
am John Sabo, director of Global Government Relations for CA.
It is one of the world's largest software companies. More
importantly for this hearing, I am a board member and president
of the Information Technology Information Sharing and Analysis
Center [IT-ISAC]. I am also a member of the separate IT Sector
Coordinating Council, and I chair the ISAC Council, which is
composed of 13 ISACs addressing cross-sector information
sharing issues.
I want to thank you and the subcommittee for the
opportunity to share our views on public/private sector
responsibilities with respect to preventing and addressing
Internet disruptions.
The IT-ISAC is a not-for-profit organization. We were
founded in 2001. We fund an operation center. We monitor and
address threats, vulnerabilities and attacks on the IT
infrastructure and we have processes in place allowing us to
address these issues collectively across the member companies
when issues rise to a level requiring joint analysis or action.
The IT Sector Coordinating Council and DHS formally
recognize the IT-ISAC as the operational, informational sharing
mechanism for our sector. The IT-ISAC is financed entirely by
member companies through our membership dues and represents a
significant by leading companies in the IT sector who have
stepped to the call for industry action.
The GAO and the Business Roundtable have released reports,
both of which have been referenced, expressing significant
concerns about the ability of the Nation to respond and recover
from a significant Internet failure.
Despite the fact that the Internet has to date proven
resilient, these reports reinforce the imperative to plan for
events that exceed our current understanding of threats.
History often proves us wrong and surprises us with the
unthinkable. The IT sector strategy to address these challenges
is outlined in the IT Sector specific plan and at the heart of
this plan is the need to protect key IT sector functions. And
this is a very distinct concept from the physical asset focus
of many other sectors. We are looking at IT functions.
The plan identifies in great detail a number of areas that
need to be strengthened and in the statement we have addressed
a number of them. I only touch on two here.
The first includes a number of steps that Government can
take to enhance the public/private operational capability.
Leveraging the expertise of the IT-ISAC and other fully
functional ISACs instead of turning to policy councils for
operational purposes.
Stabilizing U.S. CERT and providing it with adequate
funding in scale with its overall national mission, defining
and clarifying the relationship among the U.S. CERT and other
DHS analytical and operational components and programs.
Programmatically encouraging companies to join ISACs as a
best practice, something which the Roundtable did in its
report.
Supporting the cross-sector operational information sharing
projects initiated by the ISAC Council, with equal energy and
level of resources with which DHS supports policy and planning
initiatives. Providing regular classified briefings to ISAC
operational experts and not just to sector policy
representatives.
And finally, in this area, organizing more effectively in
response to the growing convergence between traditional IT and
telecommunications. And we welcome the physical co-location of
the U.S. CERT and the NCC watch that Assistant Secretary Garcia
mentioned, and in fact appreciate his invitation for the IT-
ISAC to have representation.
[The prepared statement of Mr. Sabo follows:]
[GRAPHIC] [TIFF OMITTED] T3198.042
[GRAPHIC] [TIFF OMITTED] T3198.043
[GRAPHIC] [TIFF OMITTED] T3198.044
[GRAPHIC] [TIFF OMITTED] T3198.045
[GRAPHIC] [TIFF OMITTED] T3198.046
[GRAPHIC] [TIFF OMITTED] T3198.047
[GRAPHIC] [TIFF OMITTED] T3198.048
[GRAPHIC] [TIFF OMITTED] T3198.049
[GRAPHIC] [TIFF OMITTED] T3198.050
[GRAPHIC] [TIFF OMITTED] T3198.051
[GRAPHIC] [TIFF OMITTED] T3198.052
[GRAPHIC] [TIFF OMITTED] T3198.053
Mr. Clay. I am going to ask each remaining witness to
summarize, if they can, in less than 5 minutes, their opening
statements. We are going to try to get in all opening
statements before we recess again.
Thank you, Mr. Sabo. Mr. Silva.
STATEMENT OF KEN SILVA
Mr. Silva. Thank you, Mr. Chairman. I want to commend and
thank you for holding this hearing. It is difficult to
overstate the importance of amplifying and expanding our
national focus on cyber security.
Richard Clarke famously warned of the potential of a
digital Pearl Harbor in which critical components of the
Nation's increasingly vital electronic infrastructure would be
brought down by a coordinated electronic attack.
Since he expressed his concern, nothing really much has
changed to make this any less dire. If anything, the threat
grows greater every day. In fact, it has already happened to
the country of Estonia earlier this year.
None of us in Government or the private sector can sit
still on electronic security. Our defenses must always remain
two steps ahead of potential holes and exploits. If we fail to
maintain that focus and let it deteriorate, we will be holding
a very different sort of hearing in the near future, one in
which we are all called upon to answer the hard question about
what happened and what could we have done to have prevented it.
I have been asked to offer a perspective on the efforts
VeriSign and the Internet industry are taking to ensure that
such a calamity never occurs. Make no mistake, it would be a
major catastrophe for the Internet to experience such a
significant failure.
Approximately 25 percent of America's economic value moves
over network connections each day. And it is not just our
economy that would suffer. Government agencies at every level
rely on the Internet. Imagine today's Congress trying to
operate without e-mail or any other network services.
What could cause such a failure? There are a couple of
potential scenarios. The first is that we in the Internet
community simply fail to expand the Internet infrastructure
enough to meet the mounting demands placed upon it. The second
potential for failure is that we fall short in adequate
protection of our critical resources against a host of
increasingly sophisticated cyber-attacks being directed against
it.
