b"<html>\n<title> - COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?</title>\n<body><pre>[House Hearing, 106 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n \n            COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,\n                      INFORMATION, AND TECHNOLOGY\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED SIXTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 9, 2000\n\n                               __________\n\n                           Serial No. 106-160\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n                                 ______\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n67-018 CC                   WASHINGTON : 2000\n\n\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     DAN BURTON, Indiana, Chairman\nBENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California\nCONSTANCE A. MORELLA, Maryland       TOM LANTOS, California\nCHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nSTEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania\nJOHN L. MICA, Florida                PATSY T. MINK, Hawaii\nTHOMAS M. DAVIS, Virginia            CAROLYN B. 
MALONEY, New York\nDAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, \nMARK E. SOUDER, Indiana                  DC\nJOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nMARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio\n    Carolina                         ROD R. BLAGOJEVICH, Illinois\nBOB BARR, Georgia                    DANNY K. DAVIS, Illinois\nDAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts\nASA HUTCHINSON, Arkansas             JIM TURNER, Texas\nLEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine\nJUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee\nGREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois\nDOUG OSE, California                             ------\nPAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont \nHELEN CHENOWETH-HAGE, Idaho              (Independent)\nDAVID VITTER, Louisiana\n\n\n                      Kevin Binger, Staff Director\n                 Daniel R. Moll, Deputy Staff Director\n           David A. Kass, Deputy Counsel and Parliamentarian\n                    Lisa Smith Arafune, Chief Clerk\n                 Phil Schiliro, Minority Staff Director\n                                 ------                                \n\n   Subcommittee on Government Management, Information, and Technology\n\n                   STEPHEN HORN, California, Chairman\nJUDY BIGGERT, Illinois               JIM TURNER, Texas\nTHOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania\nGREG WALDEN, Oregon                  MAJOR R. OWENS, New York\nDOUG OSE, California                 PATSY T. MINK, Hawaii\nPAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York\n\n                               Ex Officio\n\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\n          J. 
Russell George, Staff Director and Chief Counsel\n                Bonnie Heald, Director of Communications\n                           Bryan Sisk, Clerk\n           Trey Henderson, Minority Professional Staff Member\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on March 9, 2000....................................     1\nStatement of:\n    Gerretson, Jim, director of operations, Information \n      Assurance, ACS Defense, Inc.; Mark Rasch, senior vice \n      president and legal counsel, Global Integrity Corp.; and \n      James Adams, chief executive officer, iDEFENSE.............   161\n    Tritak, John, Director, Critical Infrastructure Assurance \n      Office, Department of Commerce; John Gilligan, Chief \n      Information Officer, Department of Energy, and co-chair, \n      Security, Privacy, and Critical Infrastructure Committee, \n      CIO Council; Karen Brown, Deputy Director, National \n      Institute of Standards and Technology, Department of \n      Commerce; and Rich Pethia, director, Computer Emergency \n      Response Team Coordination Centers, Software Engineering \n      Institute, Carnegie Mellon University......................     5\nLetters, statements, et cetera, submitted for the record by:\n    Adams, James, chief executive officer, iDEFENSE, prepared \n      statement of...............................................   186\n    Biggert, Hon. Judy, a Representative in Congress from the \n      State of Illinois, chart on computer security management \n      key players................................................   196\n    Brown, Karen, Deputy Director, National Institute of \n      Standards and Technology, Department of Commerce, prepared \n      statement of...............................................    
38\n    Gerretson, Jim, director of operations, Information \n      Assurance, ACS Defense, Inc., prepared statement of........   165\n    Gilligan, John, Chief Information Officer, Department of \n      Energy, and co-chair, Security, Privacy, and Critical \n      Infrastructure Committee, CIO Council:\n        Information concerning initiatives and activities........    22\n        Prepared statement of....................................    26\n    Horn, Hon. Stephen, a Representative in Congress from the \n      State of California:\n        Followup questions and responses.........................   159\n        Prepared statement of....................................     3\n    Pethia, Rich, director, Computer Emergency Response Team \n      Coordination Centers, Software Engineering Institute, \n      Carnegie Mellon University, prepared statement of..........    46\n    Rasch, Mark, senior vice president and legal counsel, Global \n      Integrity Corp., prepared statement of.....................   173\n    Tritak, John, Director, Critical Infrastructure Assurance \n      Office, Department of Commerce, prepared statement of......     9\n    Turner, Hon. Jim, a Representative in Congress from the State \n      of Texas, prepared statement of............................   
152\n\n\n            COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?\n\n                              ----------                              \n\n\n                        THURSDAY, MARCH 9, 2000\n\n                  House of Representatives,\nSubcommittee on Government Management, Information, \n                                    and Technology,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10 a.m., in \nroom 2247, Rayburn House Office Building, Steve Horn (chairman \nof the subcommittee) presiding.\n    Present: Representatives Biggert, Walden, and Turner.\n    Staff present: J. Russell George, staff director and chief \nclerk; Matt Ryan, senior policy administrator; Bonnie Heald, \ndirector of communications; Bryan Sisk, clerk; Ryan McKee, \nstaff assistant; Trey Henderson, minority professional staff \nmember; and Jean Gosa, minority staff assistant.\n    Mr. Horn. The hearing of the House Subcommittee on \nGovernment Management, Information, and Technology will come to \norder. Earlier this year, the Nation successfully met its first \ntechnological challenge of the new millennium, Y2K. Despite \nthe time, labor, and $100 billion cost for this effort, private \nand public, we learned much from this experience. Those lessons \nwill be especially important now as we turn to the second \ntechnological challenge of the new year, computer security.\n    We are here today to learn. In April 1996, this \nsubcommittee held a similar informational hearing on the year \n2000 computer problem. Our questions will be many of the same \nquestions we asked in that hearing 4 years ago. We want to know \nthe dimension and scope of these cyber attacks. 
We want to know \nwhat efforts are being undertaken toward solving the problem, \nand we want to know what the Federal Government is doing to \naddress this problem.\n    Since the early 1990's, the worldwide use of computers and \ncomputer networks has skyrocketed. The Internet has \nrevolutionized the way governments, nations, and individuals \ncommunicate, and the way to conduct business. The Internet and \nelectronic mail are now available 24 hours a day to anyone with \na desktop computer, a modem, and a telephone line. Yet, without \nrigorous efforts to protect the sensitive information contained \nin these computer systems, many of the Nation's essential \nservices, telecommunications, power distribution, national \ndefense, and so on down the line are vulnerable to cyber \nattacks.\n    Over the last few weeks, several of the Nation's most \nviable Internet websites have fallen prey to ``denial-of-\nservice computer attacks.'' Although these attacks disrupt \nessential business services, they only scratch the surface of \ncyber attacks that may be taking place in other highly \nintegrated computer networks.\n    Our first panel of witnesses today will discuss the \nvulnerability of the Nation's vital computer systems and the \nGovernment's efforts to protect them. Our second panel, from \nthe private sector, will demonstrate how easy it is to invade \nor hack a computer system, and what organizations can do to \nprotect these systems. We welcome each of you and we look \nforward to your testimony.\n    If you will stand and raise your right hands, we will swear \nyou in.\n    [Witnesses sworn.]\n    Mr. Horn. The clerk will note that all four witnesses \naffirmed the oath. We will start with Mr. Tritak, Director of \nCritical Infrastructure Assurance Office, Department of \nCommerce. Mr. Tritak. 
I might say, the way we work here, once I \nannounce you, your full statement is automatically put in the \nrecord.\n    The staff has read it and when we have had a chance, we \nread it. We then want you, if you could, to summarize it in 5 \nminutes. Do not read it, whatever you do, but give us from your \nheart what this problem is. That is what we are interested in. \nWhen you are all done, we will then have questions, 5 minutes \non each side when those Members come here. We will try to get a \nrounding out of what the testimony is.\n    So, Mr. Tritak, you are first.\n    [The prepared statement of Hon. Stephen Horn follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.001\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.002\n    \n  STATEMENT OF JOHN TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE \nASSURANCE OFFICE, DEPARTMENT OF COMMERCE; JOHN GILLIGAN, CHIEF \n   INFORMATION OFFICER, DEPARTMENT OF ENERGY, AND CO-CHAIR, \n SECURITY, PRIVACY, AND CRITICAL INFRASTRUCTURE COMMITTEE, CIO \n COUNCIL; KAREN BROWN, DEPUTY DIRECTOR, NATIONAL INSTITUTE OF \n  STANDARDS AND TECHNOLOGY, DEPARTMENT OF COMMERCE; AND RICH \nPETHIA, DIRECTOR, COMPUTER EMERGENCY RESPONSE TEAM COORDINATION \n   CENTERS, SOFTWARE ENGINEERING INSTITUTE, CARNEGIE MELLON \n                           UNIVERSITY\n\n    Mr. Tritak. Thank you very much, Mr. Chairman.\n    I am grateful for this opportunity to appear before you \ntoday to begin a dialog with you and your committee on the \nissues relating to critical infrastructure assurance and \ncomputer security. In the way of talking about infrastructure, \none of them I want to mention is that my slides just showed up. \nIf you do not mind, I would like to just put them up before \nyou.\n    Mr. Horn. Sure. Keep talking. They can put them up.\n    Mr. Tritak. In any event, Mr. Chairman, Americans have long \ndepended on delivery of essential services over the Nation's \ncritical infrastructures. 
The need to assure the delivery of \nthese services against significant disruptions has been a \nconcern of infrastructure owners and operators for as long \nas there have been electric power plants, telecommunications \nsystems, airlines, railroads, banking, and financial services. \nIn other words, critical infrastructure assurance itself is not \nnew.\n    What is new is the increasing reliance on information \ntechnology and computer networks to operate those \ninfrastructures. This growing reliance introduces new \ncomplexities, interdependencies, and, potentially, \nvulnerabilities. The threat that individuals, groups, and \nnation states are seeking to identify and exploit these \nvulnerabilities is real and growing.\n    [Chart shown.]\n    Mr. Tritak. In recognition of this, President Clinton \nissued PDD-63 establishing the protection of the Nation's \ninfrastructures as a national security priority. As you can see \nfrom the chart, Mr. Chairman, PDD-63 sets forth an ambitious \ngoal. It calls for a national capability by 2003 to protect our \ncritical infrastructure from intentional attacks that could \nsignificantly diminish the Federal Government's ability to \nperform essential national security missions and to ensure \ngeneral public health and safety, State and local government's \nability to maintain order, and to deliver minimal essential \nservices to the public.\n    Three, the private sector's ability to ensure the orderly \nfunctioning of the economy and the delivery of essential \ntelecommunications, energy, financial, and transportation \nservices. The important conclusion of PDD-63 is that critical \ninfrastructure assurance is a shared responsibility. 
