[Senate Hearing 106-486]
[From the U.S. Government Printing Office]

                                                        S. Hrg. 106-486




                               BEFORE THE

                              COMMITTEE ON
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION


                             MARCH 2, 2000


      Printed for the use of the Committee on Governmental Affairs

                     U.S. GOVERNMENT PRINTING OFFICE
63-639 cc                    WASHINGTON : 2000

For sale by the Superintendent of Documents, Congressional Sales Office
         U.S. Government Printing Office, Washington, DC 20402


                   FRED THOMPSON, Tennessee, Chairman
WILLIAM V. ROTH, Jr., Delaware       JOSEPH I. LIEBERMAN, Connecticut
TED STEVENS, Alaska                  CARL LEVIN, Michigan
SUSAN M. COLLINS, Maine              DANIEL K. AKAKA, Hawaii
GEORGE V. VOINOVICH, Ohio            RICHARD J. DURBIN, Illinois
PETE V. DOMENICI, New Mexico         ROBERT G. TORRICELLI, New Jersey
THAD COCHRAN, Mississippi            MAX CLELAND, Georgia
ARLEN SPECTER, Pennsylvania          JOHN EDWARDS, North Carolina
JUDD GREGG, New Hampshire
             Hannah S. Sistare, Staff Director and Counsel
                     Ellen B. Brown, Senior Counsel
              Susan G. Marshall, Professional Staff Member
      Joyce A. Rechtschaffen, Minority Staff Director and Counsel
                Deborah Cohen Lehrich, Minority Counsel
                 Darla D. Cassell, Administrative Clerk

                            C O N T E N T S

Opening statements:
    Senator Thompson.............................................     1
    Senator Lieberman............................................     3
    Senator Akaka................................................     5
    Senator Collins..............................................    16
    Senator Edwards..............................................    18

                        Thursday, March 2, 2000

Kevin Mitnick....................................................     6
Jack L. Brock, Jr., Director, Governmentwide and Defense 
  Information Systems, Accounting and Information Management 
  Division, U.S. General Accounting Office.......................    21
Roberta L. Gross, Inspector General, National Aeronautics and 
  Space Administration...........................................    23
Kenneth Watson, Manager, Critical Infrastructure Protection, 
  Cisco Systems, Inc.............................................    33
James Adams, Chief Executive Officer, Infrastructure Defense, 
  Inc............................................................    35

                     Alphabetical List of Witnesses

Adams, James:
    Testimony....................................................    35
    Prepared statement...........................................    88
Brock, Jack L., Jr.:
    Testimony....................................................    21
    Prepared statement...........................................    55
Gross, Roberta L.:
    Testimony....................................................    23
    Prepared statement...........................................    71
Mitnick, Kevin:
    Testimony....................................................     6
    Prepared statement...........................................    47
Watson, Kenneth:
    Testimony....................................................    33
    Prepared statement...........................................    83


Copy of S. 1993..................................................    92
Questions for the record submitted by Senator Akaka and responses 
    Jack L. Brock, Jr............................................   113
    Roberta L. Gross.............................................   116
    Kenneth Watson...............................................   119



                        THURSDAY, MARCH 2, 2000

                                       U.S. Senate,
                         Committee on Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:05 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Fred 
Thompson, Chairman of the Committee, presiding.
    Present: Senators Thompson, Collins, Lieberman, Akaka, and 


    Chairman Thompson. The Committee will be in order, please. 
I am afraid we are going to have a vote. I guess it is on right 
now, so we will have to leave momentarily, but let us see if we 
can get a little something accomplished before we have to 
    Today, the Committee on Governmental Affairs is holding a 
hearing on the ability of the Federal Government to protect 
against and respond to potential cyber attacks. This Committee 
spent considerable time during the last Congress examining the 
state of Federal Government information systems. Numerous 
Governmental Affairs Committee hearings and General Accounting 
Office reports uncovered and identified systemic failures of 
government information systems, which highlighted our Nation's 
vulnerability to computer attacks from international and 
domestic terrorists, to crime rings, to everyday hackers.
    We directed GAO to study computer security vulnerabilities 
at several Federal agencies, including the Internal Revenue 
Service, the State Department, the Federal Aviation 
Administration, the Social Security Administration, and the 
Department of Veterans' Affairs. From these and other numerous 
reports, we learned that our Nation's underlying information 
infrastructure is riddled with vulnerabilities which represent 
severe security flaws and risks to our national security, 
public safety, and personal privacy.
    Every year, the government gathers information on every one 
of us because we give the government this information in order 
to obtain government services, like getting Social Security 
benefits, veterans' benefits, Medicare, or paying taxes, and 
yet, year after year, this Committee continues to receive 
reports detailing security breaches at these same agencies. 
Sometimes these things improve. Agencies usually will respond 
to specific GAO recommendations or to a particular Inspector 
General report. But this is a band-aid approach to protecting 
information systems, that is, fixing the system little by 
little, problem by problem after it is revealed that it is no 
longer secure.
    What is most alarming to me is that after all this time and 
all these reports, there is still no organization-wide approach 
to preventing cyber attacks and the security program management 
is totally inadequate. I am afraid it is another example of how 
difficult it is to get the Federal bureaucracy to move even in 
an area as important as this.
    Those reports highlight that an underlying cause of Federal 
information security vulnerabilities is inadequate security 
program planning and management. When GAO studied the 
management practices of eight organizations known for their 
superior security programs, GAO found that these organizations 
manage information security through continuous management 
activities, which included specific practices to support their 
information security principles. We think this is lacking in 
the Federal Government.
    And we think agencies must do more than establish programs 
and set management goals. Agencies and the people responsible 
for information systems in those agencies must be held 
accountable for their actions, and I believe that Congress 
should examine how we can provide assistance to the agencies to 
ensure that they have the resources necessary to maintain 
information technology security preparedness at all times.
    It is clear to me, based on GAO report after GAO report, 
that what needs to emerge in government is a coordinated and 
comprehensive management approach to protecting information 
which incorporates the efforts already underway and takes 
advantage of the extended amount of evidence that we have 
gathered over the years. The objective of such an approach 
should be to encourage agency improvement efforts and measure 
their effectiveness through an appropriate level of oversight.
    In order to develop such an approach and begin to find 
solutions to the problems which have been identified, we 
concluded that a more complete statutory foundation for 
improvement is needed. That is why Senator Lieberman and I 
introduced S. 1993, the Government Information Security Act, at 
the end of last year. The primary objective of our bill is to 
address the management challenges associated with operating in 
the current interdependent computing environment.
    Our bill begins where the Paperwork Reduction Act of 1995 
and the Clinger-Cohen Act of 1996 left off. These laws and the 
Computer Security Act of 1987 provide the basic framework for 
managing information security. We recognize that these are not 
the only things that need to be done. Some have suggested we 
provide specific standards in the legislation. Others have 
recommended we establish a new position of a national chief 
information officer or even a national security czar. These 
things should be considered and these issues and more will be 
brought up during our hearing today.
    The witnesses before us represent a broad array of 
experience and expertise in the area of information security. 
First, we have Kevin Mitnick, who has described himself as a 
reformed hacker.
    Next, we will hear from Jack Brock, who is the Director of 
Governmentwide and Defense Information Systems at GAO, and 
Roberta Gross, Inspector General for NASA. Both of them have 
done significant work in the area of Government information 
    We will also hear from Ken Watson, who is the Manager of 
Critical Infrastructure Protection at Cisco Systems, Inc., and 
James Adams, the CEO and co-founder of iDEFENSE.
    I welcome all of you and look forward to your testimony 
about the cyber threats that we face today and how we can work 
together to fashion solutions to the many problems associated 
with computer security.
    Senator Lieberman.


    Senator Lieberman. Thank you very much, Mr. Chairman. 
Thanks for calling this hearing on a topic of enormous concern 
to all of us. The security of our digital information is 
something that affects every one of us on a daily basis and 
should be taken as seriously as the security of our property, 
of our neighborhoods, of our communities, of our Nation, and in 
the worst case, as seriously as the security of our lives.
    The reach of the Internet and the alacrity with which it 
has achieved that reach is the story of the closing years of 
the 20th Century and the beginning of the 21st Century. Enabled 
by the remarkable innovation in information technology, we are 
fast approaching a time when the world will always be on, 
always connected, always open for business. It will be a fast 
environment marked by increasing efficiency and decreased cost. 
But it also will be intensely competitive and without 
boundaries. Almost every institution we rely on in our daily 
lives is feeling the effect of this latest technological 
    Just last month, the General Services Administration's 
Chief Information Officer, Bill Piatt, wrote something that I 
think all of us in government should keep in mind, ``From the 
perspective of our bosses, the citizens, electronic government 
is neither an option to be chosen nor a mandate to be decreed. 
It is simply expected.''
    So the basic goals of e-Government, which are the 
electronic delivery of information and services, are the same 
as government's goals have always been, as enumerated in our 
Constitution and the laws that we have adopted pursuant to it. 
But if government is going to be plugged into the networked 
world as an active permanent presence, we will have to protect 
the confidentiality, the integrity, and, of course, the 
availability of the information contained on government 
    We must be acutely aware of the range and content of the 
information at stake here. It covers everything from the 
movements of our armed forces and the deployment of our most 
powerful weapons to accumulated data about the economy and the 
financial markets, to support for our transportation networks, 
to the most private information about the American people, such 
as tax, wage, and medical records.
    The information in far too many cases today is wide open to 
exploitation, from pranksters to terrorists and every 
disaffected person in between. The fact that the GAO has 
labeled as ``high risk'' virtually the entire computer security 
system of our government is just unacceptable. We must take 
action, and quickly, to get the government's computer security 
systems off of the high-risk watch list.
    Last year, Senator Thompson and I, and this Committee, 
looked into what went wrong in the Federal investigation of Dr. 
Wen Ho Lee, the former Los Alamos nuclear laboratory scientist 
who is charged with downloading classified information to an 
unclassified computer. Mr. Lee has been indicted now. The 
Justice Department is still investigating other areas and, of 
course, his guilt or innocence is yet to be determined. But the 
case should focus everyone's attention on the vulnerability 
that comes with reliance on computers. So, too, should the more 
recent revelations of former CIA Director John Deutch, who 
maintained sensitive information on his home computer.
    The hacking of government sites, including those at the 
Senate, the FBI, the White House, Interior, and the Department 
of Defense is actually becoming a near daily occurrence, and I 
would not be surprised if scores of other government sites have 
also been invaded. But the truth is, we will never know because 
monitoring intrusions, much less reporting them, is not 
    There are many reasons Federal computer-based information 
is inadequately protected, but the underlying problem, 
according to GAO, who we will hear from this morning, is poor 
management. In some cases, this is a cultural problem. Our 
concentration on security simply has not grown at the same pace 
as our reliance on computers. That is why the Government 
Information Security Act of 1999, which Chairman Thompson and I 
have introduced, is a beginning step toward correcting this 
fundamental shortcoming. The bill would put every government 
agency on notice that it must implement a computer security 
plan which will be subject to annual independent audits, report 
unauthorized intrusions, and provide security awareness 
training for all its workers.
    There are a number of areas we have not addressed in our 
bill yet and we will be asking for input on how best to handle 
them. For example, the government needs to increase 
dramatically the number of trained information security 
professionals. In that regard, I am intrigued by President 
Clinton's proposal for a Federal Cyberservice at universities 
based on the ROTC model, and we need incentives for 
universities to train more people in this area.
    We also need to consider what to do to keep the government 
informed of technological changes in computer security so we do 
not fall behind. The President's proposal to establish a 
National Institute for Infrastructure Protection sounds like a 
good idea if it provides assistance with R&D and technical 
    Mr. Chairman, I am hopeful that the proposal that you and I 
have made will stimulate significant debate and early action. 
Our bill is a work in progress. I know that we anticipate 
hearing from a broad range of interested parties. We have got 
to particularly listen to those in private industry who have 
made, I think, much more headway than we in the public sector 
have in protecting the security of computer-based information, 
because we do not need to reinvent the wheel here, a very high-
tech wheel. We need to share experiences and exchange ideas to 
learn what works best.
    I think we have put together a very interesting group of 
witnesses today. I look forward to their testimony, which I 
know will help us craft the best possible legislation to secure 
the government's vast and important treasury of information. 
Thank you very much.
    Chairman Thompson. Thank you very much.
    We are down to a minute or 2 on the vote, so we will recess 
for a few minutes to vote.
    Chairman Thompson. Let us go back into session.
    Senator Akaka, did you have a statement.


    Senator Akaka. Thank you very much, Mr. Chairman. Thank you 
for scheduling this hearing. I have a longer statement, Mr. 
Chairman. I will ask that my longer statement be made part of 
the record.
    Chairman Thompson. It will be a part of the record.
    Senator Akaka. I just have a few points to make, three of 
them, to be exact. First, computer hacking has gone beyond the 
stage of being mischief making. Too much money is being lost. 
Hacking is a crime, but it has also become an act of 
international aggression. Last year, there were more than 
20,000 cyber attacks on Defense Department networks alone.
    Second, current technology has so far failed to provide 
adequate safeguards for critical infrastructure networks. We 
have little ability to detect or to recognize a cyber attack 
and even less capability to react.
    Third, the President has unveiled his national plan for 
information systems protection. This, I feel, is a good 
proposal and deserves the immediate support of Congress.
    Again, Mr. Chairman, my thanks to you. The legislation you 
have introduced on this subject, S. 1993, is something that we 
need to address immediately, and the Government Information 
Security Act is an important contribution. I look forward to 
today's discussion. Thank you, Mr. Chairman.
    Chairman Thompson. Thank you very much.
    [The prepared statement of Senator Akaka follows:]