Internet crimes are increasingly conducted by sophisticated
international crime syndicates that reap huge profits by
targeting the network and its users. Even more frightening is
the rise of cyber-attackers backed by governments and other
deep-pocketed enemies of the United States.
Today's attacks can cause damage 100 times more extensive
than the attacks just a year ago. This is why investment in the
infrastructure is so critical. Simply put, if we wait for usage
to outpace the development or for sophisticated attacks to
overwhelm our stagnant defenses, we are already too late.
We learned the cost of complacency as a country when we
watched the damage done by Hurricane Katrina. By the time
Katrina hit the Gulf Coast, it was too late to strengthen its
levees. We should not have to learn that lesson more than once.
Critical resources should be reinforced long before there is a
threat to their well-being.
The Internet continues to grow at dramatic rates, which
means the infrastructure must scale to meet that demand. No one
can take security and stability of these networks for granted;
not VeriSign, not the ISPs or other private sector players, and
certainly not the Government.
As the operator of the dot-com and dot-net domain
registries, as well as a steward for 2 of the 13 root servers,
VeriSign understands what is at stake. Over the last 8 years,
VeriSign has operated its infrastructure with 100 percent in
up-time. In other words, the systems that ensure Internet's
core infrastructure remain functional have never gone down.
VeriSign's primary computers that handle the dot-com and dot-
net traffic are now capable of handling 10,000 the number of
queries that they could handle in 2000.
And while the dot-com and dot-net systems currently process
more than 30 billion queries a day, we will need to build a
network infrastructure that can support 10 to 100 times that
level of volume in the next few years.
That is why earlier this year, VeriSign announced a global
initiative called Project Titan to expand and diversify its
Internet infrastructure to those levels by 2010. These upgrades
are vital to managing the surge in Internet interactions and
protecting against cyber-attacks.
VeriSign is well on its way to meeting its goals under
Project Titan and is already considering how to address this
set of challenges.
Thank you.
[The prepared statement of Mr. Silva follows:]
[GRAPHIC] [TIFF OMITTED] T3198.054
[GRAPHIC] [TIFF OMITTED] T3198.055
[GRAPHIC] [TIFF OMITTED] T3198.056
[GRAPHIC] [TIFF OMITTED] T3198.057
[GRAPHIC] [TIFF OMITTED] T3198.058
[GRAPHIC] [TIFF OMITTED] T3198.059
Mr. Clay. Thank you.
STATEMENT OF LARRY CLINTON
Mr. Clinton. I want to congratulate you, Mr. Chairman, on
holding this hearing of the Government Reform Committee,
because Government reform is clearly what is necessary.
The June 2, 2006 GAO Report got it exactly right. The
problem is the inherent characteristics of the Internet. The
Internet is unlike anything we have ever dealt with before. It
is international, it is interactive, it is constantly on the
attack. Consequently, it will require a security system unlike
anything we have ever designed before.
We can't simply cut and paste previous government systems
and put them into Internet security. Even if Congress enacted a
brilliant statute, it would only go to our national borders.
Even if a regulator came up with a brilliant solution, it would
be outdated before you could put it into effect.
Fortunately, we need other things to attack the Internet.
The committee has expressed some interest in the instance of
Katrina, saying that we should model ourselves on that. There
are major differences between cyber-attack and Katrina.
Katrina, we could see it coming. Literally. From hundreds of
miles away. The adequate analogy to Katrina is that the problem
with Katrina wasn't the event itself. The problem with Katrina
was that the systems weren't in place to properly handle the
event.
Now, fortunately, we actually know a good deal about how to
mitigate and manage a number of issues dealing with cyber
security. The largest study ever conducted in this field found
that the best practices group, people who follow the industry
recognize best practices were able to have fewer incidents,
less downtime, less financial loss.
What we need to do is find a way to get more people to
follow the best practices that industry is already following.
Industry is also not waiting for government to get its act
together. Industry is aggressively moving forward with new
products and services because, as it has already been pointed
out, the problem has morphed.
We are no longer looking at these well publicized instances
like Blaster and Love Bug that were designed to get publicity.
Instead, what we are dealing with now are carefully targeted
designer malware that can sit on a system for an extended
period of time, cause tremendous damage and we don't even know
it is there.
Fortunately, we are developing new systems to attack this.
But there is a role for the government. And role for the
government was pointed out in that 2006 GAO Report, where they
pointed out that in the private sector, competitors were
working together to deal with these incidents when they see
that there is a direct business relationship benefit to that.
And the NIPP, the National Infrastructure Protection Plan, also
pointed out--and this is the one thing that I choose to read
for you, Mr. Chairman:
That the public private partnership called for in the NIPP
provides for the foundation for effective critical
infrastructure protection. The success of the partnership
depends on articulating the mutual benefits to government and
the private sector partners. While articulating the value to
the proposition for the government is typically clear, it is
often difficult to articulate the direct benefits to the
private sector. In assessing the value proposition for the
private sector, there is a clear national security interest and
homeland security interest in ensuring that the collective
protection of the critical infrastructure goes beyond that of
the business unit. Government can engage industry to go beyond
efforts already justified by their corporate business needs and
assists in a broad-scale critical infrastructure protection by
creating an environment that supports incentives for companies
to voluntarily adopt widely held best practices.
