[110th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:43198.wais]

CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR NATION'S INTERNET INFRASTRUCTURE

=======================================================================

HEARING
before the
SUBCOMMITTEE ON INFORMATION POLICY, CENSUS, AND NATIONAL ARCHIVES
of the
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION

OCTOBER 23, 2007

Serial No. 110-59

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.oversight.house.gov

U.S. GOVERNMENT PRINTING OFFICE
43-198 PDF
WASHINGTON DC: 2008

---------------------------------------------------------------------

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2104
Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

HENRY A. WAXMAN, California, Chairman

TOM LANTOS, California                    TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York                  DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania           CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York              JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland              JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio                  MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois                  TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts            CHRIS CANNON, Utah
WM. LACY CLAY, Missouri                   JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California               MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts           DARRELL E. ISSA, California
BRIAN HIGGINS, New York                   KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky                 LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa                     PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of Columbia   VIRGINIA FOXX, North Carolina
BETTY McCOLLUM, Minnesota                 BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                     BILL SALI, Idaho
CHRIS VAN HOLLEN, Maryland                JIM JORDAN, Ohio
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
David Marin, Minority Staff Director

Subcommittee on Information Policy, Census, and National Archives

WM. LACY CLAY, Missouri, Chairman

PAUL E. KANJORSKI, Pennsylvania           MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York              CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky                 BILL SALI, Idaho
PAUL W. HODES, New Hampshire

Tony Haywood, Staff Director

C O N T E N T S

                                                                    Page
Hearing held on October 23, 2007 ....................................  1
Statement of:
  Garcia, Gregory T., Assistant Secretary for Cyber Security and
    Communications, Department of Homeland Security; Gregory C.
    Wilshusen, Director of Information Security Issues, GAO; and
    Daniel S. Ross, chief information officer, State of Missouri ....  7
      Garcia, Gregory T. ............................................  7
      Ross, Daniel S. ............................................... 43
      Wilshusen, Gregory C. ......................................... 20
  Sabo, John T., president, Information Technology Information
    Sharing and Analysis Center and director of Global Government
    Relations, CA, Inc.; Larry Clinton, president, Information
    Security Alliance; Ken Silva, chief security officer and vice
    president for networking and information security, Verisign;
    Catherine T. Allen, chairman and CEO, the Santa Fe Group; and
    Kiersten Todt Coon, vice president, Good Harbor Consulting ...... 64
      Allen, Catherine T. ........................................... 98
      Clinton, Larry ................................................ 86
      Sabo, John T. ................................................. 64
      Silva, Ken .................................................... 78
      Todt Coon, Kiersten .......................................... 118
Letters, statements, etc., submitted for the record by:
  Allen, Catherine T., chairman and CEO, the Santa Fe Group,
    prepared statement of .......................................... 100
  Clay, Hon. Wm. Lacy, a Representative in Congress from the State
    of Missouri, prepared statement of ..............................  3
  Clinton, Larry, president, Information Security Alliance,
    prepared statement of ........................................... 88
  Garcia, Gregory T., Assistant Secretary for Cyber Security and
    Communications, Department of Homeland Security, prepared
    statement of .................................................... 10
  Ross, Daniel S., chief information officer, State of Missouri,
    prepared statement of ........................................... 45
  Sabo, John T., president, Information Technology Information
    Sharing and Analysis Center and director of Global Government
    Relations, CA, Inc., prepared statement of ...................... 66
  Silva, Ken, chief security officer and vice president for
    networking and information security, Verisign, prepared
    statement of .................................................... 80
  Todt Coon, Kiersten, vice president, Good Harbor Consulting,
    prepared statement of .......................................... 120
  Wilshusen, Gregory C., Director of Information Security Issues,
    GAO, prepared statement of ...................................... 22

CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR NATION'S INTERNET INFRASTRUCTURE

----------

TUESDAY, OCTOBER 23, 2007

House of Representatives,
Subcommittee on Information Policy, Census, and National Archives,
Committee on Oversight and Government Reform,
Washington, DC.

The subcommittee met, pursuant to notice, at 10:06 a.m. in room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay (chairman of the committee) presiding.
Present: Representatives Clay, Hodes, Yarmuth, and Turner.

Staff present: Darryl Piggee, staff director/counsel; Jean Gosa, clerk; Adam C. Bordes, professional staff member; Nidia Salazar, staff assistant; Michelle Mitchell, legislative assistant, Office of Wm. Lacy Clay; Charles Phillips, minority counsel; Patrick Lyden, minority parliamentarian & member services coordinator; and Benjamin Chance, minority clerk.

Mr. Clay. The subcommittee on Information Policy, Census, and National Archives will now come to order.

Today's hearing will examine how well DHS is fulfilling its role as the leading Federal agency charged with coordinating response and recovery efforts in the event of a major Internet disruption. In addition, we will review the roles and responsibilities of private sector stakeholders in the development of Internet recovery plans and hear their recommendations for improving our current cyber security policy framework.

Without objection the Chair and ranking minority member will have 5 minutes to make opening statements followed by opening statements not to exceed 3 minutes by any other Member who seeks recognition. And without objection Members and witnesses may have 5 legislative days to submit a written statement or extraneous materials for the record.

I will begin with an opening statement and then recognize the ranking member. Then we will adjourn after that while we vote and then we will come back and take the testimony. Just be patient with us, please.

Securing our Nation's economic and global interests relies upon having a resilient Internet infrastructure. A recently released study by the Business Roundtable summarized that there is a probability of between 10 percent and 20 percent for a major Internet breakdown over the next decade. At an estimated global cost of approximately $250 billion, an event of this magnitude would prove devastating to our domestic industries and international trading partners.
Despite spending millions of dollars, the Department of Homeland Security has failed to develop an effective Internet recovery plan to rely upon for emergency response and recovery efforts. Furthermore, their lack of adequate progress in developing appropriate models for measuring the levels of risk facing each sector has left policymakers unable to determine which sectors are most vulnerable to major cyber network disruptions.

It is my hope that today's witnesses will provide an update on DHS' efforts to remedy its deficiencies and provide recommendations for strengthening partnerships that will best secure our Internet infrastructure.

That concludes my opening statement and I will recognize Mr. Turner of Ohio for his opening statement. Mr. Turner.

[The prepared statement of Hon. Wm. Lacy Clay follows:]

[Graphics omitted: T3198.001 through T3198.003]

Mr. Turner. Thank you, Chairman Clay. I want to thank you for holding today's hearing on Cyber Security: A Review of Public and Private Efforts to Secure Our Nation's Internet Infrastructure.

The Internet is a key critical infrastructure asset and has an enormous impact on communications as well as the economy. It is important that this asset is protected, much like other critical infrastructure assets. It seems, however, that due to a number of factors, the Internet isn't as secure from catastrophic events as it could be.

I look forward to reading the testimony from today's witnesses on how DHS can better prepare our Internet infrastructure from potential catastrophic events, such as national disasters and terrorist attacks. I am interested in how DHS plans to address the concerns listed in the 2006 GAO report on DHS' efforts to coordinate an Internet infrastructure recovery plan.
And I am particularly interested in learning about the legal barriers that DHS faces in providing assistance to private sector entities which own or operate Internet infrastructure in the event of disaster.

Mr. Chairman, I want to thank you again for your leadership and your effectiveness in the oversight of the important Federal policy issues of information policy. Thank you.

Mr. Clay. Thank you, Mr. Turner. And at this time, the subcommittee will recess and reconvene at the conclusion of the three votes that we will take now on the floor. The committee stands in recess.

[Recess.]

Mr. Clay. If there are no additional opening statements, the subcommittee will now reconvene and we will receive testimony from the witnesses before us today.

I want to start by introducing our first panel, which will consist of Mr. Greg Garcia, who is the Assistant Secretary for Cyber security and Communications at the Department of Homeland Security. In his position, Mr. Garcia oversees the operations and strategic planning activities of the National Cyber Security Division, the Office of Emergency Communications and the National Communications System. Prior to joining DHS, he represented the information technology on Capitol Hill, and before that served as a staff member of the House Science Committee.

We also have joining us Mr. Greg Wilshusen, who is a Director of Information Security Issues at GAO. He is a long time expert on the topic of information security and has testified before this panel numerous times on cyber security issues and Federal information security management practices.

And to round out the panel, Mr. Dan Ross serves as the chief information officer for the State of Missouri. And prior to his appointment in 2005, Mr. Ross served under then Secretary of State Matt Blunt in the capacity of executive deputy secretary of State.
He holds a bachelor's degree in industrial relations from Lincoln University and a master's degree in public administration from the University of Missouri. Welcome, Mr. Ross. We know you came further than others. And also welcome to the other two witnesses. And thank you all for appearing before today's subcommittee.

And it is the policy of the Committee on Oversight and Government Reform to swear in all witnesses before they testify. And I would like to ask you all to stand and raise your right hands.

[Witnesses sworn.]

Mr. Clay. Thank you. You may be seated. Let the record reflect that the witnesses answered in the affirmative.

Mr. Hodes, did you have an opening statement that you would like to offer?

Mr. Hodes. No, I will defer.

Mr. Clay. OK. Thank you so much. I ask that each of the witnesses now give a brief summary of their testimony and to keep the summary under 5 minutes. Your complete written statement will be included in the hearing.

Mr. Garcia, we will begin with you. Before you do that, I know that you come today to explain how seriously DHS and the administration takes its cyber security responsibility. I must admit that it is a little disappointing that you waited until 11:30 this morning to deliver your written testimony for members of the subcommittee to adequately prepare. With that said, you have 5 minutes to summarize your statement.

STATEMENTS OF GREGORY T. GARCIA, ASSISTANT SECRETARY FOR CYBER SECURITY AND COMMUNICATIONS, DEPARTMENT OF HOMELAND SECURITY; GREGORY C. WILSHUSEN, DIRECTOR OF INFORMATION SECURITY ISSUES, GAO; AND DANIEL S. ROSS, CHIEF INFORMATION OFFICER, STATE OF MISSOURI

STATEMENT OF GREGORY T. GARCIA

Mr. Garcia. Thank you, Mr. Chairman, and members of the subcommittee. I appreciate the opportunity to discuss the Department of Homeland Security's efforts to promote the resilience of America's Internet infrastructure.

Let me just say at the outset, Mr. Chairman, that I do apologize for the lateness of our testimony.
It is more than a little disappointing to me, as well. It in no way reflects the seriousness with which DHS takes the mission of cyber security. And it is very much important for you, the members of the committee and the staff to have the benefit of advance reading of our testimony so that we can have an informed discussion. So, please accept my apology for that. We are endeavoring, in our process at DHS and interagency, to ensure that we bring testimony up to the Congress in a timely fashion.

Mr. Clay. Thank you for that.

Mr. Garcia. Sir, it is fitting that you are holding this hearing during National Cyber Security Awareness Month. It helps to raise public consciousness about the importance of Internet security to our economy and to our way of life.

Over 200 million Americans use the Internet at home and in the workplace. The Internet facilitates communications, and supports Government and business operations. Although the Internet has yielded tremendous efficiencies, organizations and individuals remain vulnerable to disruptions in service and loss of sensitive data.