With 90 \npercent of the Nation's infrastructures being privately owned \nand operated, the Federal Government alone cannot guarantee its \nprotection.\n    In response to the issuance of PDD-63, the Federal \nGovernment had to organize itself in order to meet the \nchallenges posed by this unique national security challenge. A \nnational coordinator for security, infrastructure protection, \nand counter-terrorism was created to oversee national policy \ndevelopment and implementation, as well as to advise the \nPresident and national security advisor on the same.\n    My office, the Critical Infrastructure Assurance Office, was \ncreated to coordinate policy development for the national plan, \nto assist agencies in analyzing their critical infrastructure \ndependencies, and to coordinate national education and \nawareness efforts. The National Infrastructure Protection \nCenter was created at the FBI to serve as a threat assessment \ncenter, focusing on threat warnings, vulnerabilities, and law \nenforcement.\n    For each infrastructure sector that could be a target for \ninfrastructure cyber or physical attacks, a single government \ndepartment or agency was established as a lead agency for \nworking directly with representatives from private industry.\n    [Chart shown.]\n    Mr. Tritak. Earlier this year, President Clinton issued the \nfirst version of the national plan. Displayed before you is the \ncover. It says a lot about what the plan is and is not. First, \nthe plan focuses on the cyber dimensions for securing critical \ninfrastructures and underscores the new challenges posed by the \ninformation age. That is not to say that physical \ninfrastructure protection is no longer important. It is.\n    Future versions of the plan will reflect that importance. \nIn fact, the plan is designated 1.0 and subtitled ``An \nInvitation to a Dialogue'' for a good reason. It is very much a \nwork in progress. 
It concentrates on the Federal Government's \nefforts in infrastructure protection. The plan acknowledges \nthat this is not enough. We must work closely with industry and \ninclude them in the national planning process.\n    We must also deal with the fact that there is an \ninternational dimension to national information assurance, as \nwell as a domestic one. Of course, we must work closely with \nyou in the Congress to ensure that your concerns, ideas, and \ninterests are reflected in subsequent versions of the plan.\n    [Chart shown.]\n    Mr. Tritak. To meet the goal of PDD-63, the national plan \nestablishes 10 programs for achieving three broad objectives. \nFirst, steps must be taken to identify the key elements and \nsystems that constitute our critical infrastructures. Their \nvulnerability to attack must be assessed and plans must be \ndeveloped to address those vulnerabilities.\n    In so preparing, we hope to prevent attacks from reaching \ntheir target in the first place. Next, should such attacks \noccur, we must develop a means to identify, assess, and warn \nabout them in a timely manner. The attacks must then be \ncontained. Disrupted services must be restored and affected \nsystems must be reconstituted.\n    Finally, we must lay a strong foundation upon which to \ncreate and support the Nation's commitment to achieving the \nfirst two objectives. These include coordinated research and \ndevelopment, training, and employing information security \nexperts, raising awareness, and, where appropriate, identify \npotential legal or legislative reforms.\n    [Chart shown.]\n    Mr. Tritak. The President requested $2 billion for critical \ninfrastructure protection in his fiscal year 2001 budget \nrequest. This represents a 15 percent increase over fiscal year \n2000 funding. 
Of this, 85 percent supports protection of agency \ninfrastructures; 72 percent goes to supporting critical \ninfrastructure efforts within the national security agencies.\n    Our President proposes a number of key initiatives in his \nbudget request. I will just highlight a few. The Federal Cyber \nService Initiative seeks to redress the shortage of information \nsecurity expertise in the Federal Government. This shortfall \nreflects the scarcity of college-level programs in information \nsecurity. It also reflects the inability of the Government to \ncompete for highly skilled workers in this area.\n    Our goal is to recruit, train, and retain a cadre of IT \nspecialists for Federal service. The Federal Intrusion \nDetection Network will serve as a centralized burglar alarm \nsystem for critical computer systems within civilian government \nagencies. Intrusion Detection Systems will be installed and \noperated by the civilian agencies. Alarm data indicating \nanomalous computer activity will be sent through the agency, by \nthe agency to the GSA for further analysis.\n    Only if there is evidence of criminal behavior will data be \nsent to the NIPC and law enforcement. FIDNet will not monitor \nany private network traffic. It will comply with all existing \nprivacy laws. The Partnership for Critical Infrastructure \nSecurity attempts to build on the efforts already underway \nbetween government and industry.\n    It seeks to bring the individual sectors together to \nencourage a cross-sectoral dialog as a common concern, such as \nthe growing interdependencies among the infrastructure owners \nand operators. 
The Partnership also provides a forum for \ninfrastructure owners and operators to engage other interested \nstakeholders, including the audit community, insurance \ncommunity, Wall Street, and the investment community, and of \ncourse mainstream businesses who are the ultimate consumers of \ninfrastructure services.\n    Now, the partnership is dedicated to the belief that once \nindustry recognizes a business case for action, economic self-\ninterest in the market can go a long way toward addressing the \nchallenges of infrastructure assurance. That is not to say that \nself-interest in the market alone can solve these problems, \nbecause they cannot. Where they cannot, and what national \nsecurity interests of their country requires, the Federal \nGovernment must step in to address any gaps and vulnerabilities \nthat may exist.\n    Last month, over 200 representatives of more than 120 \ncompanies began to organize their participation in this \nPartnership. I think the Partnership represents a good step in \nnot only addressing issues of common concern, but also for \nindustry to take a lead in addressing the problems that \nconfront us today. When you have good partnership between \nindustry and government, we are better able to identify and \ndefine our respective roles so that where there\nare gaps, where the market cannot address a problem of concern \nto the Nation, we can fill that gap.\n    Given the limited time, Mr. Chairman, I am going to \nconclude my remarks here and I look forward to your questions.\n    [The prepared statement of Mr. 
Tritak follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.003\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.004\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.005\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.006\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.007\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.008\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.009\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.010\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.011\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.012\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.013\n    \n    Mr. Horn. Thank you very much. I would appreciate it at \nthis point in the record if you would submit the national plan \nfor the record. So, without objection, it will be put right \nafter this point.\n    We now go to the next gentleman, who is very familiar to this \ncommittee. You are doing a fine job. Mr. John Gilligan, Chief \nInformation Officer, Department of Energy, and Co-Chair, \nSecurity, Privacy, and Critical Infrastructure Committee of the \nChief Information Officer Council. Mr. Gilligan.\n    Mr. Gilligan. Thank you, Chairman Horn.\n    As you noted, I come before the committee speaking in both \nmy role as Chief Information Officer of the Department of \nEnergy and as well the Co-Chair of the Federal CIO Council \nSecurity, Privacy, and Critical Infrastructure Committee. As I \nprepared for this testimony, I gave a lot of thought to what I \nviewed were the two critical issues that I face as a Federal \nCIO. I would like to spend a moment addressing these issues for \nyou.\n    Up-front, let me tell you that my biggest issues are not \ntechnology challenges. The primary challenge is educating and \nconvincing line management that computers and networks, as well \nas the information they possess and process, should be treated \nand managed as mission-essential and strategic organization \nresources. 
Let me illustrate my point with an example.\n    Last summer, at one of the Department of Energy \nlaboratories we conducted a security audit. The laboratory was \nevidenced as having the best firewall within the Department, \nvery good security policies, and adequate protection of our \nclassified systems. However, that same organization had a \nnumber of instances of what I refer to as no-brainer security \nweaknesses. For example, there were a number of computer \nsystems that had software configurations that were years out of \ndate.\n    In this case, they were not taking advantage of dozens of \npatches that had been fielded to upgrade the security of those \nsystems over the years. In addition, there were a number of \nsystems where their passwords, including system administrator \npasswords, were easily guessed, or in some cases even used the \nterm ``password.'' These and other weaknesses provided relative \nease for a potential hacker to break into the laboratory's \nunclassified computer system.\n    As I evaluated this apparent paradox, the same organization \nhaving both the best and the worst security practices, the root \nissue became clear to me. The organization was not focusing on \ninformation technology as an overall laboratory resource; \nrather, only sub-sets of the systems and networks were being \npro-actively managed. Most of the unclassified computers were \nprocured and operated as work center or personal resources.\n    I have found a similar dichotomy at a number of other DOE \nsites. The problem at this lab was not the absence of sound \nsecurity policies or lack of security technology knowledge, but \nthe fact that management of computers had become highly \ndecentralized and, in many cases, was a personal task. 
I found \nthat the number of system administrators approached the number \nof laboratory employees.\n    The security audit findings highlighted to the laboratory \ndirector and senior management that they had fundamental \nproblems with information technology management. The solution \nrequired a fundamental change in how computers, networks were \npurchased, installed, and operated. I firmly believe that this \nis the most significant and pervasive problem facing Federal \nagency CIOs.\n    A second challenge I face is working with Federal managers \nin the Department of Energy in determining how much security is \nenough. That is, how much is adequate? In the past, primary \nsecurity focus was on the protection of national security \ninformation, classified systems, and more easily controlled \nmainframe computers. Adequate security was defined by security \ngurus, in most cases, with much input from line management, and \ndefined, in most cases, in absolute terms.\n    Today, we use computers for a wide variety of missions \nwhere it is not cost effective or appropriate to apply the same \nprotection mechanism or security policies in all cases. We have \ninformation relating to national security. Personnel data and \nbusiness operations must be protected to ensure \nconfidentiality. On the other hand, we have public websites \nwhere we want to protect the integrity of the information. In \naddition, there are mission impact and perception factors which \ninfluence what is adequate, as well as rapidly changing \nthreats, missions, and technologies.\n    Federal security policies require an assessment of risk to \nguide management decisions on what is adequate. Sounds easy. I \nwould submit that it is not. The Federal Government is also \nheld to a very high standard and one that continues to change \nand become more stringent over time. In my testimony, I have \nincluded some status updates within the Department of Energy on \nour recent security activities. 
I will not detail them here.\n    I would like to, however, turn for a few minutes to the \nwork of the CIO Security, Privacy, and Critical Infrastructure \nProtection Committee, which I co-chair with Roger Baker, CIO of \nthe Department of Commerce, and Fernando Burbano, CIO of the \nDepartment of State. Our committee is developing a set of \nproducts that we believe will augment and accelerate \nimprovements in implementing adequate levels of protection in \nassuring appropriate privacy of Federal information and \nsystems.\n    I would like to submit for the record a brief summary of \nour committee activities.\n    [The information referred to follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.014\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.015\n    \n    Mr. Gilligan. I would also like to highlight a few of the \ncommittee's efforts. Our project to develop an Information \nTechnology Security Maturity Framework is intended to help \nguide agencies and senior government officials in establishing \nand maturing an effective cyber security program. Following the \nexample of the successful Software Capability Maturity \nFramework developed by Carnegie Mellon University, the \nInformation Technology Security Maturity Framework recommends \nthe building block approach to security.\n    Emphasis is placed at lower levels on critical foundation \nactivities, such as documented policy, and clearly defined \nassigned responsibilities, as well as robust training and \nsecurity assessment of progress. I have brought a display that \nsummarizes the six levels of security maturity described in the \ndraft framework. The Security Committee believes that all \nagencies should be working toward achievement of level 2 in the \nnear term.\n    This level describes what is called a documented security \nprogram. It is based on policy and guidance from the General \nAccounting Office, the Office of Management and Budget, and the \nNational Institute for Standards and Technology. 