And I conclude my presentation by listing for you 10 steps
that I would suggest that the committee consider for roles that
the Government can embrace, which are not your traditional
regulatory role, but are things like leading by example, using
your market power instead of your regulatory power; supporting
research and development that is not going to be undertaken by
industry; using the market incentives that you have
traditionally used in other areas; address the lack of cyber
insurance; raise your aim in terms of awareness to focus on
senior executives rather than individuals; adopt a coherent
strategy for dealing with the private sector, something
discussed before; clarify the roles and procedures for crisis
management; and rethink your approach to information sharing.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Clinton follows:]
[GRAPHIC] [TIFF OMITTED] T3198.060
[GRAPHIC] [TIFF OMITTED] T3198.061
[GRAPHIC] [TIFF OMITTED] T3198.062
[GRAPHIC] [TIFF OMITTED] T3198.063
[GRAPHIC] [TIFF OMITTED] T3198.064
[GRAPHIC] [TIFF OMITTED] T3198.065
[GRAPHIC] [TIFF OMITTED] T3198.066
[GRAPHIC] [TIFF OMITTED] T3198.067
[GRAPHIC] [TIFF OMITTED] T3198.068
[GRAPHIC] [TIFF OMITTED] T3198.069
Mr. Clay. Thank you so much, Mr. Clinton. The committee
will now recess for the duration of these votes on the floor.
They tell me it will be about half an hour. I am sorry. The
committee stands in recess.
[Recess.]
Mr. Clay. The committee will come to order. Ms. Allen.
STATEMENT OF CATHERINE T. ALLEN
Ms. Allen. Thank you, Chairman Clay and members of the
subcommittee and committee for the opportunity to submit
testimony before you today on private and public sector efforts
to secure our Nation's Internet infrastructure.
The Santa Fe Group does a lot of work for the industry and
still for BITS. I am actually going to go directly to the
recommendations because of the time.
And what I am suggesting is that the financial services
industry has done a great deal to strengthen business
continuity, planning and coordinate prior to and during times
of crisis. We have business continuity plans which are
constantly updated. We refine and test them, and this is a
regulatory requirement, and part of our risk management
process.
Most financial institutions, in fact, all that are deemed
mission critical are required by our regulators to have
recovery operations in place and back-up in a very narrow
timeframe. And this requires telecommunications, it requires
power and it requires dependency upon IT. If any of those are
not working, we cannot meet our regulatory requirements.
I would be the first to tell you that we have a long way to
go as an industry, but there is much of what we do that we
believe could be copied or modeled for other critical
infrastructure industries.
We have a very successful FS-ISAC, Financial Services ISAC,
and FSSCC, a coordinating council for critical infrastructure
protection. We work very closely with our regulators through
the FBIIC and with the Department of Treasury in coordinating
on everything from Katrina to the power outage after 9/11.
Most recently, we ran a pandemic exercise which included a
component that looked at if the Internet was down and we had
many people working from home, what would that mean.
And I would say that the two most important things that we
have done related to Internet recovery are the work that we did
on business critical telecommunications services, where we
developed best practices, not only for the financial sector but
for the telecom sector, upon which we are extremely dependent,
to make sure that they had the diversity and redundancy that we
needed.
We also finished a business critical access to power. We
did this with the power industry, again to look at best
practices for alternative power if there was disruption in any
of the IT industry.
Last, we worked in managing third-party service providers.
Much of the Internet is dependent upon third parties, many of
whom are located in India and China and other places. So,
looking at how we manage those. Those are all models for other
industries.
The recommendations that I have are, recognize that other
industries may need to share the same level of responsibility
and liability that we do as an industry, and to look at some of
our regulatory requirements might not be a bad idea. Second, we
maintain rapid and reliable communications, and that means
diverse communications.
I personally had a number of our CIOs from the financial
sector in Detroit when we had the power outage, we were all
using our Blackberries, which were the only thing that still
worked, because the cell phones ran out and there was no power.
But that is how we communicated with our regulators, and we
were able to make sure that it wasn't a terrorist event, that
it was in fact a power outage. But we needed to have
alternative channels.
Recognize the critical infrastructures that are dependent
upon software and operating systems. The IT industry is the
backbone for telecommunications, for power, for the user groups
like financial services and chemical, and if they are down or
disrupted, we are down.
So, it is critically important to focus on the Internet,
the software and operating systems that access the Internet
because that is the backbone of both economic and
communications-wise for us.
We encourage our regulatory agencies and others to look at
the software vendors. Similar to what our regulators look at,
third-party service providers, to make sure that they are
delivering safe and sound practices and security practices
within those vendors.
Encourage collaboration and coordination among critical
infrastructures and the government agencies to enhance the
diversity and resiliency of the telecommunications
infrastructure. The NCC, the NCS, used to be an outstanding
organization. We did a lot of our early work with them. They
were gutted. They have no budget to be able to do the kind of
work that we need for them to do.
Invest in the power grid because of its critical and
cascading impact on other industries and other critical
infrastructures.
And when I talk about invest, I think there are incentives
that Congress can put in place to have these other industries
make sure that they maintain a resiliency.
Improve the coordination procedures across all critical
infrastructures and with the Federal, State and local
governments, I don't believe it is working, and I think there
is much that we need to do, when we do have a major event.
And last, encourage law enforcement to prosecute cyber
criminals. And in particular, on a global basis, because much
of the problems we have are not criminals in the United States,
they are criminals in the Ukraine or in Asia or in other
countries that are attacking our systems here today.
I thank you, Chairman Clay and Members, for this
opportunity to testify ensuring Internet resiliency and
security in light of the increased cyber-attacks. It is a
daunting task, but it is critically important to do so.
Thank you.
