[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]




 
                    COMPUTER SECURITY IMPACT OF Y2K:
                        EXPANDED RISKS OR FRAUD?

=======================================================================

                             JOINT HEARING

                               before the

                       SUBCOMMITTEE ON TECHNOLOGY

                                 of the

                          COMMITTEE ON SCIENCE

                                and the

                            SUBCOMMITTEE ON
                  GOVERNMENT MANAGEMENT, INFORMATION,
                             AND TECHNOLOGY

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             FIRST SESSION

                               __________

                             AUGUST 4, 1999

                               __________

                       Science Serial No. 106-23

                               __________

                  Government Reform Serial No. 106-57

                               __________

            Printed for the use of the Committee on Science


                   U.S. GOVERNMENT PRINTING OFFICE
60-842                     WASHINGTON : 2000


                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH, Idaho                   (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
           David A. Kass, Deputy Counsel and Parliamentarian
                      Carla J. Martin, Chief Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------                                

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                   Matt Ryan, Senior Policy Director
    Bonnie Heald, Communications Director/Professional Staff Member
                          Grant Newman, Clerk
                    Trey Henderson, Minority Counsel
                          COMMITTEE ON SCIENCE

            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
SHERWOOD L. BOEHLERT, New York       RALPH M. HALL, Texas
LAMAR SMITH, Texas                   BART GORDON, Tennessee
CONSTANCE A. MORELLA, Maryland       JERRY F. COSTELLO, Illinois
CURT WELDON, Pennsylvania            JAMES A. BARCIA, Michigan
DANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas
JOE BARTON, Texas                    LYNN C. WOOLSEY, California
KEN CALVERT, California              LYNN N. RIVERS, Michigan
NICK SMITH, Michigan                 ZOE LOFGREN, California
ROSCOE G. BARTLETT, Maryland         MICHAEL F. DOYLE, Pennsylvania
VERNON J. EHLERS, Michigan           SHEILA JACKSON LEE, Texas
DAVE WELDON, Florida                 DEBBIE STABENOW, Michigan
GIL GUTKNECHT, Minnesota             BOB ETHERIDGE, North Carolina
THOMAS W. EWING, Illinois            NICK LAMPSON, Texas
CHRIS CANNON, Utah                   JOHN B. LARSON, Connecticut
KEVIN BRADY, Texas                   MARK UDALL, Colorado
MERRILL COOK, Utah                   DAVID WU, Oregon
GEORGE R. NETHERCUTT, Jr.,           ANTHONY D. WEINER, New York
    Washington                       MICHAEL E. CAPUANO, Massachusetts
FRANK D. LUCAS, Oklahoma             BRIAN BAIRD, Washington
MARK GREEN, Wisconsin                JOSEPH M. HOEFFEL, Pennsylvania
STEVEN T. KUYKENDALL, California     DENNIS MOORE, Kansas
GARY G. MILLER, California           VACANCY
JUDY BIGGERT, Illinois
MARSHALL ``MARK'' SANFORD, South 
    Carolina
JACK METCALF, Washington


                            C O N T E N T S

                              ----------                              
                                                                   Page
August 4, 1999:
    Opening Statement by Representative Constance A. Morella, 
      Chairwoman, Subcommittee on Technology, U.S. House of 
      Representatives............................................     1
    Opening Statement by Representative Stephen Horn, Chairman, 
      Subcommittee on Government Management, Information and 
      Technology, U.S. House of Representatives..................     3
    Opening Statement by Representative Mark Udall, Member, 
      Subcommittee on Technology, U.S. House of Representatives..     6
Witnesses:
    Mr. Joe Pucciarelli, Vice President and Research Director, 
      Gartner Group Inc.:
        Oral Testimony...........................................     7
        Prepared Testimony.......................................    10
        Biography................................................    15
        Financial Disclosure.....................................    16
    Mr. Harris Miller, President, Information Technology 
      Association of America:
        Oral Testimony...........................................    17
        Prepared Testimony.......................................    19
        Biography................................................    33
        Financial Disclosure.....................................    35
    Mr. Dean Rich, Vice President for Security Services, WarRoom 
      Research:
        Oral Testimony...........................................    36
        Prepared Testimony.......................................    39
        Biography................................................    41
        Financial Disclosure.....................................    44
    Mr. Wayne Bennett, Chair, Commercial Technology Practice 
      Area, Bingham Dana LLP:
        Oral Testimony...........................................    45
        Prepared Testimony.......................................    47
        Biography................................................    52
        Financial Disclosure.....................................    56

                   Appendix 1: Additional Statements

Statement by Representative Debbie Stabenow, Member, Subcommittee 
  on Technology, U.S. House of Representatives...................    76

                  Appendix 2: Materials for the Record

USA Today Article, Y2K fixes open door for electronic heist, M.J. 
  Zuckerman......................................................    78
Gartner Group Report, Year 2000 and the Expanded Risk of 
  Financial Fraud, April 1, 1999.................................    80


  HEARING ON THE COMPUTER SECURITY IMPACT OF Y2K: ``EXPANDED RISKS OR 
                                FRAUD?''

                              ----------                              


                       WEDNESDAY, AUGUST 4, 1999

        House of Representatives, Subcommittee on 
            Technology, Committee on Science, and the 
            Subcommittee on Government Management, 
            Information, and Technology, Committee on 
            Government Reform,
                                                    Washington, DC.
    The subcommittees met, pursuant to notice, at 10:06 a.m., 
in Room 2318, Rayburn House Office Building, Hon. Constance A. 
Morella [chairwoman of the subcommittee] presiding.
    Present: Representatives Morella, Horn, Bartlett, 
Gutknecht, Turner, Rivers, Stabenow, Udall, and Wu.
    Chairwoman Morella. I'm going to call to order the latest 
in our series of ongoing hearings on our House Y2K Working 
Group made up of the Science Committee's Technology 
Subcommittee and the Government Reform Committee's Government 
Management, Information, and Technology Subcommittee.
    On behalf of my colleagues Chairman Horn, Ranking Members 
Barcia and Turner, and Mr. Udall, I want to welcome our 
distinguished panel as we discuss today the concerns raised by 
a number of information technology experts that Y2K fixes may 
pose a substantial security threat to computer operating 
systems.
    While the Technology Subcommittee has been reviewing the 
year 2000 problem over the past 3 years, during that time we 
have also been looking closely at the issue of computer 
security.
    Many of you have heard me compare our Nation's lack of 
adequate information security to the year 2000 computer 
problem.
    Well, it now appears that Y2K and computer security aren't 
just inviting comparisons, but have overlapped into one issue.
    A lot of recent attention has been focused on the April 1, 
1999, GartnerGroup report suggesting that as part of every year 
2000 system fix, every aspect of every single information 
technology system is potentially subject to change and 
manipulation, raising the risk of theft, fraud, or corruption.
    The GartnerGroup report also stated that at least one 
publicly reported theft exceeding $1 billion may occur through 
lapses in security directly resulting from Y2K remediation 
efforts.
    Since the publication of the report, a number of 
independent scientists, security professionals, and others in 
the Y2K community appear to have few quarrels with the 
GartnerGroup's dire prediction.
    The concern is that Y2K employees who have been hired to 
correct systems might have left ``trap doors'' or may 
manipulate the computer code through which they can 
clandestinely take control of the system at a future date--
leaving vulnerable the systems that electronically move $11 
trillion a year among financial institutions, corporations, 
governments, and private organizations.
    The computer security threat, however, may not be motivated 
merely by just financial theft and fraud.
    Some Y2K programmers with malicious intent may be quietly 
installing malicious software codes--such as a logic bomb or a 
time-delayed virus--to sabotage companies or gain access to 
sensitive information sometime in the new millennium.
    Most troubling is that several security firms say that they 
have already found ``trap doors'' in Y2K programming.
    If used successfully for hostile purposes, these computer 
``trap doors'' can open to make sensitive national and 
proprietary information systems vulnerable to be accessed, 
stolen, compromised, or disrupted.
    With less than 150 days now before the January 1, 2000, 
deadline, the last thing we want to do is to defer any Y2K 
remediation efforts.
    It should be made clear that nobody should halt or suspend 
fixing their Y2K problems simply because there exists this 
potential for computer security breaches.
    The goal of this hearing is not to create a how-to guide 
and stoke the embers of those Y2K programmers with a felonious 
heart and malicious intent.
    The goal of this hearing is to determine what measures can 
be undertaken to protect our computer systems and to limit the 
potential of Y2K computer security breaches.
    It is my hope that, today, this panel can collectively come 
up with measures and guidelines that both the private and 
public sectors can review and utilize in their current 
remediation efforts to deter and catch any computer security 
breach that may occur as a result of the Y2K fix.
    Toward that end, I am pleased that we have a very 
distinguished panel.
    I welcome Mr. Joe Pucciarelli, Vice President, Research 
Director of the GartnerGroup, a leading and influential 
information technology research firm, which we know very well 
through our hearings, and the author of the GartnerGroup Y2K 
computer security report.
    Also joining us is a familiar figure to us, Mr. Harris 
Miller, President of the Information Technology Association of 
America.
    The Technology Subcommittee has worked very closely with 
Mr. Miller and the ITAA in the past on both the Y2K and the 
computer security issue, and it is great to see him back as a 
witness before us.
    We also have Mr. Dean Rich, Vice President for Security 
Services at WarRoom Research in Annapolis, Maryland, who is a 
computer security consultant with a great deal of expertise and 
experience in both the public and private sectors. I'm somebody 
who knows Annapolis well. I welcome you also, Mr. Rich.
    Additionally, Mr. Wayne Bennett, Chair of the Commercial 
Technology Practice Area of the law firm of Bingham Dana in 
Boston and an expert in computer security laws and practice, is 
with us today. A pleasure to have you, Mr. Bennett.
    So I look forward to everybody's testimony, and I would now 
like to turn to our distinguished Co-Chair of today's hearing, 
the member from California, Chairman of the Government 
Management, Information and Technology Subcommittee, Mr. Horn, 
for any opening statement that he may wish to make. Mr. Horn.
    Mr. Horn. Thank you very much.
    For the past 3 years, these two Subcommittees have been 
prodding agencies in the executive branch of the Federal 
Government to prepare their computer systems for the year 2000. 
Nearly all seem to have made good progress toward avoiding 
major computer disruptions at the end of this year. However, 
the rush to solve the year 2000 problem may have created 
another more insidious and potentially troubling problem.
    Today, we will discuss the danger that government agencies, 
corporations, and individuals are now more vulnerable to 
computer fraud, whether it is in the form of electronic 
robberies or information warfare.
    The reality is that computer systems can be compromised for 
any number of reasons--some far more damaging than the loss of 
money. Among them are the threats of industrial or military 
espionage and the use of computers and the network systems by 
terrorists or organized crime.
    Private companies and government agencies alike have opened 
up their most sensitive computer systems to outside contractors 
who are helping them sort through billions of lines of computer 
code to ensure their year 2000 compliance.
    Although the vast majority of these contractors are honest 
and truthworthy people, even a few unscrupulous operators could 
create a significant problem.
    The GartnerGroup, which is represented here today, has 
predicted that by 2004, there will be at least one reported $1 
billion or more theft due to the year 2000 remediation effort.
    The concern involves something called ``trap doors,'' 
computer coding that can give unscrupulous contractors access 
to the sensitive information in a computer long after the year 
2000 work is completed.
    From bank accounts and intellectual property to medical 
records and defense secrets, companies and government agencies 
have given contractors the keys that unlock an enormous 
storehouse of information.
    With only 149 days left until the new millennium, we must 
ensure that our critical information technology infrastructure 
is secure long after the year 2000 has passed away.
    So, with Mrs. Morella, I welcome the witnesses we have 
today, and I'm sure you will enlighten us in a number of areas.
    [The prepared statement of Hon. Stephen Horn follows:]