    Thank you, Mr. Chairman and Senator Lieberman, for providing the 
opportunity to discuss cybersecurity. In this new age of information 
warfare, no issue is of more vital importance to our security.
    A cyber attack against our national information infrastructure 
would affect the integrity of our telecommunications, energy, banking 
and finances, transportation, water systems, and emergency services. As 
the Ranking Member of the Subcommittee on International Security, 
Proliferation, and Federal Services, I applaud all efforts to call 
attention to this issue. It is one in which the Subcommittee has also 
been involved. The Chairman and Ranking Member deserve great credit for 
the effort that they have made to heighten awareness of the threat 
while proposing methods to counter the threat.
    Computer hacking can no longer be labeled benign mischief. Once, 
those who gained unauthorized access to government and private sector 
computer networks were heralded as technical icons, whose exploits were 
lionized by the popular media. That is not the reality any more. Now 
hacking is a Federal crime at the very least--at the worst, an 
international act of aggression. As Deputy Secretary of Defense John 
Hambre has stated, ``We are at war--right now. We are in a cyber war.''
    Total losses from cyber fraud, including loss of service, recovery, 
and restoration costs, are estimated to be in the hundreds of millions 
of dollars. We now know that hostile countries have, or are developing, 
the capability to engage in overt and covert information warfare.
    Last year alone there were more than 20,000 cyber attacks on 
Department of Defense networks alone. Astonishingly, we do not know who 
was behind the majority of those attacks.
    In 1998, during a period of increased tensions with Iraq over 
United Nations weapons inspections, over 500 U.S. military, civilian 
government, and private sector computer systems were attacked. What was 
first thought to be a sophisticated Iraqi cyber attack proved to be a 
rather unsophisticated, yet highly effective attack by two juveniles 
from California with the cooperation of several individuals in Israel.
    Last month, cyber-based denial of service attacks had a dramatic 
and immediate impact on many Americans and resulted in the loss of 
millions of dollars when several large e-commerce sites were shut down 
for several hours.
    Just recently a student at a major university was arrested and 
charged with hacking into Federal Government computers at the National 
Aeronautics and Space Administration (NASA) and the Department of 
Defense where he was able to read, delete, and alter protected files 
and intercept and save log-in names.
    Clearly, cybercrime has become a pervasive problem. And it is 
getting worse. According to FBI Director Louis Freeh, cybercrime is one 
of the fastest evolving areas of criminal behavior and a significant 
threat to our national and economic security. The escalation of 
cybercrime is rapidly overwhelming our current capability to respond.
    Current technology has thus far failed to provide adequate 
safeguards for critical infrastructure networks. The Internet is 
international, knowing no boundaries and no ownership. Any attempt to 
stifle its growth and development would be counter productive to the 
economic interests of America. A variety of easy to use sophisticated 
hacker tools are freely available on the Internet, available for use by 
anyone in the world with an inclination to mount a cyber attack.
    Today, the United States has little ability to detect or recognize 
a cyber attack against either government or private sector 
infrastructures and even less capability to react. Nevertheless, we 
must, through cooperative public and private sector efforts, develop 
adequate defensive technologies to neutralize threats. Without new 
defenses, it is likely that attacks will occur with greater frequency, 
do more damage, and be more difficult to detect and counter.
    In January 2000, President Clinton unveiled his ``National Plan for 
Information Systems Protection,'' which proposes critically needed 
infrastructure improvements with milestones for implementation. This 
multifaceted plan promotes an unprecedented level of public/private 
cooperation, and proposes 10 programs to assess vulnerabilities, and 
significantly enhance capabilities to deter, detect, and effectively 
respond to hacking incidents. It also calls for vital research and 
educational enhancements to train adequate numbers of desperately 
needed information security specialists and sustain their perishable 
    Our continued leadership and prosperity in the global economy may 
well hinge on our national commitment to act as leaders in bringing 
information assurance to the global information environment we have 
helped to create. I commend the Chairman and Ranking Member for their 
leadership in calling attention to this particularly insidious problem 
by their introduction of S. 1993, the Government Information Security 
Act. I welcome our witnesses, and look forward to hearing their 
testimony today.

    Chairman Thompson. Our first witness will be Kevin Mitnick. 
Mr. Mitnick, thank you for being with us here today. Please 
introduce yourself. Your full statement will be made a part of 
the record. If you could summarize that for us, we would 
appreciate it very much.

