[House Hearing, 106 Congress]
[From the U.S. Government Printing Office]







           ENHANCING COMPUTER SECURITY: WHAT TOOLS WORK BEST

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 29, 2000

                               __________

                           Serial No. 106-181

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
69-819 DTP                  WASHINGTON : 2001

_______________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Printing 
                                 Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
               Mail: Stop SSOP, Washington, DC 20402-0001




                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH-HAGE, Idaho              (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
           David A. Kass, Deputy Counsel and Parliamentarian
                    Lisa Smith Arafune, Chief Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------                                

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                   Matt Ryan, Senior Policy Director
                           Bryan Sisk, Clerk
                    Trey Henderson, Minority Counsel




                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 29, 2000...................................     1
Statement of:
    Brock, Jack L., Jr., Director, Governmentwide and Defense 
      Information Systems, U.S. General Accounting Office, 
      accompanied by Jean Boltz, U.S. General Accounting Office..     7
    Collier, Paul, division general manager, Identix, Inc........    39
    Nelson, Dave, Deputy Chief Information Officer, National 
      Aeronautics and Space Administration.......................    27
Letters, statements, et cetera, submitted for the record by:
    Brock, Jack L., Jr., Director, Governmentwide and Defense 
      Information Systems, U.S. General Accounting Office, 
      prepared statement of......................................    13
    Collier, Paul, division general manager, Identix, Inc, 
      prepared statement of......................................    42
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of.................     3
    Nelson, Dave, Deputy Chief Information Officer, National 
      Aeronautics and Space Administration, prepared statement of    30
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of............................     5

 
           ENHANCING COMPUTER SECURITY: WHAT TOOLS WORK BEST

                              ----------                              


                       WEDNESDAY, MARCH 29, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn and Turner.
    Staff present: J. Russell George, staff director and chief 
counsel; Matt Ryan, senior policy director; Bonnie Heald, 
director of communications; Bryan Sisk, clerk; Ryan McKee, 
staff assistant; Trey Henderson, minority counsel; and Jean 
Gosa, minority assistant clerk.
    Mr. Horn. A quorum being present, the Subcommittee on 
Government Management, Information, and Technology will come to 
order.
    This is the second in a series of hearings to examine 
computer security concerns in the Federal Government. The 
subcommittee's first hearing 3 weeks ago shed light on two 
important topics, awareness of the increasing number of 
computer threats against Federal and private computer systems, 
and the need for a coordinated Federal effort to meet this 
challenge.
    History is full of claims of developing the ultimate 
weapon, whether it was a battleship, a supersonic fighter jet, 
or a weapon capable of massive destruction. Today's computer 
systems and networks provide the newest frontier, the weaponry 
of knowledge. With only a few keystrokes, computers provide 
massive amounts of information, information that only a decade 
ago would have taken months or years to compile. It is, of 
course, imperative that these computers and the wealth of 
information they contain be protected.
    Nearly all computer networks are vulnerable to attack at 
some level, but steps can be taken to prevent or reduce those 
intrusions. Organizations must focus on two areas, physical 
security and information security. No one would buy an 
expensive house, furnish it, then walk away leaving the doors 
wide open. Physical assets must be protected. Yet many 
organizations fail to take basic precautions to protect either 
their facilities or their computer systems.
    Electronic government and electronic commerce trends should 
continue to dictate the way important data are exchanged. From 
tax refunds and health records to credit card purchases and 
Social Security numbers, organizations must demonstrate that 
the information flowing into their computers is secure. Tools 
are available to help organizations and citizens protect their 
computers against unwanted and unruly intruders. However, they 
must be carefully used to ensure that they lead to meaningful 
improvement. Today our witnesses will talk about some of these 
tools that can enhance computer security at little or no cost. 
We welcome our panel of witnesses. We look forward to their 
testimony.
    [The prepared statement of Hon. Stephen Horn follows:]
    [GRAPHIC] [TIFF OMITTED] T9819.001
    
    Mr. Horn. It is now my pleasure to call on the ranking 
member of the subcommittee, Mr. Turner of Texas, for an opening 
statement.
    Mr. Turner. Thank you, Mr. Chairman. This is the second in 
a series of hearings that the chairman has designated to 
discuss the issue of computer security in the Federal 
Government, and it is apparent to all of us that we have become 
increasingly dependent upon computer systems and the Internet. 
It represents one of our greatest strengths, but perhaps also 
one of our greatest weaknesses and vulnerabilities.
    While we rely extensively on electronic data, we have 
become increasingly vulnerable. The General Accounting Office 
has stated that our computer security system is not where it 
needs to be to protect ourselves from cyberinvaders. We lack an 
overall comprehensive program in the Federal Government to 
protect our computer system, and billions of dollars in Federal 
assets and large amounts of sensitive data are at risk to the 
threat of hackers, both foreign and domestic.
    I am pleased that the chairman has chosen to focus upon 
this issue of computer security, and I look forward to hearing 
from each of our witnesses today.
    Mr. Horn. I thank the gentleman.
    [The prepared statement of Hon. Jim Turner follows:]
    [GRAPHIC] [TIFF OMITTED] T9819.002
    
    [GRAPHIC] [TIFF OMITTED] T9819.003
    
    Mr. Horn. Let me tell you the procedure here. Some of you 
have testified here before, but when we introduce you, and we 
will go in the order it is on the agenda, your statement, as 
written, is fully in the record. What we would like you to do 
is spend 5 minutes and at the most 8 or 10 to summarize your 
statement, not read it to us. We can read. Then we have more 
time for dialog between the three of you and dialog with the 
Members here today.
    So we, as you know, swear in all witnesses before these 
subcommittees of government reform, and if you will stand, 
raise your right hand, we will swear you in.
    Anybody that is going to give you advice, swear them in, 
too.
    [Witnesses sworn.]
    Mr. Horn. The record will note that three witnesses and one 
helper affirmed the oath.
    So we will now start with Mr. Brock of the U.S. General 
Accounting Office, part of the legislative branch of Congress, 
who does a wonderful job on both programmatic and fiscal 
matters.
    Mr. Jack Brock is no stranger to this subcommittee. He is 
Director of Governmentwide and Defense Information Systems for 
the U.S. General Accounting Office, otherwise known as GAO.
    Mr. Brock.