The committee \nis working to develop specific evaluation criteria, a checklist \nguide that could be used for level 2, as well as further \ndefinition of level 3.\n    We have invited the Software Engineering Institute and the \nGeneral Accounting Office to participate in the refinement of \nthe framework. The committee also has initiatives in the \ndevelopment of a tool that will allow us to identify and make \navailable the Federal agency's best security practices. We are \ndeveloping sample agency policies and guidelines dealing with \nsecurity and privacy.\n    We are working to accelerate the use of so-called public \nkey encryption. We are working with the Information Technology \nAssociation of America in the development of security solution \nbenchmarks, linked to common electronic services such as \nfinancial track statues with the public, benefit inquiries over \nthe web, and electronic submission of contractor pricing \nproposals.\n    I would like to conclude my remarks with some \nrecommendations from my perspective as co-chair of the \nSecurity, Privacy, Critical Infrastructure Committee. The first \ntwo recommendations deal with funding for security. First, I \nrecommend that organizations specifically identify and analyze \ntheir expenditures in cyber security. In this regard, I suggest \nthat we work with the government and industry to establish and \nrefine benchmarks against which line managers can assess \nwhether their investment is comparable to similar \norganizations.\n    Work by the Gartner Group suggests that a reasonable range \nfor cyber security spending is somewhere between 1 and 5 \npercent of an organization's spending for information \ntechnology. 
Second, I would recommend consideration of \nincreased funding for a set of governmentwide security \ninitiatives that are focused not on multi-year research or \nproduct development, but on short-term immediate operational \nbenefits for Federal agencies.\n    I note that most of our CIO Council cyber security efforts \nare focused toward ongoing operational support. Furthermore, I \nrecommend that we continue to tightly tie our cyber security \nefforts with other initiatives to improve overall management of \ninformation technology resources from an enterprise \nperspective.\n    Finally, I suggest that we continue to focus our education \nefforts toward government managers. I believe managers need to \nknow how to make risk tradeoffs. What they need is greater \nawareness of their responsibility in managing information \ntechnology as a strategic resource, as well as simple \nbenchmarks and metrics, such as funding levels and a maturity \nframework, against which they can evaluate organization-\nspecific risks, as well as the progress of their cyber security \nprograms.\n    This concludes my testimony. I look forward to your \nquestions.\n    [The prepared statement of Mr. Gilligan follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.016\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.017\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.018\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.019\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.020\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.021\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.022\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.023\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.024\n    \n    Mr. Horn. Thank you very much, Mr. Gilligan.\n    Our next witness is Ms. Karen Brown, the Deputy Director, \nNational Institute of Standards and Technology, otherwise known \nas NIST. With the Weather Bureau there, I wonder why we cannot \nbe MIST? Anyhow, the Department of Commerce. Thank you for \ncoming.\n    Ms. Brown. Thank you.\n    Thank you Mr. 
Chairman and members of this subcommittee for \nthe invitation to speak to you today about computer security \nissues. Computer security continues to be an ongoing and \nchallenging problem that demands the attention of the Congress, \nthe executive branch, industry, academia, and the public. \nComputer security is not a narrow technical concern.\n    The explosive growth in electronic commerce highlights the \nNation's ever-increasing dependence upon the secure and \nreliable operation of our computer systems. Computer security \nhas a vital influence on our economic health and our Nation's \nsecurity, and we commend the committee for your focus on this \nsecurity. Today, I would like to address NIST computer security \nactivities that contribute to improving computer security for \nthe Federal Government and the private sector.\n    I would also like to briefly describe for you our proposed \nnew program activities for next year. Under NIST statutory \nresponsibilities, we develop standards and guidelines for \nagencies to help protect their sensitive, unclassified \ninformation systems. In meeting the needs of our customers in \nboth the public and private sector, we work closely with \nindustry, Federal agencies, testing organizations, standards \ngroups, academia, and private sector users.\n    As awareness of the need for security grows, more secure \nproducts will be demanded in the marketplace. Addressing \nsecurity will also help ensure that electronic commerce growth \nis not limited because of security concerns. What does NIST do \nspecifically? To meet these responsibilities and customer needs, \nwe first work to improve the awareness of the need for computer \nsecurity, which is an ongoing effort.\n    Additionally, we research new technologies and their \nsecurity implications. We work to develop security standards \nand specifications to help users specify security needs, and \nestablish minimum security requirements for Federal systems. 
We \ndevelop and manage security testing programs in cooperation \nwith the private sector to enable users to have confidence that \na product meets a security specification.\n    We also produce security guidance to promote security \nplanning and secure system operations and administration. I \nwill briefly discuss the need and benefits of each. First, \nthere is a need for timely, relevant, and easily accessible \ninformation to raise awareness about risks, vulnerabilities, and \nrequirements for protection of information systems. This is \nparticularly true for new and rapidly emerging technologies \nwhich are being delivered with such speed in the Internet age.\n    We host and sponsor information sharing among security \neducators, the Federal Security Program Managers' Forum, and \nindustry. We seek advice from our external advisory board of \ncomputer experts. We meet regularly with members of the Federal \ncomputer security community, including the Chief Information \nOfficers Council Security Committee, and the Critical Infrastructure \nAssurance Office.\n    We actively support information sharing through our \nconferences, workshops, webpages, publications, and bulletins. \nA second need is for research on information technology \nvulnerabilities and cost effective security. When we identify \nnew technologies that could potentially influence our customer \nsecurity practices, we research these technologies and their \npotential vulnerabilities.\n    We also work to find ways to apply new technologies in a \nsecure manner. The solutions we develop are made available to \nboth public and private users. Research helps us to find more \ncost effective ways to implement and address security \nrequirements. The third is the need for standards and for ways \nto test that standards are properly implemented in products. 
\nFor example, cryptographic algorithms and techniques are \nessential for protecting sensitive data and electronic \ntransactions.\n    NIST has long been active in developing Federal \nCryptographic Standards and working in cooperation with private \nsector voluntary standards organizations in this area. We are \ncurrently leading a public program to develop the Advanced \nEncryption Standard [AES], which will serve 21st century \nsecurity needs. Another aspect of our standards activity \nconcerns public key and key management infrastructures.\n    We have been actively involved in working with industry and \nthe Federal Government to promote the security and inter-\noperability of such infrastructures. Standards help users to \nknow what security specifications may be appropriate for their \nneeds. Testing complements this by helping users have \nconfidence that security standards and specifications are \ncorrectly implemented in the products they buy.\n    Testing also helps reduce the potential vulnerabilities \nthat products contain that could be used to attack systems. For \nover 5 years, we have led the Cryptographic Module Validation \nProgram, which has now validated about 90 modules, with another \n50 expected this year. This successful program utilizes private \nsector accredited laboratories to conduct security conformance \ntesting of cryptographic modules against the Federal standard \nwe developed and maintain. Many of these activities are being \ndone in cooperation with the Defense Department's National \nSecurity Agency in our National Information Assurance \nPartnership.\n    The goal is to enable product developers to get their \nproducts tested easily and voluntarily, and for users to have \naccess to information about tested products. 
Under this program, \nwe have also led the development of an international mutual \nrecognition arrangement, whereby the results of testing in the \nUnited States are recognized by our international partners, \nthus reducing costs to the industry.\n    Advice and technical assistance for both government \norganizations and the private sector is the fourth need. While I \nhave given you a few examples of NIST work, I obviously have \nnot covered everything. I want to emphasize there is still much \nmore to be done.\nPlease keep in mind that approximately $6 million of direct \ncongressional funding supports both our Federal and industry \ncomputer security responsibilities. This is plainly not enough.\n    Thank you.\n    [The prepared statement of Ms. Brown follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.025 through T7018.029\n    \n    Mr. Horn. Thank you very much. That was very helpful \ntestimony. We now go to our last witness on this panel. I must \nsay, Mr. Pethia, everywhere I talked and saw people in the last \n3 weeks putting this panel together, the first magic word was \nCarnegie Mellon. So, we are glad to have you come here. We hope \nto visit your campus sometime. You can show us around.\n    Mr. Rich Pethia is the director, Computer Emergency \nResponse Team Coordination Center, Software Engineering \nInstitute at Carnegie Mellon University in Pittsburgh.\n    Mr. Pethia. Mr. Chairman and members of the subcommittee, I \nwould like to thank you for the opportunity to come and talk to \nyou today about computer security. Today, I would like to \ndescribe a number of the trends that impact security on the \nInternet. 
I will illustrate the results of those trends and \nthen outline some steps that I think will help us all \neffectively manage the increasing risk of damage from cyber \nattacks.\n    My perspective comes from the work that we do with the CERT \nCoordination Center. The Center is chartered to respond to \nsecurity emergencies on the Internet, and to work with both \ntechnology producers and technology users to facilitate \nresponse to major security problems. Since 1988, we have \nhandled over 24,000 separate security incidents, and analyzed \nmore than 1,500 separate computer vulnerabilities.\n    The current state of Internet security is cause for \nconcern. The vulnerabilities associated with technology used on \nthe Internet put government, business, and individuals at risk. \nSecurity is influenced by many factors. An organization that \nwishes to improve its security has to deal with a lot of \nissues. First of all, the Internet itself is growing at an \namazing rate.\n    As the technology is being distributed, so is the \nmanagement of that technology. System administration and \nmanagement often fall upon people who do not have the training, \nskills, resources, or interest needed to operate their systems \nsecurely. This problem is about to get worse, now that we have \ndirect Internet connections to homes, schools, libraries, and \nother venues that do not have training and security staff.\n    These always-on, rarely protected systems will allow \nattackers to continue to add new systems to their arsenal of \ncaptured weapons. Intruder tools are becoming increasingly \nsophisticated and also becoming increasingly user-friendly and \nwidely available. This technology is evolving like any other.\n    Sophisticated developers of intruder programs package their \ntools in user-friendly forms and make them widely available. 
As \na result, even unsophisticated intruders can use them.\n    On the technology side, when vendors release patches or \nupgrades to solve security problems, organizations' systems \noften are not upgraded. The job may be too time consuming, too \ncomplex, or just too low a priority for the system \nadministration or staff to handle. There is little evidence of \nimprovement in the security features of most products. Today, \nwe continue to receive new vulnerability reports in second \ngeneration and third generation products.\n    Developers are not devoting sufficient effort to apply \nlessons learned about the sources of vulnerabilities and doing \nthe engineering work necessary to remove them. Finally, \nengineering for ease of use is not being matched by engineering \nfor ease of secure administration. Today, we would all find it \nludicrous if, to safely operate and drive an automobile, a person \nhad to be a master mechanic.\n    Yet, today we expect our computer users and novice system \nadministrators to have detailed technical knowledge of all the \nintricacies and nuances of the technology. We are simply \ndeveloping technology that is not fit for use in today's \nenvironment. Because of these and other factors, organizations \nand individuals who are using the Internet become vulnerable to \nvarious kinds of cyber attack, including the denial-of-service \nattacks that were widely publicized in February.\n    The key point about this attack type is that \nalthough an organization may be able to harden its own systems \nto help prevent having its systems used as a part of a \ndistributed attack vehicle, there is essentially nothing a site \ncan do with currently available technology to prevent becoming \na victim of these coordinated denial-of-service attacks.\n    The best an organization can do today is get ready to \nrespond and have its response capabilities in place, should it \never become the victim of one of these attacks. 