                 TESTIMONY OF KEVIN MITNICK \1\

    Mr. Mitnick. Great. Good morning. It is an honor to be 
here. I am glad that you value my opinion. It is interesting to 
note that the United States was my adversary in years of 
litigation, and despite that fact, I am with you here today.
    \1\ The prepared statement of Mr. Mitnick appears in the Appendix 
on page 47.
    Chairman Thompson. I have seen those documents several 
times, United States of America versus some individual. It is 
kind of intimidating, is it not?
    Mr. Mitnick. It sure is. Despite that, I am ready, willing, 
and able to assist, and that is why I am here today. I have 
written a prepared statement. That way, I can just read it and 
hopefully will answer some questions.
    Hon. Chairperson Thompson, distinguished Senators, and 
Members of the Committee, my name is Kevin Mitnick. I appear 
before you today to discuss your efforts to create legislation 
that will ensure the future security and reliability of 
information systems used by the Federal Government. As you 
know, I have submitted my written remarks to the Committee. I 
would like to use this time to emphasize some of those remarks 
and to introduce a few ideas that I did not include in my 
written testimony.
    I have 20 years' experience circumventing information 
security measures and can report that I have successfully 
compromised all systems that I targeted for unauthorized access 
except one. I have 2 years' experience as a private 
investigator and my responsibilities included finding people 
and their money, primarily using social engineering techniques.
    Breaching information security measures is a difficult 
undertaking. As I stated in my prepared remarks, my success 
depended on exploiting weaknesses in computer systems and 
network security and the use of social engineering techniques. 
However, even the sophisticated techniques I have exploited for 
2 decades depended on the lack of commitment by software 
manufacturers to deliver software free of security weaknesses.
    The manufacturers of operating systems and software 
applications are under enormous pressure to deliver their 
products to the market with new features and are unwilling to 
thoroughly test their software under current market conditions. 
As a result, operating systems and applications contain 
security flaws that allow people with the required time, money, 
resources, motivation, and persistence to exploit those 
weaknesses. The Federal Government has no control over the 
security weaknesses that software manufacturers permit to reach 
the marketplace. Thus, it is imperative to enhance other 
security measures to overcome these shortcomings.
    The average American's confidence in the public telephone 
system is misplaced. Here is why. If I decided to target a 
computer system with a dial-in modem, my first step would be to 
use social engineering techniques to find the number of the 
modem. Next, I would gain access to the telephone switch that 
controls the number assigned to the modem line. Using that 
control, I would redirect the modem number to a log-in 
simulator that would enable me to capture the passwords 
necessary to access the target machine. This technique can be 
performed in real time to capture dynamic passwords that are 
changed once per minute.
    All of the actions I just described would be invisible to 
anyone monitoring or auditing the target computer security. 
What is important here is to consider the big picture. People 
use insecure methods to verify security measures. The public's 
confidence in the telephone system as secure is misplaced, and 
the example I just described demonstrates the reason why.
    The human side of computer security is easily exploited and 
constantly overlooked. Companies spend millions of dollars on 
firewalls, encryption, and secure access devices and it is 
money wasted because none of these measures address the weakest 
link in the security chain, the people who use, administer, 
operate, and account for computer systems that contain 
protected information.
    It is my understanding that this Committee oversees 
information security for the Internal Revenue Service and the 
Social Security Administration. In the United States v. 
Czubinski, an IRS employee was convicted of wire and computer 
fraud, the same crimes for which I spent 5 years in Federal 
prison. It is not lost on me that Mr. Czubinski's conviction 
was overturned by the First Circuit Court of Appeals as the 
court found that he never deprived the IRS of their property 
interest in the confidential information he accessed just to 
satisfy his personal curiosity, the same circumstances which 
precisely match the crimes to which I plead guilty in March 
    Ironically, in their publicly filed briefs, the government 
revealed the name of the computer system used by IRS employees 
and the commands reportedly used by Mr. Czubinski and IRS 
employees in general to obtain confidential taxpayer 
information. I would like to bring to this Committee's 
attention how I successfully breached information security at 
the IRS and the Social Security Administration using social 
engineering techniques before 1992, which just so happens to be 
beyond the applicable statute of limitations. [Laughter.]
    I called employees within these agencies and used social 
engineering to obtain the name of the target computer system 
and the commands used by agency employees to obtain protected 
taxpayer information. Once I was familiar with the agency's 
lingo, I was able to successfully social engineer other 
employees into issuing the commands required to obtain 
information for me using as a pretext the idea that I was a 
fellow employee having computer problems. I successfully 
exploited the security measures for which this Committee has 
oversight authority. I obtained confidential information in the 
same way government employees did and I did it all without even 
touching a computer.
    Let me emphasize for the Committee the fact that these 
breaches of information security are ongoing and even as I 
stand before you today and that agency employees are being 
manipulated using social engineering exploits despite the 
current policies, procedures, guidelines, and standards already 
in place at these agencies.
    S. 1993 is an important step toward protecting the 
confidentiality, integrity, and availability of critical data 
residing in government computer systems. However, after 
successfully exploiting similar security measures at the IRS 
and the Social Security Administration, as well as some of the 
planet's largest technology companies, including Motorola, 
Nokia, Sun Microsystems, and Novell, I am concerned that 
enacting this law without vigorous monitoring and auditing 
accompanied by extensive user education and training will fall 
short of the Committee's admirable goals.
    In closing, I would be happy to offer my knowledge and 
expertise to the Committee regarding methods that may be used 
to counteract the weakest link in the security chain, the human 
element of information security. That is it. Thank you.
    Chairman Thompson. Thank you very much. That was very short 
but very powerful, Mr. Mitnick. Thank you very much.
    It seems, in essence, what you are telling us is that all 
of our systems are vulnerable, both government and private.
    Mr. Mitnick. Absolutely.
    Chairman Thompson. We had the members of The L0pft here a 
couple of years ago, some of the computer hackers, who 
basically told us the same thing. They said they could shut 
down the Internet and it was not a real problem. As I sit here 
and listen to you, you are one individual. Obviously, you are 
very bright, but there are a lot of very bright individuals out 
there. It makes you wonder, if one individual can do what you 
have done, what in the world could a foreign nation, with all 
the assets that they would have at their disposal do.
    Mr. Mitnick. It is pretty scary.
    Chairman Thompson. The point, and I think it is one that 
you make, is that we really do not know to what extent we 
already have been compromised, and the fact that we do not know 
or that other people or entities have not taken advantage of 
that or done something bad to us yet does not mean that we have 
not already been compromised in some way, is that not true?
    Mr. Mitnick. It is a possibility.
    Chairman Thompson. You also point out that the key to all 
of this, we sit here and think of systems and programs and all, 
but you point out the key is personnel, that that is the 
weakest link. No matter what kind of system you have, unless 
you have personnel that are adequately trained, adequately 
motivated--can you explain the importance of the personnel 
aspect to this and what you think we might be able to do about 
    Mr. Mitnick. In my experience, when I would try to get into 
these systems, the first line of attack would be what I call a 
social engineering attack, which really means trying to 
manipulate somebody over the phone through deception. I was so 
successful in that line of attack that I rarely had to go 
towards a technical attack. I believe that the government 
employees and people in the private sector, that their level of 
awareness has to be--you have to do something to raise their 
level of awareness that they could be the victim of some sort 
of scam over the telephone.
    What I might suggest is maybe a videotape be made that 
would demonstrate somebody being manipulated over the phone and 
the types of pretexts and ruses that are used and maybe that 
will make somebody think the next time they get a phone call. 
The problem is, people do what they call information mining, is 
where you call several people within an organization and you 
basically ask questions that appear to be innocuous, but it is 
really intended to gain intelligence.
    For instance, a vendor might call a company and ask them 
what software, what are you currently using, what computer 
systems do you have, to sell them a particular product, because 
they need to know that information, but the intent of the 
caller might be to gain intelligence to try to target their 
computer systems.
    So I really have a firm belief that there has to be 
extensive training and education to educate the users and the 
people who administer and use these computer systems that they 
can be victims of manipulation over the telephone, because like 
I said in my prepared statement, companies could spend millions 
of dollars towards technological protections and that is money 
wasted if somebody could basically call somebody on the 
telephone and either convince them to do something on the 
computer which lowers the computer's defenses or reveals the 
information that they are seeking.
    Chairman Thompson. So you can compromise a target without 
ever even using the computer?
    Mr. Mitnick. Yes. For example, personally, with Motorola, I 
was working at a law firm in Denver and I left work that day 
and just on an impulse, I used my cellular telephone and called 
Motorola, their 800 number, and without getting into details of 
how this, because of the time constraints, is by the time I 
left work and by the time I walked home, which was about a 20-
minute period, 15- to 20-minute period, without any planning or 
anything, I was able to, by the time I walked to the front 
door, I had the source code to the firmware which controlled 
the Motorola Ultralight telephone sitting on a server in 
Colorado. Just by simply making pretext telephone calls within 
that 15- to 20-minute period, I had the software. I convinced 
somebody at Motorola to send the software to a particular 
    Chairman Thompson. So this has to do with personnel, it has 
to do with training within a larger umbrella of management.
    Mr. Mitnick. Absolutely, and I think the management has to 
be from top down, and the whole idea here is to protect the 
information regardless of whether it resides on a computer 
system or not, because whether or not this information is 
printed on a printout or is sitting on a floppy disk, it is 
still information which you want to protect against any type of 
confidentiality breach and the integrity of the information 
from being modified or destroyed.
    Chairman Thompson. These are the things we are trying to 
address in our bill.
    Mr. Mitnick. Yes, I read the bill.
    Chairman Thompson. We appreciate your comments on that. One 
of the questions we are going to have to deal with is whether 
or not we ought to be more specific in terms of training, for 
    Mr. Mitnick. I think you should be, because----
    Chairman Thompson. We vest the responsibility, but we kind 
of end it there and leave it up to the agencies to take it from 
there, but some have suggested that we might be more specific 
and more precise in exactly what kind of training we ought to 
    Mr. Mitnick. Yes, I think that is important because I am 
not privy to this information, but I assume that there are 
policies, procedures, guidelines, and standards in effect for 
protecting information at these agencies, just by protecting 
the information without regard to the computer systems. I think 
by explaining my background and experience with the Committee 
today that you can see that those policies and procedures were 
easily circumvented.
    So what the Committee has to--I guess what has to be done 
is there has to be a way to figure out what the Federal 
Government could do to protect its information, and just 
enacting a law or policies and procedures may not be effective. 
I do not know. I think it really depends on really training the 
systems administration staff, management, and the people who 
use, administer, and have access to the information about all 
the different methodologies that could be used to breach 
computer security, which is not only just the human element. 
You have physical security, you have network security, and you 
have security of computer systems. So it is a very complex 
issue, so you have to be able to get people on board that would 
know how to protect each different area.
    Chairman Thompson. We are not interested in another overlay 
of statutory requirements, and you are right, there are plenty 
of laws on the books that have to do with information systems 
in general. Technology has changed and the government has not 
changed with it, and what we have discovered is that although 
we have a lot of laws on the books, there is no comprehensive 
management scheme out there. There is no way to measure and 
evaluate the effectiveness of what anybody is doing. We will 
have a GAO witness here in a little while and we will go over 
the fact that for a few years now, we keep being told that 
government is ineffective. It is not working. It is not doing 
the job. So we go back and Congress does more. So that is what 
we are trying to do here and your testimony is very helpful.
    We have other Senators here, so I will pass. Senator 
    Senator Lieberman. Thanks, Mr. Chairman.
    Mr. Mitnick. Can I make a comment?
    Chairman Thompson. Yes.
    Mr. Mitnick. And, by the way, private investigators and 
information brokers today obtain confidential taxpayer 
information from Social Security and the IRS and they are doing 
it as we speak. You can go to any private investigator and hire 
them to do this.
    Chairman Thompson. We have had testimony to that effect.
    Mr. Mitnick. So obviously it is somebody who has access to 
the computer either illegitimately or somebody that is taking 
payola to reveal this information that is within the agency.
    Chairman Thompson. Thank you.
    Senator Lieberman. Thanks. Mr. Mitnick, thanks for your 
testimony. You have been very illuminating and helpful. My 
staff lifted up some clips in preparation and one of them 
described you as ``arguably the most notorious computer hacker 
in the world.'' I thought I would ask you if you would be 
comfortable, as we confront this problem, helping us to answer 
the question of ``why?''
    I mean, in one sense, the ``why'' of a certain number of 
people, national certainly in security areas is clear. If a 
foreign government, such as the Serbs during the Kosovo 
conflict, or some subnational group of terrorists tries to 
break into our computer systems, that is a pretty clear 
    But this is not like most crime waves. To a certain extent, 
as I read about your story and hear about others in the kind of 
daily breaking of government computer systems, it seems to me 
that there is a different sort of motivation. In some sense, it 
almost seems to be the challenge of it. If you would, just talk 
about why you, or if you want to third personalize it, why 
people generally become hackers.
    Mr. Mitnick. Well, the definition of the word hacker, it 
has been widely distorted by the media, but why I engage in 
hacking activity, my hacking activity actually was--my 
motivation was the quest for knowledge, the intellectual 
challenge, the thrill, and also the escape from reality, kind 
of like somebody who chooses to gamble to block out things that 
they would rather not think about.
    My hacking involved pretty much exploring computer systems 
and obtaining access to the source code of telecommunications 
systems and computer operating systems because what my goal was 
was to learn all I can about security vulnerabilities within 
these systems. My goal was not to cause any harm. It was not to 
profit in any way. I never made a red cent from doing this 
activity, and I acknowledge that breaking into computers is 
wrong and we all know that. I consider myself a trespasser and 
my motivation was more of--I felt like an explorer on these 
computer systems and I was trying--it was not really towards 
any end.
    What I would do is I would try to obtain information on 
security vulnerabilities that would give me greater ability at 
accessing computers and accessing telecommunications systems, 
because ever since I was a young boy, I was fascinated with 
communications. I started with CB radio, ham radio, and 
eventually went into computers and I was just fascinated with 
it. And back then, when I was in school, computer hacking was 
encouraged. It was an encouraged activity.
    Senator Lieberman. Who encouraged it?
    Mr. Mitnick. In school. In fact, I remember one of the 
projects my teacher gave me was writing a log-in simulator. A 
log-in simulator is a program to trick some unknowing user into 
providing their user name and password, and of course, I got an 
A---- [Laughter.]
    But it was encouraged back then. We are talking about the 
1970s. And now, it is taboo. A lot of people in the industry 
today, like Steven Jobs and Steven Wozniak, they started out by 
manipulating the phone system and I think even went to the 
point of selling blue boxes on Berkeley's campus, and they are 
well recognized as computer entrepreneurs. They were the 
founders of Apple Computer.
    Senator Lieberman. Yes. The fork in the road went in 
different directions in their case.
    Mr. Mitnick. Just slightly. [Laughter.]
    Senator Lieberman. Well, maybe there is still time. You are 
young, so there is still time.
    Your answer is very illuminating again. Part of what you 
are saying struck me, which is unlike other forms of trespass 
or crime, you did not profit at all.
    Mr. Mitnick. I did not make a single dime, but that is not 
to say--one of the methods how I would try to avoid detection 
and being traced was to use illegitimate cellular phone numbers 
and electronic serial numbers to mask my location.
    Senator Lieberman. Right.
    Mr. Mitnick. I did not use this to avoid the cost of making 
a phone call, because most of the phone calls were local. I 
could have picked up a phone at home and it would have been a 
flat rate call. I did it to avoid detection, but at the same 
time, it was cellular phone fraud because I was using airtime 
without paying for it.
    Senator Lieberman. Were you aware as you went through this 
pattern of behavior that you were violating the law?
    Mr. Mitnick. Oh, of course, yes.
    Senator Lieberman. You were? Were you encouraged or at 
least not deterred by the fact that you had some confidence 
that there were few or no consequences attached to it? There 
are cases where people know that they are doing something 
illegal, but they think that the prospects of being apprehended 
and charged are so slight that they go forward nonetheless.
    Mr. Mitnick. Well, that is true, because as you are doing 
some illegal activity, you are not doing a cost-benefit 
analysis--well, at least I was not doing a cost-benefit 
analysis. I did not think of the consequences when I was 
engaging in this behavior. I just did it, but I was not 
thinking about, well, if I were to get caught, I would have 
these consequences. It was just focusing on the activity at 
hand and just doing it.
    Senator Lieberman. Because of what you described before as 
the thrill of it or the challenge of it, the adventure.
    Mr. Mitnick. It was quest for knowledge, it was the thrill, 
and it was the intellectual challenge, and a lot of the 
companies I targeted to get the software was simply a trophy. I 
would copy the code, store it on a computer, and go right on to 
the next without even reading the code.
    Senator Lieberman. Interesting.
    Mr. Mitnick. I mean, that is a complete different 
motivation of somebody who is really out for financial gain or 
a foreign country or a competitor trying to obtain information, 
like economic espionage, for instance.
    Senator Lieberman. Right, very different. Clearly, as a 
lawmaker, part of why I ask these questions is because I wonder 
whether if we raise the stakes, that is to say we set up 
security systems that make detection more likely and increase 
penalties for this kind of trespass, Internet trespass, whether 
there is a prospect of deterring the next Kevin Mitnick.
    Mr. Mitnick. You are talking about enacting further 
    Senator Lieberman. Yes, raising the prospects that a so-
called hacker is going to be detected, for one, and then 
second, raising the criminal penalties for the hacking.
    Mr. Mitnick. I would encourage you to come up with a method 
of prevention and detection, and I encourage the computer 
industry today to look to methods to better detect intrusions 
and, again, extensive user training and education on how to 
prevent the human exploitation.
    For instance, in my case, I was basically doing this out of 
the curiosity rather than for financial gain, and what is 
interesting to note is in that case I described in that U.S. v. 
Czubinski case, where this was an IRS agent who obtained 
confidential taxpayer information and was eventually 
prosecuted, his convictions were reversed by the First Circuit 
Court of Appeals because what the court held is that Mr. 
Czubinski did not deprive the IRS of their property interest in 
this information because he had no intent to use or disclose 
the information he obtained.
    That is the same circumstances as in my case. I was not 
doing it to use the information or disclose it to anybody. It 
was the trophy. So it is a very interesting issue of whether I 
really engaged in computer trespass or fraud, because fraud is 
where you deprive somebody of their money or property, and in 
my case, while it was a gross invasion of privacy, I never, in 
my opinion, deprived any of these companies of their software 
or used it to their detriment. So that is the difference in my 
    Then you have people out there who are working for private 
investigators, trying to obtain confidential information like 
from the IRS or Social Security and through State and local 
government agencies to sell. Information brokers sell it to 
private investigators who have clientele that are trying to 
find information on people.
    Senator Lieberman. You know, I hate to suggest a waste of 
your talent, but as I listen to you, I think you would make a 
great lawyer. [Laughter.]
    Mr. Mitnick. Well, I do not know if you are convicted of a 
felony, if they would allow you to be admitted to the bar.
    Senator Lieberman. That is harder to do. [Laughter.]
    Let me ask you just a few more questions.
    Mr. Mitnick. Maybe I could get a Presidential pardon.
    Senator Lieberman. Yes. Maybe we will come back.
    Chairman Thompson. We have a lot of criminal lawyers around 
    Senator Lieberman. Yes, we do. [Laughter.]
    Chairman Thompson. Nothing personal.
    Senator Lieberman. The response of the people attending was 
much more enthusiastic than we might like. [Laughter.]
    Mr. Mitnick, building on what you have just said, 
obviously, you have been away, involuntarily, from the world of 
computers for a number of years now. I wonder if you feel that 
the techniques that you used are still useful today and whether 
they have retained their relevance in light of all the change 
that has occurred, and whether you have any sense that today's 
computer security systems are more sophisticated than they were 
when you were involved in your hacking.
    Mr. Mitnick. Well, I can say that the social engineering or 
the exploiting the human element of computer security, I think 
is in the same state as it was 5 years ago before I went to 
    Senator Lieberman. Yes.
    Mr. Mitnick. However, by reading materials and magazines 
and reading advertisements, I know that the industry is 
building security products to try to protect information that 
resides on computer systems. I have not had a chance to 
evaluate it, but it is simply if somebody has the resources, 
the time, money, and motivation, they can get into any 
computer. The only thing that the Federal Government and 
private sector can do is to reduce the threat. You cannot 
reduce it to zero----
    Senator Lieberman. Make it harder.
    Mr. Mitnick [continuing]. You can only make it harder, and 
hopefully, the attacker will find it difficult that they will 
go to the next guy, just like people do at home. They put a 
lock on the door. If somebody really wants to get in, they are 
going to go through a window, and you can only make it more 
difficult so they try to go to the next guy. Then if somebody 
is really targeted, government information or trying to target 
information in the private sector, I think it would be 
extremely difficult to prevent, and that is why management is 
so important to really encourage systems administrators and the 
users of these computer systems, maybe to do some sort of 
rewards program, or if information is breached under their 
control, there should be some punishment.
    I have not really given it that much thought, but for the 
human element, I think it is still in the same state, and I 
believe there have been some technological improvements, but 
the Internet, do not forget, the Internet started out as the 
ARPANET, which was pretty much academia, government agencies, 
and universities sharing information and the protocols were not 
developed with security in mind. They were developed to allow 
these individuals or these companies to share information and 
to co-work on projects, and now everybody is scrambling because 
of the e-commerce to build security on top of a weak 
foundation. Maybe what should be considered is building a 
strong foundation.
    Senator Lieberman. Well said. I am struck by your emphasis 
on the human element as the weak link in this computer security 
chain and it conforms to other information we have heard that 
the so-called cultural factors, in some cases just plain 
negligence or inattention by people in charge of computers, 
leads to most of the problems in security that we have.
    Let me ask one last question and then yield to my 
colleagues. In the question of security, as we think about 
computer security as it affects our national security, we 
naturally think of defense. But I have read some material that 
makes, I think, the good point that a hostile group or Nation 
wanting to do harm to the United States might not only go after 
traditional defense targets but might try to incapacitate power 
grids, for instance, public utility grids or transportation 
information systems or even stock or commodities markets.
    To the best of your knowledge and experience, would you say 
that those essential but non-defense systems are probably as 
vulnerable as you have described systems to be generally?
    Mr. Mitnick. Perhaps. If you have the resources of a 
foreign government, what would stop a foreign government from 
putting operatives to work in the companies to develop the 
hardware and software that is utilized by these groups, or the 
power grid, transportation, and these things of national 
importance, and put some type of back doors or some type of 
flaw in the operating system or the software applications that 
allows them to have access. I mean, they can go to those 
extremes and they have the resources to do it.
    Senator Lieberman. Your answer leads me to just ask one 
last question: You have talked about the prominent role of what 
you have described as social engineering, which is to 
manipulate unwitting employees. I know it is hard to state a 
percentage on this, but would you guess that most hacking is 
being done in that way-by the manipulation of the cultural 
weaknesses, the human weaknesses? And to that extent, how much 
does hacking depend on successful human penetration of a system 
as opposed to technological penetration of a system without any 
assistance from anybody inside, with the assistance from inside 
coming either knowledgeably, that is, by somebody who has been 
placed in there, or just unwittingly by a negligent employee?
    Mr. Mitnick. In my experience, most of my hacking involved 
the social engineering exploitations, but I think that most of 
the hacking out there is really the weaknesses that are 
exploited in the operating systems and the software 
applications, because if you go on the Internet, you can simply 
connect to computer sites that basically have scripts of the 
exploit scripts, so anybody that has access to a computer and 
modem could download these exploits and exploit these 
vulnerabilities that are in the operating systems developed by 
the software manufacturers.
    That is why I brought out the point that I think it is 
important for the software manufacturers to be committed to 
thoroughly testing their software to avoid these security flaws 
from being released to the marketplace.
    Senator Lieberman. It is a very important point.
    Mr. Mitnick. And maybe government and private industry, if 
these companies are not committed to it, is maybe going with 
another company.
    Senator Lieberman. Thanks, Mr. Mitnick. You have been very 
helpful. I think you have turned your unfortunate experience in 
the past into some very constructive support this morning. 
Thank you.
    Mr. Mitnick. Thank you for having me.
    Chairman Thompson. How much time did you actually serve?
    Mr. Mitnick. Fifty-nine months and 7 days.
    Senator Lieberman. Five years.
    Chairman Thompson. Fifty-nine months?
    Mr. Mitnick. I do not know how many minutes or hours.
    Chairman Thompson. Well, you know if instead you had raised 
millions of dollars for political campaigns, you would have 
gotten probation. [Laughter.]
    Senator Collins.