Both the private sector and Government play a role in securing our Internet infrastructure. The private sector builds, owns and operates most of the cyber infrastructure and ensures the availability and functionality of the Internet. The Federal Government has the responsibility for ensuring the continued operation of essential Government functions, securing their timely restoration if they fail, and minimizing the impact to the Nation. As such, it is incumbent upon the Federal Government to help protect against Internet disruptions and to ensure a coordinated response to incidents.

I would like today to highlight a few of our efforts in these areas. First, we are strengthening our ability to prevent Internet disruptions.
Under the National Infrastructure Protection Plan [NIPP], the availability of the Internet and its associated services is identified as a shared key resource of the information technology and communications sectors. As the Sector-Specific Agency for both, we work with the sectors to develop their Sector-Specific Plans [SSP], which were released in May of this year.

The IT SSP defines six critical functions that support the sector's ability to produce and provide resilient products and services. Of these, two critical sector functions relate directly to the Internet. Similarly, the communications Sector Specific Plan identifies critical architectural elements of the Internet. Through implementation of their SSPs, the IT and communications sectors are continuing to work together to assess the risk to the Internet.

Although the availability of the Internet is primarily the responsibility of the IT and communications sectors, all sectors rely on the Internet. And DHS, together with the Partnership for Critical Infrastructure Security [PCIS], established the Cross Sector Cyber Security Working Group [CSCSWG], comprised now of more than 90 Government and private sector experts from across the critical infrastructure sectors. This group provides a forum to assess, among other things, how critical sector operations could be impacted by disruptions and to develop appropriate mitigation strategies.

Improving situational awareness is a critical component of preparedness. The U.S. Computer Emergency Readiness Team [U.S. CERT], within my organization, coordinates with the private sector and Government entities to increase situational awareness of network conditions. We developed a program called Einstein that provides Federal agencies with early cyber incident detection so that they can respond more rapidly to mitigate threats. It has slashed the time it takes us to gather and share critical data on IT security risks from days, as it used to be, to hours.

The U.S. CERT also engages with private sector Information Sharing and Analysis Centers [ISACs], to share information on cyber threats, vulnerabilities and incidents. This includes collaboration with the IT-ISAC and the Multi-State ISAC to raise the level of cyber security readiness in each State.

Our ability to protect against and prepare for Internet disruptions is further enhanced through exercises. We are currently planning for the Cyber Storm II Exercise in March 2008, which will include a focus on Internet disruption and recovery and involve Federal, State, local, international and private sector entities.

Second, we are enhancing public and private collaboration to ensure effective response capabilities. The National Response Framework [NRF], which was recently released for public comment, articulates how our Nation will respond to all hazard disasters. My office has responsibility for Emergency Support Function No. II [ESF-2], the Communications Annex and the Cyber Incident Annex. We undertook an in-depth review of these components, and incorporated updates to them.

In support of the NRF, the National Cyber Response Coordination Group [NCRCG], serves as the primary Federal interagency mechanism for coordinating Cyber Incidents. Recently, the NCRCG addressed the denial of service attack against the government of Estonia. The NCRCG co-chairs convened to discuss the situation and determined that an operational response was indeed needed. And we coordinated that through the National Coordination Center and U.S. CERT.

To sum, my office is now implementing a plan to co-locate the U.S. CERT and the NCC, the IT and Communications, to further facilitate collaboration among IT and communications experts. We are working side-by-side with them to make it easier to obtain situational awareness, to identify threats and coordinate response activities.
To conclude, both Government and the private sector are taking proactive measures to address Internet resilience, and to prepare for and respond to Internet disruptions. Government and business leaders must continue to ensure that sectors, organizations and individuals all understand their dependence on the Internet, the impact that a disruption could have and actions that can be taken to mitigate the consequences.

Sir, thank you for your time today. I appreciate the opportunity to discuss this issue and will be happy to answer questions.

[The prepared statement of Mr. Garcia follows:]

[Graphics omitted: T3198.004 through T3198.013]

Mr. Clay. Thank you very much, Mr. Garcia. Mr. Wilshusen, you are next.

STATEMENT OF GREGORY C. WILSHUSEN

Mr. Wilshusen. Chairman Clay and members of the subcommittee, thank you for the opportunity to testify at today's hearing on public and private sector efforts to secure our Nation's Internet infrastructure.

Since the early 1990's, the world community has come to rely on the Internet as a critical resource supporting commerce, education and communication. While the benefits of this technology have been enormous, this widespread interconnectivity poses significant risks to our Government's and Nation's computer systems and, more importantly, to the critical operations and infrastructures they support.

Today, I will discuss threats and vulnerabilities of the Internet, DHS' efforts in facilitating recovery from Internet disruptions and key challenges to such efforts.

Mr. Chairman, the Internet is vulnerable to disruptions in service due to threats of terrorists and other malicious attacks, natural disasters and technological problems or a combination of these things. Disruptions to Internet service can be caused by cyber and physical incidents, both intentional and unintentional. For example, over the last few years, fast-spreading worms and viruses, coordinated denial of service against key root servers, 9/11 and Hurricane Katrina have caused local or regional disruptions or slowdowns. Research organizations have pegged the annual worldwide costs of malicious code attacks as averaging about $14 billion for the 6 years ending in 2005, highlighting the importance of recovery planning.

However, these incidents have also shown the Internet as a whole to be flexible and resilient. Even in severe circumstances, the Internet has not yet suffered a catastrophic failure. Nevertheless, it is possible that a complex attack or series of attacks could cause the Internet to fail or to undermine users' trust in the Internet, thereby reducing the Internet's utility.

In a June 2006 report, we noted that DHS had begun a variety of initiatives to improve the Nation's ability to recover from Internet disruptions, including developing an integrated public/private plan for Internet recovery, establishing working groups to facilitate coordination, and conducting exercises in which Government and private industry practice responding to cyber events. However, these efforts were not complete, comprehensive or effectively coordinated.

In that report, we also noted key challenges that impeded progress. First, it was unclear what Government entity was in charge, what the Government's role should be, and when it should get involved. For example, DHS' National Cyber Security Division and National Communications System had overlapping responsibilities. There is also a lack of consensus about the role DHS should play.
The Government was pursuing the big plan approach with the NIPP and the National Response Plan while the private sector wanted more of the short-term tactical role from the Government. Furthermore, triggers to clarify when the Federal Government should be involved were unclear.

Another key challenge is working in a legal framework that doesn't specifically address the Government's roles and responsibilities in the event of an Internet disruption. The Katrina recovery efforts also showed that the Stafford Act can create a roadblock when for-profit companies that own and operate critical infrastructures need Federal assistance during national emergencies.

In addition, the private sector was reluctant to share information with DHS because it did not always see value in sharing information, did not necessarily trust the Government and viewed DHS as an organization lacking effective leadership. Until these challenges are addressed, DHS will have difficulty in achieving results in its role as a focal point in this area.

In our June 2006 report, we suggested that Congress consider clarifying the legal framework that guides roles and responsibilities for Internet recovery. We also made recommendations to improve DHS' ability to facilitate public/private efforts and planning for Internet disruptions. The Department agreed with our recommendations and since then has made progress in addressing many of them. Still work remains to be done to ensure that our Nation is prepared to effectively respond to a disruption of the Internet infrastructure.

Mr. Chairman, this concludes my statement. I would be happy to answer any questions you or members of the subcommittee may have.

[The prepared statement of Mr. Wilshusen follows:]

[Graphics omitted: T3198.014 through T3198.034]

Mr. Clay. Thank you very much. Mr. Ross, you may proceed for 5 minutes.

STATEMENT OF DANIEL S. ROSS

Mr. Ross. Thank you, Chairman Clay and distinguished members of the subcommittee. I thank you for inviting me here today to appear before you in both my role as Missouri State chief information officer, and also as a member of NASCIO, the National Association of State Chief Information Officers. NASCIO is a not-for-profit, non-partisan research and advocacy organization, of which I and most State CIOs are members.

I will briefly offer my perspective on efforts to secure my State and our Nation's Internet infrastructure. A lapse or shutdown of Internet availability would disable much of State government, rendering it unable to communicate, to deliver services and collect revenue for an extended period.

Regional conditions in Missouri illustrate some of the challenges natural disasters may pose. A large portion of eastern Missouri, including the city of St. Louis, lies in close proximity to the New Madrid earthquake fault. Missouri experienced over 200 tornadoes last year. In addition, we experienced ice storms, thunderstorms and flooding which damaged communications infrastructure.
In addition, the sheer pervasiveness and relentlessness of cyber-attacks is staggering. In the past fiscal year alone, Missouri's network and data center experienced nearly 5.6 million cyber-attacks. That's 29,000 per day, about 1,200 an hour. And in the few minutes that I am speaking with you today, we will experience about 100.

The evolving nature and sophistication of cyber-attacks is worrisome as well. State information technology infrastructure is now specifically targeted by criminal elements connected to organized crime. In addition, they are also increasingly international in origin, which makes apprehension and criminal prosecution highly unlikely.

What are we doing? In response to this, State CIOs are forging partnerships with State, Homeland Security, emergency management and public safety officials to plan for the potential of major disruptions and security breach events. We are also trying to secure the funding necessary to maintain our intrusion detection, spam filter and other technologies that were purchased previously with Homeland Security one-time grant funds. A current concern State CIOs face is acquiring funding to build security and resilience into all new IT projects and to hire and retain knowledgeable, trained IT staff.

Some recommendations to fortify Internet communications infrastructure. First, there must be increased intergovernmental and private sector coordination. Business partners, stakeholders and all levels of government must coordinate actions, share best security practices, and plan for the potential of a major disruptive event.

Second, continued State involvement in the National Infrastructure Protection Plan and Cyber Security Information Technology Sector Specific Plan within it is essential.

Third, we must identify cyber vulnerabilities and fund their mitigation.
Cyber security is not a tangible asset, and Federal programmatic funding rarely includes specific provisions for IT spending to protect Federal programs delivered by States. The creation of a funding pool for cyber security grants to specifically assist States in achieving a proper cyber security posture would be beneficial in raising the overall security level of critical IT infrastructure in the State government sector.

Fourth, we must include and address Internet dependent critical State functions and continuity of operations and recovery plans.

And finally, we have to partake of information sharing initiatives between NASCIO, the Multi-State Information Sharing and Analysis Center and Federal agencies.

In conclusion, Mr. Chairman, technology alone will not solve the security challenges that States face while trying to protect key information technology systems and information. Given the wide variety of cyber-attacks and security vulnerabilities today, it may be only a matter of time before a State's information systems and assets are compromised. Therefore, it is imperative that an investment in human and technology resources be an ongoing, proactive process, and not a reactionary response to a security event. The well publicized hard costs of security breaches as well as the soft costs of losing citizen confidence drive the need for providing sufficient resources for securing Government's information and infrastructure assets.

As CIO for Missouri and as a representative for NASCIO, I appreciate the work of this subcommittee in addressing this national challenge. The National Association of State Chief Information Officers stands ready to contribute to this subcommittee in a meaningful way as needed. Thank you for your time.