These attacks \nwork by having intruders compromise vulnerable systems. They \ncollect these vulnerable systems into aggregated attack \nnetworks. These networks act in unison to attack a single \nvictim.\n    The network can be activated remotely at a later time by a \nmaster computer. Communication between the master and the \nnetworks is encrypted, often making it difficult to locate the \nmaster. Once activated, these tools proceed on their own. They \nare rapidly evolving. Individual nodes in the attack network \ncan be automatically reprogrammed to change the type of attack \nso that it becomes increasingly difficult to build defenses \nagainst this technology.\n    Clearly, we have entered a new era in the Internet, where \nthe power of the Internet itself is now being used to attack \npeople who are connected to it. At the CERT, we constantly \nmonitor trends and watch for new attacks and tools. We became \naware of this new form of denial-of-service attack in late \nAugust, early September 1999. Denial-of-service attacks are not \nnew.\n    These kinds of attacks have been around since 1994, with \nsignificant increases in 1996 and 1998. By the end of \nSeptember, it was evident that this was a new form of attack. \nIt was something we had never seen before. We called together a \nworkshop of 30 international experts who came together for 2 \ndays in Pittsburgh and produced a paper that explains the \nthreat posed by these intruder tools, as well as guidance to \norganizations about how to protect themselves and be prepared, \nand how to be ready to respond.\n    This paper, along with other advisories, was issued to the \ncommunity in December. We have had a series of communications \nout to the Internet community. The problem is serious. It is \ncomplex. A combination of approaches must be used to reduce the \nrisks associated with this ever-increasing dependence on the \nInternet. 
First of all, we need a better ability to collect, \nanalyze, and disseminate information on assurance issues.\n    A lot of what we do today is reactive. We see a problem. We \nanalyze it. We understand what just happened. That is no longer \nadequate. New forms of attack are now happening at Internet \nspeed, both automated attacks, like these distributed denial-\nof-service attacks, as well as new forms of viruses, such as \nMelissa that showed up in March of this year.\n    Today, we need to find analysis methods that build a \npredictive early warning capability. We need to be able to \nunderstand what is going to happen before it happens, which \nmeans we need new ways of analysis. In addition, better \nattention must be paid to collecting information. There has been a lot \nof discussion and debate about instrumenting networks to \ncollect data to watch the traffic on the network to anticipate \nwhat the problems might be.\n    Certainly, there is a need to be concerned about privacy, \nbut we have to find some way to balance our need to collect \ninformation about the operation of networks with our need to \nkeep individual transactions and users' activities private. \nUntil we get a better view into what is happening on our \nnetworks, we are going to have a very difficult time defending \nagainst new forms of attack.\n    Third, we need to invest in better education and training \nto raise the level of security and security awareness. In \nparticular, we need to focus on bringing the understanding of \nsecurity issues to senior and middle management in government, \nas well as in industry. Until there is management commitment, \nand management commitment of resources to solve this problem, \nlittle is going to happen. 
Part of that includes encouraging \nthe development of comprehensive security programs with well-\ndefined responsibilities for managers, users, and system \nadministrators.\n    Finally, all of this is only going to help us mitigate the \nproblem, stem the flow of quality that we are having. It will \nnot solve the problem. In order to get ahead of this problem, \nwe need to support research and development activities that \nwill lead to a new generation of technology on the Internet and \nother broad-scale networks. Systems that are easier to secure, \nsystems that do not require so much constant attention, systems \nthat do not repeat the vulnerabilities of the past: the long-\nterm solution is better technology.\n    That is going to take years. Until we get there, we need \nbetter management approaches. Thank you.\n    [The prepared statement of Mr. Pethia follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.030 through T7018.130\n    \n    Mr. Horn. Thank you very much.\n    We will now go to questioning. It will be 5 minutes to a \nside. We will get everybody in here in three rounds, if you \nneed them.\n    [Pause.]\n    Mr. Horn. This looks like a vote.\n    What I want to do is start on one issue. Then I will yield \nto Mr. Turner. As I listened to the comment about maybe we need \na tzar in this area, usually my spinal column starts wiggling. 
\nAs a student of Russian history, I keep wondering what happened \nto a lot of tzars and who is Rasputin in this operation? So, I \nguess I would ask, is the Koskinen model a good one for this?\n    Now, with the Koskinen model, then when Mrs. Maloney and I \nwrote the President, then talked to him and said, look, you \nhave got to get somebody to coordinate this effort. Some were \nwaving the flag for a tzar. I was not. The way it worked out, \none, the President picked a person that he had known before he \nwas President and had trust in.\n    No. 2, we made him assistant to the President, which is the \nhighest rank you can have in the White House hierarchy. No. 3, \nhe was not in OMB. He was housed near there. The President had \nhim and the President spread the word to the Cabinet that this \nis serious business, when they finally got around to it.\n    No. 4, they called on each of the Deputy Secretaries that \nreally run departments and obviously involved the Chief \nInformation Officers, who are the people we ought to be \nspending the time to be the managers they are supposed to be of \ncommunications and information in their particular agencies. \nSo, I guess I would simply like to get the feeling of you as to \nwhether that was a successful model that we could also apply to \ncomputer security and not have some tzar in OMB.\n    Of course, as you know, I am trying to split the management \npart out of OMB. It might well roost there, but the fact is the \nmodel I think worked the way it did. I do not know if any of \nyou want to take that and say, hey, there is another way to \nlook at this. Go ahead. Mr. Gilligan.\n    Mr. Gilligan. Sir, let me give you some perspectives. I \nthink the model with the particular individual, John Koskinen, \nworked extremely well. I think there were a number of factors \nthat made it work well, one of which was the personal \ncharacteristics and strength of John Koskinen. 
I think there \nwere also some other factors that made it effective. That was \nthe urgency and the immediacy of Y2K heightened the interest \nacross the board.\n    There was a need and a willing acceptance of someone to \nhelp lead the effort across government and across really the \ncountry. It is not clear to me that an exact parallel to that \nwould work as effectively in computer security. I know that \nthere has been some frustration, and there continues to be at \nall levels, with our difficulty of pulling together across-\ngovernment activities in this area.\n    So, it is clear that we need to emphasize and we need to \nwork in that area. Obviously it is something the CIO Council is \ntrying to address, and yet we realize that we have limited \nabilities as well. So, while I would not specifically endorse \nthe exact model, I think we need to continue to look for some \nway to better leverage our across-government efforts in this \narea as a part of our solution.\n    Mr. Horn. Any other thoughts on this? Mr. Tritak.\n    Mr. Tritak. I would agree with those comments.\n    Mr. Horn. So, you would like that model?\n    Mr. Tritak. I think what is intriguing about the Koskinen \nand the Y2K effort generally is, in many respects, the Y2K was \nyour first critical infrastructure challenge to the United \nStates. It had a lot of things going for it. First of all, \nthere was a recognition. In fact, industry actually led the \nway. The government took a little while to get onboard.\n    There was an acknowledgment of what the challenge was. \nThere was a known problem. The people rallied for it. I think \nthat when you look at the Koskinen model, it is important to \nlook at what the factors of success were. You have identified \nquite a few of them. He was viewed as having the authority. He \nworked very closely with the Cabinet. 
The Cabinet knew that \nwhen he walked into the room, who he was, and what he stood \nfor.\n    We certainly cannot under-emphasize the importance of \nleadership, and of viewing it as someone who is speaking with \nauthority on behalf of the President; especially when you are \ntalking about across-agency issues, which critical \ninfrastructure really is all about. If you look at the way this \nhas evolved, there was a time probably when the Computer \nSecurity Act was actually passed where you could talk about a \ncomputer system within an agency. It was that agency's system.\n    Now, you are looking more at an interconnected set of \nsystems. You have to ensure, in terms of the government as a \nwhole providing a service to the Nation, that you have strong \nlinks across government agencies, as well as within them, so \nthat you do not create weak links in the chain. Now, with that \nsaid, I think that we have to look very closely at how the \nchallenges, as ongoing, differ from the Y2K experience before \nyou talk about institutionalizing a new position.\n    I think certainly some of the ingredients that you \nindicated bear close scrutiny and attention on that. In fact, \nyou could make the case that that kind of leadership becomes \neven more essential in some regards when the known threats are \nnot as immediate, but you know they are out there and they \ncould happen at any time as opposed to a date-specific.\n    Mr. Horn. Any other comments on this?\n    I will yield 5 minutes to the gentleman from Texas. If you \nwould like, we could recess now to go vote, and then come back, \nand then start with your 5 minutes. Is that OK with you?\n    Mr. Turner. That is fine.\n    Mr. Horn. OK. We are going to be in recess then for 20 \nminutes so we can get these two votes.\n    [Recess.]\n    Mr. Horn. This subcommittee will be in order. We will \nproceed with the questioning. It is 5 minutes for Mr. Turner, \nthe ranking member from Texas.\n    Mr. Turner. 
Thank you, Mr. Chairman.\n    I appreciated your comments. I really get the impression \nthat what you were saying to us is that there is a lot of work \nthat has got to be done in the area of new technology before we \nwill ever have any hope of really having a secure Internet. I \nguess I was kind of curious as to what types of things you are \ntalking about. We made the comparison a minute ago to the Y2K \nproblem.\n    To me, what we are talking about today dwarfs the Y2K \nproblem. In that arena, we had a date certain we were working \ntoward. We knew if we made it past that date, we had succeeded. \nThe government was able to provide a coordinating role for both \nthe public and the private sector. This challenge seems to be \nso much greater. When you say we need better technologies, what \nkinds of things are we talking about?\n    Mr. Pethia. First of all, the driving factor behind my \nbelief is that more and more devices attached to the Internet are \ngoing to become consumer items. I think we are already there \nwith personal computers. We are almost there, even with some \ndevices like routers and firewalls, when you think about \nhaving these things installed in libraries, in doctors' \noffices, and in places where you would not expect to find \nsomeone with a degree in computer science.\n    That is going to continue. We are going to have all kinds \nof devices at home. We are going to have hand-held portable \nunits. We are going to have cell phones connected, as we \nalready do, into the Internet. So, from one perspective what we \nneed to do is to make security much simpler than it is today. \nYou can configure a very secure personal computer, be it a Unix \nbox or a Microsoft Windows box.\n    All of the mechanics are there to do that, but it is not \neasy. It takes a lot of understanding and a lot of knowledge. 
\nNot only do you have to get it right the first time, you have \nto keep it that way over time as you add new applications into \nyour personal computer. So, if you think back to the 1960's \nwhen all computers were hard to use in all kinds of ways, the \nindustry responded very well with a lot of research and \ndevelopment in easy-to-use, in fact ease of use was the buzz \nword for the industry back then.\n    We need the same effort today, in terms of security \ncontrols and security mechanisms. Bring those controls and \nmechanisms to the point where the average user could use them. \nI think that is sort of a near-term, by ``near-term'' I mean a \n2- to 3-year effort that could show some results, significant \nresults, major results in that period of time.\n    Mr. Turner. I forget the name of the group or company that \nis certifying whether something is secure or not. I read about \nit somewhere. Is that the kind of thing that would motivate the \nprivate sector to be sure they develop their products in a way \nthat they can be secure?\n    Mr. Pethia. I think that kind of thing will certainly help. \nI think the tension is going to be between the length of time \nit takes to do the evaluations and the market forces that keep \ndriving new products. Very often, the situation of doing an \nexhaustive evaluation takes time. By the time you are through \nwith that evaluation, the marketplace has already moved on to \nthe next generation of products. I think we have to struggle \nwith that issue.\n    Mr. Turner. That seems to be one of my greater concerns \nbecause this field moves so fast. It is always the private \nsector that is moving forward. We had some government effort \nover there, though it is not in one place right now. 