 STATEMENT OF JACK L. BROCK, JR., DIRECTOR, GOVERNMENTWIDE AND 
 DEFENSE INFORMATION SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE, 
   ACCOMPANIED BY JEAN BOLTZ, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Brock. Thank you very much, Mr. Chairman. Good morning 
to you. Good morning, Mr. Turner.
    I would like to note that my license plates say Native 
Texan.
    I would also like to introduce Ms. Jean Boltz. Ms. Boltz is 
a senior manager in my group and actually directs a great deal 
of our computer security work.
    Mr. Horn. That's B-O-W-L-T-Z.
    Mr. Brock. B-O-L-T-Z.
    Mr. Horn. I am glad I asked.
    Mr. Brock. I know you have had a prior hearing on computer 
security, and in that hearing you discussed the importance of 
good security, but good computer security is important to every 
facet of government operations. It assures the integrity and 
the confidentiality of information and key processes. It is 
important to national security. It is important to other 
critical operations. It is important in assuring the integrity 
of transactions between the government and its citizens; and as 
e-commerce and e-government become more prevalent, it is the 
cornerstone of making sure that those services actually achieve 
the objectives of better government, more efficient government, 
more productive government.
    What we found, though, in our work, as you have noted, is 
that at virtually every major agency that we go to, the computer 
security practices within those agencies don't match the 
importance of the topic. We or other 
independent auditors whose work we reviewed have found serious 
computer security weaknesses in virtually every major Federal 
agency, and these weaknesses threaten or potentially threaten 
the ability of these agencies to protect the confidentiality of 
key data, to perform critical operations, and assure the 
integrity of important financial and data transactions. I have 
identified several examples in my testimony, but I would just 
like to quote here what we found at EPA, which is our most 
recent report.
    We found serious and pervasive problems that essentially 
render EPA's agencywide information security program 
ineffective. We found that the current security program 
planning and management is largely a paper exercise that has 
done little to substantially identify, evaluate, and mitigate 
risk to the agency's data and systems.
    What we found essentially, Mr. Chairman, is that EPA has a 
central network, and most of EPA's business functions operate 
off that network. We were able to penetrate the firewall, which 
was largely ineffective, penetrate limited access controls, and 
essentially could have had access to most of the information 
and processes that ran throughout the entire agency. So the 
entire agency in this case was vulnerable.
    EPA is not alone. Recent reports at DOD, at NASA--Mr. 
Nelson will be talking about that in a moment--the State 
Department, the National Finance Center, the Veterans 
Administration all had serious weaknesses. I would, at the risk 
of preempting Mr. Nelson, say that they have made substantial 
strides in improving their program, and our limited followup 
work has substantiated those improvements.
    I would like to spend just a moment, if I could, going over 
the common problems that we find at agencies, and we have a 
chart that I would refer you to. Mr. Mike Gilmore is up there 
handling the charts.
    First of all, computer security programs have to support 
the organizational mission and goals of the agency. They can't 
be divorced from what the agency does, or they are not 
relevant.
    Running across the agency is an entitywide security program 
planning and management. This is what assures the relevancy of 
your computer security program to what you are trying to 
achieve at the agency. And then under that we have found a 
series of problems that are present in most of our reviews. 
First of all, many agencies do not have relevant security 
program planning and management, and we are going to talk about 
that in a little bit, but that's the root of the problem. When 
you look at access controls--access controls, you were talking 
about a house, access controls represent the fence around the 
house. They represent the lock on the door. They are not in 
place.
    Here we are talking mainly about processes that provide 
authentication that you are who you say you are and, second, 
that limit your rights to material that's relevant to you.
    Software development and change controls. We are actually 
doing an assignment for you right now and we are meeting with 
your staff next week to go over the results of that. That means 
that when you change software, when you make changes in code, 
or when new software is introduced, that is tested to make sure 
that you are not maliciously--you are inadvertently introducing 
new weaknesses into your application, we find that to be a 
common problem in many agencies, where that testing is not 
done, and weaknesses are then inserted into an application that 
was previously strong.
    The next one is on service continuity controls; there you 
want to maintain the ability to recover from disaster, or if 
the worst happens, that you are able to take strides to recover 
your operations and to move forward. Many agencies that we have 
gone to do not have good service continuity controls, would not 
be able to reconstruct their principal systems, and would have 
difficulty bringing--coming back up to speed in an acceptable 
amount of time.
    System software controls: these are really sort of the 
heart and brains of many systems. These are the basic operating 
systems, the utilities, that if you don't have good controls 
over these, a hacker or an intruder can go in and assume 
control over the entire network by becoming a systems 
administrator and assuming higher powers than he or she should.
    And then finally, segregation of duties: if you don't 
separate the duties from the person who writes the code, the 
person who inserts the code, the person who tests, the various 
people who have some element of authorities over the computer 
security, then you run the risk of empowering one person or a 
small number of people with too much authority. It is much 
like someone who might have authorities over receiving funds, 
recording those funds, disbursing those funds, and then doing 
the final accounting. The more you place those duties in the 
hands of one or a very small number of people, you run the risk 
of malfeasance.
    These are the problems, and you requested that we prepare 
for you a listing of things that you could do to fix the 
problems. This really falls into two categories: what can 
you do right now, and what do you need to do on a long-term 
basis to have more permanency? Again, I am going to go back to your 
house example.
    Ideally, in a house you have some sort of an alarm system, 
a fire suppressant system, or whatever. In this case, the house 
is on fire. Building a fire suppressant system isn't going to 
do you much good. You have to throw a pail of water on it right 
now. So we have identified a number of actions that an agency 
can do now.
    Any agency could start on this this afternoon and work on 
it. So, again, I would refer you to the next table up there, 
and we have identified a number of things in our work that can 
be done. The diagram there is designed so that if you take 
these actions, you will, in fact, be compressing risk and 
minimizing risk. The first thing you need to do is to increase 
awareness at all levels, and at the management levels managers 
need to be aware that this is their information, these are 
their programs, that poor computer security endangers their 
activities that they have accountability and responsibility 
for.
    At the user level, you need to make users aware that 
actions they take in terms of poor password control, sharing 
passwords, not following agency procedures and processes may, 
in fact, endanger the system, and at the technical level system 
administrators need to be aware that if they don't take their 
actions seriously, if they don't have the right kind of 
training, if they don't institute software patches or whatever, 
they are also endangering the system. So there needs to be a 
much higher level of awareness in most agencies.
    Second, you have to make sure that the controls you have 
work. I know there are going to be tools demonstrated here 
today. Every agency has tools, and when we go into agencies, we 
frequently find that those tools aren't working. They are not 
turned on. They are not monitored. So agencies are spending 
money for tools, but they are not using the tools. It is very 
similar to the set of tools I have in my garage that my father 
gave me when I moved here from Texas 27 years ago. He said, you 
will need these tools, and I am sure I do need the tools, but 
they are still in the tool box.
    The same thing with many agencies. Tools are present, but 
they are not turned on, they are not monitored. You are really 
not sure that they are working or not.
    Third is implementing software patches. The Carnegie 
Mellon CERT-CC has said in most of the intrusions they get, 
most of the incidents that are reported to that organization 
exploit known vulnerabilities, and for most known 
vulnerabilities there are existing patches that could be 
implemented. Many agencies are aware of the patches. They don't 
follow the advisories that are coming up from the vendors, they 
don't follow the advisories that are coming out from the CERT, 
or they don't follow the advisories that come out of their own 
agencies. By not patching software with known holes, they are 
leaving in place known vulnerabilities that offer a hacker or 
an intruder an opportunity to enter into their system.
    Next is to identify and propagate pockets of excellence. 
Almost every agency we go to, regardless of their overall 
program and whether it is good or bad, have individual centers 
or individual programs that work really well. Unfortunately, 
they are working in concert with other programs that don't work 
so well, and so sometimes the good effect there is mitigated. 
But if agencies would identify those pockets of excellence, use 
those as best practices within the agency, where the agency 
culture to some degree has already accepted these practices, 
propagate those across the agency, there would be opportunities 
for immediate improvements.
    Finally, to focus on the most common vulnerabilities first, 
when we go into agencies, we find throughout the agency that 
there are a few set of problems that come up time and time 
again, and surprisingly enough, when we go from one system 
administrator to the other, they are frequently not aware of 
the problems that their compatriot down the hall is facing. 
These need to be shared within the agency. Those need to be 
addressed first.
    Further, we are finding that many of these common problems 
also exist across agencies, and, again, there is very little 
sharing of that information across the agency.
    If we could turn to the next chart, please.
    And these are things agencies can do now. However, computer 
security is very dynamic. The technology is changing in a 
hurry. The tools are changing. The techniques that intruders 
might be using are changing. So the program really has to have 
a sense of structure in order to make sure that the computer 
security program is dynamic and, in fact, changes as the threat 
and risk changes.
    About 2 years ago we did a study of leading organizations 
that had good computer security, and we found a common set of 
practices in these agencies that we believe are appropriate for 
Federal agencies to use. In fact, the Federal CIO Council 
endorsed these practices, and several agencies have included 
them within their own policy and structure.
    S. 1993, the computer security bill introduced by 
Senators Thompson and Lieberman earlier this year, also 
incorporates these practices. They start off with a central 
focal point for computer security. Regardless of whether the 
agency is decentralized or centralized, the central focal 
point--there was always a central focal point. I think this is 
true at NASA, where NASA is highly decentralized, and yet Mr. 
Nelson is the central focal point for security.
    The real cornerstone of that, though, is that agencies need 
to assess the risk and determine needs. Without risk 
assessment, you can't move to that next box and have effective 
controls and policies. Your controls and policies need to be 
built on your risk assessment. They need to be appropriate for 
the risks that you are facing and, from that, promote 
awareness. Again, you can increase awareness at all levels on a 
general level, but at some point the awareness needs to be 
focused on your exact controls that you are using, how to use 
them, and on the risks that you are facing so that people 
throughout the organization can take appropriate action; and 
then, finally, monitor, and evaluate.
    There are two parts to that. First, managers need to do 
their own self-evaluation so that they can continually assess 
where the agency is; and second, there needs to be an 
independent evaluation, something that we might do or the NASA 
IG might do that would allow both the agency and the oversight 
agencies or committees such as yourself to take a look at what 
is going on within the agency. We feel that if this framework 
was adopted, truly adopted, by agencies, it would go a long 
ways toward correcting the common problems that we see.
    By establishing a framework, we think that an agency can 
fulfill several key tasks: One, that agency actions are 
appropriately controlled and coordinated; that the testing 
tools are appropriately selected and tested; that personnel 
involved in using the tools are trained; that good practices 
and lessons learned are shared on an agencywide basis; that 
controls are systematically tested to ensure that they are 
effective; and that appropriate risk management decisions are 
made regarding the best way to address and identify problems.
    I would just like to highlight that a little bit. If you do 
not assess the risk, the controls that you have implemented may 
or may not be appropriate. You may well be spending too much 
money. You may not be spending enough money. But almost 
certainly you will have the wrong kind of control in place, and 
you really won't address your company's problems.
    In conclusion, we also believe, Mr. Chairman, there needs 
to be some reconsideration of the current legislative 
framework. The Computer Security Act and A-130, which provides 
the regulations for the Computer Security Act, really is a 
system-based piece of legislation. It is based on making every 
system good and that the accumulation of those good systems 
will, in fact, represent a good agency program. I don't think 
that works. It hasn't worked. Legislation needs to be 
considered that would, in fact, provide a management framework 
and a management perspective.
    Also CSA has two categories of information. It is 
classified or nonclassified, sensitive or nonsensitive. 
Actually, information is graduated. Some systems are at a very 
low level of risk. Some are at a high level of risk, and 
policies need to be implemented that really reflect that 
gradation. It doesn't recognize the need for an independent 
audit, and second--or third, it doesn't recognize the need for 
more prescriptive guidance that would give agencies more of a 
framework.
    Finally, there is no call for central leadership, somebody 
that can stir the pot, somebody that can make sure that things 
are being done, someone that can provide leadership across the 
government.
    That completes the summary of my statement, Mr. Chairman.
    Mr. Horn. Thank you very much, Mr. Brock. That's a most 
helpful summary.
    [The prepared statement of Mr. Brock follows:]
    [GRAPHIC] [TIFF OMITTED] T9819.004 through T9819.017
    
    
    Mr. Horn. I might add, I mentioned that all of your texts 
will be in when we introduce you. So will your resumes.
    The next gentleman, the next two, have very rich resumes. 
Dr. David Nelson in particular has certainly been through the 
whole computer community, I can see, in terms of committees and 
responsibilities you have had.
    Currently, he is Deputy Chief Information Officer at the 
National Aeronautics and Space Administration.
    Mr. Nelson.