[The prepared statement of Mr. Ross follows:]

[Graphics omitted: T3198.035 through T3198.041]

Mr. Clay. Thank you so much for your testimony, Mr. Ross. We will start the first round of questions and the gentleman from New Hampshire is recognized for 5 minutes. Mr. Hodes.

Mr. Hodes. Thank you, Mr. Chairman. And thank you for holding this very, very important hearing. Given the Information Age that we are living in, there probably is nothing that is more important these days in some way to the security of this Nation than the issues that we are discussing today. As the use of the Internet and cyberspace blossoms, it is becoming ever more important to us.

Mr. Garcia, I noted with appreciation your sense of regret that your testimony wasn't supplied earlier to us, and I take that you will be able to take steps in the future so that when you come back before us, we will have enough time to review your testimony.

Mr. Garcia. Absolutely, sir. We do strive to give you the best quality product we can, as well, which may account for some of the delay and the review process.

Mr. Hodes. I appreciate that. Prior to your appointment, Mr. Garcia, the previous Director of the NCSD, Andy Purdy, was hobbled because there were conflict of interest questions due to his continued employment with his original employer, Carnegie Mellon University, which was involved with several DHS, cyber-related projects at the time. My understanding is that he was actually drawing a salary while working also for the NCSD, which created real problems, as you can imagine. And it is my understanding that currently, a significant amount of the work that is being undertaken by NCSD is being carried out by other contractors. Private contractors, including Booz-Allen.
As a member of the Oversight and Government Reform Committee, we have been exercising oversight in a number of areas where the Government is making significant use of private contractors, most notably in the news in connection with the war in Iraq and the flap that has developed around Blackwater. And I understand the role of contractors in assisting agencies with program administration, but I also understand that contractors aren't supposed to play any role in inherently governmental or policy-focused activities. We recognized that as a potential conflict with Mr. Purdy, and we remain concerned that there may continue to be conflicts at the NCSD. And I note in your testimony, at pages--especially at 4 and 6, where you talk about the collaboration that exists in the public/private partnership that is ongoing. So, there are relationships here, which while important are fraught with potential problems. Can you tell us how many full-time governmental employees there are within NCSD, NCS, and the other DHS units under your authority? Mr. Garcia. Sir, I don't have the exact number. We have approximately 100 individuals in NCSD and NCS, and about that number in contractors. So we do rely on contractors. It gives us the resilience we need to respond to urgent initiatives. It enables us to surge and to pull back our resources as necessary. Mr. Hodes. And when you say 100 contractors, do you mean 100 employees who are the employees of contractors, or 100 separate different companies? Mr. Garcia. I can give you that exact number--I can get back with you on that specifically. Mr. Hodes. I would appreciate having the documents that reflect that. And Mr. Chairman, if I may, request that the record stay open long enough to have that information submitted. Mr. Clay. Without objection, the gentleman will do everything to get us those records. Mr. Garcia. Absolutely. Mr. Hodes. 
Off the top of your head, who are the largest contracting entities who are supplying these contractors to those agencies of which you spoke? Mr. Garcia. The most number of contractors from any one organization, I cannot be certain on that answer, likely to be Booz-Allen. Mr. Hodes. And what is your sense of the size of Booz- Allen's commitment in terms of a percentage of that number of approximately 100 who are working? Mr. Garcia. I can get that for you, as well. Mr. Hodes. You don't have any sense today? Mr. Garcia. Not an accurate sense for you. No, sir. Mr. Hodes. And what are the roles and responsibilities of those contractors at your agency, versus the responsibilities of the Government employees? Mr. Garcia. None of the contractors are in managerial positions. So, they serve in a support role for all of our activities. Mr. Hodes. And who is supervising them? And who is responsible for their day-to-day activities? Is it the employees at your agency, or is it the providing companies? Mr. Garcia. The Government employees under my organization are responsible for supervising the activities that the contractors support. Mr. Hodes. May I continue with one further question, Mr. Chairman? I see my time is up. Mr. Clay. The gentleman is recognized for 2 additional minutes. Mr. Hodes. Thank you. Now, Mr. Garcia, I take it you would agree that conflict of interest policies are critical to ensuring the integrity of the work done for the Government? Mr. Garcia. Yes, sir. Mr. Hodes. And are there written conflict of interest policies in place at the agencies you supervise to ensure that those coming to work for your division remain free from decisions that may potentially impact former employers or clients? And I am talking about both full-time employees as well as consultants working under your direction. Mr. Garcia. Yes, sir. I believe there is. And I can get back with you on that and supply that with you. Mr. Hodes. Similarly, Mr. 
Chairman, I would ask that the record be held open to accept that submission. Mr. Clay. Without objection, and we would appreciate it if we could have it in 5 legislative days. Mr. Hodes. Thank you, Mr. Chairman. And just one final quick question. As a former lobbyist for the Information Technology Association of America, how have you yourself made sure that you are remaining free from any conflicts concerning issues of importance to your former employer? Mr. Garcia. My mission, Congressman, is in total support for the Department of Homeland Security and to the Nation that we protect. My former employer was a trade association, and my former employer was also the U.S. Congress. So, my mission is quite clear and that is to promote the security and resiliency and the availability of the Nation's communications and information infrastructure. Mr. Hodes. I understand that is what your mission is, and what have you done with your former employer to make sure that you yourself have taken the proper steps to ensure there is no conflict of interest? Mr. Garcia. We work with them. I have no conflict of interest with my former employer. We work with them as we do with any other major trade association in information technology as a major partner of the Department of Homeland Security. We cannot do our work without partnership from industry, from IT, from communications, from financial services. But they are but one of many, many stakeholders and players in this process. And I am focused squarely on our mission. Mr. Hodes. Thank you. Thank you, Mr. Chairman. Mr. Clay. Thank you, Mr. Hodes. Mr. Yarmuth of Kentucky, 5 minutes. Mr. Yarmuth. Thank you, Mr. Chairman. 
When I listened to the testimony, it kind of reminds me of the now infamous words of Secretary Rumsfeld when he said, "There are things we know we know, and things we know we don't know, and things we don't know that we don't know." It sounds to me like there are a lot of things about the threats facing the Internet that we know, and threats that we don't know that we know, and we don't know that we don't know. And anyone can attack this problem. Is our biggest problem in this area threats that we don't even know exist, or are we still at the point where we don't know to combat the threats we know about? Mr. Garcia. I think it is a matter of both, Congressman. We over the past couple of years, I believe, have made tremendous progress in terms of understanding the threats facing the Internet infrastructure. Our visibility into the Internet infrastructure is increasing. For example, my U.S. CERT collects incident reports from private sector and Government entities. Last year, we received 37,000 reports. The year before that, 24,000 reports. Is that because the incidents are increasing or is it because the reporting is increasing? It is probably a little bit of both. But the threat is still there. So much is happening under the radar. There are so many attacks and probes happening across our networks that we are not seeing. And so, a big part of my mission is to work with the owners and operators of those infrastructures, whether it is IT or communications or financial services, transportation, electricity, to build awareness. And to build investment in the systems and the process that will raise the level of visibility into what is happening in our networks so that we can take the steps to mitigate them. Mr. Yarmuth. Is that ultimately the measure of whether you are successful or not? Whether the incidents that you know about are reported to you are declining? 
Or is there some other metric that you can come up with to allow you and us to know whether we are actually making progress? Mr. Garcia. Yes, sir. We have many metrics, and none of them taken by themselves is going to be sufficient. Increasing the number of incident reports. That is a measure of success. That means people are paying attention and they are reporting it. They are sharing sensitive information. The amount of investment is also a measure of success, the investment in cyber security and information technology is increasing. We are looking at the number of students going into information security as a curriculum pursuit in universities. So, there are many measures, but we still are not going to be able to measure all the attacks that are happening without our seeing them. The threat is constantly evolving. The adversaries are very sophisticated. And we have to evolve with them. It is an ongoing technological chess match, if you will, except that there is no check mate. So, this is going to be ongoing. And we can take one measure at a time, and measure our success and hope that we don't take any steps back. Mr. Yarmuth. I am curious also, and this may not even be related to--well, it relates to a certain extent, to the ultimate goal of the hearing. But the issue of motivation. Is there any way to gauge whether these--what percentage of the attacks are motivated by people who just want to see if they can figure it out? Kind of intellectual curiosity or whether they actually have evil motives, if you will. Evil intent. Mr. Garcia. I will let Mr. Wilshusen elaborate, but I think what we--and indeed Mr. Ross, since he is also on the front lines--but we do see a variety of motives. It used to be that hacking, as it were, was very much a joy ride exercise. Teenagers seeing what they can get away with. Motivations related to "hacktivists"--those relating to political motives, as perhaps what we saw in Estonia. 
But the adversaries are becoming more sophisticated and more focused on very specific targets. And that includes the desire for information, whether it is from companies or from governments. It includes the pursuit of money through cyber crime, through financial services networks or through identity theft. So, they are becoming very sophisticated and very targeted with multiple intents. Mr. Yarmuth. Mr. Wilshusen. Mr. Wilshusen. Yes. And I would just like to add, too--I agree with everything that Mr. Garcia just mentioned regarding the threats--is that there are criminal activities and criminal elements out there that do have a financial motivation. In addition, there are also foreign nation-states that also have an interest in obtaining intelligence information about their potential adversaries, including, of course, the United States. I would also like to point out, too, that the threat is evolving and indeed the vulnerabilities are also increasing. Just to give you a statistic, the National Vulnerability Database has identified over 26,000 software flaws or misconfigurations that could be exploited to provide an avenue for someone to gain unauthorized access. That total, according to the National Vulnerability Database, is increasing by 16 every day. The vulnerabilities are legion. The threats are adaptive, and they are constantly evolving, and it is quite a challenge to be able to protect computer systems against that. Mr. Clay. Thank you. Mr. Yarmuth. Thank you, Mr. Chairman. Mr. Clay. Thank you, Mr. Yarmuth. Mr. Wilshusen, since the original GAO Report on Internet Infrastructure and Recovery Plans came out last year, can you identify the areas in which DHS has demonstrated significant progress? How about the areas in which progress is lagging or that have been just totally ignored? Mr. Wilshusen. Yes, sir. Well, as Mr. 
Garcia mentioned in his opening remarks, some of the areas for progress included that DHS released its Sector Specific Plans for the IT and Communications Sectors. It also developed and revised its National Response Plan or framework to assure and make sure that it addresses cyber incidents that require Federal response. In addition, DHS has also led these private/public exercises, Cyber Tempest, Cyber Storm, that examine response and coordination mechanisms to simulated cyber events. These exercises add value. And the after action reports provide useful information on lessons learned during those exercises. Of course, the next step though is taking those lessons learned and actually implementing them into the plans. Now, some areas where DHS is lagging, if you will, is that it has not yet developed a private/public plan for Internet recovery. Nor has it set a date when that plan would be completed. In addition, DHS also disbanded the Internet Disruption Working Group, and it is not clear exactly how well that group's functions and responsibilities will be addressed by other groups that DHS is working with. And one other thing. As Mr. Garcia mentioned, there are a number of working groups addressing this area of Internet recovery. However, the interrelationship among these groups is not certain. Mr. Clay. Have there been appropriate triggers established to determine what type of Internet disruption would merit a Government response? Mr. Wilshusen. Well, there have been efforts, I believe. A couple of the working groups have looked at those triggers, but as of now, the specific triggers have not yet been fully developed or implemented. I might also want to point out, too, that one of the key aspects in order to make these triggers work is to make sure there is an effective analysis and warning capability. And DHS does have, for example, U.S. CERT, and as Mr. 
Garcia mentioned earlier, the use of the Einstein network monitoring tool, which can help provide information supporting those triggers. But Einstein has not yet been implemented across the Government. Mr. Clay. Thank you for that. As part of GAO's review of DHS' Internet recovery responsibilities, it cited a lack of DHS leadership and stability throughout its management ranks. Has this improved since the report was released last year? Mr. Wilshusen. Well, one area where it has improved is indeed the appointment of Mr. Garcia as the Assistant Secretary for Office of Cyber Security and Communications, and the Assistant Secretary has spelled out some key priorities for the Department, including preparing and deterring attacks, responding to cyber-attacks of potentially national importance or significance, and also building awareness among the various different stakeholders in cyber security. However, DHS continues to be hampered by its inability to retain key officials in the cyber security area. For example, the Director of the National Cyber Security Division has recently left, as have other key officials related to cyber security control systems and officials responsible for cyber-related exercises. Mr. Clay. Thank you so much for that. Mr. Ross, as the CIO from Missouri, has your office sought to prioritize the State networks and critical infrastructures that are most critical in an emergency incident? And if so, how was it done? Mr. Ross. Yes, sir. We are always looking to find that single point of failure, which if taken out, will take the whole system down. You know, we have identified the essential functions Government has to do, which is communicate, pay people, pay bills, buy things, provide medical services, direct people in emergencies and so, in working with the Department of Homeland Security, the State Department of Homeland Security, the State emergency management folks, we are putting together a plan to do that. 