[The prepared statement of Ms. Allen follows:]
[GRAPHIC] [TIFF OMITTED] T3198.070
[GRAPHIC] [TIFF OMITTED] T3198.071
[GRAPHIC] [TIFF OMITTED] T3198.072
[GRAPHIC] [TIFF OMITTED] T3198.073
[GRAPHIC] [TIFF OMITTED] T3198.074
[GRAPHIC] [TIFF OMITTED] T3198.075
[GRAPHIC] [TIFF OMITTED] T3198.076
[GRAPHIC] [TIFF OMITTED] T3198.077
[GRAPHIC] [TIFF OMITTED] T3198.078
[GRAPHIC] [TIFF OMITTED] T3198.079
[GRAPHIC] [TIFF OMITTED] T3198.080
[GRAPHIC] [TIFF OMITTED] T3198.081
[GRAPHIC] [TIFF OMITTED] T3198.082
[GRAPHIC] [TIFF OMITTED] T3198.083
[GRAPHIC] [TIFF OMITTED] T3198.084
[GRAPHIC] [TIFF OMITTED] T3198.085
[GRAPHIC] [TIFF OMITTED] T3198.086
[GRAPHIC] [TIFF OMITTED] T3198.087
Mr. Clay. Thank you so much, Ms. Allen, for your testimony.
Ms. Todt Coon, you may proceed.
STATEMENT OF KIERSTEN TODT COON
Ms. Todt Coon. Good afternoon, Chairman Clay, and thank you
for the opportunity to testify. As was mentioned in the
introductions, I am currently a vice president at Good Harbor,
and of particular relevance to this hearing, served on the
Senate Committee on Homeland Security and Government Affairs,
and worked on the Directorate part of the DHS legislation on
Internet Protection and Emergency Preparedness.
In the interests of time, I will move pretty quickly to my
recommendations.
As the National Strategy to Secure Cyberspace correctly
stated, cyberspace is the nervous system supporting our
Nation's critical infrastructure. Yet, despite our recognition
of this, little has been done and there are several reasons for
this, including authority and ownership issues, both in the
public and private sectors.
Our Internet infrastructure is vulnerable for several
reasons, and I will tackle two of them regarding infrastructure
and looking at response capabilities. Regarding infrastructure
in our end systems, there are two classes of end systems. There
are home users and enterprise. Access to the servers usually by
these enterprise users is critical in a time of crisis. If the
end systems are compromised, then key response personnel will
not be able to access the information they need to respond to
an event.
The current challenge with which we are faced is that all
information, both critical and non-critical, is transmitted
over our information networks and treated equally. For example,
if this Nation is confronted with a pandemic like the avian
flu, our information networks as they currently exist will
experience disruptions and outages that will paralyze us and
prevent us from executing an effective emergency response.
The second area of weakness I will discuss in this brief
statement is response capabilities. Our response capability is
critical because obviously we are not able to guard
successfully against all threats. We don't have a back-up
system at this time that can be activated in the event of a
widespread Internet failure. And we have not developed
scenarios for potential attacks on our Internet infrastructure.
Experts disagree on the magnitude of risks and what needs
to be done. And what is important that we routinely use this
lack of consensus as an excuse for inaction. Until we reach
agreement on these issues, we will not be able to prepare for
imminent attacks.
So I offer today the following recommendations. The
Internet was designed for the purpose of openly sharing
information. The question then with which we are posed is how
do we impose the secure exchange of information on top of an
open sharing environment.
We should create a three-tiered system that allows our
networks to identify and prioritize in the following order.
First, critical communications supporting government
operations, business and first responders. Second, routine
business information, and third, non-critical information. In a
time of crisis, we must be able to ensure that critical
information is being delivered with priority speed and that it
is not encumbered by non-critical information being sent
simultaneously.
We must also develop back-up systems and conduct scenario
planning. If we experience a life cycle attack, we would need
to have the ability to reboot the Internet. We should have
reserve network protocols and we should maintain back-up
parallel systems that can replace the active systems and bring
up the critical portion of the Internet in the time of crisis.
And we should develop a playbook for scenario planning. And
I assert that this is different than exercise. Scenario
planning is different than exercises. Scenario planning would
push us to identify and conceive possible responses to a
serious attack. We need to think through how appropriate
players in both the public and private sectors will respond and
we need to examine our current authority and ownership issues
within both the government and the private sectors.
I now submit to you a final recommendation. One of the
first steps we need to take in preparing ourselves for an
information infrastructure failure is to set risk standards.
However, we can't set risk standards if we don't know what the
risk is.
I commend this committee on its work with FSMA because I
think FSMA has done a good job with defining cyber security. I
also propose a National Cyber Risk Assessment to be conducted
by a blue ribbon commission of experts who would be responsible
for defining the risks that exist. The only way we can begin to
adequately prepare ourselves is to commit to possible
scenarios. The assessment would inform the scenarios and enable
us to assign ownership and controls. The Office of Management
and Budget should provide the resources, the direction and the
oversight and leadership for this assessment.
In conclusion, experts and observers postulate that we do
not have to be worried about hackers taking down the Internet
because hackers would not intentionally bury their playground.
But our greatest risk does not come from hackers. It comes, as
was mentioned before, from foreign governments that can ably
and quietly use the Internet infrastructure for espionage and
other nefarious purposes.
The threat is particular strong from governments that have
developed their own internal Internets, such as China, and
would therefore not be severely affected by a worldwide
disruption.