    [GRAPHIC] [TIFF OMITTED] T0842.001
    
    [GRAPHIC] [TIFF OMITTED] T0842.002
    
    Chairwoman Morella. Thank you, Chairman Horn.
    I am now pleased to recognize for any opening comments Mr. 
Udall, who is our ranking member today.
    Mr. Udall. Thank you, Madam Chairman. I want to join my 
colleagues in welcoming all of you here today to the hearing. 
This hearing focuses on two issues, the way I see it: computer 
and network security and then, secondly, whether Y2K-related 
computer system upgrades have increased the threat to a 
company's or a federal agency's computer security.
    I'd like to take a few minutes to speak about the Science 
Committee's role in the area of computer security. Going back 
into the late 1980s, the members of this Committee were aware 
that the first computer networks, such as ARPANET, which became 
NSFNET and is now known, of course, as the Internet, had a two-
edged quality: they improved electronic communication but also 
compromised computer security.
    In 1987, the Science Committee was instrumental in 
developing and passing the Computer Security Act. This was the 
first effort to improve the security of federal computer 
systems. Ever since, the Science Committee has maintained a 
high profile in this area.
    I mention this issue because many believe that Congress has 
not given sufficient attention to this issue of computer 
security. I wanted to highlight that at least one Congressional 
Committee has worked diligently to raise public and government 
awareness of computer security issues for more than a decade. 
This was long before most people even knew that the Internet 
existed, let alone before related computer security issues 
became important.
    Today's hearing, as my fellow colleagues have mentioned, 
was prompted by recent newspaper stories about a GartnerGroup 
report warning that by 2004 there will be at least one publicly 
reported electronic theft exceeding $1 billion and that steps 
to solve the Y2K problem will be a root cause of the security 
lapses that have allowed this step to happen.
    This is a serious assertion that raises more questions than 
it answers. For example, if it's true there will be at least a 
$1 billion theft, what about the likelihood of several thefts 
in the range of $100 million or the tens of thousands of 
dollars?
    Further, how credible are these alarms? After all, the 
warnings themselves could undermine public trust in our 
financial systems and the government's ability to provide 
public services and in our computer-based infrastructure as a 
whole.
    So, in that spirit, there are several issues that I hope 
our witnesses will address today. The first is: What data 
substantiates claims that there's an increased risk of fraud as 
a result of these Y2K fixes? Secondly, federal agencies, 
including Congress, and industry have relied on contractors to 
service their computer systems since their first installation. 
What has been the past experience of this type of fraud? And 
then, finally, if this Y2K-related fraud is a real problem, 
what steps can federal agencies and large corporations take to 
determine if the malicious code, the so-called trap doors, have 
been inserted into their programs?
    I want to thank you for being here. I very much look 
forward to hearing what you have to say.
    Thank you.
    Chairwoman Morella. Thank you, Mr. Udall, and thank you for 
also mentioning sort of the genesis of the Science Committee's 
interest and involvement in this issue.
    I'm now going to ask our panelists if they would rise and 
raise their right hand. It's the policy of this Committee to 
swear in those who will testify.
    Do you swear that the testimony you are about to give is 
the truth, the whole truth, and nothing but the truth?
    Mr. Pucciarelli. I do.
    Mr. Miller. I do.
    Mr. Rich. I do.
    Mr. Bennett. I do.
    Chairwoman Morella. The record will reflect an affirmative 
response from all. And, again, we'll try to follow a tradition, 
to give time for questions and other comments, of asking each 
panelist to speak about 5 minutes, and then we'll open it up to 
questions. And we'll start off then in the order in which I 
mentioned you.
    Mr. Pucciarelli, you will start off with the Gartner 
report.

    STATEMENTS OF JOSEPH C. PUCCIARELLI, VICE PRESIDENT AND 
 RESEARCH DIRECTOR, GARTNERGROUP, INC., STAMFORD, CONNECTICUT; 
HARRIS N. MILLER, PRESIDENT, INFORMATION TECHNOLOGY ASSOCIATION 
 OF AMERICA, ARLINGTON, VIRGINIA; L. DEAN RICH, VICE PRESIDENT 
 FOR SECURITY SERVICES, WARROOM RESEARCH, ANNAPOLIS, MARYLAND; 
  AND WAYNE D. BENNETT, CHAIR, COMMERCIAL TECHNOLOGY PRACTICE 
         AREA, BINGHAM DANA LLP, BOSTON, MASSACHUSETTS

               STATEMENT OF JOSEPH C. PUCCIARELLI

    Mr. Pucciarelli. Madam Chairman--Madam Chairwoman, Mr. 
Chairman, and Members of the two Subcommittees, I appreciate 
the opportunity to testify----
    Chairwoman Morella. I think you should either move it 
closer or make sure it's on.
    Mr. Pucciarelli. Madam Chairwoman, Mr. Chairman, and 
Members of the two Subcommittees, I appreciate the opportunity 
to testify today on the computer security impact of year 2000 
and the expanded risks of fraud. Key points in my testimony we 
will discuss: our prediction, the analysts of GartnerGroup, 
that by 2004 there will be at least one publicly reported 
electronic theft exceeding $1 billion, 70 percent likelihood; 
our forecast that year 2000 remediation efforts will be 
identified as a root cause of the security lapses that will 
have allowed this theft to happen, 70 percent likelihood; and 
how input from our clients was factored into these predictions 
and caused us to increase the probabilities.
    My role is to advise business and financial executives in 
the public and private sector on actions they should take to 
protect and maximize the effectiveness of their investments in 
computer technology. We found medium and large organizations in 
the United States spend some 8 percent of sales revenue--that 
is, 8 cents of every sales dollar--for computer systems. Ten 
years ago, this number was only 1 percent. During the same 
period, our financial systems have largely migrated to an 
electronically interconnected business model. Best estimates 
are that $11 trillion in electronic transfers occurred in the 
United States in 1998.
    Earlier this year, as part of my ongoing research, I 
reviewed those issues that may require action by my clients. I 
concluded, by reviewing the technical research conducted by my 
colleagues at GartnerGroup, that many firms had not taken 
adequate steps to secure and audit a year 2000 remediation 
process. Based on these observations, I formulated a 
recommendation to our clients.
    I reviewed these preliminary findings with some 300 clients 
on Tuesday, March 2, 1999, at a conference in New Orleans. Our 
clients had differing opinions. Their feedback indicated that 
the risk of theft was even higher than I had proposed. As a 
result, we formally advised our clients in April that we 
believe that by 2004 there will be at least one publicly 
reported electronic theft exceeding $1 billion, and that Y2K 
remediation efforts will be a root cause of those--that allowed 
this theft to happen, 70 percent likelihood.
    Predicting what will happen is challenging. Anticipating 
how it may happen raises the bar considerably. In the case of 
the first $1 billion electronic theft, the motive will likely 
be one of greed combined with feelings of underappreciation by 
a highly skilled software engineer, especially related to the 
stress of the year 2000 remediation effort. The means will be 
the tools at hand--the same electronic systems reliably 
transact the business of the day will be instructed to transfer 
funds beyond the boundaries of the enterprise into the hands of 
a thief. The opportunity to perpetrate the crime will come in 
an odd moment, a situation outside the bounds of the operating 
manual. A system will crash unexpectedly and a single software 
engineer could make changes without the normal reviews, due 
diligence, or oversight. Further, the incident will likely 
occur long after January 1, 2000.
    Clearly, a billion dollars is a huge sum of money. However, 
compared with the $11 trillion in annual volume of financial 
electronic data interchange transfers during 1998, which are 
growing some 40 percent annually, it represents only 0.0009 
percent. To use a metaphor, a $1 billion theft compared to the 
$11 trillion in throughput equates to 48 minutes over the 
course of a year. In this context, a billion seems somewhat 
less significant. Opposing all this money is the unbounded 
creativity of the human mind--which has proved the world round, 
produced Einstein's theory of relativity, placed a man on the 
moon, and committed countless crimes throughout history. From 
the Brinks armored car robbery through the Great Train Robbery, 
to the most recent financial scandals including BCCI and 
Barings, each generation adapts theft and fraud to the 
technological circumstances of the day.
    Given the enormity of the year 2000 remediation process, 
the scope of the cash flowing through these systems and the 
resourcefulness of the human mind in finding different ways to 
steal, a large theft seems much more likely perhaps inevitable.
    Specific steps need to be taken now and continually re-
emphasized to minimize risk. Specifically, we recommended:
    One, the most effective theft and fraud deterrent is 
maintaining the perception that there are high levels of 
security. To accomplish this, we advise our clients to 
collaborate to create a year 2000 security team with the 
requisite technical and auditing skills to review procedures, 
assess the threats, and implement a containment plan.
    Second, procedure reviews must limit the ability of a 
single individual to make changes or initiate activities 
without a second person participating in the process.
    Third, risk assessment must include reviewing all 
enterprise insurance coverage as well as contracts with 
external service providers and independent (programmer) 
contractors.
    Four, risk management plans should include careful 
reconsideration of all existing theft and fraud deterrence 
activities in light of this expanded threat profile.
    The law of very large numbers dictates that we will have a 
vastly increased risk of theft after the year 2000 remediation 
efforts. In the rush to aggressively solve one problem, 
enterprises need to ensure appropriate resources have been 
rededicated to protecting the enterprise from the increased 
risks of electronic theft and fraud--possibly the most 
important artifact created by year 2000 remediation. These 
nonlinear consequences of the year 2000 computer maintenance 
effort may have a more profound implication than the linear 
consequences such as a failure of a specific computer system.
    Thank you.
    [The statement of Mr. Pucciarelli follows:]