Now, in my own shop and the IT folks, we have identified vulnerabilities in the State network and we are working to patch those. We have recently signed a contract with AT&T to manage the State-wide network to give us that resiliency and that disaster recovery ability because of their large network and their redundancy. So, that in combination with State assets--which do include 1,700 miles of fibers that the Highway Department owns, that we leverage for them--all come together to give us a resilient backbone to keep running in times of emergency. We are not there yet because we have just signed the agreement with AT&T and are moving into that relationship with them. But I look forward to that. That will provide not only the tremendous wide highway to operate on, but also the back-up and disaster recovery we have been after. Mr. Clay. Thank you. What are the greatest strengths and weaknesses of the Multi-State ISAC? Are its activities related to information sharing and threat analysis of cyber incidents providing you with adequate information for decisionmaking? Mr. Ross. Mr. Chairman, Missouri is one of the two founding States in that organization. We are extremely active in that. One of my security officers is co-chair of the Legislative Committee and another member of his team is on an Operations Committee, I believe. So, we are actively engaged with them, in contact with them nearly every day. Phone calls and then certainly when an event or a vulnerability is identified, that network fires up very quickly. So, we depend on and use them very heavily. Mr. Clay. OK. Thank you for that. Mr. Hodes, did you have a second round of questioning? Please proceed for 5 minutes. Mr. Hodes. Thank you, Mr. Chairman. Mr. Wilshusen, I am looking through the statement you provided, your testimony here. And I note on pages 9 and 10, in dealing with the questions of the existing laws and regulations and their application to Internet recovery, some issues arise. 
You point out, for instance, that the Stafford Act authorizes Federal assistance to States, local governments, not-for-profits, in the event of a major disaster or emergency, but doesn't apply to for-profits. Do you see a revision of that as necessary, desirable? Something else, is it absolutely required? Would it provide an incentive for some kind of conduct on the part of for-profits, which has been problematic up until now? Would you comment? Thanks. Mr. Wilshusen. Yes, I would be glad to. During this review that we conducted last year, we did a number of case studies over key Internet cyber events. One of them had to do, of course, with Hurricane Katrina. And it was during that event where key infrastructure owners needed to gain access to the resources or to their facilities and have the ability to have basic food, water and other necessities in order to more quickly restore service operations--their service capabilities. However, the Federal Government was not able to help them or to provide the short-term tactical support that was needed in order for them to actually gain access to their facilities. And so, part of that was due to the Stafford Act, because the Federal Government cannot provide assistance to these for-profit organizations. Mr. Hodes. So, had the Federal Government been able to provide that short term tactical assistance, the response of those for-profits in coordinating the effort to recover, would have been much quicker? Mr. Wilshusen. And would have been enhanced. Yes, sir. Mr. Hodes. Turning to the Communications Act of 1934, there is an implicit suggestion in your written statement that needs to be revised to address the new threats, the new concerns, that the cyber infrastructure has created since 1934 and whatever amendments there have been. Am I correct that you see that as something that Congress needs to look at? Mr. Wilshusen. 
Yes, because we see that as a Communications Act that does not address specifically the Internet and certainly not the roles and responsibilities for Internet recovery from disruptions or major disruptions. Mr. Hodes. Thank you. Mr. Garcia, it was recently reported that one vendor, a major DHS IT vendor, Unisys, had been concealing a number of significant cyber security incidents and attacks on Department systems, including many that apparently exposed the entire DHS enterprise to significant cyber-threats. Could you explain your role in responding to the incidents as they were reported to DHS leadership? Mr. Garcia. Sir, that particular issue, we have a separation of responsibilities. The Office of Cyber Security and Communications is responsible for a national outreach on cyber security policy and implementation, whereas the protection of the DHS network itself, that responsibility resides within the Office of the Chief Information Officer [CIO]. So, neither I nor my office was directly involved in that particular issue. Mr. Hodes. So, it is not your job? Mr. Garcia. That is correct. Mr. Hodes. Did you coordinate at all with the Chief Information Officer on what happened? Mr. Garcia. Yes. So our role within the U.S. CERT is in fact, to treat the DHS networks as we do all of our Federal agency customers, if you will, particularly through our outreach and information sharing in the Einstein program, we work to try to help agencies see what is happening on their networks and to exchange information with them and ultimately to correlate activities to find trends that are happening across the Federal network. And that goes with the CIO's office as well. So, we are in close contact with the Office of the CIO as incidents happen, in the DHS networks or any other Federal agency network. Mr. Hodes. 
So, I am assuming that because it is an agency with which you are involved and that you must be in touch with the CIO about these kinds of incidents, what happened to Unisys? What was done? Were they sanctioned? And what steps were taken by the CIO to prevent these kinds of incidents from happening in the future? Mr. Garcia. I certainly would defer to the CIO to answer those questions for you, as I was not directly involved in that. Mr. Hodes. May I just followup for one quick moment? Mr. Clay. Please. Go ahead. Mr. Hodes. Did you have any conversations with the CIO about what was going on with this breach by Unisys and how it was being handled and what effect it would have on the agencies that you do deal with? Mr. Garcia. Our U.S. CERT facility was in contact with his office, and I can get back with you as to exactly what the interaction was. I personally was not involved. That also deals with a contracting matter with the CIO's contract with Unisys. Mr. Hodes. So, to the extent there are any documents within your purview, control, constructive control, or custody, I would like you to provide to this body any and all documents reflecting any interaction, discussion or contact you or your agency, or anybody in it had with the CIO about the response to Unisys over this breach. Will you provide that to us? Mr. Garcia. Certainly. Mr. Hodes. Mr. Chairman, I request that the record stay open so that those documents may be provided. Mr. Clay. Without objection, for 5 legislative days. Mr. Hodes. Thank you, sir. Thank you, Mr. Garcia. Mr. Clay. Mr. Yarmuth. Mr. Yarmuth. Just one followup question. And this is mostly for my own understanding. I would like to try again to clarify the difference between for-profit and the not-for-profit world. 
And also, the difference between the infrastructure world and the software world, because presumably most of the software out there is produced by for-profit companies and you have a security aspect of the software and a security aspect of the infrastructure. I am just curious as to where you draw the line as to where the Government's interest and responsibility begins and where it ends. Mr. Garcia. If I understand your question, the way we look at it is that 85 percent to 90 percent of the critical infrastructure is owned by the private sector. So, they are managing the networks and the private sector is developing the hardware that runs on and runs those networks. It is our job to coordinate with those who are owning and operating and those who are using those systems to ensure that we have a proactive way of dealing with attacks and vulnerabilities as we find them. Mr. Yarmuth. What I am trying to understand the difference between the relevance of for-profit and not-for-profit where the Stafford Act issues arise. Mr. Garcia. I am not exactly sure of the answer to that question, sir. Mr. Yarmuth. OK. Well, I am not sure that I know enough to ask any more. Thank you. Mr. Clay. OK. The gentleman yields back. Mr. Garcia, Mr. Wilshusen pointed out that one of the issues that your Department has is retaining key officials in cyber security. What do you think is the solution to the revolving door there? What are the main issues and why do you lose so many key people? Mr. Garcia. Thank you, sir. I honestly would not characterize it as a revolving door. In fact, some of our more recent departures were strictly for personal reasons. Two major staff wanted to relocate closer to family across country and south of here. And to be honest, the DHS environment and our mission is a very high intensity one, and very fast paced and long hours. 
And given that, we make every effort to first recruit the best talent we can and then to retain them, and to reward them, and to make their experiences and their challenges meaningful. So, we are acutely aware of the need to have the best talent we can and we are actively filling those posts that have been vacated. Mr. Clay. Are many leaving for private corporate cyber security positions? Mr. Garcia. I am not sure exactly where they went. Probably to the private sector, but more toward a different way of life, closer to family. Mr. Clay. I see. Let me go another direction. According to GAO's 2006 Report on Internet Infrastructure, one of the significant obstacles facing DHS is the conflicting or overlapping roles of the National Cyber Security Division and the National Communications System, which seems to have undefined and conflicting roles in response to a major Internet disruption or cyber-attack. As the person in charge of both the NCSD and NCS, can you explain to us how the roles and responsibilities of both units are distinct or different? Mr. Garcia. Absolutely. Very good question. The National Cyber Security Division is responsible for the security of the information infrastructure. The National Communications System is responsible for ensuring that the Government, that the Nation, has the ability to communicate in times of national emergency. So you think of the NCS and communications as the pipe, the telecommunications pipe, and the NCSD as dealing with the software and the technology that controls the operations of those pipes and sends information through those pipes. So, NCSD and NCS have very complementary roles. Certainly not conflicting. Sometimes overlapping, but overlapping for the better. My role is to try to bring those--by the way, NCS is a 40 year old organization, and NCSD is a 4-year old organization. So they have much different histories, but they work very closely together. 
For example, in the Estonia distributed denial-of-service attacks, NCS and NCSD worked very closely. Second, I am working to bring together, to co-locate the U.S. CERT operations with the NCS operations, which is called the NCC, the National Coordinating Center for Telecommunications, that is a 24/7 watch operation as well, that serves the communications infrastructure involving communications companies and Government employees. So, we are bringing them together so that the IT and Communications can have a more synthesized view of what is happening on our information and communications infrastructures. Mr. Clay. Let me ask you, as voice and data transmission networks continue to converge, wouldn't combining NCSD and NCS prove to be more efficient for agency operations? Mr. Garcia. I think certainly a good number of the functions have already converged. That when we look at the convergence of communications from the traditional circuit switch to packet switch technology, security is going to equal availability, and availability is going to equal security. So we can't bifurcate those functions. There are unique and distinct functions within the National Communications System and NCSD that may remain unique, but by and large, you are absolutely right, Mr. Chairman, functionally NCS and NCSD will over time converge. Mr. Clay. Thank you for that response. It is my understanding that NCSD recently released a draft of what it called the Information Technology Security Central Body of Knowledge, competency and functional, A Framework for IT Security and Workforce Development. Isn't this the type of work usually undertaken by the private standards-setting community, such as the ISO standards organization? How is this work unique to what has already been developed by the standards community? Mr. Garcia. Very good question, and I thank you for that. 
Yes, the Essential Body of Knowledge [EBK], is our attempt to bring together actually a number of those security skills, training skills standards that have been put out by a number of different organizations and really find the common elements among all of those. What we can do is provide as a reference for academia, for the practitioners, a synthesized set of work force skills and training standards to develop curricula or to develop training within the enterprise. So, in no way is it intended to supplant the other private sector-developed security standards. It is instead intended to sort of de-conflict among those and provide a much higher level reference for those who are trying to distinguish between one or the other type of standard that they ought to be using. So we are quite enthusiastic about it. Mr. Clay. OK. Thank you. Mr. Wilshusen or Mr. Ross, do you have anything else to add? Mr. Ross. Thank you, Mr. Chairman. I might go back to a previous point that Mr. Yarmuth mentioned. And that is the evolving nature of threats. We are always having to--what we see in Missouri is, we will see low-level threats. Low-level probes of our data center and our network. We will see hundreds of thousands of these low-level threats and probes but little variations on each other, and then at the end of that period, we will see a heavy strike on our data center in an attempt to bring down servers or communication equipment and the like. And to get to your other point, Representative, it is not teenagers hacking anymore. It is coming from other countries. Our forensic tools can track it down to continents and to countries, and it is coming from all over the world. But it is very focused. States have extremely valuable information. Financial information, health information, driver's license, Social Security number-type information and they are after that. A recent example I heard a presentation about. 