It seems \nthat the government effort, even if we consolidate it, is \nalways going to be a step behind what is really going on in the \nprivate sector.\n    So, it is forcing you to try to think of private sector \nincentives to try to make this all happen. I cannot get it in \nmy mind that the government is going to be able to keep up with \nit.\n    Mr. Pethia. I think the private sector interest is rising. \nI think as more and more damage happens on the Internet, people \nare going to begin to understand that investing in security is \nsomething they are going to need to do in order to keep their \nbusinesses operational. So, I think that is happening. I see a \nbig increase in private sector interest today, over just a year \nago. That trend has been going on for several years.\n    I think the marketplace, in my opinion, has become \ncomplacent. The marketplace is currently accepting whatever the \nvendors produce. I think an awareness campaign and an \nunderstanding that technology can be changed; technology does \nnot have to be the way it is today is something that would help \nmove, first of all, the consumer to a better understanding of \nthe kind of quality the consumer should expect from a product.\n    Then finally, the technology producers, as they begin to \nsee a marketplace for that new product, to begin to produce. \nThere is a place where I think government campaigns focused on \nbroad-scale awareness, understanding, helping the consumer, \nboth in government and outside government, understand that \ntechnology possibilities exist beyond what we have available to \nus today, I think, would go a long way to spur that kind of \neffort.\n    Mr. Turner. Is it a reasonable suggestion to think in terms \nof a second Internet? After all, we are even getting to the \npoint where much of what takes place can even be done in a \nwireless mode. Is there a reason to consider that there could \nbe more than one Internet? 
That there are secure Internets so \nthat we can solve some of our national security type problems \nand others in a way that we know that we are protected?\n    Mr. Pethia. Certainly, I think there are some needs for \nhigh security in some applications where those networks and \nsystems will remain isolated and should remain isolated from \nthe broad Internet. I think the last 10 years of history have \ntold us that the Internet is going to continue to evolve. It is \ngoing to continue to lure people because of the broad \nconnectivity that is available over the Internet, and also \nbecause of the dramatically lower cost of operating on this huge \nnetwork where everybody shares the expense.\n    I think the economics are going to continue to push most \norganizations toward the Internet. I think the challenge, \nrather than trying to isolate from the Internet, is how do \nwe go about fixing the Internet so that we can all \nenjoy the level of security that we need?\n    Mr. Turner. Your effort at Carnegie Mellon, through the \nComputer Emergency Response Team, seems to me to be an \nexcellent private sector initiative. Do you think government is \ncapable of duplicating that or will it be best left to efforts \nlike yours?\n    Mr. Pethia. I think it is going to take a combination of \nefforts. There are within the government a number of computer \nemergency response teams in the DOD, in the Department of \nEnergy, and in some of the other agencies. There is the FedCIRC \nactivity which we actually participate in. So, I think there is \na large government effort there. One of the advantages that I \nthink we have is that in addition to the reactive work that we \ndo, we are also housed in a research university.\n    So, in the private sector where you can have these kinds of \nreactive capabilities to help us understand what the problem \nis, but also marry with that a research and development \ncapability we can move toward solution. 
That, I think, is a \ngood combination. So, there perhaps is a way where government \ncan team with organizations in the private sector, with the \ngovernment doing some of the response reactive work, ensuring \nthat they have close working relationships with technology \nresearchers so that the researchers really understand what the \nreal problems are.\n    Mr. Turner. Thank you, Mr. Chairman.\n    [The prepared statement of Hon. Jim Turner follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.131\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.132\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.133\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.134\n    \n    Mr. Horn. I thank the gentleman.\n    Now, I yield to the gentlewoman, the vice chairman from \nIllinois, Mrs. Biggert to question the witnesses for 5 minutes.\n    Mrs. Biggert. Thank you, Mr. Chairman.\n    If I could ask unanimous consent to include my opening \nstatement.\n    Mr. Horn. Without objection, it will be so ordered as read \nat the beginning, after Mr. Turner's opening remarks.\n    Mrs. Biggert. Thank you.\n    This is a question for all of you. What is the real threat \nfrom cyber terrorists to the Federal agencies' mission critical \nsystems? I know that is a broad question, but how does the \nadministration's recently released National Plan for \nInformation Systems Protection address the plans to mitigate \nthese terrorist threats? I think when we were talking about \nY2K, we had our mission critical systems. I think that was what \nwas really addressed there. First of all, is there a threat \nfrom the terrorists?\n    Mr. Tritak. Well, I think the national plan makes clear \nthat the threats posed by cyber terrorists as well as nation \nstates are growing. I would urge you, if you have not already, \nto get a briefing by Mr. Michael Vaddis at the National \nInfrastructure Protection Center who could give you a lot more \ndetail, an appropriate level of detail than I can get into. 
One \nof the reasons for PDD-63 stemmed from a Presidential \ncommission which asked the question, what are the new threats \nto the Nation? The cold war is over. It is unlikely that anyone \nwould be foolish enough again to take on the United States with \narmed forces. So, what are they?\n    That question was initially prompted, of course, by a \nnumber of events that were happening in the mid-1990's, the \nTowers' bombing, Oklahoma City. What is going on here? The \nrecommendation of that commission was to say that the critical \ninfrastructures of this country are increasingly becoming \nvulnerable to types of attacks that could be delivered over the \ninformation super highway.\n    Why? Because as was indicated earlier, traditional \ninfrastructures are increasingly relying on computer networks, \nnot only to receive e-mail, but actually perform operational \nfunctions of their business. As you move further and further \ninto deregulation, the need to cut your costs to make the \nmargins up, you are going to be relying more and more on \ninformation technologies to perform functions which \ntraditionally may have been performed by manual labor for \nexample.\n    Also, in the past, if a computer operational system went \ndown, say in the electric power industry, they had ways of \nshifting over to manual-type responses in order to keep the \nflow of services going. Now, over the long-term, more and more \nof those primary functions are performed by information \ntechnology, and if those systems are then networked either \nthrough the Internet or some wide area network systems, the \npotential for someone being able to get in and cause damage \nincreases.\n    Now, I am glad you also mentioned the critical systems \nbecause this is a very important thing about critical \ninfrastructure assurance. 
What we are concerned about are those \nsystems within our critical infrastructures which, if \ndisrupted, could cause immediate and significant harm to the \nNation's security, its economy, or the health and welfare of \nits people. If someone means to do harm, they are going to want \nto leverage their efforts to find weak links in the chain.\n    So, one of the purposes of the effort that is outlined in \nthe national plan is to begin to raise this issue with industry \nto make clear that this is more than just a hacking problem. \nFrankly, they deal with that now. They know that they are being \nhacked. Their websites are being looked at. The idea that if \nmore and more of their business relies on information \ntechnology, for example, banking and finance, e-commerce, where \nthe very nature of the revenue stream turns on information \ntechnologies. This is a different problem.\n    The same thing within the Federal Government. There was a \ntime when you could talk about a computer system within the \nFederal Government and it was the agency's system. It was \ninsular. It was self-contained. Now, like everywhere else, you \nare getting inter-connectivity between agencies. They are \ndepending on different services, both within government as well \nas outside of government.\n    This inter-dependency is one of the newer challenges. An \nagency can get their security concerns right, but if they are \ndependent upon systems which do not have their security right, \nthat is where the vulnerability lies. Your types of attacks \nwhich, again, Mr. Vaddis will be in a better position to talk \nto you about this, they are looking for the weak links. They \nare not simply going to willy-nilly take on any piece of the \ninformation infrastructure. They are going to look for where \nthe highest value payoff is going to come from.\n    Mr. Gilligan. I think Mr. 
Tritak has done a good job of \nsummarizing the significance of the threat and many of the \ncharacteristics that contribute to it. I would only add a \ncouple of thoughts. One, I think it is not just linkages \nbetween agencies, but linkages within sites and within agencies \nwhere you find I think unknowingly our interconnection.\n    We are just about intermeshed in our network connectivity \namong systems that we have the same vulnerabilities. I think \nsecond, we really, in my view, have kind of two tiers of \nthreat. Unfortunately, a lot of our emphasis and visibility is \non what I will call the lower tier, which is a very \nunsophisticated, but today, because of the vulnerabilities, is \nineffective and gets a lot of visibility.\n    Now, I think there is one that is much more sophisticated. \nWe only get glimpses of it. In many cases, that is something we \ndo not share a lot of insight. It is almost masked. That is, we \nare seeing some of these lower sophistication threats. That is \nwhat we are focusing a lot of attention. I think we need to \nbecause you need to dampen those out of the system before you \ncan really start to focus and then get the protection that you \nneed to address the more sophisticated attack.\n    Ms. Brown. Well, I think both gentlemen have done a really \ngood job. I would only add that I think one of the key \nchallenges is not just today's problem, but the ongoing \nproblem. There is new software every month. There are new \nsystems every month. So, there is not a single fix, as in the \nY2K, as Mr. Turner and everyone has talked about. There was a \nsingle crisis. There was a single thing that we had to fix.\n    This is going to be an ongoing problem, and ever more \ndifficult in many ways to stay on top of as we become more and \nmore global. So, we need to look at what can we do today, but \nalso on the more fundamental things to make our systems \nfundamentally secure. 
How do we design the systems and how do \nwe design the software so it is not up to the user to fix and \nput the patches, which will always be there? Somehow, how do we \nfundamentally make the system more robust?\n    Mr. Pethia. I am building briefly on Mr. Gilligan's \nremarks; this idea of two tiers of threat. At the lowest level, \nand one of my big concerns, and the reason that I am advocating \nfor increased emphasis on analysis, capability, and data \ncollection is that the low-level threat, the amount of noise \ngenerated by that threat is now so huge. We literally get 50 \nnew incidents reported to us every day. We are only 1 of 90 \nemergency response teams, as well as a number of government \nagencies who focus on this issue.\n    There is so much activity out on the network today. It is \nvery difficult to pull out from all of that noise the one or \ntwo key things that you really need to pay attention to. In \norder to stay ahead of this problem, I think we are going to \nneed to become much more sophisticated in the way we collect \nand analyze incident data. So we can look for those key \nindicators that there is something really significant going on.\n    Mrs. Biggert. Thank you. Thank you, Mr. Chairman.\n    Mr. Horn. Thank you. May I suggest that if we have some \nadditional questions, that we have a time problem here. A \nnumber of us are involved in things that just go every 15 \nminutes, starting at around 12:05 p.m. So, if you do not mind, \nwe would like to submit some of these questions, I know that I \nhave, to you. Take your time, but we would love to have them in \nthe record at this point, your best thoughts, if that is OK \nwith you.\n    [The information referred to follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.135\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.136\n    \n    Ms. Brown. Thank you very much for the opportunity.\n    Mr. Horn. Well, we thank you. The chart here I particularly \nwant your comments on. 
