[Senate Hearing 106-889]
[From the U.S. Government Publishing Office]
S. Hrg. 106-889
CYBER ATTACKS: THE NATIONAL PROTECTION PLAN AND ITS PRIVACY
IMPLICATIONS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
on
EXAMINING THE VULNERABILITY OF U.S. SYSTEMS TO CYBER ATTACK, FOCUSING
ON THE ADMINISTRATION'S NATIONAL PLAN FOR INFORMATION SYSTEMS
PROTECTION AND ITS IMPLICATIONS REGARDING PRIVACY
__________
FEBRUARY 1, 2000
__________
Serial No. J-106-62
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
68-776 CC WASHINGTON : 2001
COMMITTEE ON THE JUDICIARY
ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire
Manus Cooney, Chief Counsel and Staff Director
Bruce A. Cohen, Minority Chief Counsel
______
Subcommittee on Technology, Terrorism, and Government Information
JON KYL, Arizona, Chairman
ORRIN G. HATCH, Utah DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio HERBERT KOHL, Wisconsin
Stephen Higgins, Chief Counsel
Neil Quinter, Minority Chief Counsel and Staff Director
(ii)
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Kyl, Hon. Jon, U.S. Senator from the State of Arizona............ 1
Feinstein, Hon. Dianne, U.S. Senator from the State of California 18
CHRONOLOGICAL LIST OF WITNESSES
Statement of John S. Tritak, Director, Critical Infrastructure
Assurance Office, Washington, DC............................... 20
Panel consisting of Marc Rotenberg, Executive Director,
Electronic Privacy Information Center, Washington, DC; and
Frank J. Cilluffo, senior policy analyst, Center for Strategic
and International Studies, Washington, DC...................... 46
ALPHABETICAL LIST AND MATERIAL SUBMITTED
Cilluffo, Frank J.:
Testimony.................................................... 53
Prepared statement........................................... 57
Kyl, Hon. Jon: Prepared statement of Jack L. Brock, Jr., Director
Governmentwide and Defense Information Systems, Accounting and
Information Management Division................................ 4
Rotenberg, Marc:
Testimony.................................................... 46
Prepared statement........................................... 49
Tritak, John S.:
Testimony.................................................... 20
Prepared statement........................................... 39
APPENDIX
Questions and Answers
Responses of John Tritak to Questions from Senators:
Kyl.......................................................... 69
Biden........................................................ 76
Feinstein.................................................... 77
CYBER ATTACK: THE NATIONAL PROTECTION PLAN AND ITS PRIVACY IMPLICATIONS
----------
TUESDAY, FEBRUARY 1, 2000
U.S. Senate,
Subcommittee on Technology, Terrorism,
and Government Information,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl
(chairman of the subcommittee) presiding.
Also present: Senators Feinstein and Bennett [ex officio.]
OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE
STATE OF ARIZONA
Senator Kyl. The subcommittee will please come to order.
Let me first welcome everyone to this hearing of the
Subcommittee on Technology, Terrorism, and Government
Information. Today, we will examine the National Plan for
Information Systems Protection, released by the President on
January 7, and its implications regarding privacy. This is the
fifth public hearing we have held on cyber protection in the
last 2 years, and the first where we can finally review the
long overdue National Plan mandated by the 1996 Defense
Authorization Act.
The United States, of course, is the most technologically
sophisticated country in the world. Today, virtually every key
service in our society is dependent on computer technology--
electric power grids, air traffic control, nuclear warning,
banking, just to name a few examples. Highly interdependent
information systems control these infrastructures.
With the benefits of technological advances comes a new set
of vulnerabilities that can be exploited by individuals,
terrorists, and foreign nations. Our enemies don't need to risk
confronting our powerful military if they can attack
vulnerabilities in our critical information infrastructure.
According to the National Security Agency, more than 100
nations are working on information warfare tactics. There have
already been a disturbing number of attacks on U.S. information
systems, exposing our Achilles heel to any potential adversary.
At our last hearing, Michael Vatis, from the FBI, described
how Russia conducted a ``series of widespread intrusions into
Defense Department, other Federal Government agencies, and
private sector computer networks.'' Additionally, China is
reportedly considering forming an entirely new branch of the
military for information warriors.
A recent article in the Chinese Liberation Army Daily
assessed that the integration of Web warfare with ground combat
will be essential to winning future conflicts. Moreover a
recent book titled ``Unrestricted Warfare,'' written by two
Chinese Army colonels, proposes tactics for developing
countries like China to use to compensate for their military
inferiority versus the United States. One scenario described in
the book envisions a situation where the attacking country
causes panic through cyber attacks on civilian electricity,
telecommunications, and financial markets. These examples
underscore the severity of the threat facing the United States.
In light of these concerns, I authored an amendment to the
1996 Defense Authorization Act directing the President to
submit a report to Congress ``setting forth the results of a
review of the national policy on protecting the national
information infrastructure against strategic attacks.'' This
ultimately culminated in the National Plan before us today,
which is more than a year overdue.
I am pleased that the Plan calls for specific milestones
with timetables for securing our Nation's information systems,
although its goals are modest and merely a first step. I hope
the administration considers the Plan a living document that
must be reviewed and revised with new technological advances
and discovered vulnerabilities. This will be a complicated and
expensive process, but it is vital to protect our national
security and way of life. To support the effort, I am
encouraged that news reports indicate the President's budget
will include a $160 million increase in spending on cyber
security initiatives.
In securing the critical infrastructures that provide our
way of life, we must be careful that it doesn't occur at the
expense of civil liberties. We need to update our current legal
framework to reflect the revolution in information technology,
to strike the right balance between security and civil
liberties.
The reality is that doing nothing to enhance our cyber
security, in fact, erodes the privacy and civil liberties of
Americans by making public information accessible to any hacker
with a computer and a modem. Let me repeat that. The reality is
that doing nothing to enhance our cyber security, in fact,
erodes privacy and civil liberties of Americans by making
information accessible to any hacker with a computer and a
modem. The National Plan's implementation must consider the
reasonable privacy issues that must be discussed and
appropriately balance them with security interests.
Our witnesses are well-suited to address these issues. Mr.
John Tritak, Director of the Critical Infrastructure Assurance
Office, is responsible for the development of the National
Plan. He will summarize the Plan and speak to the privacy
issues it raises.
Our second panel--Mr. Frank Cilluffo, senior policy analyst
at the Center for Strategic and International Studies, and Mr.
Rotenberg, Executive Director of the Electronic Privacy
Information Center--will testify about the balance between
security and civil liberties in implementing the Plan. Please
note that Mr. Barry Steinhardt, from the ACLU, was also invited
to testify, but respectfully declined.
I also want to acknowledge excellent testimony that I am
going to put in the record from the General Accounting Office.
Jack Brock, who is the Director of the Governmentwide and
Defense Information Systems Accounting and Information
Management Division, is here today, and I very much appreciate
the fine testimony that he presented on critical information
and infrastructure protection which will be put in the record
here.
[The prepared statement of Mr. Brock follows:]
[GRAPHIC] [TIFF OMITTED] T8776.001
[GRAPHIC] [TIFF OMITTED] T8776.002
[GRAPHIC] [TIFF OMITTED] T8776.003
[GRAPHIC] [TIFF OMITTED] T8776.004
[GRAPHIC] [TIFF OMITTED] T8776.005
[GRAPHIC] [TIFF OMITTED] T8776.006
[GRAPHIC] [TIFF OMITTED] T8776.007
[GRAPHIC] [TIFF OMITTED] T8776.008
[GRAPHIC] [TIFF OMITTED] T8776.009
[GRAPHIC] [TIFF OMITTED] T8776.010
[GRAPHIC] [TIFF OMITTED] T8776.011
[GRAPHIC] [TIFF OMITTED] T8776.012
[GRAPHIC] [TIFF OMITTED] T8776.013
[GRAPHIC] [TIFF OMITTED] T8776.014
Senator Kyl. Senator Feinstein, would you like to make your
opening statement?
STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE
STATE OF CALIFORNIA
Senator Feinstein. Thanks very much, Mr. Chairman, and
thank you for your leadership. As always, it is a pleasure to
work with you.
The subject today we discuss is, I think, one of the most
important we face. In my view, the security of information and
networks will be the biggest national security issue of the
decade and one that I think deserves the close oversight of
this committee.
I think the events of the last few weeks alone remind us of
the importance of information security. Just a few days ago,
the National Security Agency publicly admitted what may be the
biggest single intelligence failure in its 48-year history.
From Monday until late Thursday of last week, NSA's computers
were unable to process the millions of communications
intercepts flowing in from around the world from U.S. spy
satellites. The system that was down is the same one used to
track terrorists such as Osama Bin Laden.
And just a month ago, on New Year's Eve no less, another
critical United States spy satellite system crashed. This was
the same day that numerous terrorist attacks were planned
against American citizens, but fortunately prevented. And this
crash occurred after the satellite system had been extensively
tested for Y2K bugs.
These recent failures of some of our most important and
sensitive computer systems have jeopardized our national
security and the safety of our citizens. They remind us that
our critical infrastructures are governed by computer networks
and systems, and that if these networks and systems are
disrupted or disabled, American citizens will be left
vulnerable to economic disruption, to possible injury, and to
possibly death.
Of course, computers not only process signals intelligence,
but are responsible for the delivery to virtually every
American of electric power, oil and gas, communications,
transportation services, banking and financial services, and
other vital needs. These computers present a tempting target to
hackers, to terrorists, and hostile nations because, given our
military supremacy, few adversaries would wish to fight the
United States in a conventional war on a traditional
battlefield.
Moreover, because so many of our computers are
interconnected often through the open architecture of the
Internet, there may be less reason for a hostile party to try
to terrorize us with bombs, tanks, or planes. With a few
keystrokes on a computer keyboard half a world away, such a
party could wreck colossal damage. And every single day,
someone tries to cause such damage.
In fact, the computers controlling our critical
infrastructure are under practically continuous assault.
Everyday, assailants make hundreds of unauthorized attempts to
gain access to crucial computers. For example, last year there
were some 20,000 reported cyber attacks on Department of
Defense networks and systems alone, an almost four-fold
increase from the previous year. And many attacks go
undetected, which means that the numbers are almost certainly
higher than reported.
I think Americans like to think that the United States has
not been invaded since the War of 1812. But, in fact, we are
invaded everyday. A foreign army once burned the White House
and the Capitol in this very city. But now an intruder could
cause even greater damage to our Government without even
setting foot in the country.
As U.S. Deputy Secretary of Defense John Hamre has said,
``We are at war right now, we are in a cyber war.'' This war is
largely invisible unless, of course, a cyber attack succeeds,
and that has meant that every American is not as aware of the
threat of cyber attacks as they should be. Indeed, it is hard
to visualize a cyber attack.
Moreover, even if an attack is detected, it is difficult to
determine who is making it and where it is coming from. Through
the magic of the Internet, an attack from next door can seem to
come from the other side of the world. It is much easier to
think of a person or persons physically attacking sites such as
Pearl Harbor, the World Trade Center, the Khubar Towers in
Saudi Arabia, or the Murrah Building in Oklahoma City than
mounting an electronic assault on a computer.
But it is a great mistake to think that terrorists nowadays
will only, or even primarily, target government installations
or military bases. In fact, 90 percent of critical
infrastructure is owned or operated by the private sector.
Thus, the battlefield has shifted to public and private
computer networks, and society itself has become more, not
less, vulnerable to terrorist threats.
While cyber threats seem invisible, they can have serious
effects when they succeed, and in recent years there have been
a number of incidents of that. In 1999, hackers in China and
Taiwan engaged in a cyber war. One expert suggests that Taiwan
computers suffered 72,000 cyber attacks in August 1999 alone,
while two Taiwanese attacks on China damaged 360,000 computers
and caused $120 million in damage.
In 1998, two California high school kids were among a group
suspected of penetrating and compromising at least 11 sensitive
computer systems in U.S. military installations and dozens of
systems at other government facilities, including Federal
laboratories that perform nuclear weapons research.
In 1998, a Swedish man launched a cyber attack on the 911
emergency system in southern Florida, disabling part of it. In
1998, a disgruntled New Jersey man cyber bombed his employer's
computers, destroying files and corrupting backup tapes. He
caused $10 million in damages. In 1997, a teenager used his
computer to cripple an FAA control tower in Massachusetts. And
even where assailants do not succeed, cyber attacks raise
important issues about information security and information
warfare.
In 1999, individuals who may have had ties to Russian
intelligence--Senator Kyl just spoke about this--carried out a
series of massive cyber attacks, targeting the computer systems
of the Department of Defense, the Department of Energy,
military contractors, and various universities.
In 1999, just days after NATO began bombing missions over
the former Republic of Yugoslavia, hackers began trying to
crash NATO's e-mail communications system. Experts suspect a
terrorist secret society known as Black Hand.
In 1997, a Joint Chiefs of Staff exercise proved that a 35-
man team who were instructed not to use any classified tools or
break any U.S. law could, in fact, disable parts of the U.S.
electric power grid and cripple portions of our military
command and control systems in the Pacific and emergency 911
systems in the United States.
We have just begun to address the threat of cyber attacks.
Presidential Decision Directive 63, issued in 1998, makes
critical infrastructure protection a national security priority
and commits us to protecting effectively our critical
infrastructures within 5 years.
PDD-63 calls for a comprehensive National Plan for
protection of our critical infrastructure within 6 months of
the issuance of the directive. We now have that Plan, albeit 14
months late. I hope and am eager to examine how that Plan will
work, what changes should be made to it, and how we can assist
the Government in realizing the Plan's promise.
I believe very strongly that we have an obligation to
protect this Nation from the threat of cyber terrorism and
information warfare in a way that maintains and strengthens
America's privacy and civil liberties. They may or may not
conflict at certain points. That is what we are here to
explore. But I think the point I want to make is the
overwhelming importance of the mission. There is no question
that that mission is going to grow greater in the days to come.
Thank you, Mr. Chairman.
Senator Kyl. Thank you very much for an excellent
statement, Senator Feinstein.
Our first witness is Mr. John Tritak, director of the
Critical Infrastructure Assurance Office. He is the principal
administration official responsible for the formulation of the
National Plan.
Mr. Tritak, we will place your full written statement in
the record and invite you to make any summary remarks you would
like to at this time.
STATEMENT OF JOHN S. TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE
ASSURANCE OFFICE, WASHINGTON, DC
Mr. Tritak. Thank you very much, Mr. Chairman, Madam
Ranking Member. It is truly an honor to be here and finally to
be able to discuss the National Plan. I am going to keep my
remarks very brief because I think really the purpose of this
hearing and other hearings is to engage in a dialog.
You will notice that the National Plan, the very cover of
the National Plan says a number of things which I think bear
emphasizing at this point. First and foremost, this is Version
1.0. This is not meant to be a complete document. Final
solutions have not been presented.
One of the things that became very clear since taking over
the CIAO and bearing responsibility for pulling this effort
together is just how complex the undertaking really is. I think
the PDD which calls for a plan to be presented within 6 months
was overly optimistic. I think it was well-intended at the
time, but frankly as we got into it and saw what was entailed,
it took much longer than expected.
Putting aside the fact that whenever you have to coordinate
the efforts of 22 agencies, that in itself is a time-consuming
process, there were really fundamental issues that had to be
addressed and wrestled with. And I can say happily that what we
are presenting in the Plan is, I think, a good, solid first
step toward achieving the goal the President set forth in PDD-
63 for developing a capacity to defend the Nation's
infrastructures.
As I indicated, the goals are rather ambitious. It is
calling for nothing short of an ability for the United States
to be able to defend itself against deliberate attacks against
its infrastructures. In order to do so, we are talking about
actions that not only need to be undertaken by the Federal
Government, but also State and local government and private
industry.
I have said in previous testimony that this issue of
critical infrastructure protection is perhaps the first
national security challenge this country has ever had where the
Federal Government alone cannot solve the problem. It is not a
question of simply allocating resources, procuring equipment,
and solving the problem. Since 90 percent of these
infrastructures are owned and operated within private industry,
it calls for a very new and unprecedented relationship with
private industry in order to achieve a national goal.
I want to emphasize, under this goal, one of the things I
add here is the importance of upholding civil liberties and
privacy. After all, the whole point of this exercise in
defending our Nation's infrastructures is to protect our way of
life and the values that we cherish. It would do very little to
serve that interest if we undermined those civil liberties and
privacy rights that we enjoy today.
The challenge is not whether or not to trade off privacy
and civil liberties and security, but how we protect civil
liberties and privacy in the information age. When this country
was formed, it began as an agrarian economy. It then moved to
an industrial economy that presented those challenges to civil
liberties and privacy, and we dealt with them.
We are now moving into an information age. That, too,
presents new challenges. But I am confident that engaging in a
dialog, which we hope will begin today and continue, will be to
ensure that whatever policies and proposals are set forth by
the Federal Government and whatever actions are taken to assure
the delivery of critical services over our Nation's
infrastructures that we continue to protect and uphold the
civil liberties and privacy rights of American citizens.
By now, I hope you have both the executive summary of the
National Plan as well as the full report. I will not obviously
go into any great detail about the National Plan, but what I
would like to do is at least provide an overview of the
structure.
In order to meet the ultimate goal of defending the
Nation's infrastructures by 2003, the Plan is organized around
three objectives. The first is to prevent such attacks from
occurring and, should they occur, to minimize the effect those
attacks may have on the delivery of critical services.
One of the first and important steps in doing so is to
evaluate what the critical assets that perform these critical
services and deliver these services are; having done so,
identify both the interdependencies with private industry as
well as the interdependencies between government agencies,
identify those vulnerabilities and develop plans for addressing
them.
Second is to develop an ability to detect, analyze, and
evaluate intrusions and attacks against our Nation's
infrastructures, and develop plans for responding and
reconstituting those systems. Under this objective, we have
four broad programs.
One is to develop a multitiered detection, intrusion, and
warning system that will enable government agencies to
determine whether or not an attack is underway and to be able
to deal with that information in a way that contains the
problem and doesn't spread to other agencies and affect
delivery of critical services.