    Senator Collins. How can I follow that, Mr. Chairman?
    Chairman Thompson. You had better choose your excitement 
more carefully in the future.
    Mr. Mitnick. I think that is a good idea.
    Senator Collins. Mr. Chairman, I want to first commend you 
and Senator Lieberman for holding this hearing to highlight the 
pervasive vulnerability of our private sector and government 
computer systems.
    Mr. Mitnick, I was struck by your emphasis, as was Senator 
Lieberman, on the human element involved, because I think we 
often think of computer security in terms of technological 
safeguards or the physical security of the computers in 
restricting access. Yet your experience as well as the recent 
revelations about the former CIA Director's carelessness with 
his home computer suggest that we may be overlooking what is 
the most important factor, which is the human element.
    In general, do you think there is a lack of awareness of 
the risks of the human element, both in the private sector and 
in the public sector? I am particularly thinking of at the 
higher levels of corporations and government agencies. I think 
training tends to occur at the lower levels, and yet the risk 
may be just as high at the higher levels. Could you comment on 
    Mr. Mitnick. I think the greater risk is at the lower 
levels. I do want to make a point. When you order a pizza, how 
they verify that you are the one that ordered it is by calling 
you on the telephone to verify that that is you. Well, you have 
got to really look at the big picture, and because there is a 
false reliance placed on telecommunications systems, such as 
the public telephone network, which is easily exploitable.
    So, for instance, if I were to call you at your--what I did 
is offer to do a demonstration today if the government would 
give me immunity, but there was not any time. But anyway, what 
somebody could actually do is if they have access to the 
telephone switch, they could actually manipulate it so you can 
call back a legitimate number that you think you are calling to 
verify the authenticity of the request, but that number has 
been rerouted to the attacker. So because of the reliance on 
faxes, on voice mail, on telephones in general to verify the 
legitimacy, and that is easily exploitable, that is what makes 
it so easy to exploit the human element.
    Senator Collins. How easy is it for a computer hacker to 
use work done by others--I am told it is called an attack 
script--in order to hack into a computer? Would such a person 
even have to really understand how the computer code was 
written in an attack script in order to use it to hack into a 
    Mr. Mitnick. Not really. If there is a shell script or a 
script is written where they just run it and it gives them the 
super-user privileges or system administrator privileges, they 
really do not have to know how it is working, and what is 
unfortunate, you have a lot of people out there that have 
access to those scripts that really do not know what they are 
doing, so if they get into a computer and obtain system 
administrator-level privileges, they could easily destroy 
information or damage the computer by trial and error and 
without realizing what they are doing because they do not have 
the knowledge or the experience on that particular type of 
computer system. So it is concerning.
    Senator Collins. Another issue that you raised earlier was 
that when the Internet was in the early stages of development, 
the emphasis was on sharing information, accessibility, 
openness, free exchange of ideas. The emphasis was not on 
security and that has made us vulnerable in some ways.
    Do you think that is also a problem with the growth of e-
commerce, that there has been insufficient attention given to 
security, that the emphasis has been on accessibility, ease of 
use, making it easy for people to make purchases? Do you think 
the private sector has been a little bit slow in turning its 
attention and investing in the security of its systems?
    Mr. Mitnick. Well, unfortunately, because I was unavailable 
for the last 5 years and e-commerce just started after I was 
sent away, I was not really able to keep up with it. But today, 
everybody is reluctant to use their credit card over the 
Internet because they think somebody is going to get their 
credit card number and defraud them. I think that there is a 
loss of confidence in using the Internet, especially with doing 
financial transactions, because mostly you hear about these 
media reports of these people being able to circumvent security 
so easily.
    What is interesting is people will go into a restaurant and 
will hand their credit card number to a waiter or waitress and 
they have no problem with that, but they are afraid to type 
their number onto the Internet because they figure it could be 
captured, which is a possibility, but I think what is 
interesting is I think there is limited liability if someone 
were to obtain your card and use it without permission. There 
is maybe a $50 to $100 liability.
    Maybe security systems have to be created that would raise 
the level of confidence that the public has in using the 
Internet for e-commerce.
    Senator Collins. Thank you, Mr. Mitnick. I just want to 
wish you well as you go on with your life. You clearly have a 
great deal of talent and intelligence, and it seems to me, as 
we have been discussing, that you paid a pretty heavy price for 
your crime and I wish you well.
    Mr. Mitnick. Thank you very much.
    [The prepared statement of Senator Collins follows:]

    Mr. Chairman, I appreciate the work you and Senator Lieberman have 
done on the important topic of the security of the computer system of 
the Federal Government.
    The Internet offers unprecedented openness and accessibility. Those 
same attributes make it vulnerable to attacks by unauthorized users. 
The pervasive vulnerability of our computer systems raises the specter 
of malicious attacks by terrorists rather than simply the relatively 
benign intrusions of teenagers.
    As one expert in computer security recently stated, ``The Net 
changes the nature of crime. You don't need skills to be an attacker. 
If you are going to make counterfeit bills or burglarize a building, 
you need certain abilities. On the Net, you download an attack script 
and click here.''
    The sophistication of computers has been matched by the opportunity 
for malicious activity based on information obtained through the 
Internet. In my view, this creates an increased ability for a greater 
number of people to threaten government computers.
    We have an excellent group of individuals on the panels today who 
can share their view of what the government can do to better protect 
its computer system. I look forward to their testimony.

    Chairman Thompson. Thank you very much. Senator Edwards.


    Senator Edwards. Thank you, Mr. Chairman.
    Good morning, Mr. Mitnick.
    Mr. Mitnick. Good morning.
    Senator Edwards. I am from North Carolina and actually live 
in Raleigh and I remember vividly----
    Mr. Mitnick. I have been there. [Laughter.]
    Senator Edwards. You were big news for a long time in 
Raleigh. I remember it very well. Let me ask you about a couple 
of things. In answering one of Senator Lieberman's questions 
about why you got involved in hacking to begin with, I was 
listening to the words you were using and they sounded very 
much to me like a description of addictive behavior. Do you 
believe that addictive behavior is involved with folks who are 
habitually involved in hacking like you were?
    Mr. Mitnick. I am not sure I would consider it addictive 
behavior. It was just an activity I was intensely interested 
and focused on, because ever since I was a young boy, I was 
interested in telecommunications and computers and that was 
just my calling, just like somebody is very interested in 
sports and every day they go out and practice. I am not sure 
that you can really equate it to like a physical addiction. But 
then again, I am not a health services professional, so I would 
not know.
    Senator Edwards. No, I understand. But did you feel like 
you yourself were addicted to this hacking behavior?
    Mr. Mitnick. I enjoyed it. I would say it was a distinct 
preoccupation, but I do not think I could label it as an 
addiction, per se.
    Senator Edwards. Did you ever try to stop?
    Mr. Mitnick. I did stop for a while, and then at that time 
that I was not engaging in that behavior, the Department of 
Justice, specifically the FBI, sent this informant to target 
me, and basically, I got hooked back into computer hacking 
because of the enticements that this fellow that they sent to 
target me, enticed me back into that arena.
    Senator Edwards. What advice would you give to other 
hackers, or probably more importantly, potential hackers?
    Mr. Mitnick. That is hard to say. I would have to really 
think about that. I do not encourage any activity which 
maliciously destroys, alters, or damages computer information. 
Breaking into computer systems is wrong. Nowadays, which was 
not possible for me when I was younger, computer systems are 
now more affordable and if somebody wants to hack, they can buy 
their own computer system and hack the operating system and 
learn the vulnerabilities on their own system without affecting 
anybody else with the potential for causing any type of harm.
    So what I would suggest is if people are interested in the 
hacking aspect of computers, they can do it with their own 
systems and not intrude upon and violate other personal or 
corporations' privacy, or government.
    Senator Edwards. Do you think it is possible to use things 
like click stream data to identify people who are least 
potentially going to----
    Mr. Mitnick. Excuse me, to use what?
    Senator Edwards. Click stream data. Do you know what that 
    Mr. Mitnick. No.
    Senator Edwards. OK. Do you think there is some way to 
identify people who are likely to become engaged in hacking 
just based upon their patterns of behavior in using their 
computer systems?
    Mr. Mitnick. I do not know.
    Senator Edwards. You said in your testimony, and maybe 
someone has asked you this and I did not hear it, that in 20 
years of experience in circumventing information security 
measures, you have been able to successfully compromise all 
systems save one.
    Mr. Mitnick. That is true.
    Senator Edwards. Which one?
    Mr. Mitnick. It was a computer system run by an individual 
and this computer was at his home and it was in the U.K., in 
England, and I was unable to circumvent the security on that 
system because I did not have control of BT, which was British 
    Senator Edwards. So there is nothing about the security 
system itself that gives us a lesson on how we can make systems 
more secure?
    Mr. Mitnick. See, a real important point is the more people 
that have access to a computer system, the easier it is to 
penetrate because--well, of course, for the social engineering 
exploit, like in government or in large corporations, it is 
very easy. But the less people that have access to the computer 
system, the less vulnerable it is, and in this particular 
instance, it was one person and it was his home machine, so it 
was extremely difficult and this person was very, very sharp on 
computer security issues. In fact, this individual is the one 
that found security vulnerabilities in the VMS operating system 
which was manufactured by Digital Equipment Corporation, and 
why I targeted this individual was to basically find and obtain 
all the security flaws that he discovered in the operating 
system because my goal was obtaining information on all 
security vulnerabilities so I would be effective at being able 
to compromise any system that I chose to compromise.
    Senator Edwards. One last thing. In North Carolina, we have 
a company called Red Hat.
    Mr. Mitnick. Linux?
    Senator Edwards. Yes. They have been, as you know, very 
successful. I had a meeting a few weeks ago with Bob Young, who 
is the founder of that company, and I was just curious whether 
you--and based on my discussions with him, I had some feeling 
that there was at least the potential for these open source 
software systems to be more secure. Do you have any views about 
    Mr. Mitnick. Yes. I think that is true, the reason being is 
they are open for inspection by the public at large and in so 
doing, just like with systems that utilize encryption, I think 
those security flaws could be readily identified and published 
and fixed rather than in a proprietary system where it is not 
open to the public and then you maybe have the individuals that 
find these holes do not report them and they use them to 
exploit vulnerabilities and access computer systems without 
anyone knowing the better, or without detection.
    Senator Edwards. Thank you very much. Good luck to you.
    Chairman Thompson. Thank you very much, Mr. Mitnick. You 
have been very, very helpful to us. Good luck to you.
    Mr. Mitnick. Thank you.
    Chairman Thompson. Thanks for being with us today.
    Mr. Mitnick. It is an honor to be here today.
    Chairman Thompson. I would like to introduce our second 
panel, Jack Brock, Director of Governmentwide and Defense 
Information Systems at GAO, who is responsible for most of the 
work done by the GAO for this Committee over the last few 
years. Also on the panel is Roberta Gross, the Inspector 
General for NASA, who has done much work in the area of 
computer security and even has a special investigative unit on 
computer crimes, so thank you for being with us.
    We always take more time with our first panel, whether it 
is one witness or 10. We are going to have to be out of here in 
about an hour, so as far as we are concerned and the panels are 
concerned, let us keep that in mind and do what we can.
    Mr. Brock, do you have any opening comments to make?


    Mr. Brock. Yes, sir. I could actually spend my entire time 
reading you a list of the reports that we have done on computer 
security, many of these for your Committee.
    \1\ The prepared statement of Mr. Brock appears in the Appendix on 
page 55.
    Chairman Thompson. Could you summarize all that?
    Mr. Brock. Absolutely.
    Chairman Thompson. Would you say there is a bunch?
    Mr. Brock. There are a lot.
    Chairman Thompson. All right.
    Mr. Brock. Unlike Mr. Mitnick, when we go into agencies, we 
are doing so with the full knowledge and authorization of the 
agencies we go in. A long time ago, when we did computer 
security work, we examined agencies' controls and we would 
comment on those controls and we would say the controls are 
inadequate and the agency would say, well, no, they are 
adequate, so we disagree with you.
    A few years ago, we started doing our own testing of the 
controls. We do not call it hacking, we call it penetration 
testing. We have been uniformly successful in getting into 
agencies. The reports that we have done for your Committee over 
the past few years at NASA, State, DOD, and the IRS, indicate 
that, typically, agencies have very poor controls.
    EPA, which we have just released a report on a couple of 
weeks ago, we went in through their firewall, which offered 
virtually no protection. We had access to their mainframe 
computer center, which had almost no controls set up, and we 
were able to wander around the agency almost at will. It was 
not really difficult.
    At another agency where the firewall offered better 
protection, we did what Mr. Mitnick was referring to as social 
engineering. We simply call people and say, I am Joe Blow. I am 
the system administrator. Here is my telephone number. Call me 
back. We are having a problem with your account. Give me your 
password, and you can call this number and check it. It is 
amazing how many people just call you right back and give you 
the password.
    If that does not work, you just gain access to the building 
and walk around and you find computers that are open. You find 
the computer monitors with the password in a sticky on it. It 
is not very difficult to get access.
    So as we have gone to agency after agency after agency, the 
specific weaknesses are usually technical. There is a technical 
reason that we are getting in. The software has a hole in it. 
The firewall is not very good. It is not very rigorous. 
Password protection is weak, or whatever.
    We, frankly, after doing many of these and we are doing the 
same report over and over, we said, there has got to be a 
better way of doing this, and at your request, we looked at 
agencies or at organizations that have good computer security, 
and there we found that good management attention to the 
problem is the secret. It is much like if you have a house and 
you have wood rot and people come in and they say, well, you 
have got a problem, and you patch it over with a little putty, 
you still have that underlying weakness.
    We found when we were going into agencies and pointing out 
specific computer weaknesses, that these weaknesses would be 
corrected. They would patch it. But the underlying causes, the 
poor management, the lack of management attention, the lack of 
budget, all of these things really did not fix the underlying 
problem. So it was like sticking your finger in the dike. You 
would plug up one hole and another hole would spring out 
somewhere else and things would leak through. That is the 
condition we find at agencies, and we find it consistently.
    One of the things that your bill does is it changes the 
direction of the computer security legislative framework. The 
Computer Security Act is inherently flawed in that it is built 
on a system-by-system basis. It starts with the premise that 
computer security can be fixed at the system level when really 
it needs to start at the management level. I would like to 
briefly go over a few features in your bill that we think are 
very commendable and we would encourage that if legislation is 
being considered, that these items be kept.
    First of all, it incorporates the best practices that we 
found at leading organizations, in other words, those 
management practices that agencies or organizations undertook 
to, in fact, provide a secure framework throughout their 
    Second, your bill requires a risk-based approach to be 
implemented by agency program managers and technical 
specialists. Let me just talk about this a little bit. If you 
do not know what your risk is, and risk is a function of the 
vulnerability of the system, a function of the threat to the 
system and a function of the value of the information of the 
process that that system controls. If you do not understand 
your risk, you are not going to put in the right kind of 
controls, you are not going to have the right kind of training, 
you are not going to have the right kind of testing. Rarely do 
we find agencies that do a good job at determining the risk 
they face, and again, without determining the risk, you are not 
going to know what sort of controls need to be put into place.
    Third, your bill provides for an independent audit and we 
think that is an absolute must. An independent audit gives OMB, 
oversight committees, such as yourself, and agencies themselves 
an opportunity to see how well do controls work, how well do 
training policies work, how well are they doing as a management 
entity in terms of providing good computer security over our 
information resources.
    Finally, it also eliminates the distinction between 
national security and non-national security systems. Right now, 
there is a dividing line. We have actually gone to some 
agencies and talked to them about computer security and they 
say, we do not have any classified information. Therefore, 
computer security is not an issue with us. And by having that 
distinction between national security and non-national 
security, we think that in many agencies, it creates a barrier 
to having an effective agency-wide security program.
    If I could just indulge you for a moment more, we would 
like to talk about a couple of features that we think you 
should consider. The first of those, and you alluded to this in 
your opening remarks, is that we believe there should be 
mandatory standards put into place and that these standards 
should be in two parts. The first part would be a standard set 
of data classifications which would be used by all agencies, 
for example, risk levels ranging from one to whatever, and that 
data would be classified in one of these risk elements, ranging 
from things that you did not care that much about, information 
that was not particularly sensitive, was not particularly 
vulnerable, all the way to national security information.
    In turn, this would lead to a set of mandatory control 
requirements that would set minimum requirements for each of 
these data classifications. We believe if this were instituted 
across the government, it would improve the ability of the 
government to enforce computer security, it would improve the 
ability of managers to provide a minimal level of support for 
their agency, it would permit better targeting of resources, 
and it would improve the ability of the independent auditors to 
do a good job.
    Finally, we think there is also a need for stronger central 
guidance. I think the lessons learned from Y2K is that a strong 
central hand, in this case, John Koskinen, really can provide 
much needed oversight and impetus to agencies in terms of 
making sure that they are following good practices, making sure 
that budget submissions are responsive, and in general, 
providing the leadership that seems to be lacking in computer 
    That is my brief statement, and I would ask you, Mr. 
Chairman, that my full statement be included in the record.
    Chairman Thompson. All statements will be made a part of 
the record. Thank you very much.
    Chairman Thompson. Ms. Gross, thank you.