If you can just get hold of a CD copy of all the freshmen coming into the University of Missouri, either the law school or the finance school or accounting or the like, that is probably worth $2,000 going in. Then years down the road, when it is actually--when they are income-producing people, that information is extremely valuable, and that is when they use it. So that type of information is what people are after. Mr. Clay. Do you ever make any successful apprehensions? Mr. Ross. Outside the country? No. Inside the country, we do. Mr. Clay. OK. Mr. Wilshusen, anything to add? Mr. Wilshusen. No. Mr. Clay. No? Thank you. I want to thank the entire panel for their testimony and answering questions. This panel is dismissed. Thank you. As soon as this panel is up, we would like the second panel to come forward to be sworn in. Thank you. On our second panel, we have a distinguished group of individuals who are highly qualified to address the issues associated with cyber security and Internet architecture from a variety of important perspectives. Mr. John T. Sabo is the current president of the Information Technology Information Sharing and Analysis Center [IT-ISAC], as well as the director of Global Government Relations for CA, Inc. In addition to IT-ISAC, Mr. Sabo represents CA in a number of security and privacy focus industry organizations and is an appointed member of the U.S. Department of Homeland Security Data Privacy and Integrity Advisory Committee. Welcome. Mr. Larry Clinton is the president of the Information Security Alliance, which has over 500 corporate members on four continents representing virtually every major segment of the economy. Mr. Clinton is a member of several boards and advisory committees, including the National Partnership for Cyber security, the Internet Education Foundation and the Advisory Board of the U.S. Congressional Internet Caucus, the IT Sector Coordinating Council and the DHS Critical Infrastructure Protection Advisory Council. 
Prior to coming to IS Alliance, he was a vice president at the U.S. Telecom Association, served as a legislative director, in the House of Representatives. Welcome back, Mr. Clinton. Mr. Ken Silva is VeriSign's chief security officer and VP for Networking and Information Security. He oversees the mission critical infrastructure for all network security and production IT services for VeriSign. He also serves on several boards and advisory committees, including the Information Technology Information Sharing and Analysis Center. He is the chairman of the board of the Internet Security Alliance. Thank you for being here. Ms. Catherine T. Allen is the chairman and CEO of the Santa Fe Group, a strategic consulting firm specializing in technology and innovation issues facing the critical infrastructure. Ms. Allen has long been recognized as a leading expert on technology issues facing the financial services sector and other critical infrastructure industries. Prior to her current position with Santa Fe, she served as the founding CEO of BITS, a technology-focused consortium led by the CEOs and CIOs of our Nation's top 100 financial institutions. She is a graduate of the University of Missouri, where she also received an honorary Doctorate of Humane Letters in 2005. Congratulations and welcome. Ms. Kiersten Todt Coon is a VP of Good Harbor Consulting, where she focuses her efforts on developing risk management solutions for IT infrastructure and homeland security clients. Prior to joining Good Harbor, Ms. Todt Coon worked as a policy advisor to several senior Government and private sector leaders, including the Governor of California and former VP Al Gore. She also served as a professional staff member on the U.S. Senate Committee on Governmental Affairs, where she was responsible for drafting the Science and Technology Infrastructure Protection and Emergency Preparedness Directorate section of the Homeland Security Act of 2002.
A graduate of both Princeton and the Kennedy School of Government at Harvard, Ms. Todt Coon currently serves as a term member of the Council on Foreign Relations. I welcome all of you. It is the policy of the committee to swear in all witnesses before you testify. And I would like to ask you to stand, please, and raise your right hands. [Witnesses sworn.] Mr. Clay. Thank you. Let the record reflect that all of the witnesses answered in the affirmative. You may be seated. And we will start with Mr. Sabo to begin his testimony. And you have 5 minutes, and we like summaries. STATEMENTS OF JOHN T. SABO, PRESIDENT, INFORMATION TECHNOLOGY INFORMATION SHARING AND ANALYSIS CENTER AND DIRECTOR OF GLOBAL GOVERNMENT RELATIONS, CA, INC.; LARRY CLINTON, PRESIDENT, INFORMATION SECURITY ALLIANCE; KEN SILVA, CHIEF SECURITY OFFICER AND VICE PRESIDENT FOR NETWORKING AND INFORMATION SECURITY, VERISIGN; CATHERINE T. ALLEN, CHAIRMAN AND CEO, THE SANTA FE GROUP; AND KIERSTEN TODT COON, VICE PRESIDENT, GOOD HARBOR CONSULTING STATEMENT OF JOHN T. SABO Mr. Sabo. Mr. Chairman, and members of the subcommittee. I am John Sabo, director of Global Government Relations for CA. It is one of the world's largest software companies. More importantly for this hearing, I am a board member and president of the Information Technology Information Sharing and Analysis Center [IT-ISAC]. I am also a member of the separate IT Sector Coordinating Council, and I chair the ISAC Council, which is composed of 13 ISACs addressing cross-sector information sharing issues. I want to thank you and the subcommittee for the opportunity to share our views on public/private sector responsibilities with respect to preventing and addressing Internet disruptions. The IT-ISAC is a not-for-profit organization. We were founded in 2001. We fund an operation center.
We monitor and address threats, vulnerabilities and attacks on the IT infrastructure and we have processes in place allowing us to address these issues collectively across the member companies when issues rise to a level requiring joint analysis or action. The IT Sector Coordinating Council and DHS formally recognize the IT-ISAC as the operational information sharing mechanism for our sector. The IT-ISAC is financed entirely by member companies through our membership dues and represents a significant by leading companies in the IT sector who have stepped to the call for industry action. The GAO and the Business Roundtable have released reports, both of which have been referenced, expressing significant concerns about the ability of the Nation to respond and recover from a significant Internet failure. Despite the fact that the Internet has to date proven resilient, these reports reinforce the imperative to plan for events that exceed our current understanding of threats. History often proves us wrong and surprises us with the unthinkable. The IT sector strategy to address these challenges is outlined in the IT Sector specific plan and at the heart of this plan is the need to protect key IT sector functions. And this is a very distinct concept from the physical asset focus of many other sectors. We are looking at IT functions. The plan identifies in great detail a number of areas that need to be strengthened and in the statement we have addressed a number of them. I only touch on two here. The first includes a number of steps that Government can take to enhance the public/private operational capability. Leveraging the expertise of the IT-ISAC and other fully functional ISACs instead of turning to policy councils for operational purposes. Stabilizing U.S. CERT and providing it with adequate funding in scale with its overall national mission, defining and clarifying the relationship among the U.S.
CERT and other DHS analytical and operational components and programs. Programmatically encouraging companies to join ISACs as a best practice, something which the Roundtable did in its report. Supporting the cross-sector operational information sharing projects initiated by the ISAC Council, with equal energy and level of resources with which DHS supports policy and planning initiatives. Providing regular classified briefings to ISAC operational experts and not just to sector policy representatives. And finally, in this area, organizing more effectively in response to the growing convergence between traditional IT and telecommunications. And we welcome the physical co-location of the U.S. CERT and the NCC watch that Assistant Secretary Garcia mentioned, and in fact appreciate his invitation for the IT-ISAC to have representation. [The prepared statement of Mr. Sabo follows:] Mr. Clay. I am going to ask each remaining witness to summarize, if they can, in less than 5 minutes, their opening statements. We are going to try to get in all opening statements before we recess again. Thank you, Mr. Sabo. Mr. Silva. STATEMENT OF KEN SILVA Mr. Silva. Thank you, Mr. Chairman. I want to commend and thank you for holding this hearing. It is difficult to overstate the importance of amplifying and expanding our national focus on cyber security. Richard Clarke famously warned of the potential of a digital Pearl Harbor in which critical components of the Nation's increasingly vital electronic infrastructure would be brought down by a coordinated electronic attack.
Since he expressed his concern, nothing really much has changed to make this any less dire. If anything, the threat grows greater every day. In fact, it has already happened to the country of Estonia earlier this year. None of us in Government or the private sector can sit still on electronic security. Our defenses must always remain two steps ahead of potential holes and exploits. If we fail to maintain that focus and let it deteriorate, we will be holding a very different sort of hearing in the near future, one in which we are all called upon to answer the hard question about what happened and what could we have done to have prevented it. I have been asked to offer a perspective on the efforts VeriSign and the Internet industry are taking to ensure that such a calamity never occurs. Make no mistake, it would be a major catastrophe for the Internet to experience such a significant failure. Approximately 25 percent of America's economic value moves over network connections each day. And it is not just our economy that would suffer. Government agencies at every level rely on the Internet. Imagine today's Congress trying to operate without e-mail or any other network services. What could cause such a failure? There are a couple of potential scenarios. The first is that we in the Internet community simply fail to expand the Internet infrastructure enough to meet the mounting demands placed upon it. The second potential for failure is that we fall short in adequate protection of our critical resources against a host of increasingly sophisticated cyber-attacks being directed against it. Internet crimes are increasingly conducted by sophisticated international crime syndicates that reap huge profits by targeting the network and its users. Even more frightening is the rise of cyber-attackers backed by governments and other deep-pocketed enemies of the United States. Today's attacks can cause damage 100 times more extensive than the attacks just a year ago. 
This is why investment in the infrastructure is so critical. Simply put, if we wait for usage to outpace the development or for sophisticated attacks to overwhelm our stagnant defenses, we are already too late. We learned the cost of complacency as a country when we watched the damage done by Hurricane Katrina. By the time Katrina hit the Gulf Coast, it was too late to strengthen its levees. We should not have to learn that lesson more than once. Critical resources should be reinforced long before there is a threat to their well-being. The Internet continues to grow at dramatic rates, which means the infrastructure must scale to meet that demand. No one can take security and stability of these networks for granted; not VeriSign, not the ISPs or other private sector players, and certainly not the Government. As the operator of the dot-com and dot-net domain registries, as well as a steward for 2 of the 13 root servers, VeriSign understands what is at stake. Over the last 8 years, VeriSign has operated its infrastructure with 100 percent in up-time. In other words, the systems that ensure Internet's core infrastructure remain functional have never gone down. VeriSign's primary computers that handle the dot-com and dot-net traffic are now capable of handling 10,000 times the number of queries that they could handle in 2000. And while the dot-com and dot-net systems currently process more than 30 billion queries a day, we will need to build a network infrastructure that can support 10 to 100 times that level of volume in the next few years. That is why earlier this year, VeriSign announced a global initiative called Project Titan to expand and diversify its Internet infrastructure to those levels by 2010. These upgrades are vital to managing the surge in Internet interactions and protecting against cyber-attacks. VeriSign is well on its way to meeting its goals under Project Titan and is already considering how to address this set of challenges. Thank you.
[The prepared statement of Mr. Silva follows:] Mr. Clay. Thank you. STATEMENT OF LARRY CLINTON Mr. Clinton. I want to congratulate you, Mr. Chairman, on holding this hearing of the Government Reform Committee, because Government reform is clearly what is necessary. The June 2, 2006 GAO Report got it exactly right. The problem is the inherent characteristics of the Internet. The Internet is unlike anything we have ever dealt with before. It is international, it is interactive, it is constantly on the attack. Consequently, it will require a security system unlike anything we have ever designed before. We can't simply cut and paste previous government systems and put them into Internet security. Even if Congress enacted a brilliant statute, it would only go to our national borders. Even if a regulator came up with a brilliant solution, it would be outdated before you could put it into effect. Fortunately, we need other things to attack the Internet. The committee has expressed some interest in the instance of Katrina, saying that we should model ourselves on that. There are major differences between cyber-attack and Katrina. Katrina, we could see it coming. Literally. From hundreds of miles away. The adequate analogy to Katrina is that the problem with Katrina wasn't the event itself. The problem with Katrina was that the systems weren't in place to properly handle the event. Now, fortunately, we actually know a good deal about how to mitigate and manage a number of issues dealing with cyber security. The largest study ever conducted in this field found that the best practices group, people who follow the industry-recognized best practices, were able to have fewer incidents, less downtime, less financial loss.
What we need to do is find a way to get more people to follow the best practices that industry is already following. Industry is also not waiting for government to get its act together. Industry is aggressively moving forward with new products and services because, as it has already been pointed out, the problem has morphed. We are no longer looking at these well publicized instances like Blaster and Love Bug that were designed to get publicity. Instead, what we are dealing with now are carefully targeted designer malware that can sit on a system for an extended period of time, cause tremendous damage and we don't even know it is there. Fortunately, we are developing new systems to attack this. But there is a role for the government. And the role for the government was pointed out in that 2006 GAO Report, where they pointed out that in the private sector, competitors were working together to deal with these incidents when they see that there is a direct business relationship benefit to that. And the NIPP, the National Infrastructure Protection Plan, also pointed out--and this is the one thing that I choose to read for you, Mr. Chairman: That the public private partnership called for in the NIPP provides for the foundation for effective critical infrastructure protection. The success of the partnership depends on articulating the mutual benefits to government and the private sector partners. While articulating the value to the proposition for the government is typically clear, it is often difficult to articulate the direct benefits to the private sector. In assessing the value proposition for the private sector, there is a clear national security interest and homeland security interest in ensuring that the collective protection of the critical infrastructure goes beyond that of the business unit.