Second is to develop the intelligence and law enforcement
capabilities with a view toward focusing on critical
infrastructure protection; three, to encourage information-
sharing both between government agencies, within private
industry, and between government and private industry. Fourth
is to build on the lessons of Y2K and to begin to explore ways
in which the Government can facilitate response,
reconstitution, and recovery.
Finally, objective three, Senators, is really what
undergirds the achievement of objectives one and two. It
involves coordinating research and development among Federal
agencies to ensure that there is not unnecessary duplication.
It involves training and employing IT security experts.
Today, there is, in fact, a shortfall in this capability.
We need not only to ensure that those who are already
responsible for this mission have state-of-the-art training,
but also to encourage the recruitment of new expertise into the
Federal Government, as well as in private industry.
Three, raise cyber security awareness. I think it is fair
to say that one of the biggest challenges to this effort
overall is awareness and appreciation of what we are talking
about. This need for awareness is not only at the Federal
Government level; it also requires raising awareness within
private industry about how this is different from the
challenges that they faced in the past, and, finally, to raise
awareness with the American public itself.
Fourth is to develop and explore legislative and legal
reforms that may improve information-sharing. One of the
important ways in which this country can defend its
infrastructures is to share information within the Government
and between government and industry. We need to look at ways in
which we can encourage that without those that are sharing the
information incurring unnecessary liabilities. And, finally, to
repeat yet again, all this has to be done within the context of
protecting civil liberties and privacy rights.
In the rollout of the National Plan, President Clinton
mentioned briefly his budget overview for critical
infrastructure protection. As this chart indicates, the request
will be for $2 billion, which will be a 15-percent increase
over last year, with 85 percent of that budget being used to
actually protect the infrastructures of the respective Federal
Government agencies, with the remaining 15 percent being used
for outreach programs with private industry.
Seventy-two percent of the total will be requested for the
national security agencies. They bear a very special
responsibility in this critical infrastructure area, so it is
appropriate that they would at this stage get the lion's share
of the budget. Also, the national security agencies have the
most mature programs, and one of the goals of this Plan is to
begin to rectify that balance by bringing up to speed the
civilian agencies. And then, finally, a 31-percent increase in
research and development in programs designed to address
specific challenges of critical infrastructure protection.
Finally, Senators, I would just like to highlight very
briefly some of the key initiatives, the goal of which is
really two-fold. One is to establish the Federal Government as
a model for information security. Recognizing that we are
asking private industry to bear an increasing responsibility
for the defense of the Nation's infrastructures, it is
important that the Federal Government itself be a model of
information security and computer protection.
We have laid out a number of initiatives designed to do
that. First and foremost is to develop the personnel within the
Federal Government to do this. As I have indicated before,
there is, in fact, a shortage of information security
expertise, not only within the Government but within private
industry. The ability of the Federal Government to draw that
expertise, given the enormous market pull for people coming
right out of college to go to private industry--we are
exploring a number of ways in which we can recruit and retain
some of these people to build a cadre of information technology
expertise within the Federal Government.
One of the principal programs in that regard is a ROTC-like
program called the Service for Scholarship Program which is
designed to assist undergraduates and graduate students through
their education, with the understanding that upon graduation
they would serve a certain period of service within the Federal
Government.
FIDNet, of course, I have a feeling we are going to be
talking about in some detail, so I will come back to that when
we have our discussion.
Senator Kyl. I wish you would discuss it now, if you would.
Mr. Tritak. Oh, absolutely. Senator, the Federal Intrusion
Detection Network is intended to serve, in essence, like a
Federal burglar alarm for civilian government computer systems.
It is designed to allow Federal agencies to protect those
critical computer systems that the public relies on for
delivery of important services. This system is only government
civilian systems. It does not connect in any way to private
sector computer systems.
The Department of Justice has actually undertaken a
preliminary review of the FIDNet concept and has determined
that it is compliant with existing Federal laws under ECPA. The
key issue here, Senator, is to recognize that daily, as you
have indicated in your testimony, and as Senator Feinstein has
indicated in her testimony, Federal Government agency computer
systems are, in fact, being attacked. Some of the information
out of those computer systems is actually vital to the privacy
rights of American citizens.
This problem is not going to go away. The question is how
we are going to deal with it. The current proposal for the
FIDNet is for a pilot program. The concept as it is right now,
we believe, is consistent with all privacy statutes and civil
liberties statutes. As it goes on through development, at each
stage it is going to have to be reviewed to ensure that
compliance is adhered to.
At each stage, we will be discussing with you, the private
sector community, and others how this is being implemented so
that there is an understanding and there is an acceptance of
what we are doing from the get-go. Of course, at this point
some of the legalities of this matter actually turn on very
technical details and design features. That is why it is
impossible at this stage in the concept to say how it will work
and what it will do and what will remain compliant. What I can
assure you is that whatever architecture is actually developed
for the FIDNet program, it will be consistent. If those
architectures are not consistent, they will not be adopted.
I would like to now turn, Senators, very quickly to the
need for building public-private partnerships. The President
announced in his rollout address the establishment of an
Institute for Information Infrastructure Protection. The
purpose of this institute is not to create a new building, a
new establishment to duplicate ongoing efforts in
infrastructure protection. The goal here is to really fill gaps
in what may exist in critical infrastructure protection.
As you know, with the President announcing CIP as a
national priority, agencies do have ongoing efforts to address
their own needs in this area. However, since much of what is
needed for infrastructure protection lies within private
industry itself, it is important to have a mechanism by which
government and private industry can work together to identify
potential gaps where the market itself does not permit a
solution and to ensure that monies from the Federal Government
can be inserted back into private industry to develop high-
risk, high-payoff technologies which will benefit not only
private industry but, by extension, the American people.
Finally, Senator, I would just like to touch briefly on the
Partnership for Critical Infrastructure Security. This is an
area I am particularly proud of because what it is trying to do
is bring together all the communities that are necessary to
resolve this issue.
Today, we have lead agencies interacting with their private
sector counterparts to address sector-specific concerns of
critical infrastructure protection. What we are trying to do in
this effort is to draw those efforts together and to include a
broader community of business interests, to include the risk
management community which is going to be responsible for
assessing, creating metrics, and holding accountable companies
to first adopt and then enforce security measures on their
computer systems. It will also include the broader business
community who actually depends on these critical
infrastructures in order for them to do their business.
We envision as this partnership evolves that we also will
include the privacy community and others who have a stake in
this outcome. I can tell you the first meeting was held in
December. Over 90 companies attended. It was chaired by
Secretary Daley. We are now moving to the first working group
session later this month, in which industry is actually taking
the lead on identifying those issues of concern with regard to
critical infrastructure protection. So what we are really
trying to do here is to develop a real partnership where
hopefully we will discover market solutions, allow the market
to come up with solutions as to how to deal with these problems
and not regulation.
Senator I think at this point I will conclude my remarks,
and I welcome any questions.
Senator Kyl. Thank you very much, and I am sure that
overview at least indicates the breadth of the effort that is
being undertaken here. While both Senator Feinstein and I have
been critical of the administration for not acting with enough
speed in this matter, we both recognize, I am sure, that it is
a complicated and ongoing challenge that will require, as I
said, a continuing evolution in your program. And that is fine,
but it is important to start and we are at least appreciative
of this report on that effort.
One of the interfaces with this program that the Judiciary
Committee will have, of course, is determining whether there
are any legal changes that will be necessary in our laws to
help implement this or to ensure that as it proceeds it can, A,
be effective, and, B, not improperly infringe on any
constitutional rights of Americans.
I made the point, and I tried to stress the point in my
opening statement that if we do nothing, Americans' privacy
will, in fact, suffer. I mean, the whole point of providing
protection to our infrastructure is to prevent unauthorized
entry into these systems in a way that can compromise people
and government and businesses' private information. So the
whole point of this is to protect the American public.
There are those, on the other hand, who view the effort in
some respects as potentially damaging to civil liberties. And I
would like to focus on that because of all the areas in which
this subcommittee will be working with this critical
infrastructure issue which has ramifications that apply to many
other committees here in the Congress--the Government
Operations Committee, the Intelligence Committee, the Armed
Services Committee, and so on--our committee's jurisdiction
will surely impact this privacy issue. And so I wanted to focus
in on that and that is why I asked you to talk a little bit
more about FIDNet.
Now, what I would like to do as a prelude to asking you
some specific questions is to describe with a little bit more
particularity the kinds of information that you anticipate will
be collected and analyzed on the FIDNet program, and if you
could also describe the degree of maturity of the program. As I
understand it, you are basically just getting this off the
ground right now.
So could you address that briefly and then talk about the
kinds of things--in other words, how you envision this working.
You might want to even use an example. Let's say we find that
there has been a particular kind of incident. How would we be
reacting to that, at least hypothetically?
Mr. Tritak. Certainly, Senator, I would be happy to. First,
to underscore the remark that you made in closing your
question, and that is that we really are just getting off the
ground. What we have done so far----
Senator Kyl. By the way, may I interrupt you and
acknowledge the presence of Bob Bennett, the Senator from Utah,
who chaired the very successful Y2K--we just call it the Y2K
Committee. But while Senator Bennett probably would not
personally want to brag about this, I figure that the whole
reason we didn't have any problems with Y2K is because of the
work of his committee. Of course, I served on the committee.
Senator Feinstein. You are humble.
Senator Kyl. That is right.
But since Senator Bennett is not a member of the Judiciary
Committee, I wanted to acknowledge his presence here before you
gave your answer and indicate we will, of course, offer him an
opportunity to make some observations and ask questions here as
well, and we appreciate him being here.
I am sorry to have interrupted you.
Mr. Tritak. Senator Bennett, it is good seeing you again.
On FIDNet, Senator Kyl, first let's step back a little bit
and let's clarify what FIDNet is and what it is not. It has
been characterized as many things, including being a big
brother system, or a slippery slope to it. It is nothing of the
kind.
To begin with, as I have indicated, what we are talking
about here is a civilian computer intrusion detection system
within the Federal Government. Currently, today, an agency can
install intrusion detection systems at critical computer sites.
It can monitor the flow of traffic coming in, with a view
toward identifying potentially anomalous activity going on, a
virus, for example. When anomalous activity is done, systems
admin. today can review that information to determine what is
going on and what needs to be done. That authority exists
today.
What FIDNet is proposing--well, let me say one more thing
about that. Of course, given the nature of certain types of
attacks, what you will generally see are mappings that an
attacker will use at different agencies to try to develop an
overall plan before they actually attack a specific system.
They are not going to telegraph their intentions too clearly.
So what could be happening at one agency may only be a
small bit of what, in fact, is going on around, which could
actually be amounting to something very serious. No agency
alone is going to be able to make that determination or
ascertain what is, in fact, going on. So what the FIDNet is
proposing to do is in instances where anomalous activity has
been detected, the information about that anomalous activity
will be provided to the FEDSIRC, which is at GSA, for further
analysis, and to correlate other data of anomalous activities
occurring around Federal agencies to determine what that
anomalous activity means.
In the event that that anomalous activity appears
suspicious or even indicative of crime, that information would
then be further provided to the NIPC for analysis and if, in
fact, they determine that there is evidence of criminal
activity under Federal law enforcement.
There are several tiers going on here to ensure the
protection of privacy. Right now, if a systems administrator
detected anomalous activity and concluded that there was
evidence of criminal activity, they are obligated under law to
provide that information directly to Federal law enforcement.
Some anomalous activity is, in fact, ambiguous; it is not
clear what it means. You wouldn't want to send that to Federal
law enforcement, and that is not what is intended here. What is
intended here is to be able to make sense--drawing on activity
going around Federal agencies, to make sense of what that
anomalous activity means for that agency as well as for the
Government writ large, because in some instances that may be
our first indication that something is up.
If something is up, as I have said, and it suggests
malicious intent or even potential criminal activity, there is
a mechanism for providing that information on to the NIPC for
Mr. Vatis and his team to evaluate. At this point, Senator,
this is where the concept of FIDNet lies. Now, there are a lot
of details as to how that information is processed, how it will
be moved on to the FEDSIRC. And that is why I said that beyond
a threshold assessment, a preliminary assessment, we need to
further develop the FIDNet program with specific technical
options.
There will be RFP's issued, assuming that there is some
seed funding for it, and then those technologies and
capabilities will be assessed within the broader architecture
to ensure compliance with existing privacy laws. I say ensure
continued, as opposed to moving forward in the hopes that it
will fit privacy or, in fact, requesting that privacy laws be
changed in order to accommodate the system.
Senator Kyl. What kind of data will be collected by the
FIDNet program?
Mr. Tritak. The information that is monitored on an
intrusion detection system is really looking--basically, it is
set up to look for anomalous patterns. That information, if the
alarm would go off, would be extracted and that information
would then be provided to the FEDSIRC for further analysis.
Now, the details of what is contained in that packet, what
would be kept at the agency where it is allowed to be kept and
what would be moved on further for further analysis, is
something that really is a technical detail that I am not in a
position to answer right now because I don't know the answer.
Senator Kyl. OK; now, what is the potential then for
integrating the private sector--let's say the commercial
banking computer system--into this overall program and
interfacing with FIDNet to provide the burglar alarm for a
private sector computer network as we have with the Government
network?
Mr. Tritak. In short, none.
Senator Kyl. So the FIDNet program is designed to detect
intrusions into the Government interconnection of computers,
detect the nature of the activity, and if it is potentially in
violation of law, refer the appropriate information to the FBI?
Mr. Tritak. That is correct, sir.
Senator Kyl. One of the subsequent witnesses, Mr.
Rotenberg, says that there are--and I am quoting now--there are
other indications contained in materials that they received
under the Freedom of Information Act that the CIAO, which you
lead, intends to make use of credit card records and telephone
toll records as part of its intrusion detection system, and
suggests that that raises problems under U.S. law. Is that
correct?
Mr. Tritak. Senator, I have to be honest with you. I don't
know where that comes from. I think, in fairness, what it may
be referred to is that telephone companies have developed
technologies that look for certain patterns to suggest that
someone may be using a credit card that isn't theirs, you know,
activities which are beyond the normal patterns of activity
that the person who owns that credit card would do.
Under those circumstances, there is an alert and those
people are actually contacted to find out is this purchase--did
you intend this purchase, is this your purchase, and it is
really a service actually to the customers.
Senator Kyl. As a matter of fact, I can tell you one of my
employees had a cell telephone, got a bill with, I think, $600-
and some worth of telephone calls to Mexico. And about a day
later, she got a call from the company saying this doesn't look
like an expenditure that is consistent with your past use of
your telephone. She said, it is not; she said, I didn't make
those calls. They said, we didn't think so, don't worry about
it.
And this is part of the basis for the bill which came out
of this subcommittee a couple of years ago on cell phone
cloning to try to make it easier to prosecute people who do
that. So this was a use of information to help a consumer, a
customer who clearly was being taken advantage of by someone.
Is that the kind of information that you are talking about
here?
Mr. Tritak. Actually, I want to be very clear. It is not so
much the information. It is the technology that helps identify
certain patterns of behavior. First of all, I am not a
technologist, so I am doubly handicapped. But one of the
problems is that when you actually talk about how you identify
certain types of patterns that are suggestive of anomalous
behavior, we are talking about levels of detail and technical
gradients that are very difficult to communicate in normal
language.
What I think was referred to in Mr. Rotenberg's statement--
I obviously don't want to speak for him, but my understanding
to the extent that that ever came up was the fact is right now
there is a capability that can identify anomalous patterns. In
this case, it happens to be use of credit cards, or it could be
the use of the telephone.
It is the underlying technology that led to the creation of
that capability which is what I believe was one thing that was
raised as something to explore, not so much because we are
looking at collecting that sort of information or information
about a person or anything else that would be used in an
intrusion detection system.
Senator Kyl. And this is one of the reasons why you said
that you would be careful as you went on to ensure that any use
of that technology would not invade privacy.
Mr. Tritak. That is correct, sir.
Senator Kyl. And I will, of course, give Mr. Rotenberg a
full opportunity to explore his views on this later, but he
also says that based on a March 1999 memo from the Justice
Department to CIAO, FIDNet is a violation of the spirit of the
Federal wiretap statute, also the plain language of the Federal
Privacy Act and contrary to the fourth amendment.
What is your view on that?
Mr. Tritak. Well, I have to try to remember law school, but
I recall that wiretapping has to do with voice communications,
and we are not looking at that there. We are talking about
traffic that is coming in mainly e-mail.
Senator Feinstein. Say that again.
Mr. Tritak. I am sorry. My initial reaction, having not had
an opportunity to think through this as fully as perhaps I need
to, is that wiretapping refers to voice communications. We are
not looking at monitoring voice communications through an
intrusion detection system. The intrusion detection system is
designed to identify incoming e-mail traffic that may contain
anomalous malicious code or something, which may then actually
go into a computer system and cause damage. So we are really
monitoring different things.
Senator Kyl. One thing I would like to ask you to do is to
consider carefully the testimony of the second panel and to
perhaps respond to any points that you think are worth--I
shouldn't say worth responding to, but need response to ensure
that there is a complete understanding of the FIDNet program
from your point of view. And we would leave the record open for
sufficient time for you to respond to any comments that you
think require response.
I realize that we are catching you a bit unprepared on
these matters today, and perhaps at a subsequent hearing we can
have the people who really are the experts either in the law or
in the technology to further explore these issues.
Mr. Tritak. Senator, let me also add that in terms of some
of the things that you raise and Mr. Rotenberg will be raising
in his testimony, I think we need to take all that seriously.
All concerns about privacy should be taken seriously and we
ought to address them front-on.
I gave you answer about the wiretap law. I am not even sure
if it is correct. What I will do, though, is once it is raised,
to the extent I can respond to it today, I will. To the extent
I cannot, we will provide written answers specifically to
those.
Senator Kyl. Great, and I have some additional questions
which I will submit to you.