    [GRAPHIC] [TIFF OMITTED] T0842.003
    
    [GRAPHIC] [TIFF OMITTED] T0842.004
    
    [GRAPHIC] [TIFF OMITTED] T0842.005
    
    [GRAPHIC] [TIFF OMITTED] T0842.006
    
    [GRAPHIC] [TIFF OMITTED] T0842.007
    
    [GRAPHIC] [TIFF OMITTED] T0842.008
    
    [GRAPHIC] [TIFF OMITTED] T0842.009
    
     STATETEMENT OF HARRIS N. MILLERMr. Miller. Thank you, 
Chairwoman Morella and Chairman Horn and other Members of the 
Subcommittee. It is an honor to appear before your joint 
Subcommittees, and I want to commend you and your colleagues 
for holding this hearing on computer security as attention 
moves from the Y2K problem to the next and even greater 
challenge--Information Security or Critical Information 
Infrastructure Protection, as it is often called.
    Just as your two Subcommittees were among the leaders in 
educating Congress and the Nation on the year 2000 challenge, I 
know that you will play the same role on Information Security. 
Make no mistake about it: Information Security is the next Y2K 
issue for the IT community and its users.
    The evildoers are not just unscrupulous Y2K repair firms. 
The infosec threat comes in numerous guises: mischief-minded 
hackers, disgruntled employees, corporate spies, cyber 
criminals, terrorists, and unfriendly nations.
    Virus episodes like Melissa and Chernobyl are becoming more 
frequent. The Symantec Anti-Virus Research Center estimates 
that new viruses are being launched at a rate of 10 to 15 per 
day and that over 2,400 currently exist, and 35 percent of 
those are considered to be intentionally destructive.
    And, of course, there are the unintended consequences 
associated with our new dynamic information technology 
evolution, and, of course, year 2000 is the exhibit number one.
    Assessing the ultimate infosec roles for government and the 
private sector is really very simple. Our new information-based 
assets must be protected and preserved. Participants and users 
must understand that along with the obvious benefits of 
information technology are corresponding commitments to protect 
information technology. With rights--the right for IT to become 
the firmament on which most of our society, our government, and 
our economy are built--come responsibilities. And the primary 
responsibility is to ensure the security of our information 
society. The societal stakes involved compel government and 
industry to seek common ground on the issue.
    Security is much more challenging in the digital world 
because it is not the traditional security of wire fences, 
thick walls, and guard dogs. And it is not an activity just to 
be left to the experts, for all of us are part of the 
information age and must be sensitive to protecting it.
    The road to a common ground between government and industry 
will never be a straight line. On the contrary, while the ends 
are commonly shared, the policies that government and industry 
will develop in order to provide this protection are likely to 
be quite different. Again, I remind the Subcommittees that the 
year 2000 is the wake-up call. A well-prepared and well-
informed private sector can work with government to find the 
proper balance which optimizes the government's needs to 
protect the critical infrastructure with business' needs to 
manage risks appropriately.
    Significant reservations exist, however, on the part of 
both private industry and government, and ITAA is attempting to 
address both from a theoretical and practical standpoint.
    In developing industry positions on national infosec 
issues, ITAA has established a list of general principles that 
will guide the development of our policy. They emphasize 
industry leadership, communication and collaboration, infosec 
commensurate with the true threat involved without 
embellishment or magnification, and international 
collaboration. My written statement provided to the Committee 
outlines these principles in more detail.
    But there are also many questions that must be addressed, 
including the question, for example: What should be the 
mechanism for sharing information between government and the 
private sector, or even within the private sector itself? What 
type of threat and intrusion reporting will be required as 
opposed to optional? What type of organizations should plan and 
execute the strategy for critical information infrastructure 
defense? And what kind of legal and regulatory obstacles are 
there to information sharing and information security?
    And, of course, a less tangible concern must be addressed, 
particularly development of trust, both within the private 
sector and between the private sector and government. So as you 
can see, there is much to be done.
    We are working with our customers and with our government 
to build the necessary bridges. ITAA is taking a number of 
actions to focus on this issue. Following, for example, the 
issuance of Presidential Decision Directive 63 last year, ITAA 
was appointed as the sector coordinator for the IT sector along 
with two other high-tech trade associations. We are involved in 
massive education efforts, including White Papers, and we have 
held frequent meetings with representatives across the 
government to educate, discuss, and provide input.
    Education and outreach will be critical to the success of 
our efforts collectively. This past March, ITAA created the 
framework for a new Cybercitizen Partnership in conjunction 
with Attorney General Janet Reno. The partnership will focus on 
promoting individual responsibility in cyberspace and creating 
a private-public sector forum for exchange and cooperation.
    In all honesty, we at ITAA face a daunting job of 
convincing the IT industry and our customers to work with 
government on these initiatives. But it is a challenge we must 
step up to if we are to achieve any degree of success in 
opening lines of communication.
    The United States and much of the world are building their 
economic house on an information technology foundation. This is 
an extremely positive approach to take, delivering tangible 
benefits to a fast-growing percentage of the world's 
population. If year 2000 is the first challenge to place our 
economic house at risk, failure to adopt a rigorous approach to 
infosec will be the second and even more dangerous. ITAA and 
its member companies are committed to a private sector 
leadership role in ensuring that the necessary, timely, and 
cost-effective solutions are implemented.
    Thank you, and I would be happy to answer any questions you 
may have.
    [The statement of Mr. Miller follows:]

    [GRAPHIC] [TIFF OMITTED] T0842.010
    
    [GRAPHIC] [TIFF OMITTED] T0842.011
    
    [GRAPHIC] [TIFF OMITTED] T0842.012
    
      Introduction

[GRAPHIC] [TIFF OMITTED] T0842.013

[GRAPHIC] [TIFF OMITTED] T0842.014

[GRAPHIC] [TIFF OMITTED] T0842.015

[GRAPHIC] [TIFF OMITTED] T0842.016

[GRAPHIC] [TIFF OMITTED] T0842.017

[GRAPHIC] [TIFF OMITTED] T0842.018

[GRAPHIC] [TIFF OMITTED] T0842.019

[GRAPHIC] [TIFF OMITTED] T0842.020

[GRAPHIC] [TIFF OMITTED] T0842.021

[GRAPHIC] [TIFF OMITTED] T0842.022

[GRAPHIC] [TIFF OMITTED] T0842.023

[GRAPHIC] [TIFF OMITTED] T0842.024

[GRAPHIC] [TIFF OMITTED] T0842.025

[GRAPHIC] [TIFF OMITTED] T0842.026

    Chairwoman Morella. Thank you, Mr. Miller. And I want all 
of the panelists to know that the entirety of their statements 
as submitted to us will be included in the record, and I know 
that you have submitted extensive statements, and we appreciate 
that.
    Mr. Rich, I now recognize you, sir. May I indicate that we 
have been joined by Mr. Bartlett from the great State of 
Maryland. Mr. Rich is from Maryland, Mr. Bartlett.

                   STATEMENT OF L. DEAN RICH

    Mr. Rich. Thank you. Chairwoman Morella, Chairman Horn, and 
Members of the Subcommittees, I appreciate the opportunity to 
appear before you and I thank you for continuing to address the 
problems associated with information assurance and national 
critical infrastructure. As a lead into Y2K, I'd like to submit 
that Y2K, while a problem in itself, is a manifestation of a 
much larger issue--overall infrastructure assurance. We can 
look at Y2K as a wake-up event to better understand and manage 
those systems that are increasing in control or influencing 
every aspect of our lives.
    I come to this Committee with a background of information 
security as a Naval Reserve Officer in the Naval Cryptologic 
community and as a businessman working with industry to address 
the very issues we are discussing today. I support the Naval 
Criminal Investigative Service in my reserve capacity 
addressing threat issues. In my civilian position, I am 
currently with WarRoom Research as Vice President of Security 
Services, addressing both threat and vulnerability issues.
    You might recall that WarRoom research services the U.S. 
Senate's Permanent Subcommittee on Investigations under the 
1996 Security in Cyberspace Hearings where we collected 
information security risk profiles of 205 Fortune 1,000 
corporations.
    As we move even further into the digital age, those 
elements that comprise electronic commerce, networked systems, 
and national infrastructure are increasingly at risk. In order 
for this networked world to be viable and to be able to operate 
without concern and with all the worries transparent to the 
user, there must be an underpinning of robust security. Often 
we take security for granted or, using traditional cost 
analysis, will accept a certain level of risk as a cost of 
doing business. However, in today's environment, the cost of 
doing business without a strong security posture is too high. 
Yet many are unaware of these costs. In order to understand the 
new requirements of the digital age, governments and businesses 
must understand that security can no longer be an afterthought 
or redlined when budgets get squeezed. Security must be 
integral to one's overall management picture.
    To effectively manage security, one must manage risk. I 
believe in the formula risk equals threat multiplied by 
vulnerabilities and apply it to my own business decisions. You 
can see that with zero threat no matter the vulnerabilities, 
you will have zero risk. Likewise, if you have zero 
vulnerabilities and a world of ``bad actors,'' you have zero 
risk. Unfortunately, we have a great number of both, which is 
driving the risk index skyward.
    Vulnerabilities within our infrastructure are exposed on 
almost a daily basis. The scale of the infrastructure affected 
magnifies the impact of these vulnerabilities. Popular computer 
programs that get larger distribution have a larger impact. 
This has been demonstrated recently by a vulnerability that 
allows the promulgation of Macro viruses via e-mail. Using the 
risk formula, this vulnerability would not be an issue if it 
were not for the immense threat we live with on a daily basis.
    I believe the threat to our infrastructure is real. During 
the hearings on security in cyberspace in June of 1996, Mr. 
John Deutch did a great job of summarizing the threat and the 
need for increased public awareness. Many companies and 
government agencies have taken a skeptic's approach when 
discussing threats. They will say, ``My network and systems are 
running fine. I don't see any threat here.'' They lack the 
ability to see the threat and, therefore, deny it exists. They 
would be surprised to see, with an intrusion detection 
package--or intrusion detection application on their Internet 
perimeter, they would detect at least one unusual occurrence a 
day.
    A number of years ago, while on active duty in the Navy, I 
was deployed aboard a submarine for a couple of months. Having 
an interest in the sonar system, I asked one of the crew to 
give me an overview. The young officer was very proud of the 
system and said, ``If something were out in the water, we would 
hear it.'' I caught him by surprise when I said, ``So, let me 
get it straight. If you don't hear, it isn't there?'' I think 
that overconfidence in current capabilities and the 
unwillingness to ``think out of the box'' will lead to 
complacency. You need to look before you can see the threat. I 
support innovated efforts to look where no one has looked 
before.
    I'd like to share a couple of short stories, and I will 
keep it to the first one in the interest of time. In early 
1995, I was running a vulnerability assessment on a large 
number of Internet connected systems operated by the Department 
of Defense--a Department of Defense organization. During the 
assessment, I entered a computer that was used by software 
developers to maintain the source code for a communications 
package. The source code was clearly unclassified, but it was 
disturbing for me to know its only use was on a classified 
network. A ``total systems'' approach was not used when 
implementing a support structure for the communications 
package.
    Others have demonstrated similar events over the last 
couple of years, and we'll still continue to have these 
problems.
    I'd like to address the Y2K vulnerability issue. A recent 
newspaper article brought to light a problem of outsourcing Y2K 
remediation and the threat of foreign nation states inserting 
backdoors for future year. I believe this is a valid threat and 
agree it needs to be addressed today. On the other hand, many 
Fortune 500 companies have been outsourcing source code 
development and maintenance for years. A large number of these 
U.S. companies have permanent network connections into their 
corporate networks to facilitate the work from overseas. I can 
tell you that without intrusion detection or traffic analysis, 
these foreign companies have the potential to run free and 
obtain unauthorized access to U.S. corporate proprietary 
information.
    In summary, I would recommend programs that support a total 
risk management approach to infrastructure assurance. I 
recommend protecting the critical path and the life cycle of 
high-value infrastructure, not just the end product. Keeping 
vigilant in the search for vulnerabilities and new threats. I 
fully support the requirement for collaboration between 
government and commercial organizations. We will not survive as 
a country without a framework of trust, dialogue, and 
collaboration. I look forward to working with this Subcommittee 
and others on this issue within the months to come.
    Again, thank you for the opportunity to speak, and I'd be 
happy to answer any questions.
    [The statement of Mr. Rich follows:]

    [GRAPHIC] [TIFF OMITTED] T0842.027
    
    [GRAPHIC] [TIFF OMITTED] T0842.028
    
    [GRAPHIC] [TIFF OMITTED] T0842.029
    
    [GRAPHIC] [TIFF OMITTED] T0842.030
    
    [GRAPHIC] [TIFF OMITTED] T0842.031
    
    [GRAPHIC] [TIFF OMITTED] T0842.032
    
    Chairwoman Morella. We thank you very much, Mr. Rich, and 
it's now my pleasure to recognize Mr. Bennett.