Government can engage industry to go beyond efforts already justified by their corporate business needs and assist in a broad-scale critical infrastructure protection by creating an environment that supports incentives for companies to voluntarily adopt widely held best practices. And I conclude my presentation by listing for you 10 steps that I would suggest that the committee consider for roles that the Government can embrace, which are not your traditional regulatory role, but are things like leading by example, using your market power instead of your regulatory power; supporting research and development that is not going to be undertaken by industry; using the market incentives that you have traditionally used in other areas; address the lack of cyber insurance; raise your aim in terms of awareness to focus on senior executives rather than individuals; adopt a coherent strategy for dealing with the private sector, something discussed before; clarify the roles and procedures for crisis management; and rethink your approach to information sharing. Thank you, Mr. Chairman. [The prepared statement of Mr. Clinton follows:] Mr. Clay. Thank you so much, Mr. Clinton. The committee will now recess for the duration of these votes on the floor. They tell me it will be about half an hour. I am sorry. The committee stands in recess. [Recess.] Mr. Clay. The committee will come to order. Ms. Allen. STATEMENT OF CATHERINE T. ALLEN Ms. Allen.
Thank you, Chairman Clay and members of the subcommittee and committee for the opportunity to submit testimony before you today on private and public sector efforts to secure our Nation's Internet infrastructure. The Santa Fe Group does a lot of work for the industry and still for BITS. I am actually going to go directly to the recommendations because of the time. And what I am suggesting is that the financial services industry has done a great deal to strengthen business continuity planning and coordination prior to and during times of crisis. We have business continuity plans which are constantly updated. We refine and test them, and this is a regulatory requirement, and part of our risk management process. Most financial institutions, in fact, all that are deemed mission critical are required by our regulators to have recovery operations in place and back-up in a very narrow timeframe. And this requires telecommunications, it requires power and it requires dependency upon IT. If any of those are not working, we cannot meet our regulatory requirements. I would be the first to tell you that we have a long way to go as an industry, but there is much of what we do that we believe could be copied or modeled for other critical infrastructure industries. We have a very successful FS-ISAC, Financial Services ISAC, and FSSCC, a coordinating council for critical infrastructure protection. We work very closely with our regulators through the FBIIC and with the Department of Treasury in coordinating on everything from Katrina to the power outage after 9/11. Most recently, we ran a pandemic exercise which included a component that looked at if the Internet was down and we had many people working from home, what would that mean.
And I would say that the two most important things that we have done related to Internet recovery are the work that we did on business critical telecommunications services, where we developed best practices, not only for the financial sector but for the telecom sector, upon which we are extremely dependent, to make sure that they had the diversity and redundancy that we needed. We also finished a business critical access to power. We did this with the power industry, again to look at best practices for alternative power if there was disruption in any of the IT industry. Last, we worked in managing third-party service providers. Much of the Internet is dependent upon third parties, many of whom are located in India and China and other places. So, looking at how we manage those. Those are all models for other industries. The recommendations that I have are, recognize that other industries may need to share the same level of responsibility and liability that we do as an industry, and to look at some of our regulatory requirements might not be a bad idea. Second, we maintain rapid and reliable communications, and that means diverse communications. I personally had a number of our CIOs from the financial sector in Detroit when we had the power outage, we were all using our Blackberries, which were the only thing that still worked, because the cell phones ran out and there was no power. But that is how we communicated with our regulators, and we were able to make sure that it wasn't a terrorist event, that it was in fact a power outage. But we needed to have alternative channels. Recognize the critical infrastructures that are dependent upon software and operating systems. The IT industry is the backbone for telecommunications, for power, for the user groups like financial services and chemical, and if they are down or disrupted, we are down. 
So, it is critically important to focus on the Internet, the software and operating systems that access the Internet because that is the backbone of both economic and communications-wise for us. We encourage our regulatory agencies and others to look at the software vendors. Similar to what our regulators look at, third-party service providers, to make sure that they are delivering safe and sound practices and security practices within those vendors. Encourage collaboration and coordination among critical infrastructures and the government agencies to enhance the diversity and resiliency of the telecommunications infrastructure. The NCC, the NCS, used to be an outstanding organization. We did a lot of our early work with them. They were gutted. They have no budget to be able to do the kind of work that we need for them to do. Invest in the power grid because of its critical and cascading impact on other industries and other critical infrastructures. And when I talk about invest, I think there are incentives that Congress can put in place to have these other industries make sure that they maintain a resiliency. Improve the coordination procedures across all critical infrastructures and with the Federal, State and local governments, I don't believe it is working, and I think there is much that we need to do, when we do have a major event. And last, encourage law enforcement to prosecute cyber criminals. And in particular, on a global basis, because much of the problems we have are not criminals in the United States, they are criminals in the Ukraine or in Asia or in other countries that are attacking our systems here today. I thank you, Chairman Clay and Members, for this opportunity to testify on ensuring Internet resiliency and security in light of the increased cyber-attacks. It is a daunting task, but it is critically important to do so. Thank you. [The prepared statement of Ms. Allen follows:] Mr. Clay. Thank you so much, Ms. Allen, for your testimony. Ms. Todt Coon, you may proceed. STATEMENT OF KIERSTEN TODT COON Ms. Todt Coon. Good afternoon, Chairman Clay, and thank you for the opportunity to testify. As was mentioned in the introductions, I am currently a vice president at Good Harbor, and of particular relevance to this hearing, served on the Senate Committee on Homeland Security and Government Affairs, and worked on the Directorate part of the DHS legislation on Internet Protection and Emergency Preparedness. In the interests of time, I will move pretty quickly to my recommendations. As the National Strategy to Secure Cyberspace correctly stated, cyberspace is the nervous system supporting our Nation's critical infrastructure. Yet, despite our recognition of this, little has been done and there are several reasons for this, including authority and ownership issues, both in the public and private sectors. Our Internet infrastructure is vulnerable for several reasons, and I will tackle two of them regarding infrastructure and looking at response capabilities. Regarding infrastructure in our end systems, there are two classes of end systems. There are home users and enterprise. Access to the servers usually by these enterprise users is critical in a time of crisis.
If the end systems are compromised, then key response personnel will not be able to access the information they need to respond to an event. The current challenge with which we are faced is that all information, both critical and non-critical, is transmitted over our information networks and treated equally. For example, if this Nation is confronted with a pandemic like the avian flu, our information networks as they currently exist will experience disruptions and outages that will paralyze us and prevent us from executing an effective emergency response. The second area of weakness I will discuss in this brief statement is response capabilities. Our response capability is critical because obviously we are not able to guard successfully against all threats. We don't have a back-up system at this time that can be activated in the event of a widespread Internet failure. And we have not developed scenarios for potential attacks on our Internet infrastructure. Experts disagree on the magnitude of risks and what needs to be done. And what is important is that we routinely use this lack of consensus as an excuse for inaction. Until we reach agreement on these issues, we will not be able to prepare for imminent attacks. So I offer today the following recommendations. The Internet was designed for the purpose of openly sharing information. The question then with which we are posed is how do we impose the secure exchange of information on top of an open sharing environment. We should create a three-tiered system that allows our networks to identify and prioritize in the following order. First, critical communications supporting government operations, business and first responders. Second, routine business information, and third, non-critical information. In a time of crisis, we must be able to ensure that critical information is being delivered with priority speed and that it is not encumbered by non-critical information being sent simultaneously.
We must also develop back-up systems and conduct scenario planning. If we experience a life cycle attack, we would need to have the ability to reboot the Internet. We should have reserve network protocols and we should maintain back-up parallel systems that can replace the active systems and bring up the critical portion of the Internet in the time of crisis. And we should develop a playbook for scenario planning. And I assert that this is different than exercise. Scenario planning is different than exercises. Scenario planning would push us to identify and conceive possible responses to a serious attack. We need to think through how appropriate players in both the public and private sectors will respond and we need to examine our current authority and ownership issues within both the government and the private sectors. I now submit to you a final recommendation. One of the first steps we need to take in preparing ourselves for an information infrastructure failure is to set risk standards. However, we can't set risk standards if we don't know what the risk is. I commend this committee on its work with FSMA because I think FSMA has done a good job with defining cyber security. I also propose a National Cyber Risk Assessment to be conducted by a blue ribbon commission of experts who would be responsible for defining the risks that exist. The only way we can begin to adequately prepare ourselves is to commit to possible scenarios. The assessment would inform the scenarios and enable us to assign ownership and controls. The Office of Management and Budget should provide the resources, the direction and the oversight and leadership for this assessment. In conclusion, experts and observers postulate that we do not have to be worried about hackers taking down the Internet because hackers would not intentionally bury their playground. But our greatest risk does not come from hackers. 
It comes, as was mentioned before, from foreign governments that can ably and quietly use the Internet infrastructure for espionage and other nefarious purposes. The threat is particularly strong from governments that have developed their own internal Internets, such as China, and would therefore not be severely affected by a worldwide disruption. Recent events have demonstrated that these scenarios are not possibilities, but realities. Our national security, the health and well-being of the community, and the daily functioning of our society depend on the security and resiliency of our infrastructure. We have a responsibility to define the Internet infrastructure risk that exists and to plan for that risk appropriately. And we have a responsibility to act. I assert that we must act now. Thank you for the opportunity to testify before you today. [The prepared statement of Ms. Todt Coon follows:] Mr. Clay. Thank you very much. I will ask the panel several questions, and I would love to hear responses from the entire panel. We will just start at this end of the table with Ms. Todt Coon, and go down the line. The first issue is, regardless of which sector of the economy we focus on, all of them have significant levels of dependence on the Internet for their operations. It seems, however, that we spend more time focusing on the risk of 17 different sectors, as opposed to the broad risk associated with the disruption of a key critical asset, such as the Internet.
First, should we begin to move away from establishing levels of risk for each specific sector, and move toward establishing risk models according to specific assets or critical functions, such as telecom, Internet or infrastructure resiliency or the security of our power transmission assets? Ms. Todt Coon, let's begin with you. Ms. Todt Coon. Thank you. That is an excellent question, and it is obviously a question that we are confronted with in looking at how we have organized our sectors. I think some would assert at this point that the sector model is sophisticated in a way that is almost too sophisticated for us to manage right now, because the reality of how we are handling the sector issue is that it is stalling us and preventing us from making the progress that we could on information infrastructure protection. I would reference a report that was recently released by the Business Roundtable which talks about public/private partnerships. And it talks about the fact that the private sector incorrectly believes that government is developing response plans and that the Government believes that the industry structures will have their recovery response plans. We recognize that both the public and the private sector have a role but neither is adequately prepared. Having said that, I would like to reference, I think, a model within the private sector and its coordination with the public sector that has worked effectively. And that is the FBIIC model, which Ms. Allen has referenced. It is the Financial and Banking Information Infrastructure Committee. Post 9/11, the financial sector was obviously concerned about the anticipation of what could happen to our banking and financial markets. Through the committee, the Fed reached out to 11 financial institutions--reached out to the banking industry, and said we are going to talk to 11 institutions, we are not going to tell you who they are. Obviously if we talk to you, you will know you are one of them. 
And if not, you are not. And they worked with these institutions to create a security and resiliency plan. And Ms. Allen, I am sure, can talk to this in greater detail. But what this collaboration reflected was the clarity of Government purpose, and it also reflected industry working within a Government strategy. And one of the reasons why I think this was effective, was that the Government was able to leverage its institutional knowledge. The way that we have currently organized with DHS is that we have split the ownership roles across different agencies and entities, both on the cyber side, but we see it with energy and with other structures. And what I would propose is that we look at how the Government can institute this integrated approach to industry protection in a more collaborative way that doesn't silo this protection issue.