  STATEMENT OF DAVE NELSON, DEPUTY CHIEF INFORMATION OFFICER, 
         NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

    Mr. Nelson. Thank you, Mr. Chairman. Members of the 
subcommittee, I am pleased to appear before you today to 
discuss NASA's views on the security of our information 
technology environment. I have submitted my written statement 
for the record. My oral summary will be quite consistent with 
that of Mr. Brock.
    I would like to emphasize three points. My first point is 
the importance of a sound management framework for information 
technology security. Two years ago, NASA did not have a 
satisfactory framework. Since then we have worked hard to align 
our policy, organization, funding and objectives for effective 
security.
    This began with senior management attention and support, 
including the recognition that information technology security 
is required for safety of lives and property. In an internal 
study, we benchmarked ourselves against good organizations and 
copied the best of what we found. We accepted the 
recommendations of the General Accounting Office review of NASA 
security that Mr. Brock referred to.
    Our actions included issuing up-to-date policy, 
establishing a senior Council to set strategic directions, 
clarifying management responsibilities, budgeting for key tasks 
and collecting metrics of progress.
    NASA places operational responsibility for information 
technology security on line management, complemented by a cadre 
of computer security professionals who provide technical 
assistance and oversight.
    I have mentioned budgets and metrics. If I could have the 
chart, please.
    This chart shows one of our metrics. Plotted is the number 
of serious incidents. Those are things like destruction of 
data, theft of passwords, or damage to software, versus on the 
X axis the percent of the information technology budget that is 
spent on security. Each point is a specific center, and the 
data is real. Notice the trend line. As you start from the 
left, as the percentage of budget increases to about 2 percent, 
the number of incidents levels off. This suggests that spending 
about 2 percent of information technology budget on security 
gives a good return on information. Spending less increases 
risk, as shown by the trend line. Spending more may not add 
much return. We have compared notes on this metric with leading 
companies. They see the same sort of trend and the same sort of 
sweet spot.
    Now, this metric isn't perfect, but it gives us a place to 
start. Metrics like this are our headlights. They guide our 
actions and indicate where we need to work harder.
    My second point is the importance of training. NASA is a 
highly technical organization. We create and modify leading-
edge information systems to serve our missions. Security risk 
evolves as threats and, as a result, vulnerabilities change, so 
our personnel must understand the principles of effective 
security and apply them to changing situations. Program and 
project managers must be trained to evaluate risks and 
vulnerabilities in designing and maintaining systems entrusted 
to them. System administrators must be trained to properly 
configure and upgrade their systems, to recognize attacks and 
to respond to them. Users must be trained to practice good 
security, to recognize certain types of attack, and to know how 
to get help.
    Over the last 2 years, NASA has developed or acquired new 
training material for managers, system administrators, and 
users. This training is now mandatory for all civil servants, 
and we are gathering metrics on its delivery. In addition, NASA 
has requested comments on a draft regulation that would require 
NASA contractors to adhere to the same standards of training 
that apply to civil servants.
    My last point is the importance of appropriate tools. 
Security tools, which are a combination of computer hardware 
and software programs, help to protect systems and defend 
against attacks.
    The technical details of a particular attack may be very 
complicated, but once the attack is understood, defense against 
it can be incorporated into a tool that is easy to use by a 
trained person.
    Organizations with modest funding, but substantial 
technical skills can obtain free, reputable tools from the 
Internet that offer good capability. However, they may not be 
well-documented or supported and may be somewhat difficult to 
use. NASA tends to purchase key commercial tools and augment 
them with free tools. Obviously, purchased commercial tools 
have a higher initial cost. However, they are often easier to 
use and may have a lower sustaining labor cost.
    Most successful attacks are enabled by a relatively small 
number of weaknesses, as Mr. Brock has observed. These include 
lack of virus detection software; trivial passwords that can 
easily be cracked, that means decrypted; failures to install 
patches for well-known software vulnerabilities; and poorly 
configured computers with open vulnerability holes. Tools help 
us to deal with each of these classes of problems. In my 
written statement, I have described a number of these and the 
practices that NASA uses.
    New problems keep appearing, along with new defenses. Thus, 
the tools and their use must evolve. There is no substitute for 
good proactive management that can respond quickly and 
effectively. Unfortunately, easy-to-use tools for attacking 
systems are also available on the Internet, and they are 
constantly getting better. This means it takes less skill to 
mount a sophisticated attack than it used to. The ecologists 
would call this a classic predator-prey situation in which both 
predator and prey evolve quickly to secure competitive 
advantage.
    In conclusion, NASA is facing the challenge of the evolving 
security universe by marshalling effective management, 
effective training, and effective technology. We are in an 
environment of increasingly numerous and serious threats, along 
with systems whose vulnerabilities tend to increase as they 
become more complicated.
    Fortunately, our tools and process allow us to make 
progress in dealing with this environment, but it is a never-
ending process. We take response--we take seriously our 
responsibility as stewards of the public's space and 
aeronautics information and systems. We are committed to 
working with other agencies of the executive branch and with 
the Congress to ensure that we maintain the proper balance 
between accessibility of research results and protection of our 
information technology investment.
    Thank you for the opportunity to testify before you today. 
I look forward to answering your questions.
    Mr. Horn. Well, thank you very much.
    [The prepared statement of Mr. Nelson follows:]
    [GRAPHIC] [TIFF OMITTED] T9819.018 through T9819.026

    Mr. Horn. Those bells show that there is a vote on the 
floor, so we are going to have to go into recess for 20 minutes 
before we will take up Mr. Collier and then the questions. So 
relax.
    [Recess.]
    Mr. Horn. The subcommittee will now end the recess for the 
voting on the floor, and we will begin with Mr. Paul Collier, 
division general manager of Identix Solutions.
    You might want to tell us a little about Identix Solutions. 
Put in a plug so I can understand it.
    Go ahead, Mr. Collier.

 STATEMENT OF PAUL COLLIER, DIVISION GENERAL MANAGER, IDENTIX, 
                              INC.

    Mr. Collier. Thank you, Mr. Chairman. Thank you for 
inviting me to be a part of this distinguished panel today. My 
testimony will focus on technology available that offers a 
significant advance in the protection of computer networks and 
critical data systems.
    The greatest challenge we face in controlling access to 
computers and information is positive user authentication. 
Recent events show that the proliferation of the Internet, our 
increased reliance on computer-based information and the rapid 
growth of mobile computing has far outpaced our ability to 
secure these systems.
    Traditionally the use of passwords has been our best 
defense. Recent advances in password cracking software and 
increased computer processor speeds have required passwords to 
become more complex and changed more frequently.
    The human element in this new equation has been pushed to 
the limit. We now see more passwords written on the back of 
mouse pads, on desk leaves, and even on Post-It notes affixed 
to monitors. In addition, users tend to leave work stations 
logged on and unattended because of the added inconvenience.
    It should be noted that there is no single technology that 
can serve as a panacea for positive user authentication. 
However, a combination of available technologies, working in 
concert, can provide a significant advance in addressing this 
need. The positive user authentication model consists of three 
elements, something you have, something you know, and something 
you are: Something you have, such as a smart card with a 
digital certificate embedded in the microprocessor; something 
you know, a simple PIN, as few as four digits; and something 
you are, one or more biometrics.
    Someone can give an unauthorized individual their smart 
card or token and tell them their PIN number or password. The 
biometric is the only nontransferable element in this model. 
Briefly, a biometric is a quantitative measurement of a unique 
human attribute or behavioral characteristic, such as 
fingerprints, face, voice, iris pattern, etc.
    Using fingerprints as an example in this model, a finger is 
placed on a sensor and then scanned. The image of the 
fingerprint is then processed by a series of algorithms which 
convert it into a binary representation or template. This 
template is then compared to a reference template stored either 
on a computer or a card-based data storage medium. Like most 
biometrics, you cannot reverse-engineer this binary 
representation and recreate the fingerprint image.
    Fingerprint biometrics have been used in many civil and 
government programs for over 10 years. They have been very 
effective in reducing fraud, eliminating multiple identities, 
and securing access to sensitive areas.
    These wide-scale deployments have served as real-world 
proving grounds for this technology and involve many millions 
of people. Knowledge gained from these programs and applied to 
improvements and cost reductions help produce much of the 
commercial products available today.
    The Federal Government, in partnership with industry, has 
made a significant contribution to the evolution of biometric 
technology. Biometrics would not have advanced to their present 
level without the help of such agencies as the Department of 
Defense, the National Security Agency, the Departments of 
Justice, Energy, Treasury and the National Institute for 
Standards and Technology.
    Like many technologies, biometrics have become faster, 
better, and cheaper. An example, only a few years ago the cost 
to integrate fingerprint biometric technology was approximately 
$3,000 per computer. Recent advances have reduced the cost to 
less than $100 per computer. History has shown the ephemeral 
nature of benchmarks in information technology, and in the near 
future we can anticipate still further reduction in costs and 
improved performance.
    Commercial Off-The-Shelf products are entering the 
government market via GSA schedule and other procurement 
vehicles. The recent Smart Access/Common ID procurement by the 
General Services Administration represents a 10-year, $1.5 
billion governmentwide contract that includes provisions for 
biometrics used for both physical and logical access.
    Mr. Chairman, with your permission, I would like to 
demonstrate two of the products available today. The first is 
configured to demonstrate the positive user authentication 
model that I discussed earlier. The computer work station that 
you see here is in a locked mode. Attached to it is a keyboard 
with an integrated smart card reader and fingerprint scanner. 
These are commercially available, and the government has really 
taken to this particular one. The user takes his or her smart 
card, which, as you can see, has the smart card chip on the 
back, and inserts it into the work station. The log-on prompts 
the user to choose their log-on ID, enter the four-digit PIN 
number, which is the something-you-know portion--it is telling 
me I haven't put my finger on the scanner--and then place my 
finger on the scanner to complete the log-in process.
    If the user removes the smart card from the computer 
keyboard, the system locks.
    The second product, which is available commercially, many 
of the components of which were developed in conjunction with 
the National Security Agency, is a PC card which has a built-in 
fingerprint scanner. This is a simple replacement for password 
configuration that you see here. The user need only go up to 
the computer, place their finger on the scanner, and the log-on 
process is complete, nothing to remember.
    In 1998, several key companies founded the International 
Biometrics Industry Association. The charter is a nonprofit 
trade association to promote competition, establish an industry 
code of ethics, represent industry concerns, and serve as a 
single voice on major issues such as privacy, computer 
security, e-commerce, and legislative issues.
    I would like to thank the chairman for the opportunity to 
appear here today and demonstrate these products to you. Thank 
you, Mr. Chairman.
    Mr. Horn. Well, we thank you and your other two colleagues 
there.
    [The prepared statement of Mr. Collier follows:]
    [GRAPHIC] [TIFF OMITTED] T9819.027 through T9819.051