    Ms. Gross. Good morning. Thank you very much for inviting 
me here to testify on the act. I am here in a double capacity. 
I am here as the NASA Inspector General. I also head a task 
force that is looking at this bill on behalf of the Inspector 
Generals, and so I will weave in some remarks that will reflect 
some of the community remarks.
    \1\ The prepared statement of Ms. Gross appears in the Appendix on 
page 71.
    This is a world of limited budgets. We all know that. And 
in making decisions, agencies have to decide--Mr. Brock pointed 
that out--they have to figure out what is the risk to their 
systems. Obviously, in an agency like NASA, you are going to 
give a different kind of security to the public website than 
you would, for example, to protecting the astronauts on the 
space shuttle. So you have to make these risk/benefits and that 
requirement is a key element of this act.
    But there is a complication to agencies making investments 
in IT security. I think if you look at the Y2K issue, the 
problem of the change of the year for the computers, once it 
was a success, headlines were, this was maybe a hype and we 
spent too much money. Well, if it was not a success, there 
would have been a different set of headlines. So investment in 
IT security is very difficult for agencies to make, because if 
its security is working, you do not get headlines. But boy, 
when it does not work, you get headlines. I think recent events 
about the hackers attacking different systems, it makes 
headlines. But agencies do not see the visibility of IT 
security until it fails.
    I would draw your attention to the success of the Y2K 
coordinated efforts. I think it provides a model that is 
reflected in your bill about how to approach IT security. It 
was at the highest level supported and everybody plugged in. 
You had the President, OMB, agency heads, the CIOs, GAO, and 
the IGs, as well as the Congress in its exercise of oversight, 
and the focus worked. We entered the new millennium with 
minimal Y2K problems.
    This act asks many of the same players to have the same 
sustained focus, and that is key, a sustained focus. It was 
easy for Y2K, because it started rolling around and everybody 
started really focusing on it. But computer security is an 
ongoing effort, and I think it will be very helpful for this 
Committee and other committees with oversight to keep that 
sustained focus.
    We (NASA OIG) support the placement of the focus of OMB, 
the Deputy Director, having oversight. I think it gives a high 
level attention. Also the Deputy Director has a unique vantage 
point. The Deputy Director serves as the chair for the IG 
councils, the CFO, the chief financial officer councils, the 
CIO councils, and also the president management councils (That 
is the very senior level executives that head up the agencies). 
And so you have a person at a high level that is able to 
coordinate all these different councils for a government-wide 
focus and I think that was a good selection.
    You also make the heads of agencies to be accountable. 
Heads of agencies occupy bully pulpits. They are able to set 
the priorities of their agencies. Use the Y2K example. I can 
remember Dan Goldin saying, ``I am being held accountable and 
we are not going to fail.'' He had the bully pulpit and 
everybody heard. So this is enlisting again the heads of 
agencies, and you need to hold the agency heads accountable 
because they can change a culture of ``I do not care,'' or ``we 
are just scientists,'' or ``we just want information, how does 
it impact me?'' So that is a very important feature.
    In terms of the CIOs, we had a discussion with the IG 
working groups. Many in the working groups view these CIOs as 
not having resources, not having staff, not having budget. Some 
even characterize their CIOs as paper tigers. So this act gives 
a lot of responsibility to the CIOs and it is going to be 
important for OMB and for this Committee and other committees 
to make sure that those CIOs have the authority and the 
resources to do what this act is expecting.
    I would use the example of NASA. We have repeatedly made 
criticisms of the way that NASA establishes the CIO. He is 
doing the best he can, but he has no budget, or little budget, 
he has almost no staff, and NASA has decentralized the CIOs at 
each of the centers, and there are ten NASA centers. They (the 
center CIOs) do not report to him. He does not control their 
budget. He does not do their evaluation. The centers can give 
the CIOs collateral duties or they can decide what grade level 
the CIO should be: an SES, a 15, or a 14. If they do not agree, 
who do they report to? They report to the centers, not to the 
CIO, the head CIO. That decentralization and fragmentation 
impedes IT security.
    To further compound that problem at NASA they have 
bifurcated, not bifurcated, they have given each of the centers 
various tasks. In Glenn in Ohio, the Glenn Center does 
training. In Ames in California, that is the center of 
excellence for IT security. You go to Marshall and that is the 
center for the firewalls, and on and on. Each center is a 
little center of excellence and none of those people report to 
the CIO. He does speak with them. They do collaborate. They do 
have telecons. But is it any wonder that it takes a long time 
for NASA to get any policies and procedures?
    We have had reports pointing out instances where this 
decentralization and fragmentation, that whole kind of 
structure in and of itself weakens IT security, and we have 
more to say on that in my testimony, the written testimony.
    I want to get to the part of the act that has to do with 
the Inspector Generals. In terms of the OIG working group, we 
did have a problem with the act narrowly defining the 
independent external auditor. Under the act, if the IGs do not 
do the work, an external auditor can be hired, but we thought 
that that implies a financial orientation and it should be any 
qualified external entity, and that is just a wording change.
    But one of the things that the OIG working group commented 
on was they welcomed the act's tasking. They think you cannot 
be doing the high-risk work that agencies are facing without 
doing the review work, but the IGs will have to recruit, train, 
and retain a good cadre of professionals. That is going to 
require the support of the agencies and OMB and the Congress in 
supporting their budgets.
    In my written testimony, I went through how for the past 4 
years I have been recruiting a cadre of people in the audit 
arena and in the criminal investigative arena, as well as my 
inspectors, and that has taken time and these are a high-paid, 
qualified group. They are worth it. They are definitely worth 
it. But it does take time and it does take money and this group 
(Congress) has got to be supporting the budget that goes with 
    The last detail that I want to address is the section that 
talks about law enforcement authorities. The act requires that 
security incidents be reported to law enforcement officials, 
but it does not define that term. Where an OIG has a computer 
crimes division, then the agency system administrators need to 
report security incidents to and work closely with the IG 
special agents so that the agency ends up preserving evidence, 
maintaining chain of custody, and that you have the documents 
that you need and the materials that you need so that you can 
have a court case.
    The Department of Justice has made clear in writings and in 
its actions that it is not just the FBI that does the criminal 
investigations on computer intrusions, and in my written 
testimony, I have a letter, referred to a letter by Scott 
Charney, who was then the former head of the Department of 
Justice Computer Crimes and Intellectual Property Division, 
where he talks about other agencies that do and have the 
authority for computer crimes--Secret Service, Air Force audit 
and their investigative service, as well as NASA's Inspector 
General. But I think that is very important for this oversight 
Committee to understand that.
    Obviously, the Presidential Directive, PDD-63, established 
the NIPC, the National Infrastructure Protection Center, so 
that you can have the critical infrastructure reviews and 
investigations done by the FBI. But there are thousands of 
intrusions each year and every intrusion is not against the 
critical infrastructure. Indeed, at NASA, space does not even 
make the critical infrastructure. It is very important, then, 
that NASA have a good Inspector General's computer crimes unit, 
to have a group that has a focus on NASA as the victim.
    It is important that this Congress support the efforts of 
Inspector Generals to have a computer crimes unit. It takes 
training. It takes training people. You have to have a very 
qualified cadre of people. But if you recall, the Inspector 
General Act was to have the synergism of audits and 
investigations so that if you are doing an investigation and 
you see internal control problems, you also tell your auditor 
so that they can do a system-wide look-see. That synergism is 
very important and it is very important that the Inspector 
General communities have computer crimes units so that the IGs 
can make sure that they protect the victim agencies.
    In sum, I think you have the framework for a very good act. 
It has an oversight capacity, which I think is very important, 
and it also enlists the players that need to be there--OMB, 
heads of agencies, and CIOs. Thank you very much.
    Chairman Thompson. Thank you very much. You were invited to 
come because of the innovative approaches that you have at 
NASA, and you remind us how important the IGs are in this whole 
process, so thank you very much for what you are doing and your 
helpful testimony.
    Mr. Brock, let me address a few questions to you. The thing 
that jumps out at me first when I start to look at this, in 
February 1997, the GAO had a series of reports to Congress and 
things were so bad that this security problem was put on the 
high-risk list at that time. Late in that same year, 1997, the 
CIO Council, which is, of course, under the OMB, delineated it 
as a top priority. On March 31, 1998, the GAO filed another 
report on the consolidated financial statements and that report 
pointed out widespread deficiencies in terms of information 
security. Then again in September 1998, of course, we have this 
report entitled, ``Serious Weaknesses Place Critical Federal 
Operations and Assets at Risk.'' I do not know how much more 
pointed you could be than that.
    It is really outrageous that the Federal Government in an 
area of this sensitivity cannot do more faster. Since at least 
1997, it has been 3 years since we have known--at least--since 
we have known about the seriousness of this problem. We get 
report after report after report. If I were you guys, I would 
wonder why you are even in business and whether or not we pay 
any attention to you or not. This last report still points out 
serious deficiencies, still do not have any management in the 
system, and we are still extremely vulnerable, and it makes you 
wonder what in the world it takes to get anybody's attention.
    I look back at the current law and wonder, what are we 
doing to help the process? Are we overlaying an already complex 
process? I see we have given OMB responsibilities before. We 
have given agencies responsibilities before. Are we just 
telling them again to do it and we really mean it this time, or 
what are we really doing? I am playing devil's advocate with 
our own bill here, I guess, but are we really doing something 
here that is different from all of these other acts, the 
Computer Security Act, the Clinger-Cohen Act, Paperwork 
Reduction Act, on and on and on, the Privacy Act. I mean, you 
have a dozen pieces of legislation that in some way deal with 
this overall problem, so our solution is another piece of 
legislation. I am very skeptical, generally, of that problem.
    Now, I do not want to waste my time or yours on this unless 
we are really doing something that, for the first time, can 
have some accountability. Until people are held accountable, 
until somebody is fired or somebody loses some money or 
somebody is embarrassed more than we have been able to so far, 
nothing is going to change. It looks to me like we have a 
chance here maybe of having some accountability. With the 
Results Act and everything, everybody is talking about 
measurements and measuring results and accountability from 
those results. I do not know whether we mean it or not yet, but 
we are all talking about it now, and now we are bringing it to 
this problem, measurable outputs and things like that.
    First of all, is my assessment off base? If not, why has it 
taken so long to do anything and are we, in our bill, really 
doing anything that has a decent chance of making a difference?
    Mr. Brock. First, Mr. Chairman, as chairman of our 
oversight committee, I hope you were not really serious about 
wondering why we are in business. [Laughter.]
    Chairman Thompson. Well, I would have to ask the same thing 
about ourselves, would I not?
    Mr. Brock. I agree with your basic premise. It is a shame 
that you have to have a bill to mandate good management. I 
mean, clearly, it is not a crime now to have good management in 
agencies that said, we are going to do things the right way. 
But clearly, the reports that we have done for your Committee 
over the past few years have indicated agencies are not doing 
the things the right way, that something is broken, and that 
attention needs to be paid to this.
    I think the features you have in the bill, that many of 
these features are the kinds of things that are designed to 
pick things up by the nape of the neck and shake and grab 
attention. The independent assessments every year are a 
mechanism where you can identify weaknesses, where you can 
identify where accountability should lie and where it has not 
been exercised and where it gives the administration, as well 
as the Congress, an opportunity to take corrective action, and 
that is the next step. Pointing out the weaknesses, pointing 
out the management deficiencies is one thing, and then taking 
the next step to exercise that accountability is something that 
would still remain to be done.
    Chairman Thompson. I take it that you feel that we need to 
be more specific in establishing standards.
    Mr. Brock. Yes, sir.
    Chairman Thompson. Than the bill as currently drafted?
    Mr. Brock. Yes.
    Chairman Thompson. And we need to delineate what with 
regard to risk levels, a requirement that they be considered or 
we tell them how to consider it, or how specific should we get 
on the mandatory requirements in determining risk level and 
also how specific in the mandatory minimum requirements, I 
guess you might say, in addressing those levels? Obviously, we 
cannot deal with all that here today, but----
    Mr. Brock. Your bill starts off in the right direction on 
that by requiring agencies to do a risk-based assessment. But 
once they do the assessment, they need to be able to categorize 
that. We have this level of risk, or we have this risk level. 
What category should that be in? How risky is it?
    Chairman Thompson. That is really kind of management 101, 
is it not?
    Mr. Brock. Basically.
    Chairman Thompson. I guess they do need to be told to do 
    Mr. Brock. Basically, but if you had it consistent across 
the agencies, it would be much easier to have guidance that 
could be more easily developed and more easily taught and 
trained. But then the next step, if you are at a certain risk 
level, what are the minimum things you should do in terms of 
authentication, in terms of encryption, or in terms of 
independent testing to make sure that you are meeting those 
levels of control?
    Chairman Thompson. So it would be a mistake to let each 
individual agency determine what it needed to do to address 
these because they have not shown any indication that they have 
the capability or the motivation to do that, is that correct?
    Mr. Brock. Yes. I think it is----
    Chairman Thompson. You said it would be much easier to have 
minimum good standards that would apply to any agency.
    Mr. Brock. Right. I think it is appropriate for each agency 
to determine its risk that it faces, but then if you had the 
common standards. I think just the very process of developing 
those common standards would really create a rich dialogue and 
go a long ways towards improving a shared understanding among 
agencies about what some of the good features of computer 
security should be.
    Chairman Thompson. And third, you mentioned some stronger 
central guidance. Obviously, OMB has not been doing its job. 
They have responsibility here. Now their major objection to 
your report, I understand, was that you are focusing too much 
on our responsibility at OMB and they either do not think they 
have that or want it. They are pointing to the agencies, and 
the agencies, I am sure, are pointing to somebody else. So here 
we go with OMB again, which causes some people to say we need a 
new information security czar, because maybe OMB inherently, if 
the allocation of their resources and what is going on over 
there, maybe they are not the right ones to be bird-dogging 
this. They sure have not done a good job of it so far.
    What are we doing that is going to improve that situation? 
I understand that we cannot even tell where the money that we 
appropriate is supposed to go for, maybe it is not line item, 
but it is supposed to go for security enhancement. You cannot 
even find it. We do not know how it is being spent, in terms of 
information security, is that true?
    Mr. Brock. That is correct. We have trouble determining how 
much money is spent within each agency on computer security. I 
think Ms. Gross in her statement, when she talked about the 
similarities between the Y2K problem and how top managers 
within each agency felt accountable, and I think one of the 
reasons they felt accountable was really the strong role that 
the central manager, in this case, Mr. Koskinen, made in making 
sure they understood they were being held accountable.
    We do not have that situation on computer security. I think 
it should be closely examined as to whether there should be a 
computer security czar, though, and separate that from a CIO 
that would have responsibilities for other aspects for 
information management. We have rarely gone to a good 
organization that had good computer security, and we found out 
when we go there that they also have other good information 
management practices. It is part and parcel. We have never gone 
to a place that had poor information management, where they had 
poor lifecycle management, poor systems development efforts, 
poor software acquisition processes and had good computer 
security. It all runs together.
    Therefore, I would be reluctant to suggest that you 
separate computer security from the other aspects of 
information management. Next year, the OIRA reauthorization 
will be coming up and you will have an opportunity at that 
time, as well, to examine the Paperwork Reduction Act, the 
Clinger-Cohen Act, as well, and I think these are good 
questions to also bring up at that time.
    Chairman Thompson. We are looking forward to that, but we 
are not vesting responsibility there in this bill. We are 
bringing it to a little higher level than that, but thank you 
very much.
    Senator Lieberman.
    Senator Lieberman. Thanks, Mr. Chairman. Thanks to both of 
you. I think your testimony, both written and here today, has 
been really very direct and very helpful and you are both 
obviously quite knowledgeable. The Chairman has covered some of 
the areas I had an interest in, so I will be fairly brief.
    I take it that you agree not only with what Mr. Mitnick 
said, but what I have learned generally in my reading here, 
that a lot of the problems of computer security are cultural, 
which is to say human, correct?
    Mr. Brock. Yes.
    Senator Lieberman. Beyond management, which obviously is 
critical and at the heart of this, let me just ask you to speak 
a little bit more about the question of whether there should be 
consequences if a Federal employee fails to follow proper 
procedures relating to computer security. Or, on the other end, 
whether there ought to be consequences for exemplary behavior 
with regard to computer security.
    Mr. Brock. Yes, I would agree with that. The problem we 
have, though, and some Federal agencies are going to, that 
accountability is always at the technical level. Well, we have 
had a break-in, we have had a failure, it must be the guys in 
the computer room's fault or we would not have had this. And 
for specific weaknesses, that might well be true, but the 
accountability typically does not extend upwards into 
management, where an atmosphere has been created or budget 
resources have not been appropriated or whatever and those 
individuals also need to assume their share of the 
    In the private sector, we found very definite links and 
control mechanisms for measuring accountability, for measuring 
performance against that accountability and holding individuals 
responsible, whether they be system administrators or the 
system process owners.
    Senator Lieberman. How are they held responsible in the 
private sector?
    Mr. Brock. In one good example we have, managers have to 
define the risk. Along with the technical people, they agree 
upon the vulnerabilities and the threats. They then have to 
allocate money and resources to providing an appropriate level 
of protection and they sign off on that. At the end of the 
year, the independent audit comes in and, first of all, 
determines did you, in fact, appropriately determine the risk 
and are you appropriately protecting these to the level you 
agreed upon.
    In some cases, we found good examples where they made a 
business decision not to provide a level of protection, but it 
was a business decision and it was examined and agreed upon by 
the board. And in some cases, I believe that people were fired 
when they failed to meet the terms of their contract.
    Senator Lieberman. Ms. Gross, do you want to add anything 
about individual accountability here?
    Ms. Gross. Yes. I think what you have to do is first 
implement a training program----
    Senator Lieberman. Right.
    Ms. Gross [continuing]. Because this is very much a 
cultural thing. I mean, NASA, you go to, for example, the 
Goddard Space Center and its scientists, its engineers, they 
are collegial. They are talking with universities and they are 
interested in their earth science programs and they do not 
think about security. It is not until, for example, you will 
tell a scientist who is collecting data and working on a 
journal article, if somebody takes your information through the 
computer and publishes that information a year ahead of you or 
6 months ahead of you, do you care? Oh, they all of a sudden--
it comes home that it actually does impact them.
    Senator Lieberman. Sure.
    Ms. Gross. And I think the GAO audit on NASA pointed out 
they did not have a training program. They still do not. They 
are still getting it together and trying to work out what 
should be the appropriate training program, partially because 
they did not have IT security standards, so how can you develop 
your training program. But meanwhile, you have to have systems 
administrators trained. They expect to have it in 2001. You 
cannot wait until 2001. You have got to have systems 
administrators held accountable in some ways.
    So the issue on accountability is a lot more complex than 
just saying, you have got to be accountable and we are going to 
take action. On the other hand, on very simple, no-cost, low-
cost things that the agency can do, they should be held 
accountable. They are supposed to banner their systems, both 
for law enforcement and for downstream liability, it is 
supposed to say, this is a government computer, you are 
accessing a government computer, so the hacker knows he is 
trespassing. He cannot say, oh, I was just surfing. I was 
looking for America On-Line and look what I got, I got NASA.
    So bannering is simple, but it does not happen. In that 
case, if a system administrator is not going to banner the 
computer, we just take away the computer. They cannot do their 
science. That you can hold for simple, no-cost, low-cost, which 
we have identified and we can continue to identify. You can 
hold them accountable because it makes the agency safer right 
    On the other hand for some of the major accountabilities, 
you have to have risk assessments and you also have to then 
make sure that your systems administrators, and that is not 
insignificant numbers, are trained, and let me explain why I am 
saying it is not an insignificant number.
    For example, the Goddard Space Center, they said, how many 
of you think that you are system administrators, in other 
words, you have basically root access and have super controls 
of the computer. Nine hundred people need a basic training and 
an advanced training so that they can be systems 
administrators, and in many of those cases it is a collateral 
duty. They are not security specialists, they are scientists, 
but they have a very powerful computer system that networks 
with other systems, so they need training.
    So I am trying to put it in a context, because you can say, 
OK, we are going to hold people accountable and we should have 
very powerful consequences. I think that, definitely, agencies 
can start immediately, no cost, low cost. There is no reason 
why agencies cannot be bannering their computers. That is 
nothing new.
    Senator Lieberman. Right.
    Ms. Gross. There is no reason why people cannot be using 
passwords that are a little more difficult than the dictionary. 
I mean, the security office gives instructions on how to have 
better passwords. All those things, you can start holding 
people accountable for, and I think what you end up having to 
have is your CIO making a range of things that we expect 
tomorrow or next week, and these are the other things we are 
going to phase in, but it takes attention, and again, you start 
with the bully pulpit of the head of the agency. You (Congress) 
all have the bully pulpit also, and that is important, but the 
agency does, too.
    Senator Lieberman. Right. I think the intention of the 
bill--though it does more than this--is to raise up computer 
security as a priority consideration of Federal agencies and of 
individual Federal employees who have responsibility.
    Let me ask a last question of you, Mr. Brock. I am sure you 
know that the President proposed a Federal Intrusion Detection 
Network, FIDNet, to monitor patterns of intrusions in the 
Federal systems, which is supposed to be housed at GSA's 
Federal Computer Incident Response Capability office.
    Mr. Brock. Yes.
    Senator Lieberman. In your testimony, you mentioned the 
need to improve the government's ability to respond to attacks 
on computer systems. So my question is, just to build a bit on 
whether we need a stronger Central Incident Response Center, 
whether the President's idea and location is the right one.
    Mr. Brock. Well, those all go together.
    Senator Lieberman. Right.
    Mr. Brock. We do believe that incident response is 
important and that intrusion detection is important. A specific 
criticism we had of the President's plan was the fact that it 
focused so much on intrusion detection, you began to get the 
impression that that was the primary means they had of 
improving the government's or the Federal Government's computer 
security program.
    Senator Lieberman. You mean as opposed to all the other 
    Mr. Brock. As opposed to prevention, for example.
    Senator Lieberman. Prevention, right.
    Mr. Brock. One agency that we have gone to at EPA, they did 
a pretty good job of reporting and recording their intrusions. 
They did a very bad job of doing anything to prevent those 
intrusions or in analyzing those intrusions in order to take 
corrective action.
    So intrusion detection is important. It is important to 
share that information with other agencies so that you can 
learn from it. So to that point, we strongly support sharing 
the information. We would strongly support some sort of 
incident response capability so that you could take action, but 
it needs to be part and parcel of an entire program and should 
not be the primary or the only focus of such a program.
    Senator Lieberman. Thanks very much. Thank you both. That 
was very helpful.
    Chairman Thompson. Thank you very much. We could spend a 
lot of time with the both of you. You have been very helpful 
today and we will continue to work together on this. We 
appreciate your contribution to this and your fine work.
    Mr. Brock. Thank you.
    Ms. Gross. Before I go, I would like to just incorporate 
into the record my full written testimony.
    Chairman Thompson. Absolutely. All statements will be made 
a part of the record.
    Ms. Gross. And both Senators, I would like to leave for you 
all, we have done a ``Clearing Information From Your Computer's 
Hard Drive'' pamphlet. Mr. Mitnick was saying how easy it is at 
the lowest levels to end up having intrusions. This is when you 
excess your computer and you get a nice new super computer and 
you think you have deleted all your files and what happens is a 
lot of your information that you think is very sensitive is 
going out to schools, to prisons, etc. We have some on the desk 
and I certainly draw this to your attention. Thank you.
    Chairman Thompson. Thank you very much.
    On our third panel, we are fortunate to have Ken Watson, 
Manager of Critical Infrastructure Protection at Cisco Systems, 
Inc., and James Adams, who is the CEO and co-founder of 
iDEFENSE. Both of these gentlemen are known in the industry as 
experts on the issues related to information protection and 
    Gentlemen, thank you very much for being with us here 
today. Mr. Watson, do you have an opening statement to make?