Recent events have demonstrated that these scenarios are
not possibilities, but realities. Our national security, the
health and well-being of the community, and the daily
functioning of our society depend on the security and
resiliency of our infrastructure.
We have a responsibility to define the Internet
infrastructure risk that exists and to plan for that risk
appropriately. And we have a responsibility to act. I assert
that we must act now.
Thank you for the opportunity to testify before you today.
[The prepared statement of Ms. Todt Coon follows:]
[GRAPHIC] [TIFF OMITTED] T3198.088
[GRAPHIC] [TIFF OMITTED] T3198.089
[GRAPHIC] [TIFF OMITTED] T3198.090
[GRAPHIC] [TIFF OMITTED] T3198.091
[GRAPHIC] [TIFF OMITTED] T3198.092
[GRAPHIC] [TIFF OMITTED] T3198.093
[GRAPHIC] [TIFF OMITTED] T3198.094
[GRAPHIC] [TIFF OMITTED] T3198.095
Mr. Clay. Thank you very much. I will ask the panel several
questions, and I would love to hear responses from the entire
panel. We will just start at this end of the table with Ms.
Todt Coon, and go down the line.
The first issue is, regardless of which sector of the
economy we focus on, all of them have significant levels of
dependence on the Internet for their operations. It seems,
however, that we spend more time focusing on the risk of 17
different sectors, as opposed to the broad risk associated with
the disruption of a key critical asset, such as the Internet.
First, should we begin to move away from establishing
levels of risk for each specific sector, and move toward
establishing risk models according to specific assets or
critical functions, such as telecom, Internet or infrastructure
resiliency or the security of our power transmission assets?
Ms. Todt Coon, let's begin with you.
Ms. Todt Coon. Thank you. That is an excellent question,
and it is obviously a question that we are confronted with in
looking at how we have organized our sectors.
I think some would assert at this point that the sector
model is sophisticated in a way that is almost too
sophisticated for us to manage right now, because the reality
of how we are handling the sector issue is that it is stalling
us and preventing us from making the progress that we could on
information infrastructure protection.
I would reference a report that was recently released by
the Business Roundtable which talks about public/private
partnerships. And it talks about the fact that the private
sector incorrectly believes that government is developing
response plans and that the Government believes that the
industry structures will have their recovery response plans.
We recognize that both the public and the private sector
have a role but neither is adequately prepared.
Having said that, I would like to reference, I think, a
model within the private sector and its coordination with the
public sector that has worked effectively. And that is the
FBIIC model, which Ms. Allen has referenced. It is the
Financial and Banking Information Infrastructure Committee.
Post 9/11, the financial sector was obviously concerned
about the anticipation of what could happen to our banking and
financial markets. Through the committee, the Fed reached out
to 11 financial institutions--reached out to the banking
industry, and said we are going to talk to 11 institutions, we
are not going to tell you who they are. Obviously if we talk to
you, you will know you are one of them. And if not, you are
not.
And they worked with these institutions to create a
security and resiliency plan. And Ms. Allen, I am sure, can
talk to this in greater detail. But what this collaboration
reflected was the clarity of Government purpose, and it also
reflected industry working within a Government strategy.
And one of the reasons why I think this was effective, was
that the Government was able to leverage its institutional
knowledge. The way that we have currently organized with DHS is
that we have split the ownership roles across different
agencies and entities, both on the cyber side, but we see it
with energy and with other structures.
And what I would propose is that we look at how the
Government can institute this integrated approach to industry
protection in a more collaborative way that doesn't silo this
protection issue.
Mr. Clay. Thank you for that response.
Ms. Allen.
Ms. Allen. I agree with everything you just said, and I
would add to it, you can't boil the ocean. And I would pick
five infrastructure groups to first coordinate and use that as
a model for the others. And that is, the IT, the Internet, the
telecom and the power, because they are absolutely
interdependent.
Then I would add financial services, because if that is
down, then you are going to have a major problem with the
economy and the confidence of the people. Last, first
responders, so that you are taking care of the first
responders.
If you could look at integrated programs across those five
groups, with the Government, that would be the starting point.
And I think the FBIIC model, that the financial sector
developed is the right model.
Mr. Clay. Should it all be Homeland Security's
responsibility? [Laughter.]
Well, maybe Ms. Todt Coon should answer that. You helped
design----
Ms. Todt Coon. Well, I don't have a lot of confidence.
Let's just say that there has been many, many attempts to have
this happen under DHS and it has been very difficult for it to
be effective. So I think it is really going to take absolute
administrative support. I am in support of a blue ribbon
commission and then maybe DHS responds back to and does
whatever this commission says it needs to do.
But I don't think that it is going to come the way that we
have it structured now.
Mr. Clay. All right. Mr. Clinton.
Mr. Clinton. Mr. Chairman, I think that is a very
thoughtful question. And I have been trying to listen to my
colleagues to get a good answer for it, while I have been
thinking of it myself.
Here is my off-the-cuff view on it. First of all, we at the
Internet Security Alliance have never embraced the sector
model. The Internet Security Alliance is built on an entirely
different model. We are a cross-sectoral organization. We have
the defense sector, IT, banks, Coca-Cola, food service. Only
because when you are dealing with the Internet, it is all ones
and zeroes.
So we all have the same problem, although, at a sub-
structural level, there are individual sector orientations
within. So, the sector model, I think, was entirely the wrong
way to go, fundamentally. And when I say we ought to rethink
things, that is one of the places where I would suggest we
begin.