That is our question 5, for the majority. I \nthink you have it. Now, this was prepared by counsel, Mr. Ryan. \nHe is 100 percent Irish. I am only 50 percent Irish. It is not \neven St. Patrick's Day. I look at that. I looked for Jesse \nJackson on the floor. It looks like the Rainbow Coalition. He \nis serious about this and we are.\n    So, we would like your best shot at it, in terms of all of \nthese organizations and how they can work on computer security \nissues. The key question still remains on who is coordinating \nthis operation? Are there various ways, given the private \nsector, the Federal sector, the State sector, the local sector, \nthe non-profit sector? So, if you would struggle a little with \nthat, we would appreciate it.\n    Well, thank you very much for coming. We will now swear in \nthe next panel.\n    Mr. Horn. We have Mr. Jim Gerretson, Director of \nOperations, Information Assurance, ACS Defense, Inc.; Mr. Mark \nRasch, senior vice president and legal counsel, Global \nIntegrity Corp.; and Mr. James Adams, chief executive officer, \niDEFENSE.\n    Gentlemen, if you will just stand and raise your right \nhands.\n    [Witnesses sworn.]\n    Mr. Horn. The clerk will note all three witnesses affirmed. \nWe will begin, Mr. Gerretson, with you. It will be 5 minutes for \na summary. We are going to have to stick to that. We all have \nyour papers. If you were not in the room, they automatically go \nin at this point in full. If you can give us a summary, and \nthen we would like to have some questions before noon. Then we \nare going to have to break.\n    So, Mr. Gerretson, it is all yours.\n\n     STATEMENTS OF JIM GERRETSON, DIRECTOR OF OPERATIONS, \n INFORMATION ASSURANCE, ACS DEFENSE, INC.; MARK RASCH, SENIOR \n VICE PRESIDENT AND LEGAL COUNSEL, GLOBAL INTEGRITY CORP.; AND \n         JAMES ADAMS, CHIEF EXECUTIVE OFFICER, iDEFENSE\n\n    Mr. Gerretson. Mr. 
Chairman and members of the committee, \nthank you for giving me the honor of testifying today. I am \nhere today to give you a brief presentation on hacking. We \nbelieve that in order to start to fix your systems and \nnetworks, that you have to understand the enemy, and hackers \nreally are the enemy. The following presentation will take you \nbriefly through what we call the hacker protocol and \ndemonstrate just some of the tools and techniques used by \nhackers to gain access to your systems.\n    All of the tools that you are going to see today are freely \navailable on the Internet or you can go to a local computer \nshow on a weekend and, for $10 per CD, buy a full CD of \ndifferent types of hacks. The current database that we have \ncontains over 3 gigabytes of data. What you see on the screen \nbefore you is what we call the hacker protocol. Different \npeople may use different terms, but professional hackers in \nnation states that implement hacking as warfare do follow the \nsame concepts.\n    The thing that is important to recognize here is this is \nhighly structured in its approach and in its planning. A good \nhack, for better or for worse, is invariably a well-thought-\nout, well-executed operation.\n    Mr. Horn. I might add on that very useful chart that, that \nwill be placed in the record at this point, without objection. \nAll other charts will be put in appropriately where they have \nbeen used by the witness or the staff. So, all of those charts \nwill go in the final hearing report.\n    Mr. Gerretson. Thank you, sir.\n    [Slide shown.]\n    Mr. Gerretson. The first phase of the hacking protocol is \nintelligence gathering. This is primarily an espionage \noperation. There are many facets to it. Social engineering is a \nlarge part. I may act as a user calling up a help desk and say \nI have forgotten my password. Help desks are set up to be very \nhelpful. They will frequently say, the default password is, or \nyour network is. 
So, I get a lot of information that way.\n    Open source materials such as newspapers, prospectuses, and \nlibrary magazine articles are also a wonderful way of getting \ninformation. You hear the term a lot, but ``dumpster diving'' \nis also a very popular way of getting information on your \nsystem.\n    [Slide shown.]\n    Mr. Gerretson. Once we have done the intelligence \ngathering, the next step is to do reconnaissance. Again, to \ndefine the target. Your domain host is the name of your \ncomputer system on the network. I want to know what I have got, \nsee if I can attack it, and how I can attack it. This is what \nwe are going to show you. It is a freely available program \ncalled NMAP. We are going to take that information that we have \ngathered and scan your network to determine what is there. The \nprogram that we are using is called Ping Sweep.\n    [Slide shown.]\n    Mr. Gerretson. In simple terms, my computer is going out to \nyour network and saying, hello, are you there? Your computers \nare coming back and saying, yes, I am. What you see here, with \nthese being listed, are computer targets that have come back \nand said, I am here. What we have now done is identified a \ntarget set. We are not wasting our time.\n    [Slide shown.]\n    Mr. Gerretson. The next slide, we are going to take one of \nthose targets that we have identified and go and look for \nadditional information. What we are trying to do is find out \nwhat services are open, as you see, I am pointing out. These \nare all considered services on a computer. This one, for \nexample, is finger, which we will talk about in a second.\n    What we are doing is finding a means to attack your system. \nWe are also going to go out to try to find out the operating \nsystem that your computer is running which is again identified. \nOnce we have this information, we can now go and do specific \nprobes. 
What we are going to do is take that information and \nlook for a way to get into your system.\n    [Slide shown.]\n    Mr. Gerretson. This presentation that we are going to show \nyou now is one of the tools called Finger. It is an information \ngathering tool; you are seeing it used in a way it was never \nintended to be used. In order to attack and control the system, \nyou need three things. You need a valid user name. You need a \nvalid password, and you need a host address from the computer \nsystem that is allowed to talk to you.\n    If you look across here, as I am highlighting ``student \none,'' I now have a valid ID and I now have a valid computer \nsystem that I am talking from. I have two of the three items \nthat I need to attack this system.\n    [Slide shown.]\n    Mr. Gerretson. This next scan: web servers, as we are all \naware, are a wonderful target for attack. It used to be that in \norder to do the attack, I had to know all of the systems and \nall of the vulnerabilities. Now, I have a tool that will run it \nfor me automatically. It requires very little work on my part. \nIt identifies the server type that is running and will simply \ngo out and scan all of the CGI weaknesses on this web system. I \ndo not even have to know what these systems are now.\n    I do not have to know what these vulnerabilities are. It \njust tells me it finds one. I go out to my tool kit, pull in \nthis particular attack and away I go. Once we do that, we are \ntrying to get a toehold on the system. This is basically I just \nget into your box any way I can. I cannot control the data. I \ndo not need it, but I am on it and it gives me the next step.\n    [Slide shown.]\n    Mr. Gerretson. The next step is to go from just being a \nuser into what we call the root or administrator level of the \nsystem; then we really do own this box. I am going to skip this \nexample.\n    [Slide shown.]\n    Mr. Gerretson. 
We are going to go and actually break into \nthis system and take it over. It acts as a user system. What \nthis program does is it shows us actually going in and doing an \nattack on the system that in a matter of about 15 seconds turns \nus into the root administrator of the box, simply from being a \nuser. Once we have gotten control of the system, there are a \nlot of things we can do.\n    We could kill this box. We could take the information. But \nwhat we do want to do is use it again later. So, we are going \nto hide our tracks. We do not want people to know we are there. \nWe can do that by deleting files or modifying log files. We are \ngoing to show you a quick example of how we just simply modify \na log file.\n    [Slide shown.]\n    Mr. Gerretson. This is a program called Wipe. We have a \nuser account. We are called ``Reacher.'' We get into the \nsystem. If the system administrator were to check his logs, he \nwould say, why is this guy here? But we have gone and wiped it. \nWe are no longer there. We are now invisible to the person that \nruns this machine.\n    [Slide shown.]\n    Mr. Gerretson. We can put Trojans on the system. A Trojan \nis a program that will look like something that is a valid \nprogram that is supposed to be there, but in effect it is a \nprogram that does a lot of bad things. In this brief example, \nlisten. We can record every keystroke you type on the system. \nWe can turn on your sound system. So, if you have a microphone, \nwe can record everything that is said in the area, and you will \nnever know what happened.\n    [Slide shown.]\n    Mr. Gerretson. Now, that sounds bad and it gets worse. I will \nmake a bold statement that if you are connected to the network, \nand if I have enough time and want to make the effort, I can \nhack you. The only surefire way to protect your system is to \ndisconnect it from the network. Take out your floppy. Take out \nyour CD and then lock it up in a secure room. 
Anything short of \nthat, eventually it can be had.\n    It sounds pretty bad, but there is hope. It is not all bad; \njust mostly bad. The first thing is you have to have a \nvulnerability assessment. You have to know what your security \nposture is. Second, we believe in the defense-in-depth \napproach. It is vital. There is no single solution to make your \nsystem secure. You have to have layered approaches that \ncomplement each other.\n    The next thing, training is the key. As the earlier \nwitnesses said, there are good people out there, but they just \ndo not understand security. One of the key things to recognize \nis the solution that works today may not work in 6 months. You \nwill never have a final solution. You are constantly \nreassessing.\n    Thank you for your time.\n    [The prepared statement of Mr. Gerretson follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.137\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.138\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.139\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.140\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.141\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.142\n    \n    Mr. Horn. Thank you very much.\n    We now have our second witness, Mr. Mark Rasch, who is the \nsenior vice president and Legal Counsel for the Global \nIntegrity Corp. Perhaps you would like to tell us a little bit \nabout the corporation.\n    Mr. Rasch. Yes, thank you, Mr. Chairman.\n    I work for Global Integrity Corp. It is a company that does \ninformation security consulting work for the private sector. \nSo, our clients tend to be things like banks, insurance \ncompanies, Fortune 100 companies that take the problem of \ninformation protection. Notice I used the term ``information \nprotection'' and not computer security. They take that problem \nseriously.\n    What we are trying to protect here is not the computers \nthemselves, but the information that is contained on those \ncomputers. 
So, the perspective that I bring is what the private \nsector sees as the problem and what the private sector is \ntrying to do itself to try to solve the problem. One of the \nthings we noticed is that the Commerce Department issued a \nreport in the last couple of days that indicates that U.S. \nretail e-commerce sales for the fourth quarter of 1999, that is \nOctober through December, was about $5.3 billion.\n    What has happened is this Internet that we created 20 years \nago is being asked to do something that it was never designed \nto do. That is to support a national economy; to support a \nnational infrastructure that it was never designed to do. So, \nwhat happens is we have this distributed computer network, \nwhich was essentially unsecured. All of the security to that \nnetwork is essentially added afterwards.\n    That is being designed now and being asked to protect the \ncritical infrastructure. The attacks that we saw a few weeks \nago against Yahoo, Ebay, and others also demonstrated another \nproblem. As a lawyer, this is one that concerns me much more \nthan what concerned me about the year 2000 bug problem, from a \nlitigation standpoint. That is that we are only as secure as \neverybody else on the Internet.\n    As the previous panel discussed, these are targets of \nopportunity. People attack systems because they can get in. \nThey attack the ones that they feel that they can get into. \nAlso, the fact that even if you have done stuff to harden your \nsystem, people will break into other people's systems and use \nthose to attack you. So, what we have is a serious looming \nlitigation problem, or what we would call downstream liability.\n    If you are attacked by somebody and the attack is coming \nfrom another corporation that did not secure the systems, and \nyou go to your lawyer and ask, can we sue, which is always the \ndumbest question to ask a lawyer because the answer is always \nyes. 