    Mr. Horn. Let me just ask you about the biometric 
technology chart. While going over to vote and coming back, I 
talked with Mr. Tauzin, who is very interested in this, and he 
is going to have a meeting of the Internet group here on May 
19th and 20th. So we hope what will come out of this testimony 
of yours and the previous panel a couple of weeks ago will be 
helpful.
    One of these patterns is rather interesting to me. A few 
years ago, the Immigration and Naturalization Service put on a 
demonstration in a room in the Capitol, various things they 
could do to identify people. I was fascinated by the one where 
you put your hand in.
    Is that on your chart, the vein patterns, paren, hand? Is 
that the one, or is that separate from that?
    Mr. Collier. They are different technologies, though they 
are essentially similar.
    Mr. Horn. Looking at the spread of your fingers, and they 
claimed it was better than fingerprints.
    Mr. Collier. Well, we all have claims, I guess. The hand 
geometry system used by the Immigration and Naturalization 
Service, I think, was deployed in their INS-Pass Program and 
are still working to this day. Hand geometry is a viable 
technology. Fingerprints appear to be what the government has 
embraced because of the long experience with them.
    Mr. Horn. Yes. So is there any sort of works on this that 
will give us an idea as to which is the better of the two 
between fingerprints and the hand pattern? Anybody research 
that?
    Mr. Collier. I believe they both have their place. There 
are about 15 different biometric disciplines. There is no one 
discipline that fits all scenarios. The real issue comes down 
to cost per seat, per deployment. Some of the biometrics 
available are extremely effective, but may cost $100,000 per 
unit to deploy. It is never going to see widespread deployment 
at that cost.
    There are studies that have been done by the National 
Security Agency that are available. There are studies done by 
the National Biometric Test Center at San Jose State 
University, and Sandia Laboratories did some studies several 
years ago for the Department of Energy.
    Mr. Horn. This is a question really for all of you, and 
that's based on the testimony. It appears many computer 
security tools are free or at little cost, and I guess the 
question is this: Why aren't more agencies taking advantage of 
all the security tools readily available to them? What is your 
experience on that?
    Mr. Brock. Well, I think that many tools are free, are 
readily available. Many of the tools you can actually download 
from the Internet or are made available from vendors free or 
low charge.
    What we have seen is that agencies inconsistently use the 
tools, or they don't provide the appropriate training to 
understand how to use the tools, or they don't even know how to 
turn the tools on. So while the tools are available, they are 
just not used properly. That seems to be the biggest problem 
that we have found.
    Mr. Nelson. I would agree and would add there is motivation 
and resources involved. As I said in my testimony, nothing is 
free because there is a labor cost. Many system administrators 
were sort of pressed into the job. They weren't well-trained. 
It is a new field, and many of them are overloaded because 
management doesn't appreciate the importance of security, so 
that even if they know in principle the tools are available, 
finding the time to acquire them, to understand them, and to 
deploy them and to then take action based on them is a pretty 
big load.
    As I indicated in my testimony, at NASA we have deployed 
uniform suites of commercially acquired tools because our 
study--I won't say it was a thorough study, but we looked at 
the cost of labor and the ease of use, and we found that the 
commercial tools were a better buy for us, but then augmented 
by selected free tools. No tool is perfect.
    Mr. Horn. I was interested in your testimony where you put 
the stress on training and supervision, and you remind me now 
on management we put a measure through here, and it is, I 
think, almost law, or it is still in the Senate, and that would 
be to give the new President, whoever that is, a chance to 
relate to the top management that he would bring in. 
Ordinarily, between the Cabinet, the independent agencies, 
that's about 30. Then you have got about 300 Commissioners and 
Under Secretaries, so forth.
    I think we definitely ought to get on that agenda, then, 
their understanding of this type of security management. If it 
goes up that high, and they don't understand it, I think it 
will--and staff will note this, and we will put it in maybe 
even as two words or something in what is coming out of the 
Senate.
    Mr. Nelson. What we did at NASA at the Administrator's 
direction, the Chief Information Officer and I--I am Deputy 
Chief Information Officer--visited each of our 10 centers and 
headquarters and gave hands-on training briefings to the center 
senior and middle managers.
    Now, that wasn't a lot of time, but it emphasized that we 
meant business, and we talked about metrics. We talked about 
actions we were taking. We talked about their responsibilities. 
It seems to be working. So I would commend the administration 
to think of something like that.
    Mr. Horn. Yes, I agree. The way we got leadership finally 
on the Y2K thing in the executive branch was when Mr. Koskinen 
was picked and went around and sat down with all the Deputy 
Secretaries of each department to get them to understand that 
this was serious business.
    Any other comments on that? Mr. Collier.
    Mr. Collier. The tools that are available at little or no 
cost need only the person's desire to implement them. We 
constantly see Windows basic tools for securing systems totally 
inactive. It is a tradeoff between security and convenience. 
Biometrics, we feel, brings both to the party in the sense that 
it does give you the speed. It is not something else to flip on 
and flip off. It is not something else lengthy to remember. If 
we look at what we have done at passwords to overcome this 
ability for people to break into our systems by finding out 
what our passwords are, it is not the dog's name anymore; it is 
not a simple thing that you can keep for a year, or your wife's 
maiden name. It is an upper/lower case, full eight-character 
ASCII 2 set. It is extremely difficult for anyone to remember 
that. Change it every 30 to 60 days, and give them three or 
four to remember, it can bring about a problem.
    So I think the real issue is utilizing the tools that are 
available and making the operators understand that the security 
is important at the risk of what little inconvenience it is 
going to cause.
    Mr. Horn. Well, with reference to this subject, where on 
the Internet can organizations and citizens find these tools? 
Is it there?
    Mr. Nelson. Let me speak to that. In my testimony I 
indicated two sites. One is our own NASIRC site, 
www.nasirc.gov. The second, that I indicated was the Carnegie 
Mellon CERT that I think Jack also mentioned. They have a good 
set of tools.
    With search engines and other news groups, it is probably a 
half-hour to get started. I mean, this is very easy to do. This 
is probably the easiest step. There is the step of, well, what 
is good and what is not so good; what is easy to use, what is 
not so good--what is not so easy to use. But access is the easy 
part.
    Mr. Brock. I would agree with that.
    Mr. Horn. Intrusion detection tools can either be manual or 
labor-intensive. Is there a better way to monitor potential 
intruders?
    Mr. Brock. Intrusion detection tools are a necessity. What 
is difficult about intrusion detection tools is actually 
following up. I mean, if you--you have an intrusion detection 
tool, and you are logging in intrusions, you need to follow up. 
The issue that we found at many agencies is if they have 
intrusion detection tools, and they are logging them in, 
frequently they are not following up on the incidents to take 
corrective action or to do something to stop the intruder. 
That's why they are labor-intensive. You have to look at each 
one individually.
    I can't recall any intruder detection tool that would 
automatically fix the problem or stop the intrusion. At some 
point somebody has to intervene.
    Mr. Nelson. Let me speak to that. Right now, and I agree 
with what Mr. Brock said, right now it is manual, it is labor-
intensive. At NASA we require that every incident be reported 
to the IT security manager at the center, and then to our 
NASIRC, which we use as a coordination means.
    So we send out encrypted alerts to our security people at 
all centers based on the incidents reported by each center. 
Many of those incidents are detected by the intrusion detection 
tools. The security managers follow up with the system 
administrators to get things fixed. Again, that's quite manual.
    What we are looking at and what I would encourage the 
industry to work harder on is automated, if you will, 
artificial intelligence means to identify intrusions and 
identify a recommended course of action. One of the things we 
are looking at doing, we have not done it yet, is to gather 
from each center--see, we are using the same tool--into a 
centralized analysis location what those tools are reporting 
and apply the artificial intelligence to the set of reports. We 
find that if one NASA is--one NASA center is being attacked, 
often several others are. These are coordinated attacks. But I 
repeat, the artificial intelligence tools for analysis do not 
appear to exist yet. It is an area that NASA is tracking 
carefully, and we hope that in the next year or two we will see 
something we can start to deploy.
    Mr. Brock. If I could just add to that, Mr. Chairman, 
that's true. The intrusion detection tools are very immature at 
this point, and they are evolving. Again, another risk is that 
as--is once an agency or an individual buys a tool, that tool 
is changing rapidly, and the intrusion detection tools, they 
are changing very rapidly, and they are not at a stage of 
maturity now where they are going to provide the final answer.
    Mr. Horn. Is there any way you can tell with the intrusion 
that the--the type of computer is doing that, or is it just 
hopeless? Because I am looking at individuals have one capacity 
generally; foreign governments do have another capacity. If any 
of them have something such as a Cray computer in terms of what 
they can spin around and test things against to break through 
particular firewalls, I am just curious about that.
    Mr. Nelson. Usually we can tell what is called the source 
Internet protocol address, and that identifies the location of 