The second question, and this kind of gets to your followup
question a little bit, has to do--when you say, what should we
be doing. That is a really critical question. Who is the ``we''
you are talking about, sir? I think it is appropriate for you
to be thinking, well, should this be DHS? And my answer is no,
it shouldn't be DHS. It can't be DHS. If we try to shove this
into DHS, even if we hire Catherine Allen to run DHS, I am
still not sure that they are going to be able to do it. They
are a U.S. Federal Government institution trying to deal with
an inherently international infrastructure that is owned and
operated 95 percent by the private sector.
Trying to get this done through DHS or the Internet
Commission on Wonderfulness is not going to work. We have to
understand that we are dealing with an entirely different
model. We have to find a way to work together with the private
sector. The private sector is constantly--the major players,
anyway--are constantly doing risk assessments. They are
constantly upgrading their systems.
As I said in my testimony, they are not waiting for DHS.
And we work cooperatively with DHS. I am not going to bash DHS.
But the system is being run by the private sector. That is
never going to change. We have to find a way that Government
understands its role. And its role is not to manage, to
dictate, to be the parent here. Their role is to be a major
user who works with all the other major users.
Now, obviously they have a separate role in terms of
national defense that we could deal with differently. But my
suggestion would be that the way to go about this is to harden
the entire system. Not to identify what the one particular risk
is because that is a static moment in time.
This past week we had a major conference at ISA where we
looked at securing the IT supply chain. Talk about a major
problem. There is nothing that is not in the IT system that is
not researched, resourced, developed, assembled, whatever,
someplace. And some of the places this stuff is made can be a
little bit scary.
How do we secure the supply chain? And we looked at all the
risks. And we said this is the area where we have the greatest
vulnerability. We looked at it for a minute, and we said, well,
as soon as we established that as the major risk vector, the
guys who are attacking this aren't stupid. Move it over to
here.
So the risks don't stay static. We need a full systems
solution that is sustainable on a long term basis and that is
why we argued for a system of market incentives. We have to
make the owners and operators realize that it is in their self-
interest to continually upgrade and build-out the system,
including the Federal Government's, and that is, we think, the
answer to the approach that you are suggesting.
Mr. Clay. Thank you for that response.
Mr. Silva.
Mr. Silva. I think that you have brought up a couple of
interesting questions here, and I thank you for the opportunity
to respond to them.
It is interesting, when you really think about throughout
time, we have kind of decided that we would handle this in a
sector-specific way and that's just sort of how it worked
itself out. In fact, the ISACs themselves were created as
sector-specific to a large degree.
And there are problems that are sector-specific. For
instance, financial institutions have a more interesting set of
threats unrelated to the infrastructure itself, but more around
IT security and around the practices of being online for a bank
or other financial institutions.
But there are a lot of overlapping infrastructures, and
those infrastructures certainly include the Internet itself,
which all by itself is very insecure. I mean, the Internet
itself doesn't offer any security. It really doesn't. Most of
the security is handled either through appliances or through
the applications themselves. But the Internet itself was
designed to be an open system with really zero security
measures to it at all.
So I think that we need to look at the Internet
infrastructure and its resilience and whatever security
mechanisms we need to put in place to make sure that it
continues to stay up, and the international aspect of it needs
to be something that is looked at commonly across all of the
sectors.
Now you did ask what we should be doing and, as Mr. Clinton
pointed out, what we should be doing is dependent upon who
``we'' is. Since the private sector is responsible for most of
the infrastructure on the Internet, it is incumbent upon the
private sector to take action.
I think if we beg for too much regulation from the
Government, we will get exactly what we asked for, and I don't
think that would be a pleasant situation, either.
But as Mr. Clinton pointed out, incentives are probably the
best tactical step that could be taken with long term effects
that I think would be positive. Unfortunately, when we look at
building out the infrastructure, say, for the next generation
of the Internet protocol--which by the way that next generation
of Internet protocol was developed a decade ago, and still has
yet to be implemented literally. IP Version 6 has been pretty
much standardized for a number of years and is the best
technology yet to come, still.
But there is no incentive for telecommunications providers
or Internet service providers to deploy it. There aren't any
customers and it is a chicken and egg kind of thing. There is
more secure, more robust protocol, and some would argue that it
is not necessarily more secure and I might be one of them. But
it hasn't been deployed because there are no customers for it.
There are no customers for it because it doesn't exist.
The Federal Government is a big enough customer that if
they demanded it as part of their infrastructure, and their
infrastructure build-out and used their market influence, their
buying power, then those kinds of protocols and those kinds of
enhancements would be made, if demanded by the Government as
part of the procurement process.
Thank you.
Mr. Clay. Thank you for that response.
Mr. Sabo.
Mr. Sabo. Well, summing up after that, or coming to a
conclusion, a couple of things I would say with respect to the
basic question.
There are risk assessments that can be applied generally to
what we see as the infrastructure. And some of that work is
happening now. The IT-ISAC and the Sector Coordinating Council,
in fact, have work groups of industry experts attempting to
look at the key functionality provided by the infrastructure
and the sub-functionality, and attempt to build a risk
assessment methodology that actually might make some sense.
If you do a static risk assessment, although I respect the
idea of bringing in experts and assembling for many months, we
have had many of those studies. You can look at the literature
and you can see a number of recommendations made by
academicians and by industry experts that are sitting on the
shelves because the Internet and the infrastructure are very
dynamic. And, as Mr. Silva pointed out in his statement, a
number of threats to the infrastructure are not on the
infrastructure, it is on the applications that ride on the
infrastructure and that impact the utility of the
infrastructure.