Mr. Clay. Thank you for that response. Ms. Allen.

Ms. Allen. I agree with everything you just said, and I would add to it, you can't boil the ocean. And I would pick five infrastructure groups to first coordinate and use that as a model for the others. And that is, the IT, the Internet, the telecom and the power, because they are absolutely interdependent. Then I would add financial services, because if that is down, then you are going to have a major problem with the economy and the confidence of the people. Last, first responders, so that you are taking care of the first responders. If you could look at integrated programs across those five groups, with the Government, that would be the starting point. And I think the FBIIC model, that the financial sector developed is the right model.

Mr. Clay. Should it all be Homeland Security's responsibility? [Laughter.] Well, maybe Ms. Todt Coon should answer that. You helped design----

Ms. Todt Coon. Well, I don't have a lot of confidence. Let's just say that there have been many, many attempts to have this happen under DHS and it has been very difficult for it to be effective.
So I think it is really going to take absolute administrative support. I am in support of a blue ribbon commission and then maybe DHS responds back to and does whatever this commission says it needs to do. But I don't think that it is going to come the way that we have it structured now.

Mr. Clay. All right. Mr. Clinton.

Mr. Clinton. Mr. Chairman, I think that is a very thoughtful question. And I have been trying to listen to my colleagues to get a good answer for it, while I have been thinking of it myself. Here is my off-the-cuff view on it. First of all, we at the Internet Security Alliance have never embraced the sector model. The Internet Security Alliance is built on an entirely different model. We are a cross-sectoral organization. We have the defense sector, IT, banks, Coca-Cola, food service. Only because when you are dealing with the Internet, it is all ones and zeroes. So we all have the same problem, although, at a sub-structural level, there are individual sector orientations within. So, the sector model, I think, was entirely the wrong way to go, fundamentally. And when I say we ought to rethink things, that is one of the places where I would suggest we begin. The second question, and this kind of gets to your followup question a little bit, has to do--when you say, what should we be doing. That is a really critical question. Who is the ``we'' you are talking about, sir? I think it is appropriate for you to be thinking, well, should this be DHS? And my answer is no, it shouldn't be DHS. It can't be DHS. If we try to shove this into DHS, even if we hire Catherine Allen to run DHS, I am still not sure that they are going to be able to do it. They are a U.S. Federal Government institution trying to deal with an inherently international infrastructure that is owned and operated 95 percent by the private sector. Trying to get this done through DHS or the Internet Commission on Wonderfulness is not going to work.
We have to understand that we are dealing with an entirely different model. We have to find a way to work together with the private sector. The private sector is constantly--the major players, anyway--are constantly doing risk assessments. They are constantly upgrading their systems. As I said in my testimony, they are not waiting for DHS. And we work cooperatively with DHS. I am not going to bash DHS. But the system is being run by the private sector. That is never going to change. We have to find a way that Government understands its role. And its role is not to manage, to dictate, to be the parent here. Their role is to be a major user who works with all the other major users. Now, obviously they have a separate role in terms of national defense that we could deal with differently. But my suggestion would be that the way to go about this is to harden the entire system. Not to identify what the one particular risk is because that is a static moment in time. This past week we had a major conference at ISA where we looked at securing the IT supply chain. Talk about a major problem. There is nothing that is not in the IT system that is not researched, resourced, developed, assembled, whatever, someplace. And some of the places this stuff is made can be a little bit scary. How do we secure the supply chain? And we looked at all the risks. And we said this is the area where we have the greatest vulnerability. We looked at it for a minute, and we said, well, as soon as we established that as the major risk vector, the guys who are attacking this aren't stupid. Move it over to here. So the risks don't stay static. We need a full systems solution that is sustainable on a long term basis and that is why we argued for a system of market incentives. 
We have to make the owners and operators realize that it is in their self-interest to continually upgrade and build-out the system, including the Federal Government's, and that is, we think, the answer to the approach that you are suggesting.

Mr. Clay. Thank you for that response. Mr. Silva.

Mr. Silva. I think that you have brought up a couple of interesting questions here, and I thank you for the opportunity to respond to them. It is interesting, when you really think about throughout time, we have kind of decided that we would handle this in a sector-specific way and that's just sort of how it worked itself out. In fact, the ISACs themselves were created as sector-specific to a large degree. And there are problems that are sector-specific. For instance, financial institutions have a more interesting set of threats unrelated to the infrastructure itself, but more around IT security and around the practices of being online for a bank or other financial institutions. But there are a lot of overlapping infrastructures, and those infrastructures certainly include the Internet itself, which all by itself is very insecure. I mean, the Internet itself doesn't offer any security. It really doesn't. Most of the security is handled either through appliances or through the applications themselves. But the Internet itself was designed to be an open system with really zero security measures to it at all. So I think that we need to look at the Internet infrastructure and its resilience and whatever security mechanisms we need to put in place to make sure that it continues to stay up, and the international aspect of it needs to be something that is looked at commonly across all of the sectors. Now you did ask what we should be doing and, as Mr. Clinton pointed out, what we should be doing is dependent upon who ``we'' is. Since the private sector is responsible for most of the infrastructure on the Internet, it is incumbent upon the private sector to take action.
I think if we beg for too much regulation from the Government, we will get exactly what we asked for, and I don't think that would be a pleasant situation, either. But as Mr. Clinton pointed out, incentives are probably the best tactical step that could be taken with long term effects that I think would be positive. Unfortunately, when we look at building out the infrastructure, say, for the next generation of the Internet protocol--which by the way that next generation of Internet protocol was developed a decade ago, and still has yet to be implemented literally. IP Version 6 has been pretty much standardized for a number of years and is the best technology yet to come, still. But there is no incentive for telecommunications providers or Internet service providers to deploy it. There aren't any customers and it is a chicken and egg kind of thing. There is a more secure, more robust protocol, and some would argue that it is not necessarily more secure and I might be one of them. But it hasn't been deployed because there are no customers for it. There are no customers for it because it doesn't exist. The Federal Government is a big enough customer that if they demanded it as part of their infrastructure, and their infrastructure build-out and used their market influence, their buying power, then those kinds of protocols and those kinds of enhancements would be made, if demanded by the Government as part of the procurement process. Thank you.