the attacker fairly well. Occasionally those addresses can be 
what they call spoofed, which means they are faked, but 
typically we can identify that.
    Now, your discussion about the difference between an 
individual and a foreign country, I wouldn't make too much of 
that because groups of individuals are acting together, and the 
power of modern, even personal computers and certainly work 
stations is fully adequate to mount an attack that is very 
serious.
    So we pay a lot of attention to individuals. Obviously when 
we sense that it is a better organized group, all the way up to 
a government, we pay particular attention to it, but we 
wouldn't want to make too fine a point on that distinction.
    Mr. Horn. Any other thoughts on that?
    OK. Mr. Brock, you mentioned in your statement that poor 
security planning and management is, ``the rule rather than the 
exception.'' So why is this posture the rule and not an 
exception?
    Mr. Brock. I wish there was a real simple answer to that 
and that it would be easy to fix. It is, unfortunately, like a 
lot of other issues, and very similar to the Y2K issue, is that 
it--the actual computer security break-ins, the failings there 
are technical. The correction is a management issue. There have 
to be resources devoted to it. There have to be dollars, and 
there has to be training, and the people that own the 
processes, that own the information, that are accountable for 
that need to be accountable for computer security. That is not 
the case, and until that ownership occurs, I don't think you 
will see widespread, systematic repair of the poor computer 
security problems.
    I think that happened in Y2K, in large part because of the 
intensive oversight in Congress, in large part because of Mr. 
Koskinen coming on board, in large part because Federal 
managers were made aware there was a crisis. Those three 
elements have not yet been put in place for computer security.
    Mr. Horn. Well, you have put them very well, and that's 
what I was leading to, in the sense that when Mr. Koskinen came 
on board as assistant to the President, he worked with the 
Chief Information Officer's Council and got the best out of 
them. And I guess I would ask, does the Federal Government need 
one organization or one high-ranking information technology 
officer to coordinate security planning and management? Do we 
need to continue a sort of Koskinen situation and relate it to 
security?
    Mr. Brock. That's an excellent question. I guess when you 
start off saying that's an excellent question, that means you 
are going to be wondering about my answer.
    Mr. Horn. Is there an excellent answer?
    Mr. Brock. I hope so.
    Mr. Horn. We are college professors. We ask questions. We 
don't answer them.
    Mr. Brock. Well, I will go ahead with the answer now.
    The--I believe there needs to be a Federal CIO. I think 
very strongly that the information management issues, the 
information technology issues that run across agencies are 
serious. It is not just in computer security, but it is in 
terms of how you control your investment dollar. It is do you 
have an architecture that will support your business needs and 
your technical needs. There are a series of issues that need to 
be addressed on a consistent basis.
    I think the CIO Council has done a reasonable job of 
looking at some of these, but they are not in power. They don't 
have budget. They don't have staff. They are volunteers on 
this. There needs to be someone who is providing more 
direction, more leadership.
    Now, in terms of--and I believe that in this case a Federal 
CIO would also be responsible for computer security.
    Similarly, if you decided that computer security was an 
important issue in terms of critical infrastructure protection, 
where you were also involving the private sector and you were 
involving physical security as well, I could easily see a role 
for a national coordinator for critical infrastructure 
protection that might be separate from a Federal CIO who would 
be dealing primarily with agency responsibilities.
    Mr. Horn. I have one reservation here, having been in the 
largest educational system in the country, which is California 
State University system. When you put somebody in the system 
headquarters, everybody sort of says, oh, that's their problem, 
and pretty soon they forget that it is their problem. They are 
the campus administrators; that's where it happens. It doesn't 
happen in headquarters. They never educated a student in their 
life. A university does, and so do our departments. They are 
mission-oriented, and they are producing things. I worry if, 
say--to say, well, that isn't my business, let those people 
over in OMB; or if we can separate it into the Office of 
Management or the Office of Budget, and that's what worries me. 
Doesn't that really sort of let up the heat on the individual, 
the independent agencies, Cabinet departments?
    Mr. Brock. If I could go back to the Y2K experience, I 
think that even though there was a national coordinator with 
Mr. Koskinen, he clearly held agencies accountable for their 
actions, as did the President. I was here for several hearings, 
and you were holding those agencies accountable.
    I think you can keep the heat on the agencies. That's where 
the responsibility lies for good computer security.
    Mr. Horn. Right.
    Mr. Brock. But the focal point, the Federal CIO, could 
assist in that. I do not think that the Federal focal point 
should become the stopgap; that this will solve the problems. 
That still has to occur at the agencies, but certainly a CIO at 
the national level could propagate good practices, could 
leverage resources that were available to that individual and 
serve a role, frankly, very similar to the one that Mr. 
Koskinen served.
    Mr. Horn. Yes. We had a specific time period that wasn't 
going to be for 10, 20, or 100 years. It was just going to be a 
few months, and that's really what it boiled down to. And the 
job was very well done obviously, but that's--I need that 
balance, I think.
    Mr. Brock. Yes.
    Mr. Horn. So you don't have people say, hey, it isn't my 
problem, they do that over there, and wash their hands of it. I 
don't think that will help us at all.
    Mr. Brock. No, it would not.
    Mr. Horn. Yes. But we certainly ought to have somebody that 
had the right skills, people skills, so they aren't some czar. 
The czar makes my spine shudder. But so that they are a 
coordinator in getting people in the various systems that 
overlap to work together, that's the way I would view that 
coordinator role.
    Mr. Brock. I would agree. I think that the success of any 
coordinator or official like that does depend very much on that 
individual's personal skills in terms of working with a very 
diverse group of organizations who have different needs and 
different objectives. That's a difficult job, very hard job.
    Mr. Horn. That's right.
    Mr. Nelson, any thoughts on that?
    Mr. Nelson. Yes. Just to add a bit to Mr. Brock, I agree up 
to possibly whether a CIO, Federal CIO, is warranted. As you 
know, that's being debated within the administration, and I 
won't take a position on that.
    I agree with him that one does not want to separate the 
computer security aspects from other aspects of management. We 
are focusing on computer security today because, indeed, it is 
a new problem. I am an optimist, and I think we are going to 
get this problem under control, and if we have a legacy of a 
fragmented management approach, it is going to take on a life 
of its own.
    A number of years ago, I worked on environmental protection 
and on OSHA problems, and one of the things that I pushed on 
was to reintegrate those functions. I called them the OSHA 
Mafia, back with management, because management was abdicating 
its responsibility, and, frankly, the Mafia in some cases were 
running rampant with things that didn't make sense. Now, that's 
a very personal observation. It's not NASA's observation. But 
my experience in this area tells me that you want to integrate, 
you want to set high standards, you want to measure, you want 
to train, but you put the responsibility on the people who have 
to make the tradeoffs and get the job done.
    Mr. Horn. I agree with you completely on that. You say it 
very well.
    Mr. Collier, any further thoughts on this?
    Mr. Collier. Mr. Brock and Mr. Nelson both mentioned that 
communication between different agencies and even within a 
particular agency is a critical element here. Within the 
government, of course, the Critical Information Assurance 
Office paper that came out this past year points to that. The 
CIOs do have several venues in which they talk to each other. 
The Government Information Technology Services Board, I think, 
has done a good job in at least keeping the communication 
flowing between agencies.
    But I would tend to agree with you that to establish an 
individual to take on this responsibility may not be the proper 
way. The proper way to do this would be probably to continue 
the communications, the lines of discussions, between agencies.
    Mr. Horn. In your statement, Mr. Brock, you mentioned that 
your audits have shown that Governmentwide computer security is 
generally weak because current policies and controls are not 
operating effectively. You also stated that the General 
Accounting Office audits frequently find the same 
vulnerabilities over and over and over again.
    In your opinion, what would you specifically suggest that 
agencies do to strengthen existing policy or to create stronger 
policies? What is your thinking on that?
    Mr. Brock. The--you are correct. Our reports have found the 
same problem over and over again.
    A couple of observations. First of all, many of the 
policies have no relationship or a limited relationship to the 
problems that we are finding. They are not specific to the 
issues and problems that are within an agency. We believe that 
policies and procedures need to be based on the risk that the 
agencies are facing, and if you do a good risk assessment, you 
can then, in fact, determine policies and procedures that will 
minimize or mitigate those risks.
    Second, most agencies aren't testing their controls. They 
rely on GAO or IG to come in and do the test, so there is too 
limited information within the agency, one, about what the 
risks are and whether the policies would be reflective of 
reducing that risk, and second, are the controls in place 
working, are they being tested? Those are the things that we 
would do to, one, develop policies that are appropriate, and, 
second, to strengthen existing policies to make them more 