                 STATEMENT OF WAYNE D. BENNETT

    Mr. Bennett. Thank you, Chairwoman Morella, Chairman Horn, 
members of the Subcommittee. My name is Wayne Bennett. I'm a 
partner at the law firm of Bingham Dana, and I chair the 
Commercial Technology Practice Area at our firm. Thank you for 
inviting me to this hearing.
    The nearly boundless creativity of the criminal mind will 
likely one day result in a billion dollar computer fraud. But I 
believe the apparent increased risk presented by the Y2K 
remediation effort is more than offset by the improvements in 
remediation procedures that have been implemented at large and 
mid-sized companies precisely to deal with the behemoth Y2K 
effort. When the billion dollar fraud occurs, its connection to 
the Y2K remediation effort will be more in the nature of 
serendipity than statistical inference, and law enforcement 
will be in a better position to identify the perpetrator 
because of the changes that the Y2K effort has brought.
    Consider the recent testimony of Gary Beach, Publisher of 
CIO Magazine, before the Senate Special Committee on the Y2K 
Technology Problem. I'm a member of the CIO Magazine editorial 
advisory board, and I can attest to the efforts that 
organization has made to look past the Y2K hype and its 
coverage. While the purpose of Gary's testimony was to report 
the results of a Y2K tracking poll, Gary added a particularly 
incisive thought at the conclusion of his remarks that one 
positive legacy of the Y2K exercise is that many companies were 
finally moved to undertake comprehensive inventories of their 
information technology systems.
    I would expand on that notion of a positive legacy. The 
learning at many corporate IT departments, particularly at mid-
sized corporations, has been greatly enhanced since the Y2K 
wake-up call went out. My clients are from diverse industries, 
including banks, mortgage companies, manufacturers, 
distributors, broker dealers, grocers, IT hardware, software, 
and services lenders, and e-commerce companies. Many of them 
contacted leading experts to teach their IT personnel the best 
industry practices for implementing their Y2K projects, and 
they're applying that learning to their maintenance activities 
generally.
    Before the Y2K exercise, systems maintenance was in some IT 
shops just a tedious chore that was relegated to anonymous 
junior programmers. Maintenance was a stepchild, and many IT 
departments struggled with version control, documentation, and 
accountability. Often IT personnel would open a source code 
file and find no written clue regarding who worked on the code 
last, what changes had been made, or even when or why it was 
changed.
    The best maintenance practices recently introduced by 
consultants have a by-product. Many systems environments are 
now more secure than they were just a couple of years ago. For 
example, the introduction of project notebooks requiring formal 
sign-offs by responsible employees and contractors have 
employees staking their reputations on their work. Each sign-
off indicates that a software routine is ready and that it 
successfully integrates into the larger system. Testing 
naturally becomes more comprehensive. Validation efforts are 
enhanced to ensure that no unwanted changes have been 
introduced into the system. Internal and external auditors 
review project notebooks as part of their Y2K and technology 
operations audits. Reports are generated at each management 
level until a summary is presented to the board of directors. 
Visibility and accountability at every level has increased. 
Security has been enhanced.
    Trap doors and the attendant risk of major fraud have been 
around since shortly after the beginning of commercial 
computing.
    Then you enacted the Computer Fraud and Abuse Act of 1986, 
the Information Infrastructure Act of 1996, the Economic 
Espionage Act of 1996, and the No Electronic Theft Act of 1997. 
The criminal laws are in place. Now, with the introduction of 
better maintenance practices, the forensic evidence is more 
likely to be available to track down a wrongdoer.
    A billion-dollar fraud is inevitable at some point since no 
security system is completely airtight. But is it more likely 
now as a result of the Y2K effort? I don't think so.
    Consider the current criminal opportunity. With increased 
scrutiny of every line of code, choosing this juncture to hide 
nefarious software in systems is akin to the decision of a 
second story man choosing to burglarize the police chief's 
house. Some burglars may find the prospect challenging, but 
most won't and those that do will find the going rather rough.
    At the July 22nd Senate Y2K hearing, Senator Bennett put 
the question of the reported increased security risk to a panel 
of IT executives. The panelists acknowledged that the security 
risk is increasing every day because of the increase in 
computer usage generally. But they also responded that the 
procedures implemented to perform Y2K remediation make them 
more confident today that while they can never fully prevent a 
security problem, they can at least better now detect a 
security problem.
    These procedures can fail, so we need to be ever vigilant 
about security. But we should also be careful about any message 
that we send to those thousands of employees and contractors 
who are honestly and diligently trying to solve the Y2K 
problem.
    The Nation's IT personnel are right now working at a 
breakneck pace doing thankless, yeoman's work against an 
unforgiving deadline. If they succeed in their Herculean task, 
some--perhaps even some here today--will question why we spent 
billions of dollars on a crisis that never came about. If they 
fail, they will be blamed.
    At this point, I suggest that we let the security officers 
quietly pursue their jobs while we lend all necessary support 
to the employees and contractors working on the Y2K effort--
without any inadvertent suggestion from any quarter that any of 
them might be criminals, even in the face of continuing risk. 
The job of fixing the Y2K problem and the consequences of 
failure are so enormous that the ongoing risk of fraud pales by 
comparison. We should keep our focus over these next critical 
few months.
    Thank you for your time.
    [The statement of Mr. Bennett follows:]