[The questions of Senator Kyl are located in the appendix.]
Senator Kyl. I would like to turn to Senator Feinstein now.
Senator Bennett, by the way, said he would be able to be back.
Senator Feinstein. Thanks very much, Mr. Chairman.
Mr. Tritak, just a quickie. On page 29 of the report, in
the chart it mentions that Federal departments and agencies
will submit a multiyear vulnerability remediation plan with
their fiscal year 2001 budget submissions to OMB, and then
annually afterwards. The ERT will work with the departments on
implementation. That is due to be completed in June 2000. Are
you going to make that date?
Mr. Tritak. Yes; let me make sure I--page 29, you said?
Senator Feinstein. Page 29, third one down, Federal
Department Initiatives to Strengthen Cyber Security.
Mr. Tritak. OK, and that would be----
Senator Feinstein. 1.3.
Mr. Tritak. Yes; well, each of the agencies, in fact, will
have contained in their budget plans for dealing with their
vulnerabilities and remediating----
Senator Feinstein. So that will be on time and this
subcommittee can expect it?
Mr. Tritak. Yes; that is not to say it is going to be
complete, and I will tell you that one of the things we are
actually undertaking at the CIAO is to assist agencies in sort
of focusing very clearly on what it is that they need to do in
order to fulfill the missions of PDD-63, and that is to
actually go into their agencies and identify those assets that
support national critical services, either in national defense,
promoting of economic security, or delivery of vital human
services, and having identified those assets to back into it to
identify with the nodes and networks that support those and
then conduct a vulnerability assessment.
With the institutionalization of the ERT, they will then go
in and say, OK, let's take a look at those nodes and determine
to what extent they are vulnerable and what do we need to do to
address them.
Senator Feinstein. I just view that as an important step.
Mr. Tritak. Very important, ma'am.
Senator Feinstein. And I just wanted to see if it was going
to get done on time.
Now, let me just read you a couple of sentences out of the
GAO draft report on critical infrastructure protection.
In particular, we believe the Plan should place more
emphasis on providing agencies the incentives and tools
to implement the management controls necessary to
assure comprehensive computer security programs, as
opposed to its current strong emphasis on implementing
intrusion detection capabilities.
Then it says,
In addition, the Plan relies heavily on legislation
and requirements already in place that, as a whole, are
outmoded and inadequate, as well as poorly implemented
by the agencies.
Could you define for us the outmoded and inadequate
legislation so that we might do something about it?
Mr. Tritak. Well, I believe that what may be referred to
may be certain aspects of the Computer Security Act. I have not
done, in fact, an analysis or studied closely what GAO has said
in this regard. I would rather take that question and get back
to you than to simply talk off the top of my head.
Senator Feinstein. Would you, please?
Mr. Tritak. I would be happy to.
Senator Feinstein. This is directly within our jurisdiction
to update whatever legislation is outmoded and inadequate. So
if we could get that with specificity in the next week, if
possible?
Mr. Tritak. Yes, ma'am.
Senator Feinstein. Great. Thank you very much.
Just a couple of quick questions on your burglar alarm,
FIDNet. What is the legal authority for FIDNet?
Mr. Tritak. Well, the legal authority for FIDNet--I guess I
would sort of address it slightly differently. Is FIDNet
consistent with existing legal authority? One of the initial
analyses that had to be done was whether it was consistent with
ECPA, the Electronic Communications and Privacy Act. I usually
only refer to it by its acronym.
That makes very clear and puts very severe restrictions on
the monitoring of content in electronic communications.
However, it does also have some significant exceptions in order
to protect Federal Government information systems.
Senator Feinstein. But you are saying the legal authority
is within that Electronic Communications and Privacy Act?
Mr. Tritak. Right.
Senator Feinstein. OK.
Mr. Tritak. Now, it also needs to be consistent with other
laws, but that is one which we did as an initial matter. And
there was a preliminary, and I emphasize preliminary,
examination by the Department of Justice which found it to be
consistent.
Senator Feinstein. Now, Senator Kyl mentioned the wiretap
law. Do you agree with Justice that FIDNet must operate under
the Federal wiretap law?
Mr. Tritak. Senator, I am going to be honest with you. I am
going to need to take that question. I am not prepared to
answer the specific legal authorities with respect to FIDNet
and the wiretap law, and I think they deserve a thorough review
and response than what I can give you at this time.
Senator Feinstein. I appreciate it.
Mr. Tritak. I have a few tasks now to get back to you very
quickly on, and that will be one of them.
Senator Feinstein. Thanks. Do you see any legal problems
with GSA acting as a centralized authority with regard to
protection against network intrusions for the entire Federal
Government?
Mr. Tritak. I do not. I understand that there is the view,
although there has not been a formal legal opinion issued at
this time on this, that the GSA can serve as sort of a super
systems administrator in connection with the FIDNet program,
meaning that since it has authority to oversee all government
agency information and computer systems----
Senator Feinstein. That includes Defense, of course?
Mr. Tritak. Yes, although in this case the--yes, but in
this case the Defense Department has its own system entirely
and the FIDNet is not actually going to be tied into that.
Senator Feinstein. So FIDNet would not relate to----
Mr. Tritak. No; in fact, I am glad you said that. Right
now, there is an intrusion detection system at the Department
of Defense and that system has been up for a while. In fact, as
we proceed in developing FIDNet, obviously we want to benefit
from the experiences and lessons learned that the Department of
Defense has made in proceeding there. But this is only for non-
DOD Federal civilian government agencies. It is not networked
into the Department of Defense.
Senator Feinstein. Under the current version of FIDNet,
there would be a large new intrusions operations center at GSA.
Does this duplicate the mission of the National Infrastructure
Protection Center?
Mr. Tritak. I do not believe it does. The way FIDNet was
designed, first of all, it is very clear in ECPA that the
systems administrator cannot be an agent of law enforcement.
Now, I am not saying here that the NIPC is, in fact, an agent
of law enforcement because it is not. It is, in fact, an agency
designed to deal with indications of warning and analysis.
But the decision was made, in an abundance of caution, to
locate the FIDNet analysis center, if you like, or what
actually would be located at FEDSIRC--is to provide a place
where correlation can be done and an assessment of what
anomalous activity means. And only in cases where that
anomalous activity rises to the level of suspicion and perhaps
indicative of criminal activity would it then further sent to
the NIPC for analysis and they would make the final
determination of sending it to law enforcement based on their
own expertise and experience that they believe it needs to
move.
Senator Feinstein. A final question. The GAO report points
out that its audits have found repeatedly serious deficiencies
in the most basic controls over access to Federal systems. It
points out that managers often provided overly broad access
privileges to very large groups of users, and that affords more
individuals than necessary the ability to browse and modify or
delete sensitive or critical information.
What are you going to do about that?
Mr. Tritak. Well, as you have indicated earlier, and I
think it bears repeating here, critical infrastructure
protection is not going to be solved by technology alone. It is
only as good as the personnel, the technology, and the
processes that are put in place to do it. Your best intrusion
detection system, your best technology for combating cyber
terrorism goes out the window if it is not employed properly.
There is, in fact, an effort underway, and it is
contemplated in the National Plan to develop more uniform
standards across the Federal Government and to raise awareness
with government employees on the importance and need for
observing proper practices and standards for information
security.
I agree that right now the Government is not the model of
that. More works needs to be done. By the way, it is also not
wholly observed within private industry, and I think you would
find--and I think this is something you would really need to
talk to Mr. Vatis about, but probably many instances where
there have been problems, only some of them are because of
technological flaws. Some of them are because people were not
observing common security practices which, had they been
observed, they may have avoided the problem.
And this a big issue for the information technology
community because to simply say something is vulnerable is
suggestive that the vulnerability lies squarely with the
technologies, when, in fact, the vulnerability is systemic and
it requires dealing with all three.
Senator Feinstein. You mentioned earlier that you are going
to begin recruiting students and training students, et cetera,
to come into this. In our classified briefing, Senator Kyl and
I heard about this, and my concern has been that that is going
to take a very long time. And I wondered if, particularly with
respect to this security aspect, you had considered recruiting
from the private sector for a small period of time, say 6
months to 1 year, the outstanding security experts that we can
throughout America to really, in essence, do a kind of audit of
our departments, our management and security functions, and
make some specific recommendations.
Mr. Tritak. Well, first of all, Senator, let me say that I
think that is an excellent idea.
Senator Feinstein. But will it die an early death?
Mr. Tritak. Not necessarily. I think the only problem is
that industry itself is finding a shortage. I mean, they are
desperately trying to fill these positions themselves. That
said----
Senator Feinstein. I talked to one company that is in the
lead in this direction. I would be happy to tell you
afterwards.
Mr. Tritak. I would love to hear who that is. That would be
great. In fact, I would say even when we get the scholarship
program going, if all goes well and if we get full funding, we
envision that the first graduating class having been trained
through these programs would be May 2002. So we are trying to
put this on a fast track as much as possible.
But I think even if we did get this program going, there
needs to be some kind of ongoing interaction between private
industry and the Federal Government in this because, first of
all, I think industry actually has an interest in the Federal
Government having secure computer systems. They, in fact,
depend on some of these systems for their own businesses.
And, second, the experiences that are gained in the Federal
Government are likely to be different in some respects from the
kinds of experiences they have in private industry. Since
government in some cases is one of the front lines of attack
against hostile forces, that kind of experience in how to deal
with it and respond to it would be extremely valuable to
private industry.
So I think that is a very good idea, and I would actually
like to speak to you afterwards about the companies who have
indicated a willingness to volunteer to support Federal
Government programs.
Senator Feinstein. Thank you very much. I appreciate it.
Mr. Tritak. Thank you, Senator.
Senator Kyl. Senator Bennett.
Senator Bennett. Thank you, Mr. Chairman. I very much
appreciate your indulgence in letting me participate in this
way, and I apologize for going in and out. We were in the
process of trying to gather a quorum up in the Banking
Committee so we could report out Alan Greenspan. We have
successfully done that and so I am here now.
I want to express my appreciation to you for your hearings
not only now, but previously. I think, as I have said
previously, that this issue is one that is going to be with us
a long, long time. It is only going to increase in its
intensity and its importance and we are just at the threshold
of beginning to understand it.
I have brought along a little visual aid this morning, Mr.
Chairman, and you can't see it too well from where you are. I
wish it were on a white background instead of a black
background, but that is a map of the world. Some people think
it is an abstract painting. Maybe someone could hold it up and
show it to the audience as well.
That is a map of the world, only it is a map of the
Internet. The most outstanding thing about that when you look
at it as a map of the world is that there are no oceans and
there are no continents. And when you start talking about
either national security threats or commerce in a world in
which there are no oceans and no continents, you realize that
we are not talking about a new tool to use in commerce or a new
weapon to use in war. We are talking about a whole new place.
We are talking about a whole new universe that is different
from any that we have structured our Government to defend or
our economy to market in in the past. That is why these
hearings are so important and the issues that we are addressing
are so important, and they are going to go on and on.
Now, in May 1998 President Clinton signed PDD-63, calling
for the development of a detailed Federal Plan, and we are
having the hearings now on the first cut of that Plan. It was
finally released this month. Unfortunately, it is over a year
late from the date that was set in PDD-63. It is an invitation
to a dialog, as the Plan itself says, and this hearing is going
to be part of that dialog.
Now, in my opinion, Mr. Chairman, there are two main
problems with the Plan. I don't mean to start out being
critical because I start out being grateful that we have it,
that we have something to talk about. But here is my reaction
to it.
First, the architecture of the Plan is flawed, the
structure is wrong. The FBI is given the coordination function,
which immediately raises suspicions on the part of industry and
questions about the role of the Department of Defense. The
greatest area of expertise in this challenge lies with the
Department of Defense and the National Security Agency, and
they are under the coordination of the FBI. That is one of the
reasons why you are holding this hearing, Mr. Chairman, because
the FBI is under the jurisdiction of the Judiciary Committee.
But the question about the FBI's expertise as opposed to that
contained within the DOD and the NSA is a structural question
that immediately comes to mind.
The second part of the first problem--the first problem is
the structure and now I am giving subtopics under that. The
second subtopic is that the Plan seems to me to focus primarily
on the hacker threat. I listened very carefully to the
President during the State of the Union message when he raised
this, and again I applaud him for raising it, and he too
stressed the hacker threat, the threat of irresponsible
hackers.
I think the broader threat that we face long term is going
to come from terrorist groups and eventually, if not
immediately, from hostile nation states that have the staying
power both financially and technologically far beyond that of a
teenage hacker operating out of his bedroom. And I wish the
Plan had focused on the broader threat of information warfare
and not the more narrow threat of a rogue hacker.
The third subpart of the flawed architecture is that the
Plan does not yet articulate a strategy for reconstitution and
recovery if an attack occurs. We had the experience in the Y2K
Committee of talking about contingency plans, and one of the
reasons that Y2K went so smoothly is that in many areas
contingency plans simply took over flawlessly and seamlessly.
And people said, gee, there was no Y2K failure, when, in
fact, there was, but there was no suspension of service because
the contingency plan was working. That is an analogy for the
focus on reconstitution and recovery, and there is nothing in
this Plan that focuses on that.
And the final aspect of the architecture that--well, I have
already talked about it; that is, that the role of DOD and NSA
is unclear, and those are the two agencies that have the most
expertise.
The second major problem with the Plan--this is parochial,
in a sense, because it looks at it from the standpoint of the
Congress. The Plan makes it almost impossible to follow the
money. Approximately nine committees in the Congress have some
kind of critical infrastructure protection oversight
responsibility. There is in the President's budget $2.04
billion spread over 15 agencies, and it becomes very difficult
to follow the money, very difficult for Congress to provide its
appropriate oversight responsibility when things are fractured
that much.
I would note that in the 2001 budget tagged for critical
infrastructure protection, $276 million is new funding. That is
more than a 10-percent increase, closer to a 12- to 15-percent
increase. I don't object to that increase. I think the issue is
serious enough that it justifies that increase, but it becomes
very hard to focus when the thing is spread so wide.
So, Mr. Chairman, I give the President and the
administration high marks for proceeding. I am glad the
National Plan is finally before us, even at this late date. I
know how devilishly difficult it must have been to put
together, and so I don't fault the administration too much for
being a year late. But I have to lay down my immediate concerns
in these two areas, and very much appreciate the opportunity to
share that with you this morning.
Thank you.
Senator Kyl. Thank you very much, Senator Bennett. As a
matter of fact, Senator Feinstein and I were just talking about
the criticisms which you leveled. These were criticisms that
were raised in earlier hearings that we had, as a matter of
fact, prior to the actual development of the Plan when we asked
whether or not it wouldn't be more appropriate to have a larger
role for the Defense Department, given the fact that our
national security is implicated when there is attack on other
government agencies than the Department of Defense. That
remains an ongoing concern that we have. We continue to
evaluate that and look into it with your assistance, as well.
Senator Bennett. Mr. Chairman, if I could raise an example
that I use sometimes when I give speeches on this subject--and
I will be giving another one around noon--we have in Utah a
steel mill, a very unusual place to put a steel mill in the
middle of Utah, next to Utah Lake. It was put there in 1942 for
strategic reasons.
The Government was afraid that a steel mill built in
Senator Feinstein's State might be subject to attack from the
Japanese. They wanted to put it far enough inland that a
Japanese bomber wouldn't be able to get to it. Steel mills, as
you know, require a fairly large body of water, and there is a
lake in Utah that was big enough. So this mill, which is known
as the Geneva Steel Mill, because they thought Utah Lake looked
a little like Lake Geneva in Switzerland--U.S. Steel built the
Geneva Steel Works on the borders of Utah Lake in 1942 as a
defense initiative. We needed more steel for our defense
purpose and we wanted to protect it.
Now, if the Japanese were to decide that that steel mill
was essential to our war effort and that they had to take it
out at almost any cost and launched a bomber from a carrier off
the coast of San Francisco to fly to Provo, UT, to try to
destroy the Geneva Steel Works, the responsibility of defending
that steel mill would obviously fall to the Department of
Defense, or in that case the War Department. We didn't have a
Department of Defense in 1942.
The responsibility of shooting down that bomber would lie
with the Army Air Corps, very clear lines of jurisdiction. And
if something happened to the steel mill, the War Production
Board would be responsible for trying to get it rebuilt, or
that capability rebuilt.
Today, if a hostile nation were to decide that an
installation somewhere in the United States was critical to
America's defense effort and they were to decide they were
going to take it down by a cyber attack, whose responsibility
is it to defend that facility? It is nowhere near as clear-cut
as the old paradigm, and that underscores what I am trying to
say.
We are in a whole new place now. Does the FBI have to
defend that critical segment of our economy against foreign
attack? Does the National Security Agency have a defense role
or is it strictly informational? Who is responsible for
reconstitution?
And I would ask you, Mr. Tritak, if I am allowed, do we
need an EFEMA? We have spent a lot of time in Y2K talking about
FEMA and reconstitution, as I have said. Do we need an EFEMA?
Does that need to be part of the Plan? These are the kinds of
issues that are much easier to raise than they are to solve.
But I put in terms of the analogy of the steel mill to
indicate how differently the world operates now and how the old
compartments of responsibilities no longer apply. And your
responsibility down at CIAO is to give us all the answers to
these terrible problems.
Senator Feinstein. Mr. Chairman, before Mr. Tritak
responds, would you add the example you just gave me on the oil
because I think it is relevant?
Senator Kyl. Sure. There are so many different examples.
The point is that while the defense and related national
security groups are in charge of their own security, as Senator
Bennett points out, there are innumerable implications to
national security from attacks on other agency computers.
We were just talking about, for example, the computers that
may keep track of world oil shipments and the like. What if
those are infiltrated for purposes designed to harm U.S.
national security? You know, the Commerce Department computers
may not be under the jurisdiction of the Department of Defense,
but does GSA or FBI or Commerce have the ability to do the
kinds of things that Senator Bennett talked about? No; the
Defense Department is the one that ought to be involved in
that.