responsive.
    Mr. Horn. You also suggested that agencies develop and 
distribute lists of vulnerabilities. To whom would these lists 
be distributed?
    Mr. Brock. Well, first of all----
    Mr. Horn. Should it be GAO; should it be OMB; what, CIO 
Council?
    Mr. Brock. Everyone.
    Mr. Horn. All of the above?
    Mr. Brock. First of all, let's start within the agency. I 
believe I mentioned earlier within some agencies we would go 
to, they do not distribute such lists within the agency so that 
people that are literally down the hall are not getting these 
lists. So, first of all, you need to start within the agency.
    Second, there are other organizations, such as the CERT-CC, 
the Carnegie Mellon, the Fed CERT, the GSA runs, organizations 
that do have distribution mechanisms that are appropriate as 
well.
    Mr. Horn. Yet Dilbert and the cubicle is broken down?
    Mr. Brock. Yes.
    Mr. Horn. Mr. Brock, you stated that establishing a 
framework for managing security is important. What specific 
elements of the framework are missing at most agencies?
    Mr. Brock. If I could indulge Mr. Gilmore to put up the 
circular chart, the wheel.
    The risk management cycle, we believe, is the framework. I 
will go back to an answer I just gave you, that the framework 
has to start with a central focal point, the accountability. 
From there, determine what the risks are, develop controls 
based on that risk, promote awareness, and then continuously 
monitor and evaluate. That's the framework.
    Certainly there are things that you can do independent of 
that framework, or you don't have to implement everything in 
that exact cycle, but it is dynamic. It is continuous. The 
threat is growing. The threat changes. The technology grows. 
The technology changes. The services that an agency provides 
change. So the risk management cycle has to roll on a 
continuous basis.
    Mr. Horn. So it is interactive in many ways?
    Mr. Brock. Yes, sir.
    Mr. Horn. Gentleman, Mr. Nelson, Mr. Collier, what do you 
think about that approach there, just as one vision?
    Mr. Nelson. Yes. I agree with Mr. Brock. I would like to 
give you some examples of what we are doing at NASA along these 
lines.
    I said before that it starts with management. We have 
identified what we call special management attention systems. 
These are important computer systems for NASA's missions, and 
we are requiring 100 percent completion of security plans for 
those systems by this year, and we have asked our Inspector 
General to audit that, including the involvement of management 
in those plans and management signature on the readiness of 
those systems to operate.
    But we have had to operate in parallel because the risk is 
too great. So at the same time we have identified what we call 
the top 50 vulnerabilities in NASA, and we have distributed 
that list to every center. It was done by consensus, not 
somebody in a closet, but using the tools that I described, all 
of our systems are being audited for the presence of those 
vulnerabilities. When those vulnerabilities are detected, 
management is informed of them and asked to correct them, and 
then those systems are rescanned.
    Now, management, if in its interest it believes that some 
of those vulnerabilities must maintain because the risk is 
tolerable and the loss to mission is too great, they can do a 
waiver. But this forces them to act even before some of their 
plans are completed, because we think that it is too much of a 
crisis.
    Mr. Horn. OK. Any other comments on that question?
    Mr. Collier. I would agree that it is a management and 
policy issue. When the Department of Defense began its studies 
of biometrics back in the late 1980's, early 1990's, there was 
as much emphasis placed on the people interface to biometrics 
as there was on the technology side.
    I found that a very refreshing model. I mean, the human 
element is really what is the issue here. Technology pretty 
much does what we make it to do, and it keeps on doing it. In 
the area of security, however, the Department of Defense 
studies, especially of the National Security Agency, involved 
the study of time, motion, and the people's acceptance of a new 
way of doing things, and labor was definitely a part of the 
decisionmaking process.
    I think that's a critical element in moving forward, to 
remain dynamic enough to meet the threats as they continue to 
improve on a day-to-day basis.
    Mr. Horn. Mr. Nelson, any further comment on that question?
    Mr. Nelson. No, thank you.
    Mr. Horn. Mr. Turner has joined us. I am delighted to yield 
such time as he may need for questioning.
    Mr. Turner.
    Mr. Turner. Mr. Nelson, I wanted to ask you if you could 
describe for us the kind of computer intrusions and attacks 
that you have experienced. We talk about this all the time, and 
I don't really have a good grasp on the scope of the problem. 
So can you quantify that and maybe give us some specific 
examples of how some hacker has invaded your system, what the 
consequences have been?
    Mr. Nelson. Yes.
    Mr. Turner. I know that we always read this is a widespread 
problem.
    Mr. Nelson. Yes.
    Mr. Turner. I don't think we have a real feel for how 
widespread it really is.
    Mr. Nelson. First of all, NASA experiences a lot of 
attacks, hundreds to thousands per month.
    Mr. Turner. You say hundreds to thousands?
    Mr. Nelson. Hundreds to thousands--of serious--to thousands 
per month of serious attacks.
    Mr. Turner. Hundreds to thousands?
    Mr. Nelson. Yes. And we are not unusual, although we maybe 
are slightly favored.
    Let me give an example of an attack which has several of 
the elements we have been talking about in our testimony.
    I am not going to describe the center, but in this 
particular instance a system administrator observed that 
someone from a foreign country had logged into the computer and 
had no reason to think why that person should have--should be 
able to log into the computer. He did this by examining records 
logs, so he was doing the right thing.
    Now, he found by looking at the log that the person had 
used a well-known vulnerability to take over that computer; in 
other words, to achieve what is called root access. That's like 
god of the computer. You can do anything with the computer if 
you are root.
    Then the person used that vulnerability and his godlike 
powers to install what is called a password sniffer. This is 
software that observes the network traffic flowing by and looks 
for packets that have passwords in them. And he was able, the 
intruder, to grab a number of passwords, some of which were for 
accounts at another center. So using those passwords and then 
the ability to log on as a user, the attacker went to another 
center and attacked several other computers.
    Now, the sad part about this was that the initial 
vulnerability should have been fixed. The system administrator 
thought he had fixed it. He installed what is called a patch. 
It is a thing like a Band-Aid; it is like a patch that changes 
a software to get rid of the vulnerability, but the patch 
didn't take. It was a defective installation process, and the 
system administrator didn't know it. So he was hit twice with 
the same vulnerability.
    Now, we have had other attacks, and we keep track of how 
much they cost, that have had a direct cleanup cost in time and 
resources approaching half a million dollars, one attack. Of 
course, it affected a lot of computers.
    Mr. Turner. You say one attack cost half a million dollars?
    Mr. Nelson. Approached half a million, a little under. The 
numbers are not, of course, audit quality, but these are 
expensive attacks. It took--in the case that I am referring to 
of almost half a million dollars, it took about a month to put 
all of these computers back together again. It was a major 
problem.
    We have had centers actually take themselves off the 
Internet, in other words totally sever connections with the 
outside for a brief period of time, because they felt that they 
were being attacked, the risk was too high, they needed that 
time to fix things up.
    Now, the incidents that I am describing now are a year or 
two old, and we don't have such bad problems now, but we still 
get significant attacks.
    Does this help? Does this give you a sense of--oh, one area 
that I didn't describe is theft of data. We had an incident not 
too long ago where a substantial number of documents were stolen 
by an Internet attack.
    Mr. Turner. And what--were those sensitive documents?
    Mr. Nelson. No, fortunately not. They were copyrighted. 
They had commercial value. They were not sensitive. And these 
particular documents were not resident on a NASA computer. It 
was a NASA account that was used, and there was a serious 
weakness in the vendor's security. But that's an example of an 
attack that NASA was peripherally involved with.
    Mr. Turner. So you say there are hundreds to even maybe 
1,000 attacks per month?
    Mr. Nelson. Correct.
    Mr. Turner. Now, have you been able to successfully 
determine the source of any of these attacks? Or do these 
things just go on daily, and you try to prevent them, but you 
don't know who did it?
    Mr. Nelson. We can determine the source of most of them, at 
least within the country, and maybe the organization. And we 
work closely with our Inspector General and then with the FBI, 
and several of these have been prosecuted and the perpetrator 
convicted. In a--on a regular basis, if we see an attack, we 
inform the organization that the attack is coming from, and 
often the attack is from someone not connected with that 
organization, but someone who has seized a computer, seized 
meaning this root access, god powers within the organization. 
The organization may not know it. That could be a government 
organization or a private organization in this country or 
abroad.
    So one wants to be careful saying we are being attacked 
from a certain country; they must be hostile. Maybe they are 
the victim.
    Mr. Turner. So there have been some convictions that have 
resulted from your investigation?
    Mr. Nelson. Yes, sir. Yes, sir.
    Mr. Turner. Would it be fair to say that the vast majority 
of the attacks, that the source of them are--that you never 
quite figure out who did it?
    Mr. Nelson. Yes.
    Mr. Turner. Or where they are from?
    Mr. Nelson. Yes. Not in who the individual was or what 
their motives were, that's correct. And attack isn't 
necessarily successful. I want to make it clear that when I 
talk about hundreds to thousands of attacks, I am including all 
of the incidents that we gather metrics on. The successful 