The question is who are you going to sue, the 17- or 18-\nyear-old hacker, if they are ever identified, or the \ncorporation from whom you are attacked?\n    So, the idea of a worldwide web that is dependent upon the \nsecurity of everybody else creates targets of opportunities, \nnot just for hackers, but for lawyers as well. One of the \nproblems also that we have seen is a massive increase, not only \nin the use of the Internet and the use of the Internet for \nelectronic commerce, but of these types of criminal activity.\n    For example, from 1998 to 1999, theft of intellectual \nproperty increased 15 percent. Unauthorized access by \nhackers from inside is up 28 percent. Insider abuse to the \nInternet is up 17 percent. System penetration by external \nparties increased 32 percent. Why is this happening? The first \nreason is that attack technologies are becoming very easy to \nuse. So, as Mr. Gerretson just showed, you can go to any hacker \nconvention, pick up a copy of this disk, put it in your \nmachine, and knowing no more than a lawyer, which is a fairly \nlow standard I would say, put this in your machine and launch \nan attack on any computer on the Internet.\n    You do not need to know a lot. It is point and click and \nyou are in. So, the tools are getting easier to use. They are \nbecoming more widely available. In addition, with the growth of \nthe Internet, you have tens of thousands and probably \nmillions of insecure computers out there that are used as \ntargets of opportunity and methods of attack. The software is \nbecoming increasingly complex and much more difficult to \nsecure.\n    Software manufacturers who are building this software are \ntrying to design it to be functional. If you are coming out \nwith a new word processing program or you are trying to come \nout with a new operating system, and you are under competitive \npressures to get it out to market, you want to make sure that \nit is functional. 
Until companies demand security and the \ngovernment demands security as an integral part of \nfunctionality, I do not think the manufacturers are going to \nship these things as being at least more secure.\n    So, these are some of the problems. What is the private \nsector doing? Well, speaking just for Global Integrity, we are \ndoing two things working with the financial services industry, \nwhich I think is a model for both the government and for other \nprivate sector enterprises. One of them is something called the \nBITS Laboratory that we are working with the Banking Industry \nTechnology Secretariat and a consortium of banks.\n    What they are doing is they are developing a series of \nsecurity standards. We at Global, are testing computer \nproducts, hardware, software, and other types of products, \nagainst the security criteria. The idea is that the marketplace \nthen will say, for example, banks will say unless your software \nhas been tested against these criteria, we will not buy it. \nUnless it is pre-configured in a secure manner, we will \nnot buy it.\n    So, we are using the marketplace as a method of trying to \nensure security. The second thing is the Financial Services \nInformation Sharing and Analysis Center [FSISA]. This is \nsomething that we are doing. Financial services industries, \nbanks, insurance companies, and the like have a secure method \nof sharing information amongst themselves about attacks and \nvulnerabilities.\n    Let us face it, they do not want to tell people that they \nhave been attacked, but they are happy to share information \namong themselves, if that will lead to more security. These are \nsome of the models that are currently in place. We need to do \nmore in the private sector and in the government sector to help \nsecure the infrastructure.\n    Thank you.\n    [The prepared statement of Mr. 
Rasch follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.143\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.144\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.145\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.146\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.147\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.148\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.149\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.150\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.151\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.152\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.153\n    \n    Mr. Horn. Thank you very much.\n    Our next witness and the last one on this panel is Mr. \nJames Adams, chief executive officer of iDEFENSE.\n    Mr. Adams. Chairman Horn and members of the committee, I \nwant to thank you very much for inviting me here today. Few \nrevolutions are accomplished without bloodshed. Already as we \nplunge headlong into the knowledge age, we are beginning to \nreceive the initial casualty reports from the front lines of \nthe technology revolution.\n    From the headlines, you would think that the recent denial-\nof-service attacks were the beginning of the end of cyber world \nas we know it. Nothing could be further from the truth. These \nwere mere in-breaks on the audio-V commerce. Consider instead \nthat some 30 countries have aggressive, offensive information \nwarfare programs. All of them have America firmly in their \nsights.\n    Consider too that if you buy a piece of hardware or \nsoftware from several countries, among them, some of our \nallies, there is real concern that you will be buying doctored \nequipment. It will syphon copies of all material that passes \nacross that hardware or software back to the country of \nmanufacture.\n    The hacker today is not just the stereotypical computer \ngeek with a grudge against the world. The serious hacker today \nis much more likely to be in the employ of government, big \nbusiness, or organized crime. 
Consider the band of Russian \nhackers who, over the past 2 years, have syphoned off an \nenormous amount of research and development secrets from United \nStates corporate and government entities in an operation code \nnamed Moonlight Mays television.\n    I would like to focus on this nexus between the public and \nprivate sectors, and on the government's efforts to respond to \nthe growing threat. A couple of illustrations to begin; 20 \nyears ago, some 70 percent of all technology development was \nfunded by the public sector. Today, that figure is under 5 \npercent. In other words, in the course of one generation, every \ngovernment agency should have changed how it does business.\n    Has that happened? No. Looking ahead for that same 20-year \nperiod, we will see the following. The ordinary computer that \nyou have on your desk will have the computing capacity of the \nhuman brain. At the same time, research offers the possibility \nof our ability to manufacture perfectly the human body. So, in \nthe course of a generation, our view of life, death, family, \nsociety, and culture, the bedrocks of our way of life down \nthis century will have changed forever.\n    Is government or the private sector thinking and planning \nfor such fundamental change? No. One further point; the pace of \nthe revolution is accelerating rapidly. Yet, the pace of change \nwithin government seems to be exactly the same today as it was \n10 years ago. How has the government responded so far? Well, \nthere has been the usual President's Commission and then the \nPrincipal's Working Group, then the bureaucratic compromise \nthat nobody really wanted, and then the national plan which \narrived 7 months late and was not a plan at all, but an \ninvitation to further discussion.\n    [Chart shown.]\n    Mr. Adams. These two charts that I brought today illustrate \nthe current chaos. What you see is a totally disorganized \norganization chart. 
One that, if it were in the private sector, \nwould be a sign of imminent bankruptcy. You see no clear \nleadership. You see duplication of efforts; the waste of \nbillions of dollars of taxpayers' money, and the struggle by \nstovepipe agencies to retain power, influence, and money.\n    In other words, there is no coherent strategy and the \ntactics are not about winning a war, but about preserving turf. \nThere are, of course, some notable exceptions to this. You have \nheard from one of them today, John Tritak. What is needed today \nis an outside entity with real power to implement drastic \nchange in the way government approaches technology and the \nunderlying security of its systems.\n    What is needed most is a personal entity that would draw on \nskill sets in many areas that will overlap those of the CIO, \nCFO, or CSO, and most of the other officers or entities in any \norganization. Let us give this new person the title of chief of \nbusiness assurance. He or she would be in charge of the Office \nof Business Assurance. Business assurance is more than \nsecurity, more than technology, and more than a combination of \nthe two.\n    It is an understanding of the whole environment and what \nthat means for a business or a public sector operation. The \nCBA's task would be to continuously gather and synthesize \ninfrastructure-related trends and events to intelligently \nevaluate the technological context within which the \norganization operates, to identify and assess potential \nthreats, and then to suggest defense action.\n    Viewed from the positive side, to assess the technological \nrevolution's opportunities and propose effective offensive \nstrategies. The Office of Business Assurance must be a totally \nindependent organization with real teeth and real power within \ngovernment. 
There is much in common between government and \nindustry when it comes to the challenges and the opportunities \nthat the technology revolution poses.\n    Both sectors face a common threat. Both sectors share \ncommon goals. Both employ technologies that are, in essence, \nidentical. Both must work together to protect each other. I \nwill leave you with this thought. You will employ total \ntransformations of the way business and government is conducted \ninternally and externally going forward. We have heard a great \ndeal in recent months about the potential of a digital divide \nthat is developing between the computer-haves and the computer-\nhave-nots.\n    I believe there is another digital divide that is growing \nbetween the American Government and its citizens. If this \ncommittee's efforts do not move forward in changing this \ncultural inertia, there is real danger that the digital divide \nthat exists between the government and the private sector will \nonly widen. We cannot afford a situation where the governed \nfeel that their government is out of touch and increasingly \nirrelevant to their lives.\n    Thank you.\n    [The prepared statement of Mr. Adams follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.154\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.155\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.156\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.157\n    \n    [GRAPHIC] [TIFF OMITTED] T7018.158\n    \n    Mr. Horn. Thank you. All three of you have made some really \nexcellent suggestions. Let me start some of this query. Let me \nnote that, Mr. Rasch, you were very active before you took your \ncurrent job. You were a trial attorney with the Fraud Section \nof the Criminal Division of the U.S. Department of Justice. You \nleft the Department in 1991. You were the sole attorney in the \nComputer Crime Unit. That was on a part-time basis.\n    The Computer Crime and Intellectual Property Section of the \nDepartment of Justice today consists of 18 attorneys. 
The \nInternet consisted of perhaps 60,000 computers. Then you have \nmade some very thoughtful things. Let me pursue this. I turned \nto Mr. Ryan, the counsel to the subcommittee, when you were \ntestifying. I said, let us draft a bill that would make this \nsimply illegal.\n    Now, how does the Justice Department, what does it use to \nbe able to get after hackers now? What laws? Do you need new \nlegislation which would ban them and get those out of here?\n    Mr. Rasch. The principal statute that exists to prosecute \nFederal computer crimes is 18 U.S.C. Section 1030, which is the \nFederal computer crimes statute. That focuses on activities. \nFor example, intentionally accessing a computer without \nauthorization or disrupting authorized access to a computer. \nSo, for example, the recent attacks and the denial-of-service \nattacks squarely come within the ambit of that statute and are \nbeing aggressively investigated and could be prosecuted under \nthat.\n    Mr. Horn. Are there any first amendment concerns on this?\n    Mr. Rasch. Probably not. This is action and not speech. \nAlthough just as burning down a building may be an expression, \nit is certainly not a protected expression. There are some \nfirst amendment concerns in the area of encryption and some \nlegislation. There is some case law on the question of whether \nor not software itself acts as a form of expression. That \nrelates to these types of hacker tools.\n    The dissemination of hacker tools themselves; whether or \nnot that type of dissemination is criminal. There are really \ntwo separate statutes that could be used there. One is the \nDigital Millennium Copyright Act which passed last year, which \nis right now being used in a civil lawsuit against the people \nwho attempted to reverse-engineer the DVD codes to allow them \nto pirate software and things like that.\n    So far, it has withstood a challenge on Constitutional \ngrounds. The second one would be 18 U.S.C. 