That is why, as I say, these questions were raised earlier
on, and maybe you could provide an answer to some of the
questions that Senator Bennett has raised as to why the
Department of Defense wasn't more closely integrated into this
overall Plan.
Mr. Tritak. Well, let me say that the issue you have raised
about the information age knows no boundaries, whether
national, bureaucratic, private, public, is probably one of the
most significant implications and is going to require us to
really look very closely at what do we even mean by national
security anymore.
It was very clear when the threats were from a foreign
intruder that had to cross a boundary or our air space what
needed to be done. That wasn't the question. It is a lot more
difficult now. Obviously, no one wants a solution where we
create a veritable police state and the Nation's infrastructure
needs to be posted with guards or net force-type capabilities
on every computer system that may bear some effect on the
national economy. On the other hand, as you have pointed out,
the way our bureaucracies are currently organized, there are
clear lines of responsibility that don't really reflect the new
demands that are being posed by the information age.
I don't want to be in a position to define for the Defense
Department what they view their mission is. I believe, however,
it is fair to say that one of the missions they do have is to
ensure that the infrastructures of this country that are
necessary for the projection of power overseas or to mobilize
war is, in fact, a concern of theirs and they have, in fact,
been working on it.
So it wouldn't be true to say that they don't do
infrastructure protection within the United States, but it is
with a very clear focus on the Defense Department's missions.
And when you go beyond that to talk about the defense of the
Nation's infrastructures that are necessary for economic
security and delivery of human services, we get into a much
more complicated set of circumstances.
I am sad to say I don't have the answer to your question
right at the moment. But what I will say, though, is going back
to something that you raised actually in my first hearing when
I was on the job about 2 weeks, and you raised to me a question
that has over time really struck me as really at the core of
what we need to be turning to next, having gone through the Y2K
experience, and that is we accept the fact that the Nation's
infrastructures are mainly privately owned and that the
industry itself and the market should bear most of the
responsibility for reconstituting those systems should they
fail.
That was clearly the goal of Y2K and, in fact, they did a
very good job. Owners and operators of infrastructures have had
to deal with disruptions, whatever the cause, for at least 100
years. And this new information age is going to complicate that
because as more and more of their business operations go online
or become part of computer-controlled networks, they may become
more susceptible to deliberate disruption.
So we recognize that perhaps the first way to deal with
this is to raise the awareness with industry that this is a
problem that is emerging and what the threats are. There are
programs underway for the NIPC to brief industry on what is
actually going on to try to raise that level of awareness. We
are also as part of this partnership trying to raise this as
basically a case for action, that regardless of the source of
the disruption, they can't afford to have their systems go
down.
And the hope there is that the market itself will go a long
way to dealing with this problem, and then when there is a
shortfall between the two, that is really where government and
private industry need to work together to solve it.
Senator Kyl. If I could just interject and then we do need
to turn to our other panel, the problem is that industry is
working with cross-tensions here. In a competitive age, in a
deregulatory environment, it is not very cost-effective for
Energy to build in robust backup kinds of systems. And the net
result is that a lot of the systems are more fragile than they
used to be when you had monopolies and the Government was
ensuring that they had the money available to build this
robustness into the systems.
And I think particularly of communications and the Defense
Department and the national security Agencies and the other
parts of our Government relying to a significant extent on
literally commercial satellites which are very vulnerable. Our
communications, our transportation system, and certainly our
energy grid all serve both defense and nondefense needs. And in
all three of these areas, there are vulnerabilities that didn't
exist before that do exist now that are the business of the
United States from a defense point of view, and this is a point
that both Senator Bennett and Senator Feinstein have made.
I think there will need to be more analysis of how the
Defense Department and the NSA and other agencies can interface
with the system that is being developed here. Placing it where
it has been placed has been a conscious decision. I am inclined
to try to provide some significant oversight over the process,
but see how it evolves. And I think we are going to have to
have some additional discussion on this point as we go on.
I want to make it clear for those who are here, and perhaps
here for the first time that we tended not--except in the very
fine brief summary in Senator Feinstein's opening statement, we
haven't revisited what brought us here, the significant threat
to our way of life and to the national security of the United
States. We have gone into that at some length before and we
have even talked about some of the assumptions of this basic
Plan.
As I said in the beginning, this is the fifth hearing of
this subcommittee, and what I wanted to do today was to focus
on a specific issue which I will get to in the next panel which
has to do with privacy concerns, because I would note that our
ability to move forward as a government in this area is
dependent upon the approval of the citizens of the United
States to allow us to move forward. And if they have concerns
about a privacy issue, for example, we need to deal with those
up front or we are not going to be able to address these more
fundamental questions.
But I think it is good that Senator Bennett has reminded us
of one of the critical assumptions underlying the structure
that you have set up here and the fact that that assumption may
not be necessarily a valid one, that we may need to turn more
to the national security side of our Government to help us to
protect the critical infrastructure, and we will have to
evaluate that as time goes on.
Mr. Tritak. Senator, if I can make just one quick point in
answer actually to what I was actually leading up to, Senator,
and that is one of the things that struck me about a question
you asked fairly early in the Y2K Committee was when, whether,
and under what circumstances may the Federal Government play a
role in reconstituting privately-owned infrastructures.
Recognizing that we want the market to lead, what happens
if that fails, for whatever reason, and it is beginning to have
a deleterious effect on national security, economic security,
or delivery of vital services? That, to me, is the fundamental
question and, in fact, that is what we are beginning to turn to
now because I think it really is at the core of what you mean
by an EFEMA versus other things.
But we have begun to look at authorities. One place you
start is actually looking at existing authorities and where are
the shortfalls for those, and then developing clear ideas about
what contingencies might arise and to assure we can plan
against those contingencies. We don't know yet for sure what
contingencies would apply, but I think the question and the
issue is a valid one and you raised it in the Y2K context. I
think it is critical to CIP and part of what the Government's
responsibility is to defend the Nation in the event of an
attack, particularly if it comes from overseas.
Senator Kyl. Thank you very much. Well, obviously we will
have more questions for you. We will submit some for the
record. What we also I think would appreciate is an ongoing
communication from you as things evolve. Don't wait for a
hearing to come up and talk to us. Feel free to communicate
with us on an ongoing basis as the situation evolves so that we
will be up to speed with what you are doing.
Thank you again for being here today. Obviously, we could
spend all day on some of these issues.
[The prepared statement of Mr. Tritak follows:]
Prepared Statement of John S. Tritak
Mr. Chairman, it is an honor to appear before you here today to
talk with you about the National Plan for Information Systems
Protection, Version 1.0. This Subcommittee has shown exceptional
leadership on the matter of critical infrastructure assurance. I am
grateful for the opportunity to discuss the Administration's efforts to
achieve President Clinton's goal of establishing a full operational
capability to defend the critical infrastructures of the United States
by 2003 against deliberate attacks aimed at significantly disrupting
the delivery of services vital to our nation's defense, economic
security, and the health and safety of its people. This cannot be done
without the support and participation of the Congress.
1. INTRODUCTION
The Information Age has fundamentally altered the nature and extent
of our dependency on these infrastructures. Increasingly, our
Government, economy, and society are being connected into an ever
expanding and interdependent digital nervous system of computers and
information systems. With This interdependence comes new
vulnerabilities. One person with a computer, a modem, and a telephone
line anywhere in the world can potentially break into sensitive
Government files, shut down an airport's air traffic control system, or
disrupt 911 services for an entire community.
The threats posed to our critical infrastructures by hackers,
terrorists, criminal organizations and foreign Governments are real and
growing. The need to assure delivery, of critical services over our
infrastructures is not only a concern for the national security and
federal law enforcement communities, it is also a growing concern for
the business community, since the security of information
infrastracture is a vital element of E-commerce. Drawing on the full
breadth of expertise of the federal government and the private sector
is therefore essential to addressing this matter effectively.
President Clinton has increased funding on critical infrastructure
substantially during the past three years, including a 15 percent
increase in the fiscal year 2001 budget proposal to $2.0 billion. He
has also developed and funded new initiatives to defend the nation's
computer systems from cuber attack.
In the 18 months since the President signed Presidential Decision
Directive 63, we have made significant progress in protecting our
critical infrastructures. In response to the President's call for a
national plan to serve as a blueprint for establishing a critical
infrastructure protection (CIP) capability, the National Plan for
Information Systems Protection was released last month. It represents
the first attempt by any national Government to design a way to protect
those infrastructured essential to the delivery of electric power, oil
and gas, communications, transportation services, banking and financial
services, and vital human services. Increasingly, these infrastructures
are being operated and controlled through the use of computers and
computer networks.
The current version of the Plan focuses mainly on the domestic
efforts being undertaken by the Federal Government to protect the
Nation's critical cyber-based infrastructures. Later versions will
focus on the efforts of the infrastructure owners and operators, as
well as the risk management and broader business community. Subsequent
versions will also reflect to a greater degree the interests and
concerns expressed by Congress and the general public based on their
feedback. that is why the Plan is designated Version 1.0 and subtitled
An Invitation to a Dialogue--to indicate that it is still a work in
progress and that a broader range of perspective must be taken into
account if the Plan is truly to be ``national;'' in scope and
treatment.
THE PLAN: OVERVIEW AND HIGHLIGHTS
President Clinton directed the development of this Plan to chart
the way toward the attainment of a national capability to defend our
critical infrastructures by the end of 2003. To meet this ambitious
goal, the Plan establishes 10 programs for achieving three broad
objectives. They are:
Objective 1: Prepare and Prevent: Undertake those steps necessary to
minimize the possibility of a significant and successful attack on
our critical information networks, and build an infrastructure that
remains effective in the face of such attacks.
Program 1 calls for the Government and the private sector to
identify significant assets, interdependencies, and
vulnerabilities of critical information networks from attacks,
and to develop and implement realistic programs to remedy the
vulnerabilities, while continuously updating assessment and
remediation efforts.
Objective 2: Detect and Respond: Develop the means required to
identify and assess attacks in a timely way, contain such attacks,
recover quickly from them, and reconstitute those systems affected.
Program 2 will install multi-layered protection on sensitive
computer systems, including advanced firewalls, intrusion
detection monitors, anomalous behavior identifiers, enterprise-
wide management systems, and malicious code scanners. To
protect critical federal systems, computer security operations
centers will receive warnings from these detection devices, as
well as Computer Emergency Response teams (CERTs) and other
means, in order to analyze the attacks, and assist sites in
defeating attacks.
Program 3 will develop robust intelligence and law
enforcement capabilities to protect critical information
systems, consistent with the law. It will assist, transform,
and strengthen U.S. law enforcement and intelligence Agencies
to be able to deal with a new kind of threat and a new kind of
criminal--one that acts against computer networks.
Program 4 calls for a more effective nationwide system to
share attack warnings and information in a timely manner. This
includes improving information sharing within the Federal
Government and encouraging private industry, as well as state
and local Governments, to create Information Sharing and
Analysis Centers (ISACs), which would share information from
the Federal Government. Program 4 additionally calls for
removal of existing legal barriers to information sharing.
Program 5 will create capabilities for response,
reconstitution, and recovery to limit an attack while it is
underway and to build into corporate and Agency continuity and
recovery plans the ability to deal with information attacks.
The goal for Government and the recommendation for industry is
that every critical information system have a recovery plan in
place that includes provisions for rapidly employing additional
defensive measures (e.g., more stringent firewall
instructions), cutting off or shutting down parts of the
network under certain predetermined circumstances (through
enterprise-wide management systems), shifting minimal essential
operations to ``clean'' systems, and to quickly reconstitute
affected systems.
Objective 3: Build Strong Foundations: Take all actions necessary to
create and support the Nation's commitment to Prepare and Prevent
and to Detect and Respond to attacks on our critical information
networks.
Program 6 will systematically establish research requirements
and priorities needed to implement the Plan, ensure funding,
and create a system to ensure that our information security
technology stays abreast with changes in the threat
environment.
Program 7 will survey the numbers of people and the skills
required for information security specialists within the
Federal Government and the private sector, and takes action to
train current Federal IT workers and recruit and educate
additional personnel to meet shortfalls.
Program 8 will explain publicly the need to act now, before a
catastrophic event, to improve our ability to defend against
deliberate cyber-based attacks.
Program 9 will develop the legislative framework necessary to
support initiatives proposed in other programs. This action
requires intense cooperation within the Federal Government,
including Congress, and between the Government and private
industry.
Program 10 builds mechanisms to highlight and address privacy
issues in the development of each and every program.
Infrastructure assurance goals must be accomplished in a manner
that maintains, and even strengthens, American's privacy and
civil liberties. The Plan outlines nine specific solutions,
which include consulting with various communities; focusing on
and highlighting the impact of programs on personal
information; committing to fair information practices and other
solutions developed by various working groups in multiple
industries; and working closely with Congress to ensure that
each program meets standards established in existing
Congressional protections.
I would like to highlight a few of the programs in the remainder of
my testimony. In these programs, the Administration seeks to accomplish
two broad aims of the Plan--the establishment of the U.S. Government as
a model of infrastructure protection, and the development of a public-
private partnership to defend our national infrastructures.
A. The Federal Government as a model of information security
We often say that more than 90 percent of our critical
infrastructures are neither owned nor operated by the Federal
Government. Partnerships with the private sector and state and local
governments are therefore not just needed, but are the fundamental
aspect of critical infrastructure protection. Yet, The President
rightly challenged the Federal Government in PDD-63 to serve as a model
for critical infrastructure protection--to put our own house in order
first. Given the complexity of this issue, we need to take advantage of
the breadth of expertise within the Federal Government to ensure that
we enlist those Agencies with special capabilities and relationships
with private industry to the fullest measure in pursuit of our common
goal.
To this end, the President has developed and provided full or pilot
funding for the following key initiatives designed to protect the
federal Government's computer systems:
Federal Computer Security Requirements and Government
Infrastructure Dependencies. One component of this effort supports
aggressive, Government-wide implementation of federal computer security
requirements and analysis of vulnerabilities. Thus, in support of the
release of the National Plan, the President announced his intent to
create a permanent Expert Review Team (ERT) at the Department of
Commerce's National Institute of Standards and Technology (NIST). The
ERT will be responsible for helping Agencies identify vulnerabilities,
plan secure systems, and implement Critical Infrastructure Protection
Plans. Pursuant to existing Congressional authorities and
administrative requirements, the Director of the team would consult
with the Office of Management and Budget and the National Security
Council on the team's plan to protect and enhance computer security for
Federal Agencies. The President's Budget for fiscal year 2001 will
propose $5 million for the ERT.
Under PDD-63, the President directed the CIAO to coordinate
analyses of the U.S. Government's own dependencies on critical
infrastructures. Many of the critical infrastructures that support our
nation's defense and security are shared by a number of Agencies. Even
within Government, critical infrastructure outages may cascade and
unduly impair delivery of critical services. The CIAO is coordinating
an interagency effort to develop a more sophisticated identification of
critical nodes and system, and to understand their impact on national
security, national economic security, and public health and safety
Government-wide. These efforts support the work of the ERT in
identifying vulnerabilities of the Government's information
infrastructures, and provide valuable input to Agencies for planning
secure computer systems and implementing computer security plans. This
research, when complete, will permit the Federal Government to identify
and redress its most significant critical infrastructure
vulnerabilities first and provide the necessary framework for well
informed critical infrastructure protection policy making and budget
decisions.
Federal Intrusion Detection Network (FIDNet). PDD-63 marshals
Federal Government resources to improve interagency cooperation in
detecting and responding to significant computer intrusions into
civilian Government critical infrastructure nodes. The program--much
like a centralized burglar alarm system--would operate within long-
standing, well-established legal requirements and Government policies
covering privacy and civil liberties. FIDNet is intended to protect
information on critical, civilian Government computer systems,
including that provided by private citizens. It will not monitor or be
wired into private sector computers. All aspects of the FIDNet will be
fully consistent with all laws protecting the civil liberties and
privacy rights of Americans.
To support this effort, the Administration will propose funding in
the President's fiscal year 2001 Budget ($10 million) to create a
centralized intrusion detection and response capability at the General
Services Administration (GSA). This capability will function in consort
with GSA's Federal Computer Incident Response Capability, and assist
Federal Agencies to:
detect and analyze computer attacks and unauthorized
intrusions;
share attack warnings and related information across
Agencies; and
respond to attacks in accordance with existing procedures
and mechanisms.
FIDNet is intended to promote confidence in users of Federal
civilian computer systems. It is important to recognize that FIDNet has
a graduated system for response and reporting attack and intrusion
information would be gathered and analyzed by home-Agency experts. Only
data on system anomalies would be forwarded to GSA for further
analysis. Thus, intrusion detection would not become a pass-through for
all information to The Federal Bureau of Investigation or other law
enforcement entities. Law enforcement would receive information about
computer attacks and intrusions only under long-standing legal rules--
no new authorities are implied or envisioned by the FIDNet program.
One additional benefit of Government-wide intrusion detection is to
improve computer intrusion reporting and the sharing of incident
information consistent with existing government computer security
policy. Various authorities require Agencies to report criminal
intrusions to appropriate law enforcement personnel, which include the
National Infrastructure Protection Center.
FIDNet will support law enforcement's responsibilities where cyber-
attacks are of a criminal nature or threaten national security.
In short, FIDNet will:
be run by the GSA, not the FBI;
not monitor any private network traffic;
confer no new authorities on any Government Agency; and
be fully consistent with privacy law and practice.
Federal Cyber Services (FCS). One of the nation's strategic
shortcomings in protecting our critical infrastructures is a shortage
of skilled information technology (IT) personnel. Within IT, the
shortage of information systems security personnel is acute, The
Federal Government's shortfall of skilled information systems security
personnel amounts to a crisis. This shortfall reflects a scarcity of
university graduate and undergraduate information security programs and
the inability of the Government to provide the salary and benefit
packages necessary to compete with the private sector for these highly
skilled workers. In attacking this problem through the Federal Cyber
Services initiative described below, we are leveraging the initial
efforts made by the Defense Department, National Security Agency, and
some other Federal Agencies. The President's Budget for fiscal year
2001 will propose $25 million for this effort.