attacks would be a lot smaller, and increasingly we ward off 
those attacks. We use another metric of what is the success 
rate of incidents, and we are seeing the numbers turn over. It 
is sort of a nice payoff for the hard work we have gone through 
in the last couple of years that our numbers are getting 
better. The attack rates are going up. The successful attack 
rates are going down.
    Mr. Turner. Tell me the examples of intrusions from foreign 
governments or agencies of foreign governments.
    Mr. Nelson. I don't have data on that that I would be 
confident in saying, even in a conversation. So I am sorry, I 
do not have any data on attacks by foreign governments that I 
would have any confidence in reporting.
    You know, it is hard to know, when you have an attack from 
an IP address, even if that is located within an agency of a 
foreign government, is that the activity of a foreign 
government. To the best of my knowledge, we have no evidence of 
NASA attacks by agents of foreign governments, but I do not 
have high confidence in that statement because we do not have 
good data.
    Mr. Turner. The convictions that have resulted from the 
efforts, what kind of individuals are we talking about that 
have actually been convicted of a crime?
    Mr. Nelson. Our Inspector General would be a lot more 
authoritative on this, but I believe they have tended to be 
fairly young males working either alone or with others of like 
mind, but at least my knowledge is that they do not appear to 
be part of what one might call organized either crime or 
terrorism in the conventional sense. Their prime aim, as I 
recall--but I think if you would like we could submit for the 
record a response from our Inspector General, I could request 
it--but as I recall, they have not been industrial espionage 
cases or the like.
    Mr. Turner. I do think it would be helpful, with the 
chairman's permission, to ask you to at least give us some 
indication maybe for the last 2 or 3 years of the number of 
attacks, how they have been resolved, and whatever information 
you can provide us about the source of them, because at least 
by looking at it as a whole, we would get some picture for us 
to look at of how serious this problem really is.
    Is that possible to put that kind of data together to give 
us an overview?
    Mr. Nelson. Indeed, it would. If you will give us just a 
little leeway.
    We try to not advertise the successful attacks. Our 
experience is that one of the motivations for attackers is the 
recognition, if you will, the thrill. We are very leery of 
playing to that.
    Mr. Turner. I suspect that your reticence on that point is 
shared by many people in various agencies of the government, 
and I think one of the difficulties that we have as a committee 
in trying to address this problem is trying to get some data 
together to indicate how serious this problem really is.
    Mr. Nelson. We would be eager to work with you on getting 
data that is helpful to you.
    Mr. Turner. When you deal with these kind of intrusions, do 
you rely upon NASA employees, or do you rely on contractors to 
help you resolve them?
    Mr. Nelson. Both. Many of NASA's services are now operated 
by contractors, and so we have integrated those contractors 
into our operations. In our testimony--in my testimony, I 
mentioned that we have a draft regulation out for comment that 
would require the same training standards for our contractors 
as for ourselves. NASA has not outsourced or not contracted out 
our security responsibilities. So where we have contractors 
operating systems within our centers, or otherwise directly 
attached to NASA, we retain the responsibility and the 
capability for detecting and responding to attacks.
    Now, that response may be asking the contractor to do 
something. Since they are well-integrated now into our 
planning, they are eager to do that.
    I think the system is working fairly well, but it has added 
a complication of crossing these contract boundaries.
    Mr. Turner. Is it possible for an intruder to compromise 
the success of any of our missions? I know you have had a 
tremendous problem recently with success in some of the Mars 
missions. Is it possible that a problem could be created of 
that nature by an intruder into our computer systems?
    Mr. Nelson. We take pretty strong security precautions for 
mission-critical systems. Having said that, there is always a 
possibility. We are into risk management. Risk avoidance is 
very difficult. We do, though, take, as I said, very strong 
precautions, including in some cases simply severing the 
critical system, planned severing from any outside 
communication to minimize that risk, but we are talking about 
risk management, not risk avoidance.
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Horn. Well, we thank you. That was a very useful 
interchange, questions and answers.
    Let me go back, Mr. Nelson. Has your top 50 list of 
vulnerabilities been distributed outside of NASA?
    Mr. Nelson. Not to my knowledge. It was a list that we 
arrived at working among ourselves, and it is a list that we 
have programmed into our auditing tools. So it is, in effect, 
automated now. But I am not aware that we have distributed it 
outside the agency. There are other agencies that are doing 
similar lists, and I think the overlap would be pretty large.
    Mr. Horn. Well, would it be helpful if in a report from 
this subcommittee that we use some of that information if there 
are ones beyond NASA that differ, and then the question would 
be does that encourage hacking or doesn't it? But how we deal 
with it, I think we have to get the word out.
    Mr. Nelson. We wouldn't want it known what number 51 is, 
and 50 was a good round number, and that 50 will change. It is 
partly getting well. We have had to beat on this one, as I 
indicated earlier, to get management's attention, but we expect 
that next year's top 50 will be a different list, and it may 
not even be 50. But, yes, with appropriate precautions we would 
be willing to share that list, certainly, with responsible 
people in other agencies.
    Mr. Horn. On Mr. Turner's point, I just suggested to Mr. 
Ryan that we find from Justice how many have been jailed and 
where are they. I know a few are in the Atlanta prison, but I 
think it is good to get at least some of them. We don't have to 
make heroes out of them. We can say Mr. Blank and Ms. Blank or 
whatever, because I don't want to have this be the award system 
for hackers.
    Let me ask you, again, Mr. Nelson, another thing. You gave 
a very interesting chart when you said you are spending roughly 
2 percent of the funding for information technology on security 
provided adequate protection. Two percent seems like a very 
modest amount to spend on security, so I guess do you think 
that's pretty low, and should we invest more?
    Mr. Nelson. I can only speak for NASA, and we do gather 
budget data on our actual costs. Our information technology 
budget as a whole is about $2.1 billion, and our fiscal year 
2000 expenditure on information technology security is about 
$46 million, which is a little bit over 2 percent.
    Now, we don't know that that is optimally allocated. So I 
would say at first, my initial reaction is that NASA--and that 
increased quite a bit, by the way, from 1999 to 2000. But NASA 
is now spending about the right amount, and it is a case of 
efficient allocation so that we hit the most important things.
    Mr. Horn. So you think you are at the right level of 
spending on this then?
    Mr. Nelson. Approximately.
    Mr. Horn. OK.
    Mr. Nelson. Yes. Now, Mr. Collier, in your written 
statement, you explained that the prevalence of computer 
passwords written on the back of computer mouse pads, on desk 
leaves, and even on paper attached to computer monitors do 
exist. I know what you mean. I think it is all around Capitol 
Hill, too.
    In addition, you stated that remembering a PIN, the 
personal identification number, is a key piece of computer 
security. In your opinion, what can individuals do to better 
recall passwords?
    Mr. Collier. Aside from memory exercises, if we are going 
into this 8-character password with, again, a full keyboard set 
of characters, I think the idea is to do something to move away 
from these complex passwords. The positive user authentication 
model that I presented earlier is an effort to do just that. 
Again, we have the human being factor here at the edge of the 
envelope.
    Our company has clients, for instance, in the wire transfer 
business where they have 25 passwords to remember. Now, unless 
you are the Great Kreskin, it is pretty difficult to do that. 
So I think rather than trying to formulate ways to help people 
remember passwords, we have to find ways to eliminate them 
entirely, and I think the positive user identification model, 
which I think the DOD originally had come up with 10 years ago, 
is a move toward that.
    Mr. Horn. Does that mean a certain unit has to be built on 
every machine to do that in terms of the fingerprint and all of 
the rest?
    Mr. Collier. Biometrics are certainly one of the legs of 
the stool. The cost, again, is coming down greatly. Right now 
we are seeing it move into the mainstream, certainly in the 
commercial world, protecting enterprise systems within large 
corporations. The Federal Government is doing it at the 
division and command level now, and I think it is just a matter 
of time before we see biometrics not only in computers, of 
course, but in many, many areas of our lives where we have to 
remember passwords, PINs, and the like.
    Mr. Horn. If you had the, say, thumb identification to 
access your particular personal computer, is there any way a 
hacker getting into that would be able to digitize the lines 
and everything else so they could duplicate that?
    Mr. Collier. At the direction of the computer industry and 
the Department of Defense, primary responsibility from the NSA 
side of things, we have addressed the issue of intruder 
attacks, we do encrypt the signals coming out of the scanner, 
so they can't be sniffed. Our product in the sense of the 
templates is part of the operating system which is part of the 
layered security shell around the password protection. We do 
secure sessions between all pieces of hardware, as well as 
between client and work station. There have been a lot of 
efforts put into making this stuff spoof-resistant. James Bond 
might still be able to get in, but not the average user, that's 
for sure.
    Mr. Horn. Well, I was interested when one of you compared 
the need for looking at how you divide the issues in computer 
security are very much like a responsible accounting operation 