    [GRAPHIC] [TIFF OMITTED] T0842.033
    
    [GRAPHIC] [TIFF OMITTED] T0842.034
    
    [GRAPHIC] [TIFF OMITTED] T0842.035
    
    [GRAPHIC] [TIFF OMITTED] T0842.036
    
    [GRAPHIC] [TIFF OMITTED] T0842.037
    
    [GRAPHIC] [TIFF OMITTED] T0842.038
    
    [GRAPHIC] [TIFF OMITTED] T0842.039
    
    [GRAPHIC] [TIFF OMITTED] T0842.040
    
    [GRAPHIC] [TIFF OMITTED] T0842.041
    
    [GRAPHIC] [TIFF OMITTED] T0842.042
    
    Chairwoman Morella. Thank you very much, Mr. Bennett. I'm 
glad we, you know, ended with you because then you put another 
perspective on the concept of computer security being 
important, but not necessarily, I was going to say, increased 
because of Y2K. I understand also you were at the--what used to 
be called the National Bureau of Standards.
    Mr. Bennett. Yes, I was.
    Chairwoman Morella. Which is now NIST, which has been very 
much involved with our computer security system and more 
legislation coming up on that.
    As you could tell, we do have a vote coming up. Maybe I 
could start off by asking one question, and then we could 
recess for about 15 minutes, if you'll all be here, and then 
continue with questions. Unless you wanted to start off with a 
question, Chairman Horn?
    Mr. Horn. I'll be glad to, if you'd like. I don't know if 
you want to go vote and then I can go vote and keep the show on 
the road. Whatever you'd like.
    Chairwoman Morella. All right. He's got a great idea. I 
will go vote, and then he will keep this--keep it going, and 
then I'll come back.
    Mr. Horn. Mr. Bennett, I was interested when you said the 
criminal laws seem to be in place. Is that true in every state? 
Have we done an analysis of that? Mrs. Morella and I can 
request the American Law Division to look at that now that 
you've raised the question.
    Mr. Bennett. Well, I think the federal laws are in place. 
In fact, there was just a recent article in, I believe, 
Computer World where a defense attorney based in San Francisco 
was complaining that the federal laws are set up so that her--
this is not surprising--that her clients are having a tough 
time going and are pleading out instead of going to trial 
because they risk very severe criminal penalties. I do not 
know, however, on a state-by-state basis what the answer is.
    Mr. Horn. Any comments from anyone else here on that point?
    Well, the $1 billion does catch a headline, and that's, I 
think, more likely to be banks. What will happen with the non-
banks where you could not have money to move, is blackmail. And 
the question would be: To what degree can we already cope with 
blackmail, the disgruntled employee that was mentioned? No 
question about it. You could--with a smart programmer, you 
could have chaos within a computer system.
    Mr. Miller. Mr. Chairman----
    Mr. Horn. Mr. Miller.
    Mr. Miller. Mr. Chairman, we had Mr. Scott Charney, who 
heads the Criminal Division area of computer crimes speak at a 
conference we cosponsored last week with George Mason 
University. And Mr. Charney indicated in his public comments, 
at least--and maybe the Subcommittee would want to contact him 
directly, but I think I would agree with Mr. Bennett--that the 
federal laws are pretty strict.
    The challenge is finding the miscreants and prosecuting 
them. But I think they feel that the laws are pretty strict, 
and they've been fairly successful in prosecutions. State laws, 
I don't have any information on them.
    Mr. Horn. If it is blackmail and it isn't moving money 
around from accounts here to accounts abroad and so forth, how 
do we deal with the blackmail aspect?
    Mr. Miller. They're both federal statutes, as I understand 
it. I'm not a lawyer.
    Mr. Horn. Have we had much computer security blackmail?
    Mr. Miller. I've been told of stories anecdotally. 
Nothing's been reported publicly.
    Mr. Horn. Well, I realize it's like rare-book libraries. 
They don't want to talk about it, and that was the mistake of 
their life because now that they started talking about it, you 
find these people. And the thief just had a field day, can walk 
off with all the precious books, and they did it at Harvard and 
Yale and my own university and so forth. But it just seems to 
me we need a strategy here in educating chief executives. As we 
went through the Y2K bit in the last year, one of the things 
that discouraged me was the bad advice that their lawyers gave, 
which was, Chief, don't say anything, then they can't do 
something to you in court. Well, that's utter baloney because 
they'll do you for not doing anything, and we really needed 
CEOs to provide some leadership, which they finally woke up and 
did.
    But how would you deal with this in this way to get top 
management to understand that they've got to do some strategies 
and tactics here to protect themselves in the interest of their 
stockholders?
    Mr. Pucciarelli. Congressman Horn?
    Mr. Horn. Yes?
    Mr. Pucciarelli. If I could just say, in my opinion, 
security is to computers what safety was to automobiles in the 
1960s. We have a relatively immature technology, relatively in 
the context of 20 and 30 years versus 100 years. And what goes 
with a new technology is a certain exuberance and a denial of 
some of those risks.
    And I think what happens over time, the experience of using 
the technologies, of understanding the consequences, and 
understanding the implications will bring to light to the 
executives and to the leadership of the organizations that use 
these tools the risks. So rather than delegating the leadership 
and management of these systems to technical specialists, the 
executives will become more involved and more active in 
establishing security procedures for the overall enterprise.
    Mr. Horn. Now, with the Presidential Directive--by the way, 
if you have your mikes still on, turn them off so we don't get 
a feedback
    On the Presidential Directive, how active has the security 
community and the information technology community been helpful 
in that? And where are we in the progress under the 
Presidential Directive?
    Mr. Miller. I think there's some good news and there's some 
bad news there. I think the good news is that the various 
government agencies are trying to come up with a plan. We saw a 
leaked version of it in the New York Times very recently, an 
article by Mr. Markoff which focused on just the privacy issue. 
But there has been extensive consultation, and I do commend the 
people in the government for trying to get as much industry 
input as possible into the process.
    As an example of bad news, though, Mr. Chairman, I'll give 
you one specific example. We were designed by the Department of 
Commerce, as I mentioned in my testimony, as the sector 
coordinator for the information technology sector along with 
the Telecommunications Industry Association and the U.S. 
Telephone Association. That office within the U.S. Department 
of Commerce is probably going to be defunded in the year 2000. 
So, on the one hand, we are trying to undertake activities in 
conjunction with the Department of Commerce agency. On the 
other hand, the Department of Commerce, even though they did 
request some money, apparently it's not a very high priority. 
Congress hasn't seen it as a high priority. So we're going to--
may find ourselves on October 1st being designated by the 
sector coordinator of an office that no longer exists.
    Mr. Horn. Well, we thank you for alerting us because we 
ought to keep on top of that.
    I'm going to have to declare a recess now so I don't miss a 
vote. So we're in recess until Mrs. Morella returns to chair 
the meeting. Thank you very much.
    [Recess.]
    Chairwoman Morella. Thank you, gentlemen and others, for 
bearing with us as we had two votes instead of one vote. And 
matter of fact, one was on----
    Mr. Horn. Patent policy.
    Chairwoman Morella. Yeah, patent policy, which might 
interest some of you.
    Ms. Rivers is here from Michigan, and I guess I'll start 
off with a question or two and then let Ms. Rivers ask any 
questions.
    Mention was made--I think you, Mr. Miller, mentioned the 
Presidential decision, Directive 63, which was issued in May of 
1998, and that explains the Administration's policy on critical 
infrastructure protection. Incidentally, we had the first House 
hearing on the critical infrastructures report. The 
infrastructures include telecommunications, banking and 
finance, and all the essential government services. The 
directive requires immediate Federal Government action, 
including risk assessment and planning to reduce exposure to 
attack.
    Maybe I'd start off with you, Mr. Miller, in responding to 
this, but I want to hear from the others, too. In your opinion, 
has the implementation of this directive been effective? And 
why or why not? Does more need to be done?
    Mr. Miller. The process has been a little slower than I 
think many of us anticipated, but maybe that's all for the 
good. The trial CIAO office, which everyone sort of chuckles 
at, but the Critical Information Assurance Office, which has 
coordinated the development of the longer-term plan, has been 
somewhat slow, but they have to engage numerous federal 
agencies. They have done a good job, Madam Chair, I believe, of 
trying to engage industry and academia in getting input in the 
development of that plan. So I think they are moving forward in 
a reasonable pace to come up with a plan.
    It's very tricky, though, because the exact lines of 
responsibility between the private sector and government--there 
may be differing views, as I suggested in my testimony. The 
private sector may believe that the government needs to be less 
involved, and some people in government want to be more 
involved.
    The point I mentioned to Chairman Horn while you were away 
was some of the things that disturb us, for example, is the 
government, to industry, is not necessarily someone we like to 
work with all the time. I have a little bit of concern about 
it. One of the departments, however, I think industry is most 
comfortable with is the Department of Commerce. The Department 
of Commerce in the National Telecommunications Information 
Agency, headed by Assistant Secretary Irving, has 
responsibility for this critical information issue, and we were 
designated, along with two other associations, as a sector 
coordinator for the IT industry.
    But now it looks like they are going to have no money for 
FY 2000. There was a request for a small amount of money, I 
believe $3.5 million, for FY 2000, but, candidly, I don't think 
it's very high on the Administration's priority list. And from 
what I understand, with all the pressures that you all have to 
cut domestic spending, that money may disappear.
    So that's an example of where we thought there were good 
plans in place to try to move forward, and we were excited 
about the opportunity to be the sector coordinator for the IT 
industry. But if that agency funding goes away and there's 
nothing in Commerce for us to work with, then in some sense 
industry's role is back to square one. At least my sector's 
role is back to square one.
    Chairwoman Morella. Would any of the other panelists like 
to comment on that? I'm going to ask a question also that you 
might want to respond to at the same time. Do you think we need 
a computer security czar? I don't mean to overuse that term, 
but somebody in the Federal Government such as the role that 
John Koskinen has played with Y2K that will be an oversee also 
of critical infrastructures, computer security. Mr. 
Pucciarelli?
    Mr. Pucciarelli. Congresswoman, first a quick comment on 
the Presidential Policy Directive 63. In general, the entire 
area of cyber warfare and security is moving extremely quickly. 
It's very difficult to design a solution, just from an 
engineering perspective to design a solution to address a 
threat, and to do it and get it implemented in a timely 
fashion.
    If you look at the typical procurement cycle right now, 
from the time an engineering solution is designed until it's 
presented, run through for hearings, funded and implemented, it 
could take 2 years. The problem is, is that it's difficult to 
anticipate--it's virtually impossible to anticipate 2 years 
ahead of the threat what needs to be done because this area is 
moving so quickly.
    So just one comment on that is just I would counsel you to 
look at the time lines to actually acknowledge the threat, 
design a solution, and implement it.
    As far as your question on the computer security czar, I 
think there's a plus and a minus. My own personal perspective 
and the perspective of the GartnerGroup is that security is an 
enterprise issue. It is not an issue that belongs dedicated to 
somebody who sits in the back room of the organization or off 
to the side in an ancillary role. So I think there's a risk 
with setting up a czar in that it might be viewed as something 
that is the domain of the technical specialists.
    I think the challenge is how do we elevate security to an 
executive issue and an executive priority, and if a computer 
security czar was able to portray the issue with that type of 
presentation, I think there's an opportunity to have a very 
positive impact.
    Chairwoman Morella. Mr. Rich.
    Mr. Rich. I support his statement. I think having a 
computer security czar would probably be not a good idea, that 
security is part of an infrastructure, an enterprise 
implementation, and that we need to support the current 
infrastructure assurance directives that have been put out 
there.
    Chairwoman Morella. Mr. Bennett, would you like to comment 
on----
    Mr. Bennett. I think that anything that's done has to draw 
some very clear lines between government and corporate 
enterprises. I think that the prospect of a czar might actually 
frighten some corporations who may have some operations that 
are even part of what you might consider infrastructure. I 
mean, I think that there are a lot of large corporations out 
there that would be happy to just have government approve their 
international use of very strong encryption methods and then 
stay out of the picture as far as their own security is 
concerned until such time as there is--where their own security 
procedures fail, and then they'll want the help of law 
enforcement officials to try to track down whoever did it.
    Their biggest issues right now do not involve a billion-
dollar fraud. If they look past Y2K and they're talking about 
people taking things from them, they're worried about 
competitive intelligence.