The Federal Cyber Services training and education initiative,
highlighted by the President at the Plan's release, introduces five
programs to help solve the Federal IT security personnel problem.
a study by the Office of Personnel Management to identify
and develop competencies for federal information technology
(IT) security positions, and the associated training and
certification requirements.
the development of Centers of IT Excellence to establish
competencies and certify current Federal IT workers and
maintain their information security skill levels throughout
their careers.
The creation of a Scholarship for Service (SFS) program to
recruit and educate the next generation of Federal IT managers
by awarding scholarships for the study of information security,
in return for a commitment to work for a specified time for the
Federal Government. This program will also support the
development of information security faculty.
The development of a high school outreach and awareness
program that will provide a curriculum for computer security
awareness classes and encourage careers in IT fields.
The development and implementation of a Federal Information
Security awareness curriculum aimed at ensuring computer
security literacy throughout the entire Federal workforce.
Research and Development. A key component to our ability to protect
our critical infrastructures now and in the future is a robust research
and development plan. As part of the structure established by PDD-63,
the interagency Critical Infrastructure Coordination Group (CICG)
created a process to identify technology requirements in support of the
Plan. Chaired by the Office of Science and Technology Policy (OSTP),
the Research and Development Sub-Group works, with Agencies and the
private sector to:
gain agreement on requirements and priorities for
information security research and development;
coordinate among Federal Departments and Agencies to ensure
the requirements are met within departmental research budgets
and to prevent waste or duplication among departmental efforts;
communicate with private sector and academic researchers to
prevent Federally funded R&D from duplicating prior, ongoing,
or planned programs in the private sector or academia; and
identify areas where market forces are not creating
sufficient or adequate research efforts in information security
technology.
That process, begun in 1998, has helped focus efforts on
coordinated cross-government critical infrastructure protection
research. Among the priorities identified by the process are:
technology to support large-scale networks of intrusion
detection monitors;
artificial intelligence and other methods to identify
malicious code (trap doors) in operating system code;
methodologies to contain, stop, or eject intruders, and to
mitigate damage or restore information-processing services in
the event of an attack or disaster,
technologies to increase network reliability, system
survivability, and the robustness of critical infrastructure
components and systems, as well as the critical infrastructures
themselves; and
technologies to model infrastructure responses to attacks or
failures; identify interdependencies and their implications;
and locate key vulnerable nodes, components, or systems.
The President's Budget for fiscal year 2001 will propose $606
million across all Agencies for critical infrastructure related R&D
investment.
The need exists, however, to coordinate R&D efforts not just across
the federal Government, but between the public and private sectors as
well. A fundamentally important initiative that has the ability to pull
disparate pieces of the national R&D community into closer
relationships is the Institute for Information Infrastructure
Protection (I3P), an organization created to identify and
fund research and technology development to protect America's
cyberspace from attack or other failures. I will discuss this in detail
when I address Public-Private Partnership issues.
Public Key Infrastructure. Protecting critical infrastructures in
the Federal Government and private sectors requires development of an
interoperable public key infrastructure (PKI). A PKI enables data
integrity, user identification and authentication, user non-
repudiation, and data confidentiality through public key cryptography
by distributing digital certificates (essentially electronic
credentials) containing public keys, in a secure, scalable, and
reliable manner. The potential of PKI has inspired numerous projects
and pilots throughout the Federal Government and private sectors. The
Federal Government has actively promoted the development of PKI
technology and has developed a strategy to integrate these efforts into
a fully functional Federal PKI. The President's Budget for fiscal year
2001 will propose $7 million to ensure development of an interoperable
Federal PKI.
To achieve the goal of an integrated Federal PKI, and protect oar
critical infrastructures, the Federal Government is working with
industry to implement the following program of activities:
Connect Agency-wide PKIs into a Federal PKI. DoD, NASA, and
other Government Agencies, are actively implementing Agency-
wide PKIs to protect their internal critical infrastructures.
While a positive step, these isolated PKIs do not protect
infrastructures that cross Agency boundaries. Full protection
requires an integrated, fully functional PKI.
Connect the Federal PKI with Private Sector PKI: Private
sector groups are actively developing their own PKIs as well.
While a positive step, these isolated PKIs do not protect
infrastructures that cross Government or industry sector
boundaries.
Encouraging Development of Interoperable Commercial Off-the-
Shelf (COTS) PKI Products: Limitation to a single vendor's
solution can be a Serious impediment, as most organizations
have a heterogeneous computing environment. Consumers must be
able to choose COTS PKI components that suit their needs.
Validating the Security of Critical PKI Components:
Protecting critical infrastructures require sound
implementation. The strength of the security services provided
to the critical infrastructures depends upon the security of
the PKI components. Validation of the security of PKI
components is needed to ensure that critical infrastructures
are adequately protected. NIST is pursuing a validation program
for PKI components.
Encouraging Development of PKI-Aware Applications: To
encourage development of PKI-aware applications, the Government
is working with vendors in key application areas. One example
is the secure electronic mail projects that have been performed
jointly with industry.
B. Public-Private partnership
The security of information flowing over the information highway is
a critical element of E-commerce, as well as to our national security.
It is a necessary part of building trust in the accuracy and integrity
of transactions made over the information infrastructure. There is a
growing awareness that America's information infrastructure--the basis
of E-Commerce--is becoming an increasingly attractive target for
deliberate attack or sabotage. A strategy of cooperation and
partnership between the private sector and the U.S. Government to
protect the Nation's infrastructure is the linchpin of this effort. The
President is committed to building partnerships with the private sector
to protect our computer networks through the following initiatives:
Institute for Information Infrastructure Protection
(I3P). The Institute would identify and address serious R&D
gaps that neither the private sector nor the Government's national
security community would otherwise address, but that are necessary to
ensure the robust, reliable operation of the national information
infrastructure. The President announced he would propose initial
funding of $50 million for the Institute in his fiscal year 2001
Budget. Funding would be provided through the Commerce Department's
National Institute of Standards and Technology (NIST) to this
organization. The Institute was first proposed by the scientists and
corporate officials who served on the President's Committee of Advisors
on Science and Technology, and supported by leading corporate Chief
Technology Officers.
The Institute will work directly with private sector information
technology suppliers and consumers to define research priorities and
engage the country's finest technical experts to address the priorities
identified. Research work will be performed at existing institutions
including private corporations, universities, and non-profit research
institutes. The Institute will also make provisions to accept private
sector support for some research activities.
Partnership for Critical Infrastructure Security. Last December,
Commerce Secretary Daley met with senior representatives from over 90
major corporations, most fortune 500, representing owners and operators
of critical infrastructures, their suppliers, and their customers, to
discuss the building a Partnership for Critical Infrastructure
Security. Industry has taken the lead on this effort and organized a
meeting at the U.S. Chamber of Commerce far later this month to give
substance and purpose to the Partnership.
The Partnership will explore ways in which industry and Government
can work together to address the risks to the nation's critical
infrastructures. Federal Lead Agencies are currently building
partnerships with individual infrastructure sectors in private
industry, including communications, banking and finance,
transportation, and energy. The Partnership will serve as a forum in
which to draw these individual efforts together to facilitate a
dialogue on cross-sector interdependencies, explore common approaches
and experiences, and engage other key professional and business
communities that have an interest in infrastructure assurance. By doing
so, the Partnership hopes to raise awareness and understanding of, and
to serve, when appropriate, as a catalyst for action among, the owners
and operators of critical infrastructures, the risk management and
investment communities, other members of the business community, and
state and local Governments.
National Infrastructure Assurance Council (NIAC). President Clinton
established the NIAC by Executive Order 13130 on July 14, 1999. When
fully constituted, it will consist of up to 30 leaders in industry,
academia? the privacy community, and state and local Government. The
NIAC will provide advise and counsel to the President on a range of
policy matters relating to critical infrastructure assurance, including
the enhancement of public-private partnerships, generally.
III. CONCLUSION
In conclusion, the National Plan is an important step forward. My
staff and I are committed to building on this promising beginning,
coordinating the Governments efforts into an integrated program for
critical infrastructure protection in support of the National
Coordinator for Security, Infrastructure Protection, and Counter-
Terrorism, and the Federal Government, generally. We have much work
left to do, and I hope to work with the members of this committee,
indeed with the Congress as a whole, as we wrestle with this developing
field. I look forward to your questions.
Senator Kyl. I would like to bring our next panel forward
now to look specifically at the National Plan and privacy
issues associated with it. We will have two witnesses. The
first witness is Mr. Marc Rotenberg, executive director of the
Electronic Privacy Information Center, EPIC. Mr. Rotenberg also
teaches on information privacy at Georgetown Law School. He has
testified before Congress, advocating strong privacy protection
in the Internet age.
He has also followed the work of this subcommittee quite
closely, stating in a 1998 study entitled ``Critical
Infrastructure and the Endangerment of Civil Liberties'' that
in the fight for diminishing resources--I am going to quote
now, Senator Feinstein--
the intelligence community and the Pentagon also
ensured a body of congressional champions of
information warfare advocates and supporters. Chief
among them are Senator Jon Kyl--
thank you--
whose Subcommittee on Technology, Terrorism, and
Government Information has held numerous hearings
featuring doom-and-gloom witnesses complaining that the
Nation is on the verge of an electronic Pearl Harbor,
and even more distastefully, an electronic Oklahoma
City.
In any event, thank you for appearing and following our
hearings, Mr. Rotenberg. We will place your full statement in
the record and in a moment ask you to provide a summary of
that.
The other witness in this panel is Frank Cilluffo, senior
policy analyst at the Center for Strategic and International
Studies. He directs seven task forces on a range of topics,
including information warfare and information assurance,
terrorism, and financial crimes. These task forces comprise
over 175 senior officials and experts from the academic,
defense, intelligence, law enforcement, and corporate
communities. We will place your full statement in the record as
well and ask both of you to summarize your comments.
So, first, Mr. Rotenberg.
PANEL CONSISTING OF MARC ROTENBERG, EXECUTIVE DIRECTOR,
ELECTRONIC PRIVACY INFORMATION CENTER, WASHINGTON, DC; AND
FRANK J. CILLUFFO, SENIOR POLICY ANALYST, CENTER FOR STRATEGIC
AND INTERNATIONAL STUDIES, WASHINGTON, DC
STATEMENT OF MARC ROTENBERG
Mr. Rotenberg. Thank you, Mr. Chairman and Senator
Feinstein. I am grateful to be here with the opportunity to
talk about privacy. I should say at the outset that there is
really no disagreement about the need to keep the Nation's
computer network secure and safe from attack. Outages cause
disruption for industry. They cause disruption for users, and
certainly they pose questions of public safety and national
security.
At the same time, I would like to suggest to you in
reviewing the Plan that it is very important to keep in mind
the history of the growth of the Internet, as well as our
country's recent experience with computer security policy to
ensure that the plan that is followed through on actually is
the best way to protect this underlying interest. In my
testimony, I outline some of this history. I would like to
briefly highlight a couple of points and then focus in on the
FIDNet proposal.
The first point I would like to make is regarding the
nature of the Internet itself. This is a very robust
communication infrastructure that was designed with the
understanding that a foreign adversary may well cause an attack
that could have taken out a traditional channel switch network,
like a telephone network, for example. And in this old style of
networking, if you take out one of the points along the line,
the whole line goes down and you cannot get information
through.
The Internet relied on a different architecture. It was
decentralized, it used multiple nodes. It used a type of
switching technology called packet switching which made it
possible to move information from one point to another, even if
some of the points in between along the way had been taken out,
and this made it very robust. It also interestingly made it
equally secure against attack from a foreign adversary, as well
as a natural disaster or even a winter storm.
Now, I don't mean to suggest to you that there aren't real
risks to the Internet today. There are, and I think the
subcommittee has done a good job of documenting these risks.
But at the same time, I would like to suggest to you that the
architects of this infrastructure, the designers, were very
much aware from the outset of the need to create a
communications network that could withstand attack and that
could continue to operate. And this is important to understand
what security is about.
The second point I would like to say is that, frankly,
during the past decade the Federal Government's record in the
area of promoting computer security has been quite mixed. And
as you are no doubt aware, the private sector user
organizations, privacy organizations, have expressed a lot of
concern that many of these proposals that seek at the outset to
promote computer security in the end create a lot of computer
surveillance, and that whereas a private organization might try
to make a system more robust or more difficult to attack or
take down, the Government invariably comes up with proposals
that make it easier to monitor and to spy on.
Nowhere was this problem more clearly demonstrated than in
the difficulty of developing an encryption policy that would
work for the Government and for the private sector. Now, I am
not going to go through all that history, but I do want to
provide for you one very simple example of the difficulties
that the Federal Government's computer security policy over the
last decade created for computer users and for private
industry, and it has to do with the online transactions
involving credit card purchases.
When people went online last Christmas to buy books or CD's
or gifts for their families, many of them were typing in credit
card numbers, and what secured those credit card numbers so
that they could not be stolen by thieves or anybody else was a
little bit of encryption built into the software that they were
using. They weren't even aware of it, but it scrambled the
credit card number so that it would go from their computer to
the Web site where they were buying this product online and
protected that information.
Now, you can design that encryption so that it is very
strong, so that it is difficult to break. But the Federal
Government was very reluctant to make that type of strong
encryption widely available because they said if we make that
available for American consumers, it could also fall into the
wrong hands. So what they tried to do instead is they said we
are going to create two levels of encryption, one level the
strong kind that will let American consumers use it if they
prove that they are U.S. citizens, and another a weak kind that
will let U.S. companies market to foreign users because they
are going to need some encryption, but it is not going to be as
strong.
Well, the result of that policy, as I describe in my
testimony, was that this past Christmas season when U.S.
consumers were buying products from U.S. businesses in the
United States, they were invariably using the weak encryption
because of a government policy that was trying to keep strong
encryption out of the hands of foreign users. This is a
reoccurring problem in the computer security field. I think the
Plan as currently described is going to recreate this problem
and I want to bring it to your attention today. It is a very
real problem.
Now, I am going to focus now on FIDNet. A couple of things
were said by Mr. Tritak during the last panel, and I hope you
will ask me a couple of questions about this, but I have to say
at the outset what disturbed me most about Mr. Tritak's
presentation--in some ways it is not surprising--is having said
on the one hand that the Government is very much aware of
privacy issues and privacy laws, and intends to respond to
these concerns because they are widely shared by the American
public, Mr. Tritak was unaware that the type of government
monitoring that is proposed in the Plan as described in FIDNet
would fall under the legal rules set out in our Communications
Privacy Act, passed in 1986 with strong bipartisan support.
He seemed to think that because this wasn't voice
communication, it wasn't subject to any legal rules. That is
simply not correct. But it was even more disturbing, as I
described in my testimony, that in a memo that was prepared by
the Department of Justice by Mr. Ron Lee to Mr. Tritak's
predecessor, Mr. Hunker, who is the Director of the CIAO, Mr.
Lee outlined the problem. He said, you have got a real issue
here. The type of network monitoring which one agency like the
DOD would be permitted to do on its own computer networks which
you are now proposing under the Plan to do across all
government computer networks clearly would fall under the
Communications Privacy Act. And if you want to do this, advised
Mr. Lee, you are going to have to notify all people using
government computer networks, not just Federal employees but
also U.S. citizens, that they will have no right of privacy
using the network.
Now, that is frankly the suggestion that is put forward by
Mr. Lee and the Department of Justice that could, in effect,
make the privacy issue go away. But it is a solution that I
think privacy organizations across the political spectrum would
have a great deal of difficulty with. And as I have tried to
suggest in the testimony, I think for the Government to say, in
effect, you have no legal rights of privacy when you are using
the Government computer system would be contrary not only to
the Federal wiretap statute, but also our Privacy Act, passed
in 1974, and our whole fourth amendment tradition which
basically says, yes, the Government has the right to search and
protect public safety, but it has to be done in a way that
recognizes the balance of power within our Government; that the
executive branch, the Federal agencies may conduct these
activities, but they have to be reviewed by the judicial
branch.
The other point which I would like to briefly say, Mr.
Chairman, is that there was in my testimony a reference to the
use of credit card information and telephone toll record
information. And you asked a question which I certainly thought
was very appropriate, and that is what type of information
would be collected in trying to assess system anomalies because
this, of course, is the basis for the search that the
Government agencies will conduct.
Now, I don't know exactly what the plan is, and I think Mr.
Tritak is correct to say that this is still a Plan in
development. But I do have here and am pleased to provide for
the subcommittee a memo from Mr. Hunker outlining the National
Plan and, ``how we get industry buy-in.'' And contained in this
Plan is one slide titled ``Profiling System Anomalies.'' The
first bullet point is ``Systematic Identification of Suspicious
and Anomalous Behavior Based on Algorithms to Analyze
Similarities and Match Behavioral Patterns.''
And then there are three lines. The first line, which
frankly I don't understand, says ``Traditional Psycho-
Linguistics.'' The second line is ``Credit Card Profiling,''
and the third line is ``Toll Fraud Profiling.'' And this is
from a memo that was prepared by Mr. Hunker describing how
system anomalization might be identified.
And I should say, in fairness, Mr. Chairman, that this is a
big, complex area. I wouldn't expect Mr. Tritak to be familiar
with all the details, but I think if we are to take seriously
the commitment to privacy protection, we need a clear
understanding about the application of U.S. privacy laws, and
we clearly need more information about what type of information
will be collected from U.S. citizens.
You see, when you set up intrusion detection, it is not
just the bad guys and the people who are intent on causing us
harm that you are going to be tracking and monitoring. You are
going to be tracking U.S. employees working for U.S. firms in
London and Tokyo, U.S. trade officials in Geneva and Paris,
U.S. computer researchers in Dublin and Tel Aviv, and U.S.
citizens within the United States. All of these people will
become subject to the monitoring scheme that is outlined in the
FIDNet proposal.