    Mr. Watson. Thank you, Chairman Thompson, Ranking Member 
Lieberman, and distinguished Members who are here. I appreciate 
the opportunity to speak to you about network security best 
    \1\ The prepared statement of Mr. Watson appears in the Appendix on 
page 83.
    The last 8 years of my 23 years in the Marine Corps I spent 
helping to draft policy and doctrine for information warfare 
and taking joint teams and conducting information operations to 
integrate those into other military operations. When I retired, 
I went to work for WheelGroup Corporation, where I managed our 
security consulting team. We would do legal contracted security 
posture assessments in corporate networks and provide them 
reports of their vulnerabilities. When Cisco acquired 
WheelGroup, I transitioned to critical infrastructure 
protection and that is my role now at Cisco.
    That team just recently conducted a 6-month study of 
vulnerabilities in corporate networks and I have put together 
the top three to five vulnerabilities that were discovered in 
every area as the last two pages of my written testimony and it 
is just a table of what are the vulnerabilities and how do you 
fix them. It is important to note that the way this team works, 
it does not use anything like social engineering or other 
things that might cross the bounds into becoming illegal 
activities. They concentrate on working at the keyboard only 
and finding technical vulnerabilities and that is it.
    It is kind of interesting that they are continually 
successful in penetrating external defenses about 75 percent of 
the time, but once inside, they are about 100 percent 
successful in gaining unauthorized access between machines 
inside a network, and that would be true for government or 
private sector networks.
    Cisco systems is serious about network security and about 
its implications for critical infrastructures on which this and 
other developed nations depend. Few can argue that the Internet 
is changing every aspect of our lives. Internet economy is 
creating a level playing field for companies, countries, and 
individuals around the world. In the 21st Century, the big will 
no longer outperform the small. Rather, the fast will beat the 
    So how do you decide on a best practices solution? I would 
like to offer a simple way to organize network security 
technologies and practices and talk a little bit about what 
Cisco has seen in customer networks. Our model is not 
reinventing the wheel, but it is what we call the security 
wheel and it talks to five general areas where you can group 
technologies and practices and it is a management model.
    Good security must be based on policy. Employees must know 
what they can and cannot do with company systems or government 
systems and that they will be held accountable by whoever is 
the boss, the CIO or whoever is accountable, and those people 
should be accountable, also.
    The policy must also be risk-based, so I am in concurrence 
with a lot of what you have already heard today.
    After setting appropriate policies, a company or 
organization must methodically consider security as a part, an 
integrated part of normal network operations. This could be as 
simple as configuring routers to not accept unauthorized 
addresses or services, or as complex as installing firewalls, 
intrusion detection systems, authentication, and encrypted 
virtual private networks.
    A basic tenet of military combat engineers is that an 
unobserved obstacle will eventually be breached, and that is 
also true for networks. Hackers will eventually figure a way 
around or through static defenses. The number and frequency of 
computer attacks is constantly on the rise. There are no 
vacation periods. As such a critical part of the security wheel 
is to monitor the network, intrusion detection and other 
monitoring devices, so that you have 24 by 7 visibility into 
what is going on inside and outside the network.
    The next stop is testing the network. Organizations that 
scan their networks regularly, updating electronic network 
maps, determining what hosts and services are running, and 
cataloging vulnerabilities, and they should also bring in 
experts for independent network security posture audits once or 
twice a year to provide a more thorough assessment of 
    It is just like cleaning your teeth. We brush our teeth 
every day. Those are like your internal own network scans. And 
you go to the dentist once or twice a year and get an 
independent outside observation. It may be painful, but you get 
a lot of good out of it in the long run.
    Finally, there needs to be a feedback loop in every best 
practice. System administrators must be empowered to make 
improvements. Senior management has to be held accountable for 
network security. Those involved in day-to-day operations must 
have their attention.
    If you were to ask me, what is the most important step to 
do right now, I would give you two answers, one for the short-
term and one for the long-term. In the short-term, the best 
thing I think any company or organization can do is to conduct 
a security posture assessment along with a risk assessment to 
establish a baseline. Without measuring where you are, you 
cannot possibly figure out where you need to go.
    For the long term, the best thing we can do together is to 
close the alarming skills gap. The requirement for highly 
skilled security specialists is increasing faster than all the 
training programs combined can produce qualified candidates. 
Universities are having difficulty attracting both professors 
and students. The government is also having a hard time 
retaining skilled security professionals. We in the private 
sector are building and maintaining state-of-the-art security 
training programs and we are collaborating with education 
institutions and training partners to provide a wide base for 
    We are also helping the Office of Personnel Management to 
identify knowledge skills, abilities, and ongoing training 
requirements and career management and mentoring ideas for a 
Federal IT security workforce. This human resources issue is by 
far the most critical information security problem we face in 
the long term and the solution must be based on government, 
industry, and academic collaboration.
    Corporate network perimeters are blurring. That is also 
true for the lines between government and industry. The 
Internet knows no boundaries and we are all in this together. 
We are very enthusiastic about the new Partnership for Critical 
Infrastructure Security, a voluntary organization of some 120 
companies from across the country dedicated to improving the 
network security of our critical infrastructures.
    As we further build the relationship between the public and 
private sectors, we hope the great spirit of cooperation 
currently led by the Department of Commerce and the Critical 
Infrastructure Assurance Office will continue.
    We believe that confidence in e-commerce is increasing. 
Thirty-eight new web pages are being added to the World Wide 
Web every second. Our job, all of us, all of our job, is to 
raise the bar of security overall, worldwide, so that we can 
empower our citizens and customers to take full advantage of 
the Internet economy in the Internet century.
    Thank you very much. I will be glad to answer any 
    Chairman Thompson. Thank you very much. Mr. Adams.