    Chairwoman Morella. Would either of you like to comment on 
Directive 63?
    Mr. Rich. I haven't been myself involved a great amount 
with the directive. From what I've observed and talking with 
others, I support Mr. Miller's comment on that it's moving 
maybe not as fast as some would expect, but I think it's moving 
in the right direction. And I've seen a lot of corporations now 
starting to talk to the government. I like the idea of 
collaboration and trust. Unless we can get the point across to 
the commercial organizations that the government can help and 
not mandate or dictate and more or less work together, I think 
we'll get longer--further down the path.
    Chairwoman Morella. I didn't mean to be rigid when I said 
computer security czar. I guess I'm thinking to implementation 
of current policies in terms of coordinating. There is no doubt 
in my mind we lack that in the Federal Government, but we can 
get into that in some other questioning.
    I would like to now recognize Ms. Rivers.
    Ms. Rivers. Thank you, Madam Chair.
    Mr. Miller, I have a question regarding funding you raised 
in your written commentary, and I apologize that I wasn't here 
for the testimony. But in your written statement, you raised 
concerns that the $3.5 million that is now being allocated for 
CIIAP is inadequate in your view or barely adequate. Are you 
aware that the Commerce, Justice, State bill, appropriations 
bill that we're going to vote on this afternoon, zeroes out 
that program? And what will the effects be of that decision?
    Mr. Miller. I heard--I haven't actually seen the language 
of the legislation, Congresswoman Rivers, but I heard that they 
were going to zero it out. I think that would be most 
unfortunate from the perspective of private industry.
    Clearly, the issue of information security has spread 
throughout the government--the Department of Defense, the 
Department of Justice, National Security Agency, et cetera, et 
cetera. And, by the way, in response to Congresswoman Morella's 
question, I would support a czar for exactly that reason.
    But, clearly, the government is perceived by many people in 
industry as kind of threatening, particularly if you're talking 
to national security people or law enforcement people. To the 
extent the industry is comfortable, I think they're most 
comfortable talking to the Department of Commerce, and so 
that's a logical place for business to communicate. And zeroing 
out that budget item from within NTIA I think would be most 
unfortunate. Even a relatively small amount, $3.5 million, is 
better than nothing, and I think the problem is--I've spoken to 
Assistant Secretary Irving about this--is he's already had 
severe budget cuts over the last 2 or 3 years, and if this 
money gets cuts down, he can't find it to take out of hide 
somewhere else. So I'd hope that the Congress would take 
another look at that, and whether $3.5 million is exactly the 
right number or not, I don't know. But I hope the Congress 
would take another look at that and put some funding in there 
because that would make industry much more comfortable in terms 
of working with government.
    Again, there's no disrespect to the FBI or the Defense 
Department, but if we have to talk to somebody, it's a lot 
easier to talk to the Commerce Department.
    Ms. Rivers. Thank you.
    Mr. Pucciarelli, I have a question for you. In your 
comments, you talk about a 70 percent probability that there 
would be at least one electronic theft of a billion dollars, 
which--I may not have it right, but that would seem to be the 
biggest theft in our history. I mean, I don't think we've ever 
had a billion dollar theft. And you use the terminology that 
really reflects sort of the science of statistics.
    How did you arrive at that?
    Mr. Pucciarelli. What we do, Congresswoman, is, as part of 
our recommendations at GartnerGroup, we have a practice of 
assigning a probability to a particular prediction. And the 
reason that we assign probabilities is so that our clients have 
an ability to take these predictions and appropriately factor 
them into their business plans. The probabilities were not 
scientifically derived. They were arrived--derived based on 
judgment, and there is an explanation of the probability 
process in my formal written testimony which has been submitted 
to the Committee.
    Ms. Rivers. How do you translate a probability--or a 
judgment into a 0.7 likelihood?
    Mr. Pucciarelli. A 0.7 likelihood, in terms of how we 
explain that to our clients and advise that to our clients, is 
we would say that you should assume that this is likely to 
happen. If you--if it had a 0.8 probability as an example, we 
would say assume it will happen. So with a 0.7 probability 
there is still some risk that it won't happen. The range of 
probabilities that we publish goes from 0.6 to 0.9.
    The whole notion and the whole purpose of this piece of 
research was to advise our clients to escalate their risk 
management practices. And in the context of that, what we are 
really saying with the probabilities is that we believe it's 
likely that there will be at least one large outrageous theft.
    Ms. Rivers. So what you're saying is it's really not a 
scientific tool, it's a sales tool?
    Mr. Pucciarelli. No. That's--not at all, Congressman. What 
my point was, it's not a sales tool at all. What it is is it's 
a way for management within our client organizations to 
appropriately weigh the probability.
    Ms. Rivers. That's what I'm trying to understand, given my 
training, is how you are creating your probabilities, what you 
are actually using that can be replicated by someone else. 
Looking at the same data, can they come up with the same 
conclusion?
    Mr. Pucciarelli. The way that we actually create the 
probabilities is based on--first of all, it is not data. It 
is--it is qualitative interactions with our clients and 
qualitative assessments of what's going on in the environment. 
The intention of the probabilities is to factor them into the 
management process within our clients. So the idea is that we 
can give our clients a degree of confidence as to how sure we 
are that this will happen.
    Ms. Rivers. What are the elements that you weigh in coming 
to this conclusion?
    Mr. Pucciarelli. We look at three different major aspects 
in forming a probability. First we do primary research, which 
is to look at the specific area. And as I testified earlier, we 
did that based on direct examination and in conversations with 
our clients, what was going on in terms of the process itself. 
We then review preliminary findings with our clients and ask 
their opinions and their assessments of our recommendations. 
Then the third and most important thing is, before we publish a 
recommendation and assign a probability, we--as a community of 
analysts, GartnerGroup has over 700 analysts review the major 
policy statements, and as a community of analysts, we have to 
agree on what those probabilities are, and we have to agree 
what the major statements are.
    So this forecast represents a consensus position of 
literally hundreds of people within our organization to 
support--and it has to agree with their qualitative and 
quantitative observations as well.
    Ms. Rivers. Okay. Thank you.
    Thank you, Madam Chair.
    Chairwoman Morella. Thank you, Ms. Rivers.
    Chairman Horn.
    Mr. Horn. I've had 5 minutes, so let everybody else go, and 
then I'll have one question.
    Chairwoman Morella. Mr. Turner from Texas.
    Mr. Turner. I will yield to Mr. Horn.
    Chairwoman Morella. Chairman Horn? I mean, I'll ask a 
question.
    Mr. Horn. Let me just ask one question. I've appreciated 
the various papers you four gentlemen have submitted.
    You've suggested, Mr. Miller, that we grade federal 
agencies on computer security, much like we currently do for 
the year 2000 work. And I'm just curious, What categories of 
criteria in relation to this subject would you suggest and use?
    Mr. Miller. I think, Mr. Chairman, your grading system the 
last 3\1/2\ years or so for the government's reliability and 
readiness for Y2K has been a tremendous tool toward driving 
them toward the successes that you mentioned in your statement 
earlier today, and you deserve a great deal of credit, as does 
Congresswoman Morella, for focusing attention.
    A similar system, I believe, could be developed. I'm not 
prepared to give you the exact criteria, but things like the 
percentage of spending on IT devoted to computer security, the 
attention paid by senior management to computer security; 
reports of intrusions and detections of intrusions could be 
another metric that you could look to. So I think you could 
get--probably put together a fairly straightforward and easily 
agreed upon list of indicia that you could use to use your 
excellent grading system, and I think that would help drive the 
agencies toward more attention to this problem.
    Mr. Horn. Where do--where are the data on intrusions kept? 
Is it simply by agency? Does OMB have any information that 
they've collected over the years?
    Mr. Miller. There are two sets of data. There are data from 
the private sector, which are reported to what's called CERT, 
the Computer Emergency Response Team, at Carnegie Mellon 
University. They're, of course, voluntary reports. And to go 
back to Congresswoman Rivers' question about hard data versus 
theoretical data, I do note that the number of incidents 
reported to CERT has increased dramatically over the last few 
years.
    Within the government, my understanding is that they don't 
necessarily share information among agencies, and that's one of 
the issues being looked upon--looked at within the PDD-63, is 
to exactly how do you make sure that all the information is 
being shared appropriately among the agencies.
    Mr. Horn. Are the Carnegie information--are those data 
accessible?
    Mr. Miller. In some cases, the specifics are accessible, 
and sometimes it's just the generic numbers. I think one of the 
biggest challenges that this issues faces, as Mr. Pucciarelli 
was suggesting in his earlier comments, is how much willingness 
is there among companies as they mature to share information. 
Certain industries such as the financial services industry have 
already been exposed. Citibank had a relatively large potential 
theft several years ago, and so Citibank is now wanting to talk 
about this publicly. You can get them to go to any conference, 
any open meeting, and they'll come and talk about it. But if 
you ask 99 percent of all financial institutions or other types 
of organizations, ``Do you want to admit times that you've had 
intrusions or thefts or breakdowns?'' most of them are going to 
be totally silent, totally mum.
    So one of the challenges we've had as an industry, Mr. 
Chairman, is figuring out how to get companies to share 
information in a way that will help everyone fight off other 
potential intrusions and threats, but at the same time not be 
concerned that proprietary information will leak out or that 
their competitors will get an advantage or it will leak to the 
press and hit the stock price, et cetera. So companies are 
always trying to balance these two things off. It's not just 
the legal issue which you raised before in regard to the Y2K. 
It's a whole set of potential down sides to exposing 
information as opposed to the one up side, which is to sort of 
be a good citizen and by reporting the information about an 
intrusion that you had, you may save somebody else or you may 
help to protect the entire economy. And we are not yet at a 
position, I think, where the leadership of business in this 
country has made that balance of that equation and said in all 
cases we will share information. And one of the reasons is that 
they're not sure about sharing information.
    Let me just bring one more specific problem to your 
attention, is the Shelby amendment. I think industry supports 
the Shelby amendment generally. We believe that federally 
funded research results should be available to the public. And 
what Senator Shelby has done is good. But my companies have 
come to me and said, Now, what if we share information and 
there's some kind of federal grant involved with the 
organization that has that information and we believe it's 
confidential and then a FOIA request comes in? Government FOIA 
exemptions can't be used because it's a private sector 
organization. Then what do we do?
    So I think that's not--it's an unintended consequence of 
the Shelby amendment which is something we're trying to puzzle 
through right now.
    Mr. Horn. Yeah, well, as you know, we're going to struggle 
through on that, and you have to protect the people that, let's 
say, are trying to win the Nobel Prize or something. We 
shouldn't have their data all around and polluted. That will 
get tested soon enough. And we don't want to discourage 
science. On the other hand, we don't want to--in this 
situation, we're talking about, we don't want to have sitting-
duck targets because they say, boy, look at all the entries 
there, let's see if we can do it. And I suspect that's worrying 
some. The Good Samaritan law has helped on the year 2000 a bit, 
and industry plants have been working with each other, from the 
best we can understand on that. I don't know if that's your 
feeling or not. There's much sharing of information.
    Mr. Miller. Definitely. But it took legal action to do it. 
But, again, if Long Beach State, your former institution, set 
up a classified center and encouraged companies to provide 
information and they got Federal funding somehow, what does the 
Shelby amendment do to that data? It supposed to be sanitized. 
It's supposed to be protected within this research center 
within the university. But can someone use--I don't know, but 
the questions have been asked. Can someone use the Shelby 
amendment to come in and say I want access to all that data? 
And suddenly the whole confidentiality system breaks down, the 
trust breaks down, and no one supplies information to the Long 
Beach State center. We've lost the whole purpose of the 
organization in the first place.
    Mr. Horn. Are there any questions and thoughts that none of 
you have mentioned that you now would like to make? This is at 
least my wrap-up question. Mrs. Morella might have many more. 
But just what are we missing that we haven't really focused in 
on?
    Mr. Rich. Mr. Chairman, I'd like to make a quick comment 
there. In the spirit of PDD-63, rather than requiring--or 
asking people to give you their particular data on break-ins, 