In the financial sector, a number of attacks are based on
social engineering. And those attacks open up and expose
vulnerabilities, the vector of an attack that can be used much
later to go after the infrastructure.
In a way, we have a very organic Internet infrastructure.
The components of it, such as software itself or a domain name
service resolution or some of the other pieces of it, are all
components which lead to the vulnerabilities which actors can
use when they decide to make an attack.
So a couple of things. One is, work needs to happen cross-
sector and I agree with that, and it is actually starting, but
it has not really moved far enough along. Work also has to
happen by the users of the infrastructure, and that is, the
major sectors and the major corporations and companies in the
sector. And to some degree that is addressed by the type of
regulatory environment in which financial services operates. It
is not addressed in many other environments and yet the work
needs to be done.
So I think it really is a combination of both looking at
the risks associated with the use of the network
infrastructure, for example, by control systems, the use of the
infrastructure by the major corporations, but also by the
industry that writes the hardware/software and operates
resolution services and security services for the
infrastructure.
You can't look at it, I think, as one simple solution. You
have to recognize how complex the beast is, and you have to
let, actually encourage, which was the purpose of my testimony
for the ISAC, that where industry is stepping forward to
address these issues, Government's best role is to foster and
encourage through appropriate incentives. And not all monetary
incentives. They could be incentives such as saying we
encourage you and we will support some of these activities, to
move forward with that.
And I think to conclude, the Roundtable Report is an eye-
opener. Because what the Business Roundtable found in its
report says that we are increasingly and fundamentally and
almost totally becoming dependent on this IT infrastructure
which is network based. And in that interdependence, we are
losing our capacity to go backward. We are losing our ability
to go back to older systems. We are losing our ability to fall
back to paper systems. Therefore it is imperative for us as a
Nation to take the steps to do what you just said; do an active
risk assessment, put in the types of controls we need, do some
of the strategic work that is academically based, but have a
proactive operational plan to move forward.
If all we are going to do is write more papers, do more
commissions, do more studies, we are going to hopelessly fall
behind. And so I think being active, looking at the uniqueness
of each sector, what the companies are doing, what the
practices are, as well as looking cross-sector at some of the
functions, is a combination way to go.
And then from a congressional perspective, avoiding
regulation but perhaps looking to measures and to saying to us
who are in these sectors, what are some performance measures
that you are using to evaluate your effectiveness. What steps
are you taking. What outcomes are you offering.
And to me that would be the most effective short-term
approach.
Mr. Clay. Thank you for that response. One more question
for the panel. Is the extension of the Federal Terrorism
Reinsurance Backstop program an adequate model for Government
to provide economic security to the private sector in the event
of a major Internet disruption? Do we have effective risk
models to determine the cost and potential exposure to the
Government for covering this type of incident? We will start
with Ms. Todt Coon.
Ms. Todt Coon. I would go back to--I appreciate the
comments of the panelists, but I continue to assert that we
have not defined the risk in a way that allows us to create a
model, in response to your question. By not having this
accountability and by not defining this risk, we are being
stalled with inaction.
And while there has been action in different components, as
we cited earlier--I think what the financial sector has done is
exemplary and noteworthy--as a whole, we have not made the
progress on these issues that we are looking to do.
And I think at the end of the day, in looking at what the
public and the private sectors have done, as we cited earlier,
looking up multiple post-Katrina reports, we recognize that
neither the public nor the private sector can respond
individually. They need to work together. And Katrina showed us
that the ways in which they work together currently aren't
working properly.
And so I would encourage us to look at legislation, like
the Stafford Act, to revise to include for-profit companies and
also look at the Defense Production Act, which if leveraged
correctly by DHS could support the work that they are doing.
And I think that legislation exists out there within which we
need to work. And that we also need to be assigning the
ownership and responsibility in a more clear way that allows
those entities responsible for this to act accordingly.
Mr. Clay. Thank you for that. And, Ms. Allen, the Terrorism
Reinsurance Backstop program, is it an adequate model?
Ms. Allen. It is not adequate. I think it is a good thing,
but it is not adequate. Again, I agree that there is not an
appropriate risk model. We don't yet understand the cross-
sector impact. I think there are other incentives, including
insurance, the ratings agencies, tax incentives, Government
procurement, that might be more effective in the short run.
And that is my answer.
Mr. Clay. Mr. Clinton.
Mr. Clinton. I think I would agree that it is a useful
model, but some important differences have to be realized.
First of all, cyber insurance is a very different animal than
traditional insurance. The cyber insurance market has not taken
off at all. It has been stagnant for 5 or 6 years, about 20
percent of companies have cyber insurance. And there are things
that the Government can do to help in that area.
So, if you are talking about cyber, the model is probably
worth looking at, but there are other things that need to be
done. And my colleagues are exactly right with regard to you
can't assess the risk.
Let me quickly tell you what the core problem is with cyber
and then in my written testimony I go into a little bit more
depth on insurance. I won't bore you with that now.
But the problem with cyber insurance, it is available. But
the problem is, nobody buys it. And the reason nobody buys it
is because it costs too much money. And the reason it costs too
much money is because since there isn't adequate actuarial
tables, the businesses that run the cyber insurance naturally
set the risk at maximum and therefore the prices are at
maximum.
The Federal Government could do a tremendous service by
coming in and working with us so that we get the data
appropriate so that we could set actuarial tables which would
bring more providers into the market. Currently one company,
AIG, has 85 percent of the market. That is not a good thing.