Mr. Clay. Thank you for that response. Mr. Sabo.

Mr. Sabo. Well, summing up after that, or coming to a conclusion, a couple of things I would say with respect to the basic question. There are risk assessments that can be applied generally to what we see as the infrastructure. And some of that work is happening now.
The IT-ISAC and the Sector Coordinating Council, in fact, have work groups of industry experts attempting to look at the key functionality provided by the infrastructure and the sub-functionality, and attempt to build a risk assessment methodology that actually might make some sense. If you do a static risk assessment, although I respect the idea of bringing in experts and assembling for many months, we have had many of those studies. You can look at the literature and you can see a number of recommendations made by academicians and by industry experts that are sitting on the shelves because the Internet and the infrastructure are very dynamic. And, as Mr. Silva pointed out in his statement, a number of threats to the infrastructure are not on the infrastructure, it is on the applications that ride on the infrastructure and that impact the utility of the infrastructure. In the financial sector, a number of attacks are based on social engineering. And those attacks open up and expose vulnerabilities, the vector of an attack that can be used much later to go after the infrastructure. In a way, we have a very organic Internet infrastructure. The components of it, such as software itself or a domain name service resolution or some of the other pieces of it, are all components which lead to the vulnerabilities which actors can use when they decide to make an attack. So a couple of things. One is, work needs to happen cross-sector and I agree with that, and it is actually starting, but it has not really moved far enough along. Work also has to happen by the users of the infrastructure, and that is, the major sectors and the major corporations and companies in the sector. And to some degree that is addressed by the type of regulatory environment in which financial services operates. It is not addressed in many other environments and yet the work needs to be done.
So I think it really is a combination of both looking at the risks associated with the use of the network infrastructure, for example, by control systems, the use of the infrastructure by the major corporations, but also by the industry that writes the hardware/software and operates resolution services and security services for the infrastructure. You can't look at it, I think, as one simple solution. You have to recognize how complex the beast is, and you have to let, actually encourage, which was the purpose of my testimony for the ISAC, that where industry is stepping forward to address these issues, Government's best role is to foster and encourage through appropriate incentives. And not all monetary incentives. They could be incentives such as saying we encourage you and we will support some of these activities, to move forward with that. And I think to conclude, the Roundtable Report is an eye-opener. Because what the Business Roundtable found in its report says that we are increasingly and fundamentally and almost totally becoming dependent on this IT infrastructure which is network based. And in that interdependence, we are losing our capacity to go backward. We are losing our ability to go back to older systems. We are losing our ability to fall back to paper systems. Therefore it is imperative for us as a Nation to take the steps to do what you just said; do an active risk assessment, put in the types of controls we need, do some of the strategic work that is academically based, but have a proactive operational plan to move forward. If all we are going to do is write more papers, do more commissions, do more studies, we are going to hopelessly fall behind. And so I think being active, looking at the uniqueness of each sector, what the companies are doing, what the practices are, as well as looking cross-sector at some of the functions, is a combination way to go.
And then from a congressional perspective, avoiding regulation but perhaps looking to measures and to saying to us who are in these sectors, what are some performance measures that you are using to evaluate your effectiveness. What steps are you taking. What outcomes are you offering. And to me that would be the most effective short-term approach.

Mr. Clay. Thank you for that response. One more question for the panel. Is the extension of the Federal Terrorism Reinsurance Backstop program an adequate model for Government to provide economic security to the private sector in the event of a major Internet disruption? Do we have effective risk models to determine the cost and potential exposure to the Government for covering this type of incident? We will start with Ms. Todt Coon.

Ms. Todt Coon. I would go back to--I appreciate the comments of the panelists, but I continue to assert that we have not defined the risk in a way that allows us to create a model, in response to your question. By not having this accountability and by not defining this risk, we are being stalled with inaction. And while there has been action in different components, as we cited earlier--I think what the financial sector has done is exemplary and noteworthy--as a whole, we have not made the progress on these issues that we are looking to do. And I think at the end of the day, in looking at what the public and the private sectors have done, as we cited earlier, looking up multiple post-Katrina reports, we recognize that neither the public nor the private sector can respond individually. They need to work together. And Katrina showed us that the ways in which they work together currently aren't working properly. And so I would encourage us to look at legislation, like the Stafford Act, to revise to include for-profit companies and also look at the Defense Production Act, which if leveraged correctly by DHS could support the work that they are doing.
And I think that legislation exists out there within which we need to work. And that we also need to be assigning the ownership and responsibility in a more clear way that allows those entities responsible for this to act accordingly.

Mr. Clay. Thank you for that. And, Ms. Allen, the Terrorism Reinsurance Backstop program, is it an adequate model?

Ms. Allen. It is not adequate. I think it is a good thing, but it is not adequate. Again, I agree that there is not an appropriate risk model. We don't yet understand the cross-sector impact. I think there are other incentives, including insurance, the ratings agencies, tax incentives, Government procurement, that might be more effective in the short run. And that is my answer.

Mr. Clay. Mr. Clinton.

Mr. Clinton. I think I would agree that it is a useful model, but some important differences have to be realized. First of all, cyber insurance is a very different animal than traditional insurance. The cyber insurance market has not taken off at all. It has been stagnant for 5 or 6 years, about 20 percent of companies have cyber insurance. And there are things that the Government can do to help in that area. So, if you are talking about cyber, the model is probably worth looking at, but there are other things that need to be done. And my colleagues are exactly right with regard to you can't assess the risk. Let me quickly tell you what the core problem is with cyber and then in my written testimony I go into a little bit more depth on insurance. I won't bore you with that now. But the problem with cyber insurance, it is available. But the problem is, nobody buys it. And the reason nobody buys it is because it costs too much money. And the reason it costs too much money is because since there aren't adequate actuarial tables, the businesses that run the cyber insurance naturally set the risk at maximum and therefore the prices are at maximum.
The Federal Government could do a tremendous service by coming in and working with us so that we get the data appropriate so that we could set actuarial tables which would bring more providers into the market. Currently one company, AIG, has 85 percent of the market. That is not a good thing. If we got more providers into the market by providing them with the data, which I expect the Government does actually have, that would then lower the cost. By lowering the cost, now more providers will get in. That will increasingly lower the cost, which has two major benefits. First of all, if you have a cyber Katrina right now, there is virtually nobody covered. Which means the insurer of last resort is going to be the Federal Government. The Federal Government is going to be stuck with a bill of billions and billions and billions of dollars. It is going to be worse than Katrina because at least there was some insurance down there. There isn't in a cyber Katrina. Second, once we have insurance available and being purchased broadly throughout the market place, insurance can be, in addition to other incentives, and I would endorse Cathy's comments in that regard, but insurance can be a tremendous incentive. We use insurance all the time to motivate pro-social behavior. Good driving behavior, good health behavior. My daughter is desperate to get really good grades because it is going to lower the insurance on her car. This can drive better behavior. And what I have argued in my testimony is, the way to have a fully resilient, consistent, consistently up-growing system is to have market incentives. Insurance is a great one. So that people will constantly want to adopt the best practices, get the lower insurance rate and the industry and the Government are therefore covered if we have a major event. So, it is a good model, but there are a variety of things that we have to do to make it work, particularly in the cyber arena.

Mr. Clay. Thank you for that response. Mr. Silva.

Mr. Silva.
Thank you. I don't know that level of assistance is necessarily everything that we need. And there has been a lot of discussion about how difficult it is to assess the risk. And I don't know about assessing the risk because I think each individual element of this could assess what they believe is a risk and then somehow we could wrap that up. It is difficult to assess now. What is even harder to assess is what the level of damage is going to be. And it will be more than we can even imagine sitting at this table. We couldn't have imagined the damage that happened during Katrina and when we sat and tried to plan for that ahead of time. But the damage that would have happened from even shutting down the Internet for a couple of hours in the middle of a trading day or the middle of a business would be catastrophic. It would be huge. And if something so serious occurred that we had to reboot the Internet, so to speak, it would be a significant amount before that recovery would actually take place. There are so many different players. But one of the things that I worry about, in addition to those attacks that come from a terrorist act, if you will, or some malicious behavior, are those sorts of things that might create a self-inflicted wound. In our zeal to try to improve the Internet, in many cases, we make it more complicated and in fact create new and additional risk that we should think through a lot more carefully before we do it. One example of that is internationalized domain names. There are proposals to create internationalized domain names in order to let countries create domain names, the name of Web sites, if you will, in Cyrillic or Arabic, etc. The problem is that because of a lack of careful action and careful planning on this, other countries are on their own racing out to create another Internet, if you will, that uses the Internet we are used to, but works in a completely different way. 
So the rules and regulations that we would create and the policies that we would create as industry sectors and as governments wouldn't apply to these people. Therefore, we have to take corrective action for whatever the weakest link is going to be, and carefully think through some of these improvements that we think are improvements, and make sure that they are not actually creating more complexity and more confusion for users and more confusion for the people who have to assess threats and damage.

Mr. Clay. Thank you for that response. Mr. Sabo.

Mr. Sabo. I think an approach to this is to give a chance to the mechanisms that have not been given a chance to work. It is a complex environment. We have never been in a situation where millions of individuals scattered around the whole United States, or for that matter, the world, could literally have an impact on a national economy. We have never been in a situation where people living--and it has been rare--but if you think of a physical event and the insurance for terrorism, it might be very applicable to that. But we are dealing with a much different animal.

Mr. Clay. Mr. Sabo, let me interrupt you. Are we too dependent on the Internet as a society? As a world? Mr. Clinton is saying there is no going back. There is no way to go back to the paper or anything else. Does that make us too dependent on the Internet?

Mr. Sabo. We are dependent on it. And it is increasingly so. And we can't stop that because the nature of us as human beings, the nature of the capitalist society and the development of many uses of information and new technologies, simply can't be arrested without some dramatic shift back to a society of almost the Stone Age. You can't do it. Having said that, and knowing the complexity that we do, my suggestion is that we give an opportunity for measures to begin working slowly to address different aspects of this. So one aspect is Internet resilience and some of the things that Ken is talking about.
Another aspect is expectations of companies as noted in the Business Roundtable to take steps, good steps, to deal with business continuity practices. Another example would be looking to industry through the ISACs and so on, to address vulnerabilities. And by putting this together in combination, you have some opportunity to see progress against a set of measures. But if you just look at it in terms of--particularly with the Internet, as Ken said, a catastrophe so huge that in cyber terms it would be the equivalent of a national state of emergency that might continue for weeks or months. What is that? How can you insure against it? Insurance might be good to, say, I have a breach issue and I am insured against the risk associated with that. But how do you insure against the loss of a whole infrastructure for the whole economy? So I would say an approach is let each of the measures that are best suited for this tier of protection be given a chance to operate and be given a chance to demonstrate effectiveness.

Mr. Clay. Thank you so much for that response. Let me thank the panel for their responses and their expertise in this area. I am certain that this will not be the last hearing. But as you have heard, the bells have rung, and without objection, this committee is adjourned. Thank you.

[Whereupon, at 5:50 p.m., the subcommittee was adjourned.]