    Mr. Adams. Chairman Thompson, Ranking Member Lieberman, 
thank you very much for including me on this distinguished 
    \1\ The prepared statement of Mr. Adams appears in the Appendix on 
page 88.
    By way of brief background, my company, iDEFENSE, provides 
intelligence-driven products--daily reports, consulting, and 
certification--that allow clients to mitigate or avoid computer 
network information and Internet asset attacks before they 
occur. As an example, iDEFENSE began warning its clients about 
the possibility of distributed denial of service attacks, the 
kind of hacker activity that is capturing headlines currently 
around the world, back in October and November of last year.
    At the outset, I would like to commend you and your staff 
for crafting such thoughtful and badly needed legislation in 
the area of computer security for the Federal Government. We 
are currently in the midst of a revolution, the information 
revolution, which calls for dramatic and bold steps in the area 
of securing cyberspace. It is in this context that your bill 
takes a crucial step forward by shaking out the current culture 
of lethargy and inertia gripping the Federal Government. With a 
proposal to put teeth into the OMB's oversight of computer 
security issues, this bill is a solid step in the right 
    Why does this matter? Few revolutions are accomplished 
without bloodshed. Already, as we plunge headlong and terribly 
ill-prepared into the knowledge age, we are beginning to 
receive the initial casualty reports from the front line of the 
technology revolution and to witness firsthand the cyber 
threats that, if allowed to fully mature, could cause 
horrendous damage.
    The recent denial of service attacks were mere pinpricks on 
the body of e-commerce. Consider instead that some 30 countries 
have aggressive offensive information warfare programs and all 
of them have America firmly in their sights. Consider, too, 
that if you buy a piece of hardware or software from several 
countries, among them some of our allies, there is real concern 
that you will be buying doctored equipment that will siphon 
copies of all material that passes across that hardware or 
software back to the country of manufacture.
    The hacker today is not just the stereotypical computer 
geek with a grudge against the world. The hacker today is much 
more likely to be in the employ of a government or big business 
or organized crime, and the hackers of tomorrow will be all of 
that and the disenfranchised of the 21st Century who will 
resort to the virtual space to commit acts of terrorism far 
more effective than anything we have seen in the 20th Century.
    The government, in all its stateliness, continues to move 
forward as if the revolution is not happening. Seven months 
ago, my company won a major contract with a government agency 
to deliver urgently needed intelligence. The money was 
allocated, the paperwork done. Yet, it remains mired in the 
bureaucratic hell from which apparently it cannot be 
extricated. [Laughter.]
    Another government agency is trying to revolutionize its 
procurement processes to keep up with the pace of the 
revolution. They are proudly talking about reducing procurement 
times down to under 2 years. In other words, by the time new 
equipment is in place, the revolution has already moved on 8 
Internet years. In my company, if I cannot have a revolutionary 
new system in place within 90 days, I do not want it.
    The Thompson-Lieberman legislation is a good first step to 
try and control and drive the process that will bring the 
government up to speed with this revolution. I believe, 
however, that to effectively cope with the technology 
revolution, this proposal must be strengthened. What is needed 
is an outside entity with real power to implement drastic 
change in the way government approaches technology and the 
underlying security of its systems. Currently, jurisdictional 
wrangling, procurement problems, and a slew of other issues are 
seriously hampering the government's ability to stay current.
    The Thompson-Lieberman bill provides a framework to begin 
sorting through this mess. However, what is needed most is a 
person or an entity that will draw on skill sets in many areas 
that will overlap that of the CIOs, CFOs, CSO, and most of the 
other officers or entities that currently exist. Let us give 
this person the title of Chief of Business Assurance, or 
perhaps the Office of Business Assurance, to relate it directly 
to the Federal Government.
    The OBA's task would be to continuously gather and 
synthesize infrastructure-related trends and events, to 
intelligently evaluate the technological context within which 
the organization operates, to identify and assess potential 
threats, and then to suggest defensive action, or viewed from 
the positive side, to assess the technological revolution's 
opportunities and propose effective offensive strategies. The 
OBA must be a totally independent organization with real teeth 
and real power.
    There is much in common between government and industry 
when it comes to the challenges and the opportunities that the 
technology revolution poses. Both sectors face a common threat. 
Both factors share common goals for the well-being of America 
and her people. Both employ technologies that are, in essence, 
identical, and both must work together to protect each other.
    I leave you with this thought. In the near term, you will 
see total transformations of the way business and government is 
conducted, internally and externally. A failure to change to 
meet these new challenges is to risk the destruction that all 
revolutions bring in their wake. Proactive action is the route 
to survival.
    We have heard a great deal in recent months about the 
potential of a digital divide developing between the computer 
haves and the computer have-nots. I believe there is another 
digital divide that is growing between the American Government 
and its citizens. If this Committee's efforts do not move 
forward in changing this culture of inertia, there is real 
danger that the digital divide that exists between government 
and the private sector will only widen. We cannot afford a 
situation where the governed feel that their government is out 
of touch and increasingly irrelevant to their lives. By 
stepping up to the plate and tackling computer security with an 
innovative, bold approach, the Thompson-Lieberman bill 
significantly boosts the chances of reversing the current 
bureaucratic approach to a very dynamic problem.
    Thank you again for the honor of appearing before you.
    Chairman Thompson. Thank you, Mr. Adams. Very well said.
    You heard me mention, I am sure, a while ago about all of 
the reports and assessments and so forth over the last 2 or 3 
years pointing this out. Now, in addition to all of that, we 
have the President's first version of the National Plan for 
Information Systems Protection. The plan discusses the need to 
make the government a model for cyber protection.
    As I look at it, I see few concrete proposals as to how to 
do that. As you know, I am mindful of these overlays and these 
impressions that we try to leave sometimes that we are doing 
something when we are really not. Where does this plan fit into 
the solution to what we are talking about here today?
    Mr. Adams. Well, I would just say a couple things about 
that. First, the plan was 7 months late. It is not a plan, it 
is an invitation to dialogue, a very different thing. If you 
asked those who were involved in the formulation of the plan, 
they will tell you that it was a ``business as usual, 
government at work'' nightmare. Every meeting, 100 people would 
turn up. They would talk about not what was good for the Nation 
but what was good for their existing equities.
    The result was a bureaucratic compromise, which is the 
document that you see, that raises some interesting points. But 
a plan will actually emerge, I would guess, a year from now, 
longer. Meanwhile, we all march on. It requires, I think, more 
than that, and where the action will have to come from and the 
leadership will come from is exactly right here. It is not 
going to come from the Federal Government as we know it, 
because it is a revolution and governments do not become 
revolutionaries. They naturally evolve, which is a great 
strength in a democracy. But in the middle of a revolution, it 
is actually a threat and a challenge to us that we need to step 
up to try and meet.
    Chairman Thompson. So we are trying to do something very 
tough but very necessary, is what you are saying.
    Mr. Adams. Absolutely, and the great thing, I think, that 
you are doing is saying, yes, this needs to be done. The very 
difficult thing for you, as you were rightly articulating 
earlier, is how to force what needs to be done to actually 
occur, because you say to the OMB, an inert bureaucracy in its 
own right, you have to force other organizations to change. 
True, but how exactly, and typically, it does not work like 
    If you look at what the CIA is doing to try and embrace the 
revolution, they formed an outside organization, INCUTEL, that 
is driving technology revolution into the organization and 
pushing change from without to within, and to expect or ask 
organizations that are comfortable with business as usual to 
say, no, no, no, revolutionize, they will not do it. Imposition 
of change is the only way it will occur, and it will be 
resisted, but the consequence of not doing it can be very, very 
serious, and you can already see how relevant does anybody in 
Silicon Valley think the government is--not at all.
    Mr. Watson. If I might add a comment----
    Chairman Thompson. Yes, go ahead.
    Mr. Watson. Mr. Chairman, the plan is not a complete plan 
yet, but at least----
    Chairman Thompson. We are relevant in terms of the harm we 
can do them and how we can mess things up. From a positive 
standpoint, it is a very good question. Excuse me. Go ahead.
    Mr. Watson. But at least there was enough foresight in the 
Critical Infrastructure Assurance Office to at least get a plan 
started, and it is an invitation to a dialogue. They have asked 
industry to help complete this plan, add our perspective, bring 
in a physical dimension, look at the international aspects that 
are not in the current plan. I look forward to working with the 
Partnership, the big ``P'' Partnership that we just launched, 
to help make that come to pass.
    Chairman Thompson. It has taken 3 years since this all has 
been on the high-risk list, and now, when we cannot even take a 
baby step, we are talking about flying an airplane, and 
international and all these other high-sounding things which 
may eventually come about when China becomes a full democracy.
    Let me explore, you obviously feel like we have to have 
some kind of an outside entity. You refer to the OBA. Where 
does this individual fit into the process? What kind of entity 
are you talking about? Who is this person? How is this person 
selected? Who are they accountable to? I take it it is not 
within OMB, is what you have got in mind. Have you thought that 
through to that extent?
    Mr. Adams. I think OMB has got a long and traditional role 
in oversight and it does that job and has done so for a long 
time. It would be possible to have something sitting outside of 
OMB but working within the Federal Government structure but 
with a rather different mandate.
    If you look at the way industry sets up revolutionary 
change, it does so by--Steve Jobs and Apple is a good example. 
Put them in a different building, you set them outside the 
culture, you put a pirate flag on the roof, they develop their 
own language and culture and they come up with new and creative 
    What we see at the moment is the traditional organization 
says we will go to the traditional places, the traditional 
consulting companies. They are use to forming committees, 
punching button A, producing a report in 6 months. Everybody 
thinks about it and does not do anything. Meanwhile, the people 
who really are making this revolution occur are the very 
different organizations that are the dot-com companies, and 
there needs to be some mechanism for allowing them to have 
input into change.
    So I would envisage something where you, Congress, would 
mandate and budget a group that would have the ability and the 
authority to impose change. Now, there is a thought, to impose, 
and if you do not do it, you will be held accountable in a 
culture, remember, where many of the things that government has 
traditionally thought of as its own self.
    To take Cisco, for example, they have 26,000 employees. 
They have three people in the whole organization doing expense 
accounting. Now, in the government, you have hundreds and 
thousands or however many people doing the process that can be 
outsourced. So we need to think about this and how can we make 
government efficient, relevant, fast moving, changing, dynamic, 
and I do not believe that it can be done imposing internal 
    Processes and all of those things need to come from 
outside--technology, people, and processes. They will not be 
able to meet the technology because they cannot procure it fast 
enough. They cannot hire the people because they cannot afford 
them. We cannot, and we are paying much more money. And you 
will not have the processes because you need to impose them in 
a constantly dynamic way. So those three things will have to 
come from outside, and the only place that can mandate it, I 
think, is Congress, which will enforce it, enforce a different 
structure, a different way of thinking.
    Chairman Thompson. Thank you. Senator Lieberman.
    Senator Lieberman. Thanks. Again, thanks to both of you. I 
think, Mr. Chairman, we have had really excellent witnesses 
    Mr. Mitnick earlier made the allegation that part of the 
problem here, though, as you know, he focused on the human 
management problem, is that there is such competition, 
particularly among software manufacturers, to get the product 
out to the market quickly that they are not spending sufficient 
time to deal with potential security flaws in that software. In 
fact, you have actually gone one step to the other side, really 
stunningly, or to me, fascinatingly, in saying that some 
foreign manufacturers may, in fact, be putting, I do not know 
whether you would call it a virus or something in the system 
that allows it to divert information back to them to be more 
easily hacked.
    Let me ask you to go at both parts of that. First, whether 
Mitnick has a point that manufacturers are not spending 
sufficient time dealing with systems to stop security problems 
before they put their products on the market.
    Mr. Adams. Well, we clearly know that that is correct. The 
rush to market, speed is of the essence. You clearly do not 
waste time. They are able to get away with that partly because 
we are all rushing forward with the revolution and absorbing it 
as fast as we can, and partly because there is not any 
training, there is not any process, and people are not security 
    If there was, as Jack Brock was talking about earlier, a 
minimum benchmark above which you have to be, then there would 
become a market-driven demand. I am not going to buy this 
software because it just simply does not meet my minimum 
standard, but I will buy this because it does. So there will be 
a market-driven enforcer that would say, if you do not raise 
your standards to become more security aware, you are out of 
    Senator Lieberman. Yes. In other words, people who are 
doing it may advertise that as an attribute, for instance----
    Mr. Adams. Absolutely.
    Senator Lieberman [continuing]. Market it, and then, 
hopefully, you drive the market.
    Mr. Adams. My security is better than his security, so----
    Senator Lieberman. So you should buy mine.
    Mr. Adams. Exactly right.
    Senator Lieberman. Do you want to respond, Mr. Watson?
    Mr. Watson. Yes, sir. We do see market pressure to provide 
more secure products and that is why we do provide a whole 
range of them and everyone else is getting into that game, too.
    Senator Lieberman. Right. So that is happening now?
    Mr. Watson. It is happening. No. 1, demand from the market 
is speeding quality of service. No. 2 is security, and that may 
switch. We do not know. There is a great enabler that security 
brings to freedom of use of the Internet economy.
    Senator Lieberman. Say a little more about this other part 
of it, the other side, that some foreign manufacturers are 
putting in gaps, vulnerabilities in the system that they can 
then penetrate. Is that being done by them for private gain or 
is it being done by their governments or what is happening?
    Mr. Adams. If you look at the way, to take just 2, China 
and France, see the opportunity of the virtual space, they see 
this as no different from the terrestrial environment and there 
is a blurring, unlike in the United States, between the public 
and private sector. So what the Nation does, it does on behalf 
of the private sector.
    It was striking when I was in Moscow a couple of years ago 
talking to their intelligence people and their sort of security 
folks in the prime minister's office. They were obsessed by 
what they felt were American attacks in the virtual space. So 
any equipment they bought from overseas, computer software, 
hardware, they felt had bugs of one kind or another planted in 
    Senator Lieberman. That U.S. manufacturers had put in it?
    Mr. Adams. Yes. Now, I have no idea whether that is true or 
not. What we do know is that other countries are very 
aggressively, indeed, contacting the United States, both with 
their impregnated devices of one kind or another and attacking 
through the virtual space. The challenge that we have is that 