If we got more providers into the market by providing them
with the data, which expect the Government does actually have,
that would then lower the cost. By lowering the cost, now more
providers will get in. That will increasingly lower the cost,
which has two major benefits.
First of all, if you have a cyber Katrina right now, there
is virtually nobody covered. Which means the insurer of last
resort is going to be the Federal Government. The Federal
Government is going to be stuck with a billions and billions
and billions of dollars bill. It is going to be worse than
Katrina because at least there was some insurance down there.
There isn't in a cyber Katrina.
Second, once we have insurance available and being
purchased broadly throughout the market place, insurance can
be, in addition to other incentives, and I would endorse
Cathy's comments in that regard, but insurance can be a
tremendous incentive.
We use insurance all the time to motivate pro-social
behavior. Good driving behavior, good health behavior. My
daughter is desperate to get really good grades because it is
going to lower the insurance on her car. This can drive better
behavior. And what I have argued in my testimony is, the way to
have a fully resilient, consistent, consistently up-growing
system is to have market incentives. Insurance is a great one.
So that people will constantly want to adopt the best
practices, get the lower insurance rate and the industry and
the Government is therefore covered if we have a major event.
So, it is a good model, but there are a variety of things
that we have to do to make it work, particular in the cyber
arena.
Mr. Clay. Thank you for that response.
Mr. Silva.
Mr. Silva. Thank you. I don't know that level of assistance
is necessarily everything that we need. And there has been a
lot of discussion about how difficult it is to assess the risk.
And I don't know about assessing the risk because I think each
individual element of this could assess what they believe is a
risk and then somehow we could wrap that up. It is difficult to
assess now.
What is even harder to assess is what the level of damage
is going to be. And it will be more than we can even imagine
sitting at this table. We couldn't have imagined the damage
that happened during Katrina and when we sat and tried to plan
for that ahead of time.
But the damage that would have happened from even shutting
down the Internet for a couple of hours in the middle of a
trading day or the middle of a business would be catastrophic.
It would be huge. And if something so serious occurred that we
had to reboot the Internet, so to speak, it would be a
significant amount before that recovery would actually take
place. There are so many different players.
But one of the things that I worry about, in addition to
those attacks that come from a terrorist act, if you will, or
some malicious behavior, are those sorts of things that might
create a self-inflicted wound. In our zeal to try to improve
the Internet, in many cases, we make it more complicated and in
fact create new and additional risk that we should think
through a lot more carefully before we do it.
One example of that is internationalized domain names.
There are proposals to create internationalized domain names in
order to let countries create domain names, the name of Web
sites, if you will, in Cyrillic or Arabic, etc. The problem is
that because of a lack of careful action and careful planning
on this, other countries are on their own racing out to create
another Internet, if you will, that uses the Internet we are
used to, but works in a completely different way.
So the rules and regulations that we would create and the
policies that we would create as industry sectors and as
governments wouldn't apply to these people. Therefore, we have
to take corrective action for whatever the weakest link is
going to be, and carefully think through some of these
improvements that we think are improvements, and make sure that
they are not actually creating more complexity and more
confusion for users and more confusion for the people who have
to assess threats and damage.
Mr. Clay. Thank you for that response.
Mr. Sabo.
Mr. Sabo. I think an approach to this is to give a chance
to the mechanisms that have not been given a chance to work. It
is a complex environment. We have never been in a situation
where millions of individuals scattered around the whole United
States, or for that matter, the world, could literally have an
impact on a national economy.
We have never been in a situation where people living--and
it has been rare--but if you think of a physical event and the
insurance for terrorism, it might be very applicable to that.
But we are dealing with a much different animal.
Mr. Clay. Mr. Sabo, let me interrupt you. Are we too
dependent on the Internet as a society? As a world? Mr. Clinton
is saying there is no going back. There is no way to go back to
the paper or anything else. Does that make us too dependent on
the Internet?
Mr. Sabo. We are dependent on it. And it is increasingly
so. And we can't stop that because the nature of us as human
beings, the nature of the capitalist society and the
development of many uses of information and new technologies,
simply can't be arrested without some dramatic shift back to a
society of almost the Stone Age. You can't do it.
Having said that, and knowing the complexity that we do, my
suggestion is that we give an opportunity for measures to begin
working slowly to address different aspects of this. So one
aspect is Internet resilience and some of the things that Ken
is talking about.
Another aspect is expectations of companies as noted in the
Business Roundtable to take steps, good steps, to deal with
business continuity practices. Another example would be looking
to industry through the ISACs and so on, to address
vulnerabilities.
And by putting this together in combination, you have some
opportunity to see progress against a set of measures. But if
you just look at it in terms of--particularly with the
Internet, as Ken said, a catastrophe so huge that in cyber
terms it would be the equivalent of a national state of
emergency that might continue for weeks or months.
What is that? How can you insure against it? Insurance
might be good to, say, I have a breach issue and I am insured
against the risk associated with that. But how do you insure
against the loss of a whole infrastructure for the whole
economy?
So I would say an approach is let each of the measures that
are best suited for this tier of protection be given a chance
to operate and be given a chance to demonstrate effectiveness.
Mr. Clay. Thank you so much for that response. Let me thank
the panel for their responses and their expertise in this area.
I am certain that this will not be the last hearing.
But as you have heard, the bells have rung, and without
objection, this committee is adjourned.
Thank you.
[Whereupon, at 5:50 p.m., the subcommittee was adjourned.]
<all>