if we take a baby step and say how about sharing threat 
information-these are people that are trying to touch you and 
look at your networks but not successful in getting in--that 
would be a first step in establishing the trust relationship.
    Mr. Horn. That's a good suggestion.
    Chairwoman Morella. Thank you, Chairman Horn. That's great.
    This is so reminiscent of Y2K when we talk about failure to 
and concern about sharing information and the coordination that 
is necessary. And, of course, we're talking about computer 
security that is troubled particularly because of Y2K 
compliance.
    With regard to the Shelby amendment, it's interesting that 
here we are in the room where the ranking member, George Brown, 
is the one who's introduced the legislation to get rid of the 
Shelby amendment, and, of course, I've heard from National 
Institutes of Health and a number of other institutions like 
that that are hoping that--Mr. Miller, that you can--we can 
work out some kind of a compromise.
    I--in terms of where information may come from, I can 
remember years ago, GAO, you know, when they came out with 
their list of high-risk areas, they had Y2K there, and they've 
had computer security there for some time. That maybe another 
source of information to have GAO do further reporting. And, of 
course, they've done a number of reports on problems with 
computer security, particularly in DOD. And I wonder, the 
inspector generals, would they not also be looking at this, or 
should we be telling them to begin to look at this? I don't 
know if any of you are cognizant.
    Mr. Pucciarelli.
    Mr. Pucciarelli. Congresswoman, I think that the whole 
issue of computer security could clearly fall into the domain 
of the inspector generals, and I think that depending on which 
agency is looked at, I think you'll see different degrees of 
activity in the area. I think that there's clearly an 
opportunity to raise the issue on the agenda of the IGs, and, 
again, I'll come back to my point earlier. The real challenge 
is how do we get the leadership of the organizations involved 
as well.
    Yes, the IG is the means by which to do it, but the 
challenge is how do we get it to the executives.
    Chairwoman Morella. And you mentioned--Mr. Miller, you 
wanted to comment.
    Mr. Miller. I agree exactly with what Mr. Pucciarelli is 
saying. That's why I endorse your idea of the czar, as long as 
the czar is conceptualized the way Mr. Koskinen has 
conceptualized the role, not that the czar----
    Chairwoman Morella. Right.
    Mr. Miller [continuing]. Is to fix everything himself or, 
if it's a czarina, herself; but that, number one, that person 
has the authority to go directly to Cabinet officers and make 
sure that the Cabinet officers personally are paying attention 
to the issue; that that person has the ability to work with the 
private sector by organizing them by sectors, as Mr. Koskinen 
has done very effectively. He's not trying to fix the problems 
with the electricity industry or the retail industry, but he's 
working with the appropriate private sector groups to do that.
    Also, he or she would be able to coordinate among the 
different agencies, and, frankly, it's a little confusing to 
the private sector to know whether we should talk to people at 
the CIAO or Mr. Hamre at DOD or people at the NIPC or people at 
Commerce. It would be a little bit easier to, if there were 
someone who had a central role and also had access directly to 
the President and Vice President, as I believe Mr. Koskinen 
does on Y2K issues.
    Chairwoman Morella. And looking at the private sector, Mr. 
Pucciarelli, you mentioned in your statement that many firms 
have not taken--you used the term ``adequate steps''--to secure 
and audit the year 2000 remediation process. I wonder, what do 
you mean by adequate steps?
    Mr. Pucciarelli. Congresswoman, in forming this scenario 
that I identified, one of somebody stealing a large amount of 
money, I started from the premise that somebody would do it. 
And then I posed the question back to my clients and said how 
likely is this to happen. And the response back from the 
practitioners in the field was that, in general, the level of 
security in their opinion was not very high. And that was one 
of the reasons why I went forward with this research and deemed 
it appropriate to recommend to the executive leadership of the 
various organizations to take as a given that this is a likely 
event and to implement risk management activities, which was 
really the underpinning of what my research was.
    It basically said you as leaders of these organizations 
need to implement risk management because the details--the 
people that are actually doing it, the practitioners, believe 
that there is a relatively high risk.
    Chairwoman Morella. Is implementing an independent 
verification validation process going to mitigate the problems 
and the trap doors?
    Mr. Pucciarelli. To implement a comprehensive security 
program, we have to cover three specific areas. We have to 
cover people, process, and products. And when talk about 
people, a metaphor might be to look at the bar exam. If we were 
to look at process, it might be the equivalent of the FDA 
certifying a surgical procedure, or a process might be the 
certification of a particular software development process. And 
a product might be the equivalent of the regulation that DOT 
has for automobiles to meet safety standards or, in the public 
domain, the UL underwriting seal of approval.
    To get true security, we're going to have to approach it 
from all three fronts.
    Chairwoman Morella. I'm glad you wanted to respond, Mr. 
Bennett, because I really felt I had to give you an opportunity 
to engage since your point is that it's not Y2K that is the big 
problem with computer security. So, sir?
    Mr. Bennett. Well, I think I stated my point on the 
relationship. I think they're both very important issues. I 
just don't see them--the statistical inference there. But with 
respect to the independent audit and the IG's role, it seems to 
me that the independence of both an IG or an outside auditor is 
one piece and the only piece that should be independent of line 
management. While auditing on the one hand has to be 
independent, someone has to come in and say how good a job 
you're doing, there are a couple of stages that have to come 
before that, and those, if you're ever going to make this work, 
it seems to me, have to be done by line management because they 
have to believe in what they're doing.
    Now, in defense, there may be a different weighing that 
takes place. How much--there's a certain drag on productivity 
that's going to happen when you implement extra security 
procedures. You try to minimize it, but it happens. That--
where--how much of a drag on productivity you're willing to 
tolerate may be different if I'm trying to keep secret the 
Nation's defense secrets. At the same time, if I'm a 
corporation and I am trying to keep competitive information out 
of my competitor's hands, which is very important, there's a 
different drag on my productivity that I might accept.
    So line management, first of all, has to decide how 
important is it and to what level are we going to protect it or 
try to protect it. And then there has to be an implementation 
process, all of which should stay within line management. And 
only then, after you've done those two steps, it seems to me, 
without sort of alienating line management, who you need to do 
those two steps, then there's a role for an outsider to come in 
and say, okay, how good a job are you doing?
    Chairwoman Morella. Prioritize, organize, then verify.
    Mr. Rich. I'd like to recommend that we take a look, as was 
mentioned here earlier about process, that over a period of 
time in my time working in the government we had process, 
accreditation for systems for security. And over a period of 
time, the accreditation process failed to work because it 
wasn't updated, that we would do the checklists and everything 
was great. I think as the IG goes through the process of 
checking, somebody should be checking the IG. Maybe that's the 
computer security czar that you mentioned, as an oversight 
position, that we have to keep up with the technology that 
we're looking at as we go through that.
    Chairwoman Morella. Thank you.
    Mr. Turner.
    Mr. Turner. I was really interested in knowing what 
suggestions any of you might have regarding how we might 
strengthen law enforcement in this area. It seems that it's an 
area that we're really very ill equipped to deal with. We don't 
have the expertise in local district attorney's offices. I'm 
not even sure we have it in the Department of Justice.
    But I think we really--there seems to be a need to take a 
good look at the existing criminal laws. Obviously, some of the 
laws fit. Theft is theft, I guess, no matter how you accomplish 
it. But in any of the intrusions that don't result in outright 
theft of dollars, I'm just not sure that the penalties are out 
there, the laws are out there to really effectively deal with 
this, nor is there the expertise available to fully prosecute 
what appears to me, from listening to your testimony, to be a 
growing area of criminal activity.
    Am I correct on that? And do any of you have any 
suggestions you might----
    Mr. Miller. I think that's a very important point, Mr. 
Turner. We're working very close with the Justice Department 
Criminal Division on this, and they have asked, for example, to 
help us help them put together a list of experts, cyber 
experts, that they can call upon for--when they need to do 
prosecutions so that the Assistant U.S. Attorneys around the 
country, when they're referred these cases, frequently do not 
have the kind of expertise that they may have in securities 
fraud or other kinds of more traditional non-digital fraud. And 
so we are working with Mr. Scott Charney and Attorney General 
Reno to help put together a list of those experts that the 
Assistant U.S. Attorneys can call upon.
    Also, I have been told that the Justice Department is doing 
training for state and local officials on cyber crime, 
detection, investigation, prosecution. But how extensive that 
is, I don't really know. You can contact the Justice 
Department. I don't have any data on how many--how many 
training sessions have been done.
    I understand that when they do offer them, they are heavily 
subscribed, that there's clearly a lot of interest among law--
local law enforcement officials to get this kind of training. 
But how extensive the training is currently, I don't know.
    Mr. Bennett. Congressman?
    Mr. Turner. Yes?
    Mr. Bennett. I believe you have the laws. You have got your 
Computer Fraud and Abuse Act. You have the Espionage Act, which 
covers trade secrets, and both of those have attempt parts to 
them.
    You also have a fair amount of expertise. It is growing 
within the Department of Justice, but there's a fair amount of 
expertise. When we call up on behalf of our clients and there's 
been a problem, we do not get a befuddled person who has either 
no interest or expertise in the area. We're generally directed 
to somebody who does that for a living.
    I think the only problem we're running into is the usual, 
and that is, you've got to have enough time and so you've got 
to allocate scarce resources even in the Department of Justice. 
And the way they've allocated it, to use one example, one of my 
clients called up, and someone had scanned their ports looking 
for a way in, and they were very concerned that some--a 
specific competitor, in fact, might have been the one doing it. 
And they wanted to get to the bottom of it. And when we called 
up, it seemed to us that there was a bright line from the 
United States Attorney's Office, and that was, really, if you 
can show us that they got in, then that's going to put it into 
one basket over here and we're going to have the time to be 
able to address it. If, on the other hand, you don't know 
because your firewall software maybe only tracks unauthorized 
attempts and maybe perhaps doesn't track authorized entries 
that might have been fraudulent, then we're--maybe you ought to 
go the civil route and try to discover this by suing the ISP 
and getting the name and then going after them and finding out 
who it is on your own.
    And, clearly, you don't want to go down both those paths, 
and we could really understand it. We ended up going down in 
this last instance, which was only a few months ago, going down 
the civil route and finding out that it was some teenage 
hackers attempting to get into a corporate--past a corporate a 
firewall. But the laws are certainly there. The expertise is 
there and growing, at least at the Federal level, and now it's 
just a matter of putting in a priority because I think they 
have enough to do with the actual break-ins at this point.
    Mr. Miller. Mr. Turner, my staff reminds me that Senator 
Leahy has introduced a bill to provide $25 million a year to 
the Department of Justice for state and local cyber crime 
training. So obviously Senator Leahy at least believes there's 
not currently sufficient funds and is trying to increase that.
    Mr. Turner. Thank you, Mrs. Morella.
    Chairwoman Morella. Thank you, Mr. Turner.
    It seems to me there could be a problem with companies 
overseas and the kind of security because they haven't had a 
check to do--an opportunity to do background checks of--and 
this made by the more prone to computer security problems with 
Y2K. Would any of you like to comment on that, maybe what we 
could do about it? You look ready, Mr. Bennett, then Mr. 
Miller.
    Mr. Bennett. I believe this problem's been with us for a 
while, and to try to put it in perspective, if you got three 
different levels of folks you might engage--and they've been 
engaged over the course of time, at least in corporate America, 
to work on IT systems there, your own employees, your domestic 
contractors, and then foreign contractors, and I would suggest 
that at this moment in most states in the United States you can 
learn not very much about your own new employees for starters. 
So, yes, it is true that there could be foreigners or 
contractors who could pose a definite threat to your IT.
    But right now, in the position of any ordinary employer--
not the government but an ordinary employer, we're just not 
permitted to get the kind of information you can get, and so I 
have a live threat right with my employees.