So I would be pleased to answer your questions and I thank
you again for the chance to be here.
Senator Kyl. Thank you.
[The prepared statement of Mr. Rotenberg follows:]
Prepared Statement of Marc Rotenberg
Mr. Chairman, members of the Subcommittee, thank you for the
opportunity to testify today regarding the privacy implications of the
Administration's proposed National Plan for Information Systems
Protection. My name is Marc Rotenberg and I am the executive director
of the Electronic Privacy Information Center, a research and advocacy
organization, located here in Washington, DC. EPIC has a general
interest in privacy protection and a particular interest in ensuring
that efforts to promote computer security do not undermine basic
American liberties. For over a decade we have reviewed proposals for
information system security in the federal government, made
recommendations for changes, and pursued litigation where appropriate.
I should say at the outset that we are all aware that our nation
has become increasingly dependent on the hi-tech infrastructure for
everything from power and communications to transportation and national
defense. Moreover, it is quite likely that others who intend to do us
harm would target this infrastructure in an effort to disable or
disrupt essential communications resources.
Nonetheless our fear of attack and our need to protect public
safety should not lead us to take actions that are wasteful, misguided,
or ultimately undermine the values that we seek to defend. We should be
particularly careful that the solutions that are pursued reflect the
full range of risks to our nation's communications network. The plan
presumes that threats to the nation's infrastructure are from
adversaries intent on causing harm to the United States and that
therefore steps must be taken to ``defend our federal cyber systems.''
Security standards that treat all risks as simply defending against
foreign threats will ultimately not serve us well.\1\
---------------------------------------------------------------------------
\1\ The developers of the Plan are aware of this as well, but they
often obscure the problem. On the very first page of the report, the
writers describe several genuine security problems with the nation's
computer systems but then say, ``All of these events have occurred--not
on the same day, and not all the result of deliberate action by
America's adversaries--but all within the last 36 months.'' The message
should be stated more clearly: not all threats to the nation's computer
systems will be malicious attacks from overseas.
---------------------------------------------------------------------------
In this spirit, I would like to remind the Committee that the
winter storm that hit Washington, DC last week did far more damage to
the operation of government, the use of our transportation systems, and
our supply networks than the widely touted Y2K bug which has consumed
so much attention in the federal government. Defending America's
cyberspace may require preparation against winter ice storms as well as
malicious hackers in foreign countries.
To assess the National Plan for Information System Protection, you
must first recall that the Internet, which has emerged from the
ARPANet, was designed to continue operation even after an attack from a
foreign government. Robustness was key to the design. Protecting the
Internet from attack is hardly a new problem; it was the basis of its
creation.
The key to the Internet's resilience, and what distinguished it
from the channel-switched communications networks that proceeded it, is
a decentralized architecture that allows multiple-routings for,
messages sent between the same two points. If, for example, a person
wished to send a message from Pittsburgh to Flagstaff in the old
telephone network, an outage at the main switch in Phoenix could
prevent a call from ever getting through. But in the packet-switched
network, where messages could be broken up into small pieces, sent
through different channels and then put back together, the disruption
at one node would not prevent communications from going through.
In designing the Internet, the engineers recognized that a
traditional top-down command and control structure would be vulnerable
to attack and that a different way to move information would be
necessary. History has shown that the design was well conceived. Over
the last thirty years there have been only two incidents that really
took down the Internet--and both resulted from software glitches.
It is important also to understand that the Internet really doesn't
care whether a node is down because of a military attack or a winter
storm--it is equally resistant to both purposeful assault and natural
disaster.
Work on Internet security today continues largely in the open among
researchers and experts all around the world. Critical to the future of
network security is the open exchange of information among security
experts, the opportunity to publish findings in the open literature,
and the chance to challenge, even attack, another programmer's work.
This process which relies on cooperation and the exchange of ideas is
the best way to identify security flaws and encourage trust among
users.
This work is not done simply by US citizens or US companies.
Computer researchers around the world have all played an important role
in developing the protocols and promoting the architecture that secures
the Internet in the United States and around the world. Indeed the
cryptographic techniques that help protect computers in this country
were developed by researchers in Japan, Israel and elsewhere.
Unfortunately, the National Plan ignores much of this history. It
draws sharp boundaries based on national interests. It treats threats
to network reliability as primarily threats from abroad and downplays
the risk of software glitches and winter storms. The plan urges the
development of computer security experts charged with defending the
nation's infrastructure. This view of computer scientists, as soldiers
with keyboards, misses the critical point that computer security is an
international enterprise.
Ultimately the Plan views the Internet as a domestic communications
structure that must be secured from above from foreign threats. But the
original architects of the network knew better. A communications
network that can be secured from above can also be taken out from
above.
ADMINISTRATION HAS CREATED SECURITY PROBLEMS
My second point is that the federal government's recent efforts to
promote computer security in the private sector have created more
problems than they have solved. For the past decade the federal
government was largely responsible for preventing the widespread
availability of encryption and security tools that would have made the
nation's computer systems more secure and less vulnerable to attack.
It is only in the past few months, after heavy lobbying by
industry, pressure from Congress, and the continued voice of privacy
organizations, that the administration has begun to back off the
complex and short-sighted export control regime that has not only
prevented the development and sale of good security products but also
the implementation of better security systems in our country.
The problem is that the federal government has two very distinct
views of computer security: one commonly called COMSEC, refers to
Communications Security, the other SIGINT, refers to Signals
Intelligence. In the COMSEC view of the world there is general
agreement about the need to promote security and to make systems more
difficult to attack. But in the SIGINT view of the world, the
government seeks to get into computers, to intercept communications and
to gather information that may be useful to protect the nation's
security.
In no agency are the two notions more at odds than the National
Security Agency. The NSA simultaneously attempts to promote strong
security standards for the nation's computer systems and at the same
time to develop the methods to crack codes, break into networks, and
seize valuable intelligence. (And even with the resources at the NSA to
promote computer security, problems remain. The newspapers reported
last week that there was a significant failure at the NSA that took
down key systems for several days.)
The Administration said that with many of its early encryption
proposals it was trying to balance these competing interests, but the
SIGINT interests were clearly undermining the COMSEC efforts. As a
result, deeply flawed technical standards, such as the escrowed
encryption standard, were put forward and the nation's computer systems
remained vulnerable to attack. Also, tens of millions, possibly
hundreds of millions of dollars were wasted trying to make these
proposals designed by experts in SIGINT work.
The Administration also claimed that: the export controls rules
that limited the development of encryption products were only intended
to control the availability of strong encryption outside of the United
States. But in practice the rules kept strong encryption away from
American users. For example, there are encryption protocols in software
that protect credit card purchases on the Internet. But because of the
government's export policy, US manufacturers were required to provide
two versions--a strong 128-bit version for US citizens, and a weaker
40-bit version for non-US citizens. Because of the additional paperwork
required for US citizens to download the 128-bit version, many users
simply left the 40-bit version in place. As a result US consumers
buying products from US companies in the United States were using a
weak version of encryption because of a policy that was intended to
prevent strong encryption from being made available overseas. This is
exactly the kind of problem that will be replayed under the National
Infrastructure Protection Plan unless its proponents take a much
broader view of the problems in computer security.
Much will be done in the next few years to improve network security
in the private sector and across the federal agencies if the federal
government simply stays out of the way. Institutions have a clear
interest in safeguarding the security of their systems, but the federal
government's interests are more divided. Until trust is reestablished
in the security field, it would be better for the federal government to
follow rather than lead.
PRIVACY SAFEGUARDS IN PLAN ARE INSUFFICIENT
Largely in response to concerns raised by privacy organizations and
members of Congress about the original plan for Critical Infrastructure
Protection, the new Information Systems Security Plan discusses the
privacy issue at some length. There is much said about the need to
protect privacy and uphold privacy laws. But in the end the
recommendations on privacy fall short when compared with the enormous
surveillance authority that will be given to the federal government.
The Plan sets out a series of ``solutions'' to address privacy
concerns. It requests input from the privacy community, but establishes
no formal process to incorporate recommendations. The plan proposes a
legal review of elements of the plan, but most of the plan, including
specific mission objectives and milestones, has already been
established. The privacy section describes the need to review various
privacy issues, but then focuses on such concepts as ``consent'' and
``disclosure'' that are clearly intended to facilitate government data
collection and monitoring. The Plan's authors propose an annual
conference and some consideration of privacy issues by the National
Infrastructure Advisory Council, which is also tasked with a wide range
of other responsibilities. And if the private sector membership of this
Council is required to hold government security clearances, as is so
often the case with similar bodies, it will limit the ability of
citizens and independent experts to provide meaningful input as the
proposal goes forward.
The section on privacy stands in sharp contrast to the other
sections of the plan where the drafters outline ambitious, expensive
and far-reaching proposals for government agencies. Nowhere does the
Plan answer such questions as what formal reporting requirements will
be established, what independent review will be conducted, and what
mechanisms for public accountability and government oversight will be
put in place. The federal wiretap law, for example, contains an annual
reporting requirement so that the Congress and the public can review
the use of wiretap authority by the federal government. The Computer
Security Act established a Computer System Security and Privacy
Advisory Board that has held frequent meetings, issued reports and
adopted resolutions on privacy and security matters for almost a
decade. Where is the same institutional commitment in the Security Plan
to ensure oversight and accountability?
It is also clear that the absence of a privacy agency in the
federal government with the staff, expertise and resources to review
the Information Protection plan and other similar proposals remains a
critical problem. Having announced a commitment to ensure the
protection of civil liberties, it seems clear that some institutional
balance must be established to ensure that these proposals receive
adequate review. Isn't it possible that in this vast budget to erect
all of these elaborate surveillance techniques that Congress could set
aside 3 percent to establish a federal privacy agency that could
actually help safeguard the rights of Americans? This would be a small
investment in what many Americans consider their number one concern
about our nation's communications infrastructure--the protection of
personal privacy.
PROBLEMS WITH FIDNET
While it remains unclear whether the proposed Plan will in fact
promote network security, one point is clear: the plan will
dramatically expand the ability of the federal government to monitor
the activities of Americans all across the country. The plan recommends
the development of a Federal Intrusion Detection Network (``FIDNET''),
an open-ended monitoring authority that essentially gives a single
federal agency the authority to track communications across all federal
computer networks. According to the New York Times, ``networks of
thousands of software monitoring programs would constantly track
computer activities, looking for indications of computer network
intrusions and other illegal acts.''
This is an extraordinary surveillance authority, unlike any
capability that currently exists in the federal government. Last year
civil liberties organizations warned that this proposal would create
dramatic new government authority to monitor American citizens. The
drafters of the Plan are aware of this criticism and believe they have
addressed this problem. I tell you today that the problems with FIDNET
remain.
I would like to draw your attention to a March 8, 1999 memo from
Mr. Ronald D. Lee, Associate Deputy Attorney General, to Mr. Jeffrey
Hunker, Director of the Critical Infrastructure Assurance Office. (This
memo was obtained by EPIC under a Freedom of Information Act request
and is attached to this testimony.)
Mr. Lee says at the outset it is important to ``precisely identify
under what legal authority the FIDNET program is to be conducted.
Because monitoring ongoing communications is a wiretap within the
meaning of 18 U.S.C. Sec. 2511, it can only be authorized pursuant to a
wiretap order, or some relevant exemption to the statute.''
Mr. Lee goes on to say that while an individual federal agency
would have the right to monitor its own network to ``protect against
network intrusions, this does not mean that the GSA is a 'service
provider' within the meaning of the statute for the entire federal
government.''
Mr. Lee concludes that the only way that the GSA could conduct the
type of monitoring contemplated in the FIDNET proposal would be if the
federal government would notify all users of federal computer systems
that they would be subject to monitoring. Such a policy would cover not
only federal employees but all Americans who make use of a federal
computer system.
While Mr. Lee indicates that the Justice Department favors this
type of government-wide ``no privacy'' warning notice, I want to make
very clear that privacy organizations across the political spectrum
would oppose such a proposal as a violation of the spirit of the
federal wiretap statute, the plain language of the federal Privacy Act,
and contrary to the Fourth Amendment. US law simply does not give the
government the right to conduct such general purpose searches. The
history of the Fourth Amendment reveals a clear intent to require the
government to set out the specific circumstances for a search to occur.
There is no ``cyber threat'' exception to the Fourth Amendment. The
fact that the government announces that a warrantless search may occur
is hardly a sufficient legal basis to permit such searches to take
place.
There are other indications, contained in materials that we
received under the FOIA, that the CIAO intends to make use of credit
card records and telephone toll records as part of its intrusions
detection system. Access to these records raises specific problem under
US law.
The FIDNET proposal, as currently conceived, must simply be
withdrawn. It is impermissible in the United States to give a federal
agency such extensive surveillance authority.
RECOMMENDATIONS
As the White House plan currently stands, it raises far-reaching
privacy problems. The designers of the plan are trying to apply
twentieth century notions of national defense to twenty-first century
problems of communications security. Such an approach will leave our
networks ill-prepared to face the challenges of tomorrow.
In too many places the Plan relies too heavily on monitoring and
surveillance and not enough on integrity and redundancy. To give a
simple example, there are public telephones all across this country
filled with money. One way to implement security would be to install
cameras and recording devices inside each phone booth to monitor each
person's use of the phone to ensure that it is appropriate and to
determine whether any efforts are being made to steal the money stored
inside the phone. Another approach would simply be to make the phones
more secure and the money more difficult to steal. The phone companies
have wisely chosen the second approach. The federal government still
seems interested in the first.
Everyone wants to ensure that the computer networks that our
country relies on remain secure, safe and free from disruption. On this
point there is no disagreement. However, there is disagreement as to
whether an intrusive, government-directed initiative that views
computer security as almost solely defending ``our cyberspace'' from
foreign assault is the right way to go.
I urge you to proceed very cautiously. The government is just now
digging itself out of the many mistakes that were made over the past
decade with computer security policy. This is not the best time to be
pushing an outdated approach to network security, fraught with privacy
problems, on a fast-moving industry that is itself racing to develop
good security solutions.
In 1975, Senator Frank Church, who conducted a Senate investigation
of intelligence abuses, said of the NSA technology: ``That capability
at any time could be turned around on the American people, and no
American would have any privacy left, such is the capability to monitor
everything * * * there will be no place to hide.''
This Committee should keep Senator Church's warning in mind as it
reviews this proposal to create a vast new surveillance authority
across the federal government.
REFERENCES
White House ``National Plan for Information Systems Protection''
(January 7, 2000) http://www.ciao.ncr.gov/National-Plan/
national%20plan%20final.pdf
Executive Summary of ``National Plan for Information Systems
Protection'' (January 7, 2000) [http://www.whitehouse.gov/WH/EOP/NSC/
html/documents/npisp-execsummary-000105.pdf]
Bruce Schneier and David Banisar, Electronic Privacy Papers:
Documents on the Battle for Privacy in the Age of Surveillance (Wiley
1997)
Whitfield Diffie and Susan Landau, Privacy on the Line (MIT Press
1998)
Katie Hafner and Matthew Lyon, Where Wizards Stay Up Late: The
Origins of the Internet (Touchstone Books 1998)
National Resource Council, CRISIS Report (1996)
Peter G. Neumann, Computer-Related Risks (Addison Wesley 1995)
``Critical Infrastructure Protection and the Endangerment of Civil
Liberties: An Assessment of the Report of the President's Commission on
Critical Infrastructure Protection'' (EPIC 1998) [http://
www.amazon.com/exec/obidos/ISBNI=1893044017/electronicprivacA]
EPIC, Critical Infrastructure Protection Resources [http://
www.epic.org/security/infowar/resources.html]
Letter from Simon Liu, Acting Director, Information Management and
Security Staff, Department of Justice to Mr. Wayne Madsen, Senior
Fellow, Electronic Privacy Information Center, January 20, 2000
responding to Freedom of Information Act request of July 20, 2000 for
``all agency records, including memorandum, letters, and minutes of
meetings, dealing with any liaison between the Department of Justice
and the Critical Infrastructure Assurance Office.''
Senator Kyl. Mr. Cilluffo.
STATEMENT OF FRANK J. CILLUFFO
Mr. Cilluffo. Thank you, Mr. Chairman. Mr. Chairman,
Senator Feinstein, I appreciate the opportunity to appear
before you today with respect to the recently released National
Plan and the challenge of simultaneously assuring the security
of our Nation's critical infrastructures while preserving
personal privacy.
I also commend you for your leadership on these issues and
the recognition that they extend far beyond the Nation's
Capital. Indeed, they must be brought before the American
people. Many of these issues are misunderstood and give rise to
skepticism, distrust, and confusion between individuals,
organizations, and government, the initial media account of the
proposed FIDNet program being one case in example.
One of the advantages of working at a think tank is that I
don't have to stand where I sit, so I can be a little more
blunt. Another is that we are simply in the ideas business and
are not responsible or held accountable for implementing these
ideas. With that in mind, I would like to take a few moments
and make a few brief observations on, first, the cyber threat
in general; second, the need to strike the appropriate balance
between privacy and security; and, third, the National Plan for
Information Systems Protection.
The reason we have to understand the threat, I think, is to
be able to do the appropriate balance, we need to know exactly
what we are dealing with. And we are all aware of the many
benefits of information technology, and this revolution's
impact on society has been profound and touches everyone,
whether we are examining our economy, our national security, or
our quality of life.
Unfortunately, as we touched on earlier, there is a dark
side, and along with these new rewards come new risks and
unintended consequences which need to be better understood and
managed by our corporate and government leaders, and I mention
corporate first. These risks--and we discussed some of them--
range from the national security issues, strategic information
warfare and information operations, the vulnerabilities and
threats to our infrastructures, to protecting our personal
information, such as medical records and the like.
I think that I have a disagreement with Mr. Rotenberg on
the robustness of our infrastructures. I think that the ability
to network has far outpaced our ability to protect networks. In
some cases, systems are being integrated on top of one another,
and hence a failsafe on one day becomes a loophole the next,
since you can't beta-test all these networks as a whole.