we still see the front line as a Nation as soldier/sailor/
airman/marine, our border. The front line actually is the 
private sector, because as you were rightly saying earlier, who 
is going to attack a soldier? You are actually going to attack 
the power grid or the telecom or you are going to steal the 
national intellectual property, and how easy it is because we 
do not actually understand the threat.
    The awareness among CEOs or CIOs in the private sector and, 
indeed, in the public sector, is lamentable, and yet the threat 
and the way the America's technological advantage, and the fact 
that we are the most wired Nation in the world, is being 
exploited on a daily basis is a national outrage, and yet here 
we are.
    Senator Lieberman. Is there any way for a purchaser of a 
software system with a bug in it to determine that there is a 
bug in it as they use it?
    Mr. Adams. You can, but it is very difficult. It is 
rather--I would say that there needs to be some way of a 
dialogue taking place between the traditional defenders of the 
nation-state, the intelligence community, the early warning 
    Senator Lieberman. Right.
    Mr. Adams [continuing]. And those that are in the front 
line and need to be defended. There is intelligence. There is 
information. There are things that you can do, but the degree 
of sharing of that knowledge is very, very limited indeed 
    Senator Lieberman. One of the things that strikes me, and 
you referred to it in a way, is that not only would a hostile 
power or group think about striking at purely private systems, 
but governmental systems and military systems even use private 
communication lines to convey information so that there is 
vulnerability in different ways. So what you just said is very 
important: There is more electronic interdependence of public 
sector and private sector than we generally acknowledge, and, 
therefore, a true solution to this security problem really has 
to be joint.
    Mr. Adams. That is right, and if you think about how we 
traditionally see the nation-state, we see it as the government 
and the private sector goes on and does its thing and helps the 
nation-state when war breaks out. In the virtual space, war is 
going to be a constant. It is no different, if you like, to the 
way we were with terrorism in the early 1970s, when Congress 
would have hearings about bombings and assassinations and the 
bombers and assassins could choose the time and place and the 
target. We were very undefended. We did not understand the 
    This is very similar to that, except the targeting has 
changed. The methods have changed. We are moving everything to 
the virtual space and the same actors are out there. It is just 
that we do not yet understand how to manage it, and it will be 
a comprehensive thing. There is no single fix. It is a series 
of things, some of them being done by Cisco with some of the 
excellent things that they make, some of them being done with 
the public-private partnership, some of them being driven by 
leadership that is going to come from people like yourselves.
    Senator Lieberman. Very interesting. As you both know but I 
think a lot of people out there do not know, it was the Federal 
Government, certainly through DARPA and the Defense Department, 
that did some of the initial work that led to the Internet and 
to the whole information revolution. Now, of course, we have 
fallen behind, certainly in this computer security part of it, 
behind the private sector that we in government gave birth to 
or spawned.
    Do you have any ideas for what we might do to help 
government both be a stimulator, an incentivizer of more 
sophisticated computer security technology? Or in a broader 
sense, thinking perhaps idealistically, what government can do 
to be a model itself, which it is not now, for computer 
    Mr. Adams. If I can give you one statistic first, 20 years 
ago, 70 percent of all technology development was funded one 
way or another in America by the American Government. Today, 
that is under 5 percent. So in a single generation, you had an 
absolute transfer of energy, drive, and power from public to 
private. So what that says is that there needs to be--the 
public sector is never going to be a model. It cannot move fast 
enough. It is never going to be a zero-sum game. You are never 
going to get rid of the problem. You are only going to be able 
to effectively manage it.
    So it is how to incorporate the private, how to see that 
the solution is outside and bring it in, rather than thinking 
about it being inside and imposing it out, and it is a very 
different way of thinking and a very radical way of thinking 
for government in its whole, because government in its whole 
tends to think that I am the answer, and in this case, that is 
not it.
    Senator Lieberman. I also serve on the Armed Services 
Committee. While this is not the perfect model and it is the 
minority of what happens, there is a lot more willingness to 
buy off-the-shelf today. In fact, some of our major defense 
systems are being built in a way that allows parts to be pulled 
out and the newest parts from the private sector to be put in 
over time, and maybe that is a model for computer security, as 
    Mr. Watson, do you want to respond?
    Mr. Watson. Yes, sir. First of all, it is true that the 
Internet knows no boundaries. There are no more perimeters, no 
more borders. It is all cyberspace.
    Two things, though. Industry tends to develop things at 
Internet speed and move a lot faster than most governments can 
move. Since industry owns and operates most of the 
infrastructures on which the government, both private 
government and the infrastructures that we run, depend, it is 
our responsibility to do our part to develop solutions and we 
are doing that.
    Also, in our studies, we have discovered that you can spend 
a lot of time studying the threat, but it is a lot more 
profitable to look at vulnerabilities and solve those to raise 
the bar of security. So that is the direction that we are 
taking. We are looking at vulnerabilities and addressing those. 
That is why it is important to do security posture assessments, 
risk assessments, to look at where you are and to know what you 
can fix at zero or little cost, as the NASA IG said.
    Two provisions of the S. 1993 bill, I think, are really 
important. One is that it does include security as an 
integrated part, component, of each agency's business model and 
it emphasizes training as essential. That is a multi-faceted 
problem. Training security specialists is something we need to 
do and training everybody in the awareness problem and how 
users can better exercise security is important.
    Senator Lieberman. Should we be building on the DARPA 
model? Although again, maybe the private sector is zooming so 
far ahead that we do not have to do that. But there are certain 
areas in which, over time, we have found that because of market 
pressures, the private sector may not invest enough in research 
and development and so the government gets involved to do that. 
Is this an area where we ought to be targeting more Federal 
money in R&D and computer security breakthroughs?
    Mr. Watson. Before we will know the answer to that, it is 
important to have some kind of a clearinghouse and finding out 
what industry is doing, what academia is doing, what the 
government could target its money so it is not duplicating 
efforts. And I think the vehicle that we have in place right 
now, it is just a beginning, is the Partnership for Critical 
Infrastructure Security, and maybe the PCIS recommendation for 
the Institute for Information Infrastructure Protection might 
be able to be that clearinghouse.
    Senator Lieberman. Right.
    Mr. Adams. I also think, though, that the way of--you take 
the DARPA model----
    Senator Lieberman. Right.
    Mr. Adams [continuing]. You speak to folks at DARPA now, as 
you, I am sure, know, they focus not so much on inventing the 
new but integrating what is there, a different thing. Private 
industry is moving very, very rapidly. Cisco invests more money 
in thinking about new stuff on securing the Web than the 
government could ever really get together.
    Senator Lieberman. So maybe there is not a need for us to 
do it if the market is driving it.
    Mr. Adams. But maybe there is a different way of doing it. 
I mean, what is there that the Federal Government can do to 
influence the outcome for the Nation? Education is 
fundamentally important. We go home at night, we unlock the 
door. We leave in the morning, we turn on the burglar alarm, we 
look the door, we make sure the windows are shut, and so on. 
Nobody is being trained in these elementary things.
    There is an enormous amount that could be done in education 
in schools, in universities, in funding programs, seed money 
that would ensure the security of the Nation going forward into 
this century rather than looking at, well, we have put in a 
spot of money here, but instead thinking about this in a 
national context. What is the best for the Nation as a whole 
that we, the Federal Government, can facilitate, because the 
private sector is continuing again to drive this revolution. So 
education is extremely important. Awareness is extremely 
important. And this is a major national security issue, so 
there are things that can be done from the Federal down to the 
local level.
    Senator Lieberman. Thank you both. You have been excellent 
witnesses. I appreciate your time.
    Mr. Watson. Thank you.
    Chairman Thompson. Could I ask, just very briefly, how 
would you sell that from a national security standpoint? We 
talk about educating the young people and bridging the gap 
between the rich and the poor and all that, but how would you 
articulate the necessity to do that from a national security 
standpoint? These are kids. They are obviously going to use it 
in the short-term for things other than that. But from a long-
term national benefit, are there not going to be just 
specialists that do that sort of thing? For the masses, it is 
certainly beneficial and maybe necessary, but does it really 
have to do with national security?
    Mr. Adams. I would not posture it quite like that. Let me 
give you a brief anecdote. I was in a meeting about national 
security, American national security, a little while ago 
talking about future threats, 5 to 10 years. There was general 
agreement that China is a very significant threat to the United 
    At that same meeting, one of America's leading high-
technology companies, they had one of their senior officers 
there and he was describing how they have had to make an 
investment decision about a new technology product that they 
are making, a new next step in the revolution. This is an 
American company. Where do we go? We go to the place where 
there is a customer base, where we have cheap labor and we have 
a high number of engineers. Where do they build their new 
factory? China. National security is irrelevant.
    So the argument is not national security. The argument is 
what is going to be the resource for America in this century. 
Answer, trained and qualified people who can manage and master 
the revolution. As part of that, as part of that education 
process, just as you get trained in sanitation or good health 
practices, so you get trained in good security practices. It is 
part of being trained as an information specialist.
    Chairman Thompson. In order to remain in a leadership 
position in the global economy, you have to maintain the 
productivity and, therefore, maintain your technological 
advantages, and, therefore, you have to have the educational 
    Mr. Adams. Exactly, and that is something that the 
government can absolutely influence the outcome of.
    Chairman Thompson. What kind of group was this that you 
said you just attended?
    Mr. Adams. I would have to talk to you about that outside.
    Chairman Thompson. All right.
    Mr. Watson. I would suggest incentives to collaborate with 
the private sector. Cisco networking academies are in all 50 
States and 25 foreign countries. We are adding security modules 
into that training. We build security training syllabuses and 
training partners deliver that training. We would view Federal 
requirements for security training as a market pressure and we 
would develop products and services to meet that demand.
    Chairman Thompson. Mr. Watson, in your background with 
regard to information warfare, do you subscribe to the notion I 
have heard some say that it is almost for sure that in any 
future military attack, one industrialized country against 
another, that it would probably be preceded by a cyber attack?
    Mr. Watson. I would say that was possible and maybe even 
    Chairman Thompson. What would you think, Mr. Adams?
    Mr. Adams. I would say that most countries that have an 
information warfare capability see that as a precursor to full-
scale war, and indeed, the full-scale war itself may occur in 
the virtual space. The interesting thing is that while America 
has a capability in this area, the lawyers have not yet decided 
what is war in the virtual space. So we may be attacked and in 
serious trouble before we can do anything about it.
    Chairman Thompson. One final thing. Senator Lieberman and 
you mentioned the shift of capability from the government to 
the private sector and now we are here in our legislation 
trying to decide what government should be doing, first of all, 
about itself and managing itself. You heard the GAO testimony 
about the government needing to decide minimum standards.
    I am wondering what is going on in the private sector out 
here. How is that going to interface with what we are trying to 
do? Should the government be setting standards for itself, 
minimum standards and as it is purchasing the hardware, 
software, servicing, and all from the outside, or should these 
be private standards determined by the private sector that we 
incorporate? Do you see what I am trying to get at? How does 
that interrelate?
    Mr. Adams. I think there are two different things that you 
are addressing. What we have at the moment as this revolution 
has unfolded is a multitude of standards--hardware, software, 
different in America, different in Britain, different in 
France, all over the world.
    Yes, it is a common arena, as Ken was saying earlier, and 
for the government or governments, more likely, the World Trade 
Organization to agree on a common standard is completely 
unrealistic, I think. It would take years and just will not 
    More likely will be if you go back to the housing problems 
at the beginning of this century in the United States, a 
tremendous amount of poor housing that were in very bad shape. 
Nobody could agree what to do about it, but when the insurance 
industry said, OK, here is a minimum standard or else you do 
not get insurance. If you do not have insurance, you cannot 
have a mortgage. Lo and behold, the standards raised up and the 
standards of housing went up with it. The market drove the 
solution, in other words, and I think exactly the same thing 
will happen here.
    There has been lots of talk about minimum risk standards 
and that needs to be applied. Two things will drive it. One 
will be down value chains. You are going to do business with 
me, you need to be affirmed at this risk level of some kind or 
another, certified at this risk level, and if you do not, then 
I am not going to do business with you.
    And the second will be the insurance industry, which will 
say, if you are going to be insured with me, just like if I 
issue you with a house insurance policy, you get 10 percent off 
for this burglar alarm, 15 percent off if you are connected to 
the police station, so it will be a similar thing in the 
virtual space. So those two market factors will drive it.
    Chairman Thompson. So instead of the government requiring 
certain standards of private industry, private industry would 
be requiring certain standards from the government?
    Mr. Adams. Exactly.
    Mr. Watson. And we are already working in that direction. 
We are beginning to dialogue with the insurance and audit 
industries to develop standards. There are no standards across 
the board for security posture assessments or penetration tests 
or white-hat hacking or whatever you want to call it. If you 
ask two companies to give you an assessment of your security, 
you will get two completely different answers because they are 
based on different standards.
    There is no standard training program for network security 
engineers to certify that someone has the skill required to do 
that kind of an assessment. There are no standard ratings for 
security in a network. How would you do that anyway? It would 
be an instantaneous security state, but how would you say, if 
you have a firewall, you have one level of standard. If you 
have a firewall, intrusion detection, and remote monitoring, 
you meet another security standard that could be insurable. 
Those are the kinds of questions that we need to address.
    Chairman Thompson. Well, you know the GAO has these best 
practices and so forth. Do we not have any minimal standards, 
without being so minimal that they are meaningless?
    Mr. Watson. They are just not defined yet.
    Mr. Adams. And there is no common language, we all speak--
it sounds similar, but we all interpret it differently and you 
can give yourself a tick in the box which actually you are 
nowhere near where you should be.
    Chairman Thompson. Thank you very, very much. We appreciate 
    Senator Lieberman. Thank you.
    Chairman Thompson. The record will remain open for 1 week 
after the close of the hearing. We are adjourned.
    [Whereupon, at 12:50 p.m., the Committee was adjourned.]
                            A P P E N D I X