    A second quick point is that--put aside just for a moment--
I know it's not the scope here, but to try to put this in 
perspective, you've got the threat to your IT systems, and yet 
in many, many companies today, the most valuable information 
that they have walks out the door every single day with their 
employees. It is not sitting on their computer system.
    So when they put this whole thing into perspective for, you 
know, the billion dollar fraud over here and then the foreign 
threat and then even the domestic contractor threat, then the 
employee threat, what they're really worried about is: How can 
I find out information about the people who are here? And, 
moreover, where are they going to go? In the State of 
California, for example, companies cannot use non-competes for 
some good and wholesome reasons. And so that means that my 
employee can leave today, go down the street to my competitor, 
and use that information.
    Mr. Horn. I missed the word there. Companies cannot use 
what?
    Mr. Bennett. They cannot use--in California, as an example, 
one cannot include a non-competition clause in a contract with 
an employee to say, look, for 6 months after you leave here 
please don't go down the street--or you may not go down the 
street to our competitor to do the same kind of thing.
    Mr. Horn. As you were talking, I was thinking, the whole 
evolution of Silicon Valley is when somebody walked out and 
started their own firm. American productivity.
    Mr. Bennett. Absolutely correct. And now--and we've gotten 
a lot of great things from that. In addition, we've gotten 
ourselves a rash of trade secret lawsuits.
    Chairwoman Morella. It seems to me--you know how we have 
the metal detectors going into buildings such as ours? What we 
really need is a mental detector, and a mental detector would 
probably take care of a lot of that problem that you mentioned.
    Mr. Bennett. God forbid.
    Chairwoman Morella. Okay. Right.
    Mr. Miller.
    Mr. Miller. Two brief points. One is that there's 
currently, in addition to the overall challenge of the shortage 
of information technology workers in our country, there's a 
specific subset of that. There's a huge shortage of people with 
sophisticated security training or the ability to carry out 
these jobs. Going back to Mr. Pucciarelli's earlier point about 
people being one of the critical three elements, it's very 
important. I know a very large, sophisticated firm which is 
doing a lot of work on a contract basis for the government has 
1,500 positions to fill, and they have 1,000 people, and they 
can't find the other 500 because, first of all, you can't use 
foreign workers 99.9 percent of the time so you can't fall back 
on H(1)(b)s or anything like that. You can't even fall back on 
permanent residents. Most of the time they have to be U.S. 
citizens. They have to have security clearance. They have to 
have sophisticated training, et cetera, et cetera.
    So that's a big job. I know Attorney General Reno and other 
people are trying to focus on some kind of a cyber corps idea 
where there'd actually be government incentives, scholarships 
or a sort to encourage people to get the kind of sophisticated 
training that they could become specialists in information 
security. So I think that's an issue.
    Also, on the international front, Chairwoman Morella, I 
know that this is a huge issue in terms of laws. How do you 
enforce the security laws? And right now the U.S. Government is 
engaged in discussions with the G-8. Attorney General Reno I 
know is discussing with other members of the G-8, but it gets 
to be a huge issue in cyberspace. Let's talk about things like 
child pornography and getting access. What laws do you use? Do 
you let Muammar Qadhafi start issuing subpoenas for information 
that it wants to get from AOL because it believes somebody in 
Libya who's an AOL customer is violating the laws of Libya? How 
do you enforce those kind of laws? So there's some incredibly 
open-ended questions out there right now in terms of our cyber 
crimes on the international front which are just at the 
earliest, earliest stages of discussion right now.
    Chairwoman Morella. Mr. Rich.
    Mr. Rich. Yes. I'd like to mention a couple of months ago I 
went to a national infrastructure protection conference out in 
Denver, and I support the idea of Mr. Miller mentioning the 
cyber corps approach. I think that would go a long way, similar 
to the Peace Corps, in incentivizing those to bring up the 
awareness within the security area. And then they have a little 
payback to the government for helping them through school, or 
similar.
    Mr. Horn. If I might be yielded to for a question, I 
probably haven't unloaded on you my feelings on when that visa 
deal comes up. I was outraged by it. Why am I outraged by it? 
Very simply, we've got a community college system--certainly in 
California where it was founded, there's 107 campuses in 
California and we've got a Silicon Valley and San Diego, Orange 
County, and Santa Clara County, and popping up hopefully in 
other counties. And they need to work together, and we should 
not be importing people. We should be training our own people.
    When I think of the classrooms I go to where students are 
now exposed to computing, and it seems to me we're derelict 
both in education in California--and I've unloaded on many of 
the community college presidents and said, Where are you on 
this? And where are the CEOs in Silicon Valley that ought to be 
sitting down with them saying this is the kind of curriculum we 
need if they're going to be helpful to us? That was the whole 
purpose of the community college, was both vocational and 
academic. And you need both to be a good programmer.
    And I would hope that they would be working together so 
they could get the trained force. These are $60,000 jobs, and 
there are a lot of bright kids. Escalante showed that in the 
Los Angeles schools, you can teach young people to be as good 
as anybody, as good as they are at Harvard. And these students 
proved they could do it. And that's what we ought to be doing, 
but we need the equipment, which is--the state is always 
behind, every state in the Nation is behind when it comes to 
giving and granting and providing computer equipment. And if 
you're going to work on new generations, this is where Silicon 
Valley can take a tax writeoff, or wherever, and get something 
out of it.
    But your associations, it seems to me, would be very 
helpful to be where you get these people together, both the 
community college president and the CEO of a computer firm. We 
shouldn't have to be importing people from all over the world, 
and we shouldn't have to need a government program. I mean, the 
best education deal in America are the community colleges. 
There's very little tuition. At least in California it is; in 
Texas it is. So why aren't we taking advantage of that? Are we 
still going to just keep importing thousands of people? They're 
all wonderful people, but what about our own people? That's 
where I'm coming from.
    Mr. Miller. Did you want a comment, or is that just an 
observation?
    Mr. Horn. Well, I'm just saying--I'd like a comment, and I 
think--you know, where is that industry and where are those 
educators to be linked up to get the job done?
    Mr. Miller. Well, I do disagree with you on the immigration 
question, but I don't disagree with you on your fundamental 
point, Mr. Chairman. Our educational system is still an 
educational system designed for the industrial age, not the 
information age. And we are trying to work with community 
colleges. In fact, I recently met with the President of the 
American Association of Community Colleges to discuss potential 
collaborative activities. We're also working with particular 
outreach to minority communities. I think as you know, in the--
even though--for example, African Americans are 11 or 12 
percent of the overall U.S. workforce; they're only about 5 or 
6 percent of the IT workforce. So we're involved in some 
initiatives in that area, also.
    The challenge is to do both at the same time, though. It 
does take time for people to be trained and educated, and we 
have to incentivise them to come in. And I think that's why I 
was suggesting that government, cyber corps or IT tax credit 
training such as the legislation that Senator Conrad and 
Congressman Moran have introduced to try to create incentives.
    I do believe, Mr. Chairman, that community colleges are 
much more responsive than universities are in terms of 
adjusting their curriculum. And you have several in California 
which have done--moved relatively quickly. But it's--I think 
the late Governor of Florida once said, the only thing harder 
to move than a cemetery was the university faculty. So I think 
they find that trying to change, getting rid of Russian history 
and political science department for computer science 
departments isn't always easy; whereas, at community colleges 
they can move quite quickly. And certainly you see places like 
Contra Costa Community College. The one that's usually thrown 
up as the best example is Maricopa Community College in the 
Phoenix area where they work very closely with Motorola, Intel, 
and other semiconductor manufacturing firms for training.
    So I think we're getting there, Mr. Chairman. It's just 
slower than we'd like.
    Mr. Horn. Well, that's where you have to take these massive 
systems because most of that is done at the local college, and 
that's why I suggested the community college. There's more 
flexibility for the reasons we all know than in the major 
research universities around.
    But if you're doing it, I think that's wonderful. We don't 
need a government program to do it. We just need you guys on 
the phone, and gals, to work it out.
    Chairwoman Morella. I think we also need the partnerships 
of academia and the business sector and even government, you 
know, state government, maybe Federal Government in some way, 
also being kind of part of that partnership. But we have, 
Chairman Horn and I and Ranking Member Turner, been aware of 
the personnel needs throughout this whole thing, Y2K, now 
computer security, and we're trying to do something even 
legislatively on that, too, to increase fellowships and, as you 
mentioned, the cyber corps. We'll continue to work on that with 
your help.
    Just a wrap-up, if there are any comments from any one of 
you, real briefly, in terms of what we should be doing now 
since we have only that 149 days left to the end of--until we 
reach 2000, recognizing whether Y2K has been remediated or not 
with regard to computer security. Any final comments for us?
    Mr. Miller. My only concern is--and I don't think this is 
Mr. Pucciarelli's intention in releasing his report--is that 
people don't move more slowly on Y2K because they're concerned 
about information security. He's correct that information 
security has to be part of your Y2K, but I hope no one who 
reads that article uses that as an excuse not to do their Y2K 
remediation. I certainly know that wasn't his intent. I know 
that Gartner has been one of the strongest advocates for Y2K 
remediation. But one could imagine a situation where someone 
would misinterpret that message instead of the message being to 
be more conscious of security and say, well, that's one more 
excuse not to get my Y2K solution done. So I hope this hearing 
will help to send the message that that is not the intention. I 
assume Mr. Pucciarelli would agree.
    Chairwoman Morella. Thank you.
    Mr. Pucciarelli. Yes, Mr. Miller. I appreciate your 
comments.
    Congresswoman, one final thought that I have is that simply 
reminding folks, reminding organizations, enterprises, and the 
leaderships of those organizations of the need to redouble 
their efforts and maintain the appropriate risk management 
criteria while they complete their Y2K remediation activities. 
And I think that even having this hearing on this matter has 
served a very important purpose to that end. I think that 
encouraging the various federal agencies and departments along 
the same lines would also be of benefit.
    Again, clearly our intention was not to suggest that you 
should--that organizations should go slower, but to merely 
point out that risk management activities have a role as well.
    Chairwoman Morella. Thank you.
    Mr. Rich, a final comment?
    Mr. Rich. Yes, ma'am. I'd like to basically agree here with 
both of the gentlemen here in that people shouldn't slow down, 
they should pick it up a little bit and keep vigilant as we go 
toward the year 2000. And I hope these hearings will allow 
people to look at other aspects rather than just focus on Y2K 
remediation.
    Chairwoman Morella. Good point.
    Mr. Bennett.
    Mr. Bennett. I believe that if there are companies out 
there that are still doing serious remediation and are not now 
doing contingency planning, then they probably have even more 
serious issues than worrying about that trap that's probably 
been set somewhere in one of the other companies that's now 
doing contingency planning.
    Certainly a call has been made to the security officers, 
and they need to pay attention, as they always have. I think 
the message from this Subcommittee ought to be to keep focused 
on the Y2K effort.
    Chairwoman Morella. I want to thank all of you, and before 
we adjourn, I just want to mention the staff that have been 
very helpful always in contacting you and putting some things 
together: J. Russell George, who's with the Government Reform 
Subcommittee, Matt Ryan, Bonnie Heald, Grant Newman, Chip 
Ahlswede, and Seann Kallagher; our Technology Subcommittee, 
Jeff Grove and Ben Wu, and the clerk, Joe Sullivan. And there 
are others: Michele Ash, Trey Henderson, Earley Green, Jean 
Gosa; and the court reporter, Chris Bitsko. I think I covered 
everybody. Good.
    Thank you. You were just a splendid panel. I hope you'll 
feel free to contact us at any point with any of your 
suggestions or recommendations. And as usual, if we could--have 
other members who may have questions and any other questions we 
may have, if we may forward them to you. Great. Thank you.
    The Committee is now adjourned.
    [Whereupon, at 12:06 p.m., the Subcommittee was adjourned.]

    [GRAPHIC] [TIFF OMITTED] T0842.043
    
    [GRAPHIC] [TIFF OMITTED] T0842.044
    
    [GRAPHIC] [TIFF OMITTED] T0842.045
    
    [GRAPHIC] [TIFF OMITTED] T0842.046
    
    [GRAPHIC] [TIFF OMITTED] T0842.047
    
    [GRAPHIC] [TIFF OMITTED] T0842.048
    
    [GRAPHIC] [TIFF OMITTED] T0842.049
    