Section 1029 which \nmakes it illegal to disseminate what are called access devices, \nwhich could be such things as passwords and things like that.\n    Mr. Horn. Any comments on those?\n    Mr. Adams. I think you raise an interesting, Chairman. I \nwould just make this in addition to what Mark was saying. There \nhas been a great deal of focus on law enforcement. Of course, \nlaw enforcement has a prominent role to play in this. The speed \nof the revolution is such that, that is very much after the \nfact, obviously. An event has occurred. We failed and therefore \nwe have to do something about it.\n    By the time somebody is caught and prosecuted, the \nrevolution has moved several steps forward. So, we need to \nthink about what does the prevention look like in the globally \nvirtual environment in which we find ourselves. Then if that \nfails, of course you need something to follow that up. The \nfirst step has to be a much more comprehensive approach to \nprevention, warning, intentions, good intelligence, and so on.\n    Mr. Horn. At this point, I am going to turn the Chair over \nto the vice chairwoman, Mrs. Biggert, the gentlewoman from \nIllinois. I, unfortunately, have other commitments that I have \ngot to do. I want Mr. Turner and Mrs. Biggert to get all of the \nquestions out that they can. So, thank you particularly for \nfunctioning and coming here.\n    Mrs. Biggert [presiding]. Mr. Turner, you are recognized \nfor questions.\n    Mr. Turner. Mr. Adams, you were showing us your two charts \nhere, which I guess were designed to display the multitude of \nefforts within various Federal agencies to deal with \ninformation system security. Rather than look at that as a \nfailed effort, I guess it shows that every agency is struggling \nto try to keep up with the problem.\n    There are obviously some things that we ought to do to \nconsolidate the effort. This battle is so dependent upon \ntechnical expertise. 
One of the battlefields where we should be \nfighting on is to figure out how to train people to work for \nthe good guys. There are probably people within these Federal \nagencies that are noted to be outstanding technical experts \nthat do good work in trying to find solutions and trying to \nmake the systems secure.\n    Are we going to be constantly behind the curve in terms of \nwhat government does? I think it is probably difficult to \nattract the best and the brightest to the public sector. I am \nsure that Global Integrity and others of the world are going to \nbe reaching out and trying to pay the salaries necessary to \nattract the people who could really create the defensive \nmechanisms you need.\n    Mr. Adams. I think those are very good points. We clearly \nface a very difficult dilemma. The government is at the front \nline here, as is the private sector. The private sector, my \nlargest number of recruits come from government agencies. The \nprivate sector is hiring the best and the brightest and moving \nforward very quickly. Clearly, there needs to be a relationship \nbetween the public and private sector. Look, for example, at \nwhat the CIA is doing to try and keep itself up to speed with \nthe pace of technology change.\n    It is doing that by establishing essentially a venture \ncapital arm that is the interface between the public and \nprivate sector. So, you have that on the one hand; different \nways of doing it. On the other hand, something that the Federal \nGovernment can do dramatically different is push education into \nthe system, so that what we are doing is seeding the next \ngeneration and the generation after that to keep itself up to \nspeed.\n    The Federal Government is going to be an enabler. It is not \ngoing to be able to mandate very much. This revolution is \noccurring outside of its orbit. So, it can do a lot of things \nto influence it. 
It needs to, I think, do that more creatively \nso that it is seeding the population. We have tremendous \nshortages of skills at the moment in the whole area of \ncomputers, and computer security, information security, and so \non.\n    So, how to tackle that more creatively and aggressively is \ngoing to be a very important issue which is partly where it all \ncomes back to leadership. You need to have a more creative and \npush-through process than we have at the moment.\n    Mr. Turner. If you were to have a free hand at creating an \nentity that would do that, what would it look like?\n    Mr. Adams. Well, I think what the lesson we have learned in \nthis revolution from the private sector is that if you take an \nold economy company and you try and transition it to the new \neconomy, this will largely fail. What you have to do is do the \nApple Computer model. You set up a new building, different \npeople, and put a pirate flag on the roof. They developed a \nculture and they forced something else into the system, which \nis why this idea of a Business Assurance, some sort of entity \nthat sits outside of the Federal Government that is able to \ncommunicate effectively with the private sector and with the \npublic sector and force through change.\n    What those charts illustrate is, as you rightly say, lots \nof people try to fix it. These are people of good will, by and \nlarge. They are unable to move collectively aggressively \nenough. They are falling further and further behind in the \nrevolution, which is this disconnect. It is very dangerous in a \ndemocracy. So, if you can have a way of driving through change, \nsomething with real power, the Koskinen model, but with muscle, \nnot just please will you all sit around the table.\n    If you do not do this, you will be held accountable for \nfailure. That is something where there is an opportunity \nperhaps because it is the private sector that has the expertise \nand the energy. 
That is going to continue to be the case. That \nis just going to be a fact of life. So, much better to try and \nfigure out a way to bridge that gulf, rather than say, well, we \ncan actually fix it all ourselves. It is all about a \npartnership between the private and the public sector, making \nthat work and then driving it into the public sector.\n    That is the trick for you all to try and come up with a way \nof creating something very muscular that will force change, \nrather than saying, well, let us get around to it in another \ncouple of years. Too late.\n    Mr. Turner. Although we obviously have to let the CIA do \ntheir own thing, would that kind of model work for the rest of \ngovernment?\n    Mr. Adams. I think it is too early to say at the agency. \nClearly, what we know is that they are bringing some \ninteresting technology back into the system. The problem comes \nthen is this is a voluntary exercise. We found this really cool \nstuff. We think you should use it. Can the culture be forced to \nchange? The CIA is a very inert bureaucracy like a lot of \ngovernment agencies. Will that drive it through?\n    I think it is an interesting model in creating the place \nfor dialog, but it is a difficult challenge. For example, there \nis a government agency that is currently revising its ways of \nprocuring things, trying to keep on the front of technology. It \nfeels that it is making a big step forward by doing changes in \n2 years; design and implementation in a couple of years. My \ncompany is not into design and implementation in 90 days. I \ncannot afford to do it because I am losing market share.\n    So, how do you change that culture to a place which is much \nmore reflective of what is happening in the private sector? It \nis a very difficult challenge. It has to, I think, have \nsomebody. 
You are talking about very big picture stuff here; \nbillions, and billions, and billions of dollars, where you have \na single entity that says you do this my way or it is not going \nto happen; so forcing it.\n    This is very counter-culture to the way governments \ntraditionally work. One of the great strengths of democracy and \nthe great strength of government entities is that they slowly \nevolve. They move forward to match a pace. Well, in a \nrevolution that is very hard because you cannot afford to \nevolve in the same way. You have to either become a \nrevolutionary or you get swept away. We have seen examples of \nthat throughout history.\n    That is why this is both a dangerous and a very challenging \ntime; dangerous because it can threaten the institutions that \nprovide stability, but a tremendous opportunity for America as \nthe leading Nation in the world to move with the revolution, \nembrace it, and drive it forward. The government and the \nprivate sector have to come together somehow to make that so.\n    Mr. Turner. Thank you.\n    Mrs. Biggert. Thank you. Mr. Gerretson and probably Mr. \nRasch, how vulnerable are home computer users? You mentioned \nthat the whole Internet is only as secure as the most \nvulnerable link. Then after that, if after they surf the web \nand turn off their modems, are there still risks to the system?\n    Mr. Gerretson. I will take the first shot at that. The \nfirst answer is if you are on a dial-up modem, you are \nvulnerable while you are connected. Cable modems and DSL are \nwidely becoming available now. They are always on. I run a \nprivate network at my house. I have a firewall. Every night I \nhave probably six to eight of what I call drive by shootings \nwhere somebody comes and just tries out my system to see if \nthey can get a hold of it.\n    The answer is they are very vulnerable. There is very \nlittle protection on them because it sits on there. 
Without \nthat firewall, I probably would have been one of what they call \nthe zombie machines attacking Yahoo and would have never known \nit. As the cable modems and the DSLs get more and more \nubiquitously available, it is a huge problem.\n    Mr. Rasch. I would mirror that. We did a study at Global \nwhere we left a cable modem on at a home PC and simply tested \nit to see how many times, without a firewall deliberately, to \ntest to see how many times it was attempted to be attacked. We \nfound that in 1 month, almost 6,000 attempted attacks on a home \nPC.\n    What was interesting about that study, however, was the \nfact that these attacks were coming from Eastern Europe, from \nAfrica, from Asia, as well as from the United States. So, these \nare coordinated concerted attacks on any computer that they can \nfind on the Internet. That would include home PCs in the \nalways-on mode; particularly, those on DSL connections or cable \nmodems.\n    Mrs. Biggert. So, in theory, these really then could lead \nyou into, let us say, a Federal agency through those computers?\n    Mr. Rasch. Absolutely.\n    Mr. Gerretson. That is right.\n    Mrs. Biggert. OK. Then we talked in the first hearing about \nthis chart with the yellow bubbles at the top and sides \nrepresenting the executive branch, and then those organizations \nthat also have a stake-hold in the Federal computer security.\n    [The information referred to follows:]\n    [GRAPHIC] [TIFF OMITTED] T7018.159\n    \n    Mrs. Biggert. So, to me, it looks very similar to your \nchart, Mr. Adams. The problem is that we have kind of a blank \nin the middle. So, would you all agree that we need an outside \ncoordinator to be in control of this to coordinate all of our \nefforts?\n    Mr. Gerretson. Well, ma'am, I would say that my first \nquestion when I saw this chart and I was talking to Mr. Ryan \nabout this is, who is coordinating the coordinators? It seems \nto be somewhat disorganized. 
I would like to make one little \nstatement about that. The one advantage that the Federal \nGovernment has is that they know they are screwed up. We do a \nlot of commercial work.\n    If you get outside of the IA Groups, they do not even know \nthey are in trouble. So, yes, you are lagging behind, in some \ncases, but, at least you know you are lagging behind. That is \nkind of contrary in view, but there are advantages to what you \nare doing. This is a problem.\n    Mr. Rasch. What I see as the problem is a definition of \nfunction. What we really need somebody to do is to say, not so \nmuch just coordinate the efforts, but say, all right, testing. \nThat is NIST. For developing new technologies, that is somebody \nelse. Basically, not so much coordinating, but defining who has \nwhat roles. One of the things that happened with the \ndevelopment of the Computer Emergency Response Team at Carnegie \nMellon, the CERT Team, it was a wonderful idea, and remains a \nwonderful idea, and works very well.\n    Now, we have dozens, and dozens, and dozens of computer \nemergency response teams. The problem with that is it is like \nliving in a town that has 20 different 911 numbers. So, you run \ninto a problem of who are you going to call. So, you need to \nreally define the functions first and then decide who is going \nto coordinate between and among those functions.\n    Mrs. Biggert. This has been very interesting. Obviously, \nyou have heard the bells. We have another vote. So, I think \nthat we will have to adjourn at this time. We will be having \nseveral more hearings. I know that we will be pursuing this \nmore in-depth. I agree with you that we are behind and we need \nto look at this problem. I think that this has been a great \nstart for this committee. 
So, I really appreciate you all \nparticipating and look forward to asking more questions of you, \nI am sure, in the future when we get into this.\n    So, without more, this committee hearing is adjourned.\n    [Whereupon, at 12:05 p.m., the subcommittee was adjourned.]\n</pre></body></html>\n"