Moreover, many of our highly advanced systems are based on
insecure foundations. ARPANet, while it may have been quiet,
was not intended to be secure. It was actually intended to
share information between and among scientists, and then it
expanded to academe and then it expanded to where it is today.
It was not intended to be secure.
Yet, many in public life and among our citizenry remain
skeptical or even downright dismissive of any potential
dangers. And again I look to Senator Feinstein, and I agree
with you. It is difficult to visualize these cyber threats. It
is not like Nazi forces moving across Europe, it is not like
the effects of Pearl Harbor, or even the Soviet missiles on
parade in Red Square. This is something that is difficult to
see.
Yet, our real assets today are stored electronically and
not in Fort Knox, and the target increasingly is not the
military at all, but rather our Government and corporate
information systems. Information warfare inherently extends the
battlefield to incorporate all of society. As you mentioned,
the myth persists that the U.S. hasn't been invaded since 1812.
Invasion through cyber space is now a daily occurrence.
The threat spectrum ranges from the so-called ankle biters
on one end to foreign nations on the other, and one of the
greatest challenges of these cyber threats is its anonymity.
Who is behind the clickety-clack of the keyboard breaking into
my system? Is it a young adult, is it a foreign intelligence
service, is it an economic competitor, is it someone doing the
bidding for someone else, or perhaps even someone masquerading,
cloaking the perpetrator's true identity leading you to go in
the wrong direction?
Additionally, smoking keyboards are hard to find, as an
assailant can loop and weave from country to country in a
matter of nanoseconds, all while law enforcement is forced to
stop at jurisdictional boundaries defined by the physical
world, which have little to no meaning in cyber space. In
essence, we have created the global village without a police
department, and I thought Senator Bennett's slide was excellent
along those lines.
According to a recent report by the Department of Defense,
the NCS in particular, currently at least 10 countries--an
unclassified report--possess offensive information warfare
capabilities somewhat akin to our own. As you mentioned
earlier, Mr. Chairman, of unique interest are the current
Chinese discussions regarding the possible creation of a fourth
branch of the armed services within the PLA devoted entirely to
information warfare.
Bits and bytes will never replace bullets and bombs. Yet,
one area that I think does require some further examination is
the synergy of where the physical and the virtual come
together. For example, you have detonated a conventional
explosive and then you follow that up with an attack on our E
911 systems. As we heard earlier, a young man in Toborg,
Sweden, was able to do it many thousands of miles away. And my
Swedish colleagues tell me that that young man is now in an
insane asylum, and I guess we can call him a crackpot who hit
the jackpot. But he still demonstrates these vulnerabilities
that can be exploited by those with more nefarious intent.
And we are also aware of our vulnerabilities due to
exercises such as Eligible Receiver and subsequent exercises
which we can't get into--squirrels taking down major networks,
backhoes, NSA systems being down last week. We are well aware
of our vulnerabilities. We have seen demonstrated capabilities,
whether it is E 911 systems or whether it is air traffic
control.
What we haven't seen yet, though, is the marriage of the
true, the real hostile, where the intent and the capability
come together. In my eyes, though, that is only a matter of
time before this convergence occurs, and I call it where the
real bad guys exploit the real good stuff and become more
techno-savvy.
As we contemplate methods of dealing with these threats, it
is important to remember that our national security community
and law enforcement institutions were designed and establish to
protect our freedoms, our liberties, and our way of life.
With this in mind, I think it is possible to ensure the
security of our Nation's critical infrastructures without
compromising civil liberties and personal privacy or by locking
down the Internet. Throughout history, the first obligation of
any State has been to protect its citizens. Today is no
exception. Yet, we must be careful and avoid placing our
national security community in a position where they could
trample on our liberties in order to preserve them.
Moreover, policies in response to threats of any kind,
especially in cyber space, must not stifle the engines of
innovation that drive our economy and enhance our lives. We
cannot afford to overreact and put up too many virtual or
physical walls. If we do, the adversary wins by default because
our way of life has been lost, and I look back to the weeks
before ushering in the new millennium as a number of lessons
that should be learned there.
Too often, the debate is framed as if security and privacy
are mutually exclusive. This is simply not true. It is wrong to
think of these issues as an either/or. We must rather think of
the need to incorporate both, and in order to preserve the twin
goals of security and privacy, we must begin with the notion of
a true partnership, and I think we are seeing some very good
steps in that direction.
For a number of years, many, myself included, have
criticized the current administration for being long on nouns
and short on verbs, a lot of talk, not a whole lot of action
with respect to critical infrastructure protection and
policies, a concern I know you share, Mr. Chairman, given your
1996 amendment to the Defense Authorization Act. And I think
that the President was required to answer those questions
within 120 days. Well, 4 years later, we do have a 200-page
document that begins to address some of your concerns.
Overall, I think the Plan does an excellent job of
identifying gaps and shortfalls within the Federal Government
and charting an initial course of action to address them. My
major concern is that it does not do enough. We must be willing
to commit real money to tackling the problem. After all, policy
without resources is rhetoric.
While the President's proposed budget for fiscal year 2001
is a good start, a vast majority of those resources have
already been earmarked and allocated in previous budgets. I
also personally believe that more funds should be devoted to
governmentwide programs and measures aimed at prevention and
protection. Moreover, only through leading by example can the
Government realistically hope for the private sector to commit
the sort of resources expected of them.
There were also concerns, legitimate ones in my eyes, that
the Plan was developed behind closed doors, without public
input, including the Congress and many of the owners and
operators of these critical infrastructures, and their views
were not solicited. Nevertheless, I do think it is encouraging
that the administration seems amenable to accept input at this
point, a process I encourage be enhanced.
With respect to infrastructure assurance, we must continue
to work toward and build on a true National Plan with full
representation from industry and all interested parties. We
need to forge a genuine partnership between the public and
private sector. It can no longer be merely a case of the
Government leading and the private sector following. In other
words, Silicon Valley and the Beltway, where the so-called wing
tip meets the sandal, must stand side by side on equal footing
to address these issues.
No offense, Senator Feinstein, to Silicon Valley.
I think that the Partnership for Critical Infrastructure
Security referenced earlier by John Tritak is one that is
particularly encouraging.
In closing, New York Yankee great Yogi Berra once said the
future ain't what it used to be. The best way to predict the
future is to help build it. We should not have to choose
between security and privacy. With a lot of hard work we can,
and arguably must, have both.
Thank you for your time and I would be pleased to try to
answer any questions you may have.
[The prepared statement of Mr. Cilluffo follows:]
Prepared Statement of Frank J. Cilluffo
Mr. Chairman, Senator Feinstein, distinguished Members of the
Committee, I appreciate the opportunity to appear before you today to
discuss some of the policy implications with respect to the recently
released ``National Plan for Information Systems Protection.'' I would
also like to address the difficult challenge of simultaneously ensuring
the security of our nation's critical infrastructures while preserving
personal privacy.
I commend you for your leadership on these issues and the
recognition that they extend far beyond the nation's capital. Indeed,
they must be brought before the American people--and soon. Many of
these issues are misunderstood and give rise to skepticism, distrust
and confusion between individuals, industry and the government--the
initial media accounts of the proposed Federal Intrusion Detection
Network (FIDNET) to cite one example. We must encourage any initiatives
aimed at advancing a meaningful dialogue between our citizens,
industry, and government.
One of the advantages of working for a think tank is that we don't
have to stand where we sit, a rare luxury for someone inside the
Beltway. Another is that we are simply in the ideas business and are
not responsible or held accountable for implementing our ideas.
With that in mind, I would like to make a few brief observations
on:
Cyber threats in general;
The need to strike an appropriate balance between privacy
and security; and
The ``National Plan for Information Systems Protection.''
The information technology revolution has given us an unrivalled,
perhaps unsurpassable, lead over the rest of the world in virtually
every facet of modern life. Information technology's impact on society
has been profound and touches everyone, whether we examine our economy,
our quality of life, or our national security. Unfortunately there is a
``dark side'' to this revolution. Along with the clear rewards come new
risks and a litany of unintended consequences that need to be better
understood and managed by our industry and government leaders. These
risks range from the national security considerations involving threats
to, and vulnerabilities of, our critical infrastructures from cyber
attacks and information operations, to protecting the confidentiality
and integrity of our personal information such as medical records,
credit histories, or even our identities, from unauthorized use. If we
do not understand these potential consequences, widespread cyber
threats--once the domain of science fiction--will become a reality for
us all.
Our highly complex and inter-networked environment is based on
insecure foundations. It is not widely understood that the Internet's
predecessor, ARPANET, was never intended to be ``secure.'' In fact its
very design schematic was based on openness--to facilitate the sharing
of information between scientists and researchers.
It is also problematic that the ability to network has far outpaced
the ability to protect networks. In some cases, new systems are being
integrated on top of one another--hence a fail-safe system on one day
becomes a loophole the next. The established cliche about the ``weakest
link in the chain'' has never been more acute or applicable.
Additionally, according the Final Report of the President's Commission
on Critical Infrastructure Protection (PCCIP), it is estimated that by
2002, a worldwide population of approximately 19 million will have the
skills to mount a cyber attack.
All of this interconnection leads to the origins of our problem.
Modern societies are dependent upon critical infrastructures such as
telecommunications, electric power, health services, banking and
finance, transportation, and defense systems, to provide us with a
comfortable standard of living. These systems are increasingly
interdependent on one another and damage to one can potentially cascade
and impact others--with single point failures being of greatest
concern. To compound the problem, military and law enforcement
authorities report that every month assailants make thousands of
unauthorized attempts to gain access to these systems, amounting to a
nearly continuous assault.
And yet, many in public life and among our citizenry remain
skeptical or downright dismissive of any potential dangers. After all,
it is difficult to visualize a cyber threat in the same way that we saw
film clips of Hitler's legions marching across Europe, the results of
Japan's attack on Pearl Harbor, or Soviet missiles on parade in Red
Square. There are other problems with getting people to take these
threats seriously. For example, how can you ``see'' a cyber threat
developing? While it may be scary in the abstract, it does not easily
lend itself to images of fear, making it difficult to personalize for
most Americans.
Today our real assets are stored electronically, not in Fort Knox
and the targets are increasingly not government and military
installations, but rather public and private computer network systems.
Information warfare extends the battlefield to incorporate all of
society. The myth persists that the United States has not been invaded
since 1812, but invasion through cyberspace is now a daily occurrence.
We can no longer afford to rely on the two oceans that have
historically protected our country: instead we must develop the means
to mitigate risk in an electronic environment that knows no borders.
The threat spectrum ranges from ``ankle biters'' \1\ to nations,
with currently no readily available means to discern who is committing
the attack. Additionally, ``smoking keyboards'' are hard to find as an
assailant can loop and weave from country to country in a matter of
nanoseconds. Thus, an attack initiated a couple of blocks away can be
made to appear to come from halfway around the world. All of this
happens while law enforcement is forced to stop at jurisdictional
boundaries, defined by the physical world which have no meaning in
cyberspace. In essence, we have created a global village without a
police department.
---------------------------------------------------------------------------
\1\ As defined by the NSA Glossary of Terms Used in Security and
Intrusion Detection, an ankle-biter is ``A person who aspires to be a
hacker/cracker but has very limited knowledge related to Automated
Information Systems. Usually associated with young adults who collect
and use malicious programs obtained from the Internet.''
---------------------------------------------------------------------------
According to a recent public report by the Department of Defense
(the National Communications System), currently at least ten countries
possess offensive information warfare capabilities comparable to our
own. Moreover, a 1996 Government Accounting Office (GAO) report
references that approximately 120 nations have some sort of computer
attack capability. The reality of this potential threat was illustrated
in an article published this fall in the Liberation Army Daily; the
official newspaper of the Chinese People's Liberation Army (PLA) titled
``Bringing Internet Warfare into the Military System is of Equal
Significance with Land, Sea, and Air Power.'' In this article, the
authors discuss Chinese preparations to carry out high-technology
warfare over the Internet and advocate the creation of a fourth branch
of the armed services within the PLA devoted to information warfare.
Bits and bytes will never replace bullets and bombs. Conventional
terrorist organizations, for example, will never abandon car bombs or
pipe bombs, which have already proven highly effective, relatively low
in cost and risk and still generate headline news. As a force
multiplier, however, information warfare increases the lethality of the
terrorist when used in concert with other more conventional means. For
example, one scenario we created at CSIS involved a malcontent first
detonating a conventional explosive followed up by denial of service
cyber attacks on the same city's emergency communications network,
thereby preventing the first responders and authorities from
responding. The consequences were two-fold; it led to an increase in
the number of potential casualties and sowed further psychological
fear.Is this really far-fetched? Two years ago a young man sitting
behind his desktop computer thousands of miles away in Toborg, Sweden,
disabled portions of the Emergency 911 system in Southern Florida.
Another example of a significant infrastructure disruption occurred in
1997, when a Massachusetts teenager was charged with disabling the
Federal Airline Aviation control tower for six hours at Worcester
Regional Airport.
It is only a matter of time before there is a convergence between
those with hostile intent and techno-savvy, where the real bad guys
exploit the real good stuff.
As we contemplate methods of dealing with these threats it is
important to remember that our national security community and law
enforcement institutions were designed and established to protect our
freedom, our civil liberties and our way of life. We expect the
national law enforcement agencies to protect us from criminal elements
within our borders. We expect the Defense Department and the Armed
Forces to protect us from external threats. We expect the nation's
intelligence agencies to provide insight into the intentions and
capabilities of our adversaries and to provide advance early warning of
threats to us.
It would be a mistake to place our national security and law
enforcement institutions in a position where they would have to
compromise our precious hard-won rights or infringe upon our privacy in
order to protect us. The worst possible victory granted cyber attackers
would be one that destroyed these values whereby we would become less
open, less tolerant and less free.
Concomitantly, we must recognize the many benefits of information
technology and understand that these benefits far outweigh any risks.
Thus, our policies in response to threats of any kind must not stifle
the engines of innovation that drive our economy and enhance our lives.
We cannot afford to over react or put up too many ``virtual'' or
``physical walls.'' If we do, the adversary wins by default because our
way of life has been lost.
It is possible to ensure the security of our nation's critical
infrastructures without compromising civil liberties and personal
privacy or locking down the Internet. Throughout history, the first
obligation of the state has been to protect its citizens. Today is no
exception. Information technology, while providing us many comforts and
conveniences has also created for us new kinds of vulnerabilities that
can be exploited. These vulnerabilities must be addressed and balanced
with the civil liberties we have worked so hard to earn as a nation. It
makes no sense to trample on civil liberties in order to preserve them.
Too often, the debate is framed as if security and privacy are
mutually exclusive. This is simply not true. It is wrong to think of
the issue as ``either'' ``or''. We must rather think of the need to
incorporate both. In order to preserve the twin goals of security and
privacy, we must begin with the notion of a true partnership.
For a number of years many, myself included, have criticized the
current Administration for being ``long on nouns and short on verbs''--
a lot of talk, not a lot of action--with respect to critical
infrastructure protection and related policies. A concern I know you
share Mr. Chairman, especially given your amendment to the 1996 Defense
Authorization Act, wherein ``the President shall submit to Congress a
report setting forth the results of a review of the national policy on
protecting the national information infrastructure against strategic
attacks.'' Four years later, we have a 200-page document (``the Plan'')
that begins to address some of your concerns. To their credit, the
President and his team have done some good work with the Critical
Infrastructure Working Group (CIWG), Executive Order 13010, the
President's Commission on Critical Infrastructure Protection (PCCIP),
Presidential Decision Directive 62, and Presidential Decision Directive
63, albeit most of these initiatives do not adequately address high-end
national security threats to our information infrastructures, including
strategic information warfare.
Overall, I think the Plan does an excellent job identifying gaps
and shortfalls within the Federal government, and charting an initial
course of action to address them. My major concern is that it does not
do enough.
We must be willing to commit real money to tackling the problem--
after all policy without resources is rhetoric. While the President's
proposed budget for fiscal year 2001 is a good start, a vast majority
of the resources have already been earmarked and allocated in previous
budgets. I personally believe that more money should be devoted to
government-wide programs (i.e. a more robust and complete PKI
infrastructure) and measures aimed at prevention and protection. While
there are no protective measures that are completely effective, the 80
percent solution will be sufficient to deter most attackers by
increasing the risk of detection or failure. In essence, by raising the
bar higher, we would then improve our ``signal to noise'' ratio and be
better positioned to address the more significant threats. Moreover,
only through leading by example can the government realistically hope
for the private sector to commit the sort of resources expected of
them.
There have also been concerns that the Plan was developed behind
closed doors, and that public input was not solicited through the
Federal Register and other means. Many individuals and organizations,
including the Congress and the owners and operators of many of the
critical infrastructures within industry, could have offered valuable
counsel and prevented some of the adverse publicity surrounding the
Plan last summer. Nevertheless, it is encouraging that the
Administration seems amenable to accept input at this point, a process
that needs to be enhanced and encouraged.
With respect to infrastructure assurance, we must continue to work
toward and build upon a true national plan with full representation
from industry and all interested parties. We need to forge a genuine
partnership between the public and private sectors. The public actions
of the Critical Infrastructure Assurance Office (CIAO) are very
encouraging in this respect. Specifically, the recently announced
Partnership for Critical Infrastructure Security, which has brought
together approximately ninety leading corporations and various federal
agencies to address the problems of infrastructure assurance, is a good
example of a step in the right direction.
We also need a true national debate on infrastructure assurance and
we need to re-think national security strategy accordingly. It can no
longer be a case of the government leading and the private sector
following. In other words, Silicon Valley and the Beltway, where the
sandal meets the wingtip, must stand side by side and on equal footing
in addressing these issues and formulating responses.
Philosopher and New York Yankee great, Yogi Berra, once said, ``The
future ain't what it used to be.'' The best way to predict the future
is to help build it. We should not have to choose between security and
privacy. With a lot of hard work, we can and must, have both.
Thank you for your time. I would be pleased to try to answer any
questions you may have.