when you are handling a lot of money, and you want more than 
one, and my chief auditor said many years ago--he said, make 
sure everybody takes a vacation. The system--when they found 
one in another system in California where the vice chancellor 
just happened to be buying bales of hay for his ranch, but not 
the university ranch, he was charging it to the university, and 
the only way they found that was when he finally took leave and 
somebody said, gee, this is strange, and that was solved.
    That's, I think, what we have to do here. Is there 
something along that line that we ought to be telling everybody 
that runs a computer center in the Federal Government and how 
we could apply what people do in the finance and auditing in 
universities and corporations for standard practice?
    Mr. Brock.
    Mr. Brock. Segregation of duties is perhaps one of the most 
absolute basic controls there is for any type of operation, 
whether it is financial matters, as you were talking about, or 
computer security.
    In fact, when you look at any critical operation from 
beginning to end, you can make breaks in there where you say, 
we are going to have a division of labor, and in computer 
security, if you were looking at a process of changing 
software, you can make breaks from the people who make the 
change to the people who do the testing to the people who do 
the installation, to make sure that there is an independence 
there.
    You could do that for other aspects of security as well.
    Mr. Horn. Well, in other words, in your opinion, are 
Federal agencies susceptible to having one individual either 
intentionally or inadvertently render the computer system 
useless due to the lack of segregation of duties or separation 
of duties involved?
    Mr. Brock. I don't have the exact numbers now, but we 
have--maybe I do have the exact numbers.
    Mr. Horn. Ms. Boltz, glad you came today.
    Mr. Brock. We don't have numbers, but we did identify, for 
example, at the Department of Defense and VA that system 
program and security administration duties were combined. So 
the people who were establishing the controls were also doing 
the programming.
    At the FMS, we were saying that programmers had access to 
production data. So, in both cases they were able to combine 
pieces of information; if they had chosen to, could have taken 
over programs and assumed other responsibilities as well.
    This is fairly common. In some respects, it is done not out 
of a malicious intent. It is done because I think, as Mr. 
Nelson alluded to, you have too few people trying to do too 
many things.
    Mr. Horn. Any other thoughts on that, Mr. Nelson, Mr. 
Collier?
    Mr. Nelson. Yes, I would say I agree with Mr. Brock. 
However, in the scientific and technical area, the terminology 
may be different, and so one has to be a little careful not to 
be too rote in the prescriptions. What applies well to a 
financial system may not apply very well to a scientific data 
analysis system. The principles are correct, but the 
application has to be careful.
    Mr. Horn. Yes. Mr. Collier.
    Mr. Collier. You know, applications that we run into within 
the government, we have established some two-man rules in some 
cases. We have established complex procedures to ensure 
reduction in fraud, for instance, in transferring of funds, 
payment of benefits, etc. What I think biometrics and this 
security model bring to the party there, and that's what we are 
hearing from the government agencies, is we now have 
established the fact who was sitting behind the monitor when 
this fraud took place, not a matter of someone could have 
gotten my PIN or whatever. The banking industry has really 
embraced this because of the nonrepudiation issues and the home 
banking and wire transfers. As we get less and less on a 
face-to-face human basis, the problem increases, and they are trying 
to do something about the future that we know is going to 
explode before it does.
    Mr. Horn. Thank you. Any other thoughts on that?
    Mr. Brock. No, sir.
    Mr. Horn. One of my last questions here will be, in your 
opinion is the current legal framework, which includes the 
Computer Security Act of 1987 supporting Federal information 
security requirements, is that adequate? What needs to be 
updated or modified? Are there things that should be dealt 
with? Mr. Turner and I will be glad to move that legislation, 
if there is need for it. What does the CIO Council think on 
some of these things?
    Mr. Nelson. Let me take that. In my opinion, the legal 
framework is pretty good. I am not a lawyer, so I will speak 
generally. But there is a potential problem that we are dealing 
with, and I think Mr. Brock alluded to it in his oral remarks. 
It has to do with classification.
    The laws governing classification in this country are 
rather strict with regard to national security systems, and as 
the importance of information security has increased and the 
role of commercial and private systems has increased in their 
aid to national defense, then the question of where strictly 
national security stops and broader areas that are related to 
security starts. And so the particular problem that we are 
having is that we believe that within NASA a compendia, that 
is, lists, of open serious vulnerabilities, such as, for 
example, would be turned up by what we call a penetration test 
where we hire somebody or on our own to go through all of our 
systems and look to see how hackers would get in, that those 
lists are very sensitive, and my understanding--and we have 
been working with our legal staff and with the National 
Archives and Records Administration, which has ultimate 
classification authority, on the criteria under which these can 
be classified.
    The issue is a little murky, but right now it looks like 
maybe they cannot be, not even at a confidential level. So it 
could be that some clarification of the extent of national 
security provisions in this gray area of civil systems closely 
allied with national security systems would be helpful.
    Mr. Horn. Well, that's very interesting because this is the 
subcommittee that has oversight for the National Archives and 
the Freedom of Information, and we try to balance all of that. 
If there isn't a need for classification, it shouldn't be 
classified. So I would welcome any thoughts you have on that, 
and I know Mr. Turner would also.
    So----
    Mr. Brock. Mr. Horn.
    Mr. Horn. Mr. Brock.
    Mr. Brock. Can I have a moment of disagreement? I have been 
agreeing with Mr. Nelson all along.
    I do not think the overarching framework is adequate. As we 
mentioned in the testimony, the Computer Security Act is based, 
I think, on an old way of doing things. It is based on an 
environment that existed before the Internet. It was based on a 
mainframe environment, and I believe that it was based on an 
environment where locks and keys were the prevalent security 
devices. It's system-based. It is not management-oriented. It 
misplaces responsibility and accountability. I think it needs 
to be overhauled.
    I think there needs to be more emphasis placed on 
management accountability. I think there needs to be more 
emphasis placed on risk assessments and risk determination. I 
believe there needs to be more emphasis placed on independent 
audit and management audit so that controls can be evaluated. 
Those are not present in the Computer Security Act.
    Now, as you know, there is no law against good management. 
There is no law or anything to prevent an agency from doing all 
of those good practices, but at the same time there is no law 
or legislation or regulation that really encourages that type 
of action and then provides a lever or an oversight mechanism 
to the administration or to the Congress for assuring that that 
framework is being met.
    Mr. Horn. Well, thank you, because that was the answer I 
was going to lead with a question, and I am so used to Joe 
Wilmingson following me around the country on Y2K that I always 
asked, and now I will ask you and anybody from GAO, to what 
degree have we not covered the questions that we should have 
covered. And you have just nailed one down, and I appreciate 
that.
    Would GAO and the CIO Council, Chief Information Officer 
Council, put their thinking caps on, and we would welcome 
taking a look at that again. We need to update it. It has been 
over two decades right now--or a decade and a half, I guess.
    So are there any other questions any of you think--and you, 
Mr. Brock, in particular--what else should we get on the record 
that we haven't put on?
    Mr. Brock. I think that my last response covered the one 
item, and we are continuing to work with your staff on a number 
of computer security issues as well, particularly as they might 
relate to e-commerce and other initiatives that are coming up. 
We are pleased to have the opportunity today to discuss these 
items with you.
    Mr. Horn. Well, we are glad to do it. We certainly welcome 
the comments of these witnesses, as well as the ones from our 
first panel. They were a very excellent group. Thank you, Mr. 
Collier, for coming.
    Mr. Nelson.
    Mr. Nelson. Yes, I would just like to maybe amend what I 
said so perhaps Mr. Brock and I can agree. In addressing your 
question on legal framework, I was responding from the 
standpoint of NASA or an agency as to whether the current law 
gets in our way of doing good things. But for an agency that 
does not wish to practice good management, a legal 
encouragement might not be out of order.
    Mr. Horn. Well, that's well said.
    I would tell you that this chamber operates not by 
consensus, but like a university does, and maybe NASA, but if 
we have 218 votes, we can do almost anything. But obviously we 
also could lose 218 votes if we haven't thought it through very 
well. So I thank you all.
    I want to thank the staff that worked on this hearing.
    You have been excellent witnesses.
    J. Russell George is in the doorway over there. Gosh, are 
you getting framed now over there or what? Staff director and 
chief counsel, and he works wonders. Matt Ryan to my left, your 
right, senior policy director, and who is a GAO alumnus, as are 
a number of our people; Bonnie Heald, director of 
communications, seated in the back there; Bryan Sisk, our 
clerk; Ryan McKee, the staff assistant; and for Mr. Turner's 
staff, Trey Henderson as counsel, and Jean Gosa, the minority 
clerk. And our court reporter today is one, 
and that's Mindi Colchico, and we didn't have to wear you out 
and bring another one in, I take it. So thank you for coming 
again.
    With that, we are adjourned.
    [Whereupon, at 12 noon, the subcommittee was adjourned.]