Senator Kyl. Thank you, Mr. Cilluffo. I think the last
comment you made summarizes my view, and that is that this
doesn't have to be a zero-sum game. We have got to be concerned
about both issues, both the protection of American interests,
which include privacy interests, and on the other hand doing it
in a way that doesn't inhibit people's civil liberties. That is
an age-old issue. This is merely one of the latest iterations
of it. You could write the history of this country and every
decade would have a chapter dealing with some iteration of this
particular problem. But it has got a new feature now and a more
complicated one, and I think a constructive dialog is
important.
I think the questions that Mr. Rotenberg raises are
important questions and I think the Government needs to pay
more attention to those questions. There needs to be more
public discussion of them. There needs to be a lot of serious
questioning with respect to the protection of privacy.
But I also think that the people who raise those questions
would be more credible in doing so if they didn't denigrate the
nature of the challenge that we are trying to deal with here,
which I think, Mr. Rotenberg, with all due respect, you do. And
I think the very legitimate questions you raised would be
enhanced by an acknowledgement right up front that this was not
some invention of the Defense Department in order to get more
money, which is what you have said, but rather a response to a
legitimate concern.
Senator Sam Nunn and I had the first hearings on this. I
don't think you would criticize him as somebody that is a
mouthpiece for getting more money for the Defense Department.
As a matter of fact, I think it is arguably true that we had to
drag them kicking and screaming to this problem because they
saw it coming out of their budget. And I think if you asked the
people downtown, they would say one of the reasons why this was
so slow in coming is that nobody wanted to put their arm around
this baby because they knew that it was going to be hard and it
was going to cost a lot of money and they didn't want it to
come out of their budget.
So when you say things, Mr. Rotenberg, like the DOD and its
secretive component, the NSA, were driving forces behind
critical infrastructure protection--``For the Pentagon and the
intel community, info warfare offered a new vista in an era of
post-Cold War diminishing military budgets, paucity of
conventional threats, base closures, and reductions in force,
both military and civilian''--I think you are just dead wrong.
That isn't how this all came about. It came about because a lot
of serious people understood there was a significant threat and
they wanted to do something about it.
And I really believe that in raising the questions you have
raised, which I again acknowledge are legitimate questions and
have not, I would add, been adequately answered by Mr. Tritak
today, I think that the discussion needs to begin from a
different point.
I would ask you this question. Having been critical, can
you offer some suggestions as to how we might better balance
the concerns for our protection from this cyber terrorism, on
the one hand, and the very legitimate concerns you raised about
personal privacy protection on the other? In other words,
rather than just saying there is a huge problem here, the
Government is trying to get into everybody's lives, how would
you deal with the nature of this challenge? What kind of
structure would you set up to provide the kind or protection
that you are interested in?
Mr. Rotenberg. Let me just say at the outset, Senator, I
take your criticism. I know that you are referring to a report
that we published last year. I should say that the words that
you are quoting aren't actually my words. I mean, they were
written by someone else. I did write the preface to the report,
which I suspect you would probably agree with much of it
because, as people know, I tend to be fairly balanced in my
assessment of these issues, as I was in my statement for the
subcommittee today. But I take your criticism and I think it is
a fair one. I think these are real problems.
At the same time, I hope you would appreciate that for
people who are concerned about privacy issues and civil
liberties issues, there is a sense, as there is this morning,
that these very elaborate programs are put together that have
enormous civil liberties implications and sort of after the
fact people say, and now we want to address privacy concerns,
so that you will have to decide, for example, about whether to
go forward with a FIDNet proposal that I believe, and even the
Department of Justice believes, could be contrary to U.S. law.
I think we have a good basis for our criticism.
But you asked me how do we resolve these two issues, and I
have tried to suggest in my statement this morning that key to
a successful answer is a successful and accurate description of
the problem. We are not just defending U.S. borders anymore. I
mean, the very interesting thing about Senator Bennett's
picture is that this is a worldwide network, and the security
solutions and the reliability solutions are being developed by
researchers all around the world. U.S. firms, U.S. scientists,
U.S. Federal agencies are benefiting today from work that is
being done across the globe.
And I think we run some serious risk, if we are intent on
trying to protect this network, by now erecting national
borders in a world and in an environment where those national
borders are just harder to control. Now, in saying this I am
not trying to diminish the importance of national security or
public safety. In fact, I think I am actually underscoring it.
I am simply trying to say that the problems that we face in
the 21st century to protect these communication networks on
which we depend are very different from the types of problems
we confronted in the 20th century when we could follow
airplanes moving in our air space, across our borders, destined
for an attack.
Senator Kyl. Conceded. We all make that point. We all
agree. My question was, so how do you then deal with the issue,
and I will ask Mr. Cilluffo to answer the same question. Just
get specific for a minute, and we really need to specifically
direct your answer to the question.
Mr. Rotenberg. Fair enough. My first answer is I think we
need a proposal that complies with U.S. privacy law. I don't
think you can put forward a proposal that says we are concerned
about privacy and at the same time ignore the relevant law that
this Congress has passed which says that when the Government
conducts electronic surveillance, it has to comply with certain
fourth amendment standards. That seems to me a fairly
reasonable request to make.
I think a second point to make is that when you are
creating within government a great surveillance capability, it
is appropriate to have some mechanism for oversight and
accountability. Now, I think this is an area, in fact, where
Mr. Tritak has given a lot of thought. There is obviously an
effort to work with the committees and to incorporate public
comments, but that has to be done on a much more formal basis.
I mean, the Department of Justice has annual reporting
requirements. The Computer Security Act has a formal committee
that conducts hearings, issues reports. We need the types of
institutional safeguards vested with the responsibility to
protect privacy and civil liberties to counterbalance this very
great surveillance authority that is going to be created.
And I should say, by the way, this hearing is really
focusing on a small part of the Plan. I think there are large
parts of the Plan where there is really no dispute. I mean,
what we are really talking about today is whether, to protect
computer security, the Federal Government should have openended
authority to conduct computer surveillance.
Senator Kyl. That is not true, that is just fundamentally
not true. Nobody argues that the U.S. Government should have
that authority, and if you would like to cite anybody that you
can think of that comes at it from that point of view, I invite
you to do so right now. You see, I think that is an
exaggeration and it is the kind of statement that doesn't help
us get to a constructive solution.
Senator Feinstein was saying just a moment ago that we
start from the premise that the U.S. Constitution governs here.
We have got to protect the liberties that are guaranteed in
that document. The question is, with a brand new kind of
technology here that we have all acknowledged eliminates the
kind of formal barriers that used to instruct us on how to deal
with these issues, we have got to come up with structures that,
while they solve the problem, don't impinge upon constitutional
liberties.
Just to give you one little illustration that is by analogy
only--it is not directly applicable here--we have a bill that
has passed the Senate unanimously dealing with Internet
gambling. The 1961 Telephone and Wire Act prohibits sports
gambling, but some defendants in a case said, well, wait a
minute, to the U.S. attorney, you can't prove that that bet was
transmitted over wire; it could have been through fiber optic
cable or satellite microwave transmission.
The point is sometimes you have got to bring the law
current with even the terminology of new technology, let alone
the application of that technology. And it may be that some of
these laws need to be brought up to date so that they enable us
both to protect our security and protect the rights of the
citizens. But don't start from the premise that it is zero-sum
game and that the people that want to protect our security do
not want to protect our privacy. It is just not true.
Mr. Rotenberg. That is not my view, and it is not my view
that it is a zero-sum game.
Senator Kyl. Well, perhaps I misunderstood the comment you
made.
Let me ask Mr. Cilluffo if he has some specific,
constructive suggestions on how we square this circle, the
challenge that Mr. Rotenberg has laid down.
Mr. Cilluffo. Well, I think clearly the notion of
partnerships, genuine partnerships that provide input from all
different parties, is absolutely critical here. This is an
issue that touches absolutely everyone, the civil liberties
issues as well as the national security issues, and corporate
issues such as intangible intellectual property rights and
economic and industrial espionage.
There are a whole bunch of issues here that need to be
brought to the table, and the only way you can begin doing that
is by having this dialog. This table is much bigger than most
traditional national security tables have been. It requires the
input of so many new parties and so many different communities
that I actually give the administration a lot of credit for
adding that line to the Plan, an invitation to a dialog,
because that is what we need; we need a dialog.
And while I agree that there are some very legitimate civil
liberty issues that need to be addressed at that table, that is
not the only issue that needs to be addressed, and I really
don't see it as an either/or. I would accept nothing less than
a plan that both protects our privacy and ensures our security.
So the dialog, I think, is an important step. There are a
number of initiatives within that, such as the information-
sharing analysis centers where industry starts getting together
doing some of the initiatives. We have parallel programs inside
the Government, but the dialog is crucial.
Senator Kyl. Well, let me say this and then I will turn to
Senator Feinstein. I think before this is actually implemented,
we will have additional hearings in which we will ask legal
experts as well as technical experts to sit at this table and
walk us through precisely how they envision it being done so
that, for example, where they see--well, first of all, where
they have the legal authority to look for these anomalies, what
do they have the legal right to look for? What gives them that
legal right? What kind of potential civil rights problems are
there in looking for those anomalies?
Then what can they next do with that information? What is
the next filter? Mr. Tritak envisions three or four layers or
filters of analysis, as he pointed out. So when it gets to that
next level, is there any further challenge to the civil
liberties issues and what protections pertain there, all the
way down to the hand-off to the FBI, the law enforcement
agency, when they have reason to believe a crime might be being
committed here, and therefore what the FBI must work--what
strictures govern the FBI's actions here. I am sure those will
be fairly standard law enforcement kinds of strictures.
But it is that initial broad-based analysis of anomalous
information or incidents that probably raises the real
questions because once you get to the FBI, I don't see a whole
lot changing. I mean, they are going to be stuck with what they
are stuck with the way we have got it pretty much written now.
On the other hand, there may be some new techniques that they
would wish to employ based on new technology, and if that
implicates privacy laws, then we will have to view it in that
context.
So I think the challenge, Mr. Rotenberg, that you lay out
is an appropriate challenge. I think we need to have people
come and testify specifically about exactly what they are going
to do because unless there is an acceptance of this by the
American people, we are not going to be able to protect
ourselves. And someday we will wish that we had tried to figure
it out better in advance, and I appreciate your approach to
that, Mr. Cilluffo.
Mr. Cilluffo. Mr. Chairman, if I could add one point, too
often the debate also focuses entirely on concerns of big
brother. Well, the Government also has a responsibility to
protect its citizens from little brothers. The thing that makes
this threat so unique is that you don't need to be the United
States, you don't need a major budget, you don't need to be the
former Soviet Union or the People's Republic of China. Anyone
can have a rudimentary capability, and we have a responsibility
to protect our citizens.
Just imagine if we could not get our Social Security checks
next month. I think people would be in the streets, arguably
for good reason. Whether it is air traffic control and the
like, I think that there are some very legitimate concerns that
we need to look at it from the inverse perspective as well, not
to mention that we are stuck prosecuting 21st century crimes
with 20th century laws. I agree with Mr. Rotenberg's point, but
it also has a flip side that needs to be on the table as well.
Senator Kyl. Senator Feinstein.
Senator Feinstein. Thanks very much, Mr. Chairman. You
know, I think that we are both on the same line here. I think
we both believe that this is the frontier of a huge problem. I
think we both believe that the technology is advancing so
rapidly, so much quicker than our laws, our philosophy, our
ability to really deal with it in any way.
At the same time, it is a whole new worldwide phenomenon
and those that produce the phenomenon say, leave us alone, we
don't want government interference. And it is very difficult to
weigh the balance. On the one hand, you have commercially where
people find their Social Security numbers being used without
their permission, their drivers' licenses used without their
permission, their medical information, their financial
information. On one level, that sets up a huge level of privacy
concern, and I think you and I will address it in a piece of
legislation.
On the other level, you have this situation where a plane
or planes go down in a cyber attack. Then what right does the
Government have to infiltrate an encrypted computer system to
try to get at the perpetrator? So it becomes two different sets
of things we are looking at. At the same time, you have pointed
out, and I think correctly, the technology is advancing so
rapidly that by the time we get there, it is at the next stage.
It is a very hard challenge in front of us. I think we
believe we have to do everything we can within protection of
privacy to also protect our Nation and our people against
attacks that we know as sure as the sun is coming up tomorrow
morning are going to happen, and it is hard to get equipped to
do so.
Now, let me ask a couple of questions, if I could, that are
specific. Mr. Cilluffo, you mention that Congress should
appropriate money for a governmentwide information security
program such as encryption--and we have had a lot of debates
over encryption--that is, a national public key infrastructure.
Why do you believe that public key infrastructure is a good
solution?
Mr. Cilluffo. Well, it is not necessarily the encryption
piece; it is the public key infrastructure writ large. I
believe that that would raise the bar throughout our Federal
systems to a level where you have the so-called 80-percent
solution. Then the additional 20 percent that still could
circumvent all these new protective measures that are put in
place--we could focus on those specific threats which I think
are the most critical to our national security.
From there, we can hone in our indications and warning
capabilities and the like to deal with the more significant
threats and keep out the 80 percent, the so-called ankle
biters, that really are not significant national security
issues.
Senator Feinstein. Explain what you mean by public key.
Mr. Cilluffo. It is heavily based on encryption means, but
it goes beyond to incorporate other token key infrastructures.
And to me, encryption is an important piece to protecting
ourselves, but it doesn't do a whole lot to protect from denial
of service attacks. What good is protecting the confidentiality
and integrity of the information if you can't get a dial tone?
But the PKI infrastructure does incorporate to add in some of
the denial of service protection measures.
Senator Feinstein. Thank you.
Mr. Rotenberg, you noted that many people used credit cards
over this past holiday over the Internet, and that weaker
encryption was freely available, I think you said due
indirectly to the administration's old encryption control
regulations. You then suggested that the National Plan will
replicate the problem. I didn't understand what you meant.
Could you explain it as to what exactly you mean?
Mr. Rotenberg. Yes, Senator. What I was trying to describe
was the problem that results from a Plan, you know, well-
intended basically to keep these strong security tools away
from people which could cause harm to the country, which is
what the export control system does in part, had the practical
consequence of keeping the same strong tools away from American
consumers.
As computer security policies are implemented, there are
all sorts of other effects that can be difficult to control,
and it is a very good example, particularly with people using
the Internet at Christmastime and making themselves vulnerable
with credit card purchases. And I agree with you, by the way. I
think that is also a very big part of the privacy issue. There
are a lot of things happening obviously in the private sector
that may require some government legislation to protect privacy
and I would certainly support that.
But here you see sometimes a policy even well-intended that
says we have got to try to keep good encryption away from the
bad guys has the practical problem of keeping those same tools
away from the good guys and leaving the good guys more
vulnerable, and that is what I think we need to avoid
duplicating.
Senator Feinstein. Well, let me go back to the incident of
the computer in Manila where the airline information was in it
and this individual was going to bring down, if he could, a
whole flock of commercial airliners. Fortunately, you could get
into his computer and the information was there.
What is wrong with using the same procedure that one would
use with a telephone? In other words, a wire tap; you go before
a judge, you get a court order. You have to provide information
to a judge, an independent third party, a reasonable cause to
believe, et cetera. What is wrong with that procedure?
Mr. Rotenberg. Actually, I think it is the right procedure.
Senator Feinstein. I do, too.
Mr. Rotenberg. And throughout the debate on encryption, you
know, we really never argued about the Government's right to
conduct a wiretap, with lawful authority, with a warrant. We
said we understand that.
What we are really discussing is what kind of technological
design, what kind of architecture for this evolving
communication network is best likely to promote security and
privacy. I agree with you, Senator Kyl. I think both goals are
critical and we should not face a tradeoff where we are giving
up one for the other.
And I guess the sense we have today after going through
this long debate on encryption is that there really is a risk
that if we focus solely on security, then privacy gets pushed
off the table. It becomes sort of an after-the-fact
consideration. And so we have to think at the very beginning
when we are proposing, for example, public key infrastructure
which could be very good to promote network security across
Federal agencies--people filing tax returns, for example, make
sure those aren't misappropriated. But we have to make sure at
the beginning that privacy really becomes part of the design
requirement so that we don't face the tradeoffs, and I think
that is what I am saying.
Senator Feinstein. Well, let me give you a challenge.
Mr. Rotenberg. Yes.
Senator Feinstein. I used to say when I was mayor to my
staff--they would come in the door at the end of the day with a
problem and I would say, don't come in with a problem unless
you have got the solution, too. So let me give you that
challenge. It is one thing to point out the problem, it is
another thing to come up with a solution, and so I would like
to challenge you to present us with some solutions.
Mr. Rotenberg. Senator, I would be pleased to do that. In
fact, I would offer to the subcommittee that there are groups
of security experts. The American Association for Computing
Machinery has been working in this area for a long time. I
think we could put together a study group and maybe produce a
report in a short period of time to try to answer this question
for you. How do we do privacy and security so that both
interests are protected as we go forward?
Senator Feinstein. If I understood your opening comments,
you would agree that there is a problem out there.
Mr. Rotenberg. Yes.
Senator Feinstein. So then all of us together, the privacy
community as well as the governmental and the private sector,
really ought to come together to come up with the solution
because we have to do that.
Mr. Rotenberg. Yes, I agree.
Senator Feinstein. Thanks, Mr. Chairman.
Senator Kyl. Thank you very much. Well put. I was just
thinking, just to close this off and put it in context,
yesterday when I came through the security mechanism at the
airport I was reminded again that just a little tiny bit of my
civil liberties have been taken from me for a larger cause.
Fortunately, I didn't have anything metal in my pockets to set
the machine off, but if I had and I couldn't take it out of my
pocket, then I get this routine which frequently happens to me.
And I am standing there and somebody runs a little wand all
over me.
Senator Feinstein. Yes, me, too.
Senator Kyl. Well, I don't care. It is a little bit of an
inhibition on my freedom to come and go as I please, but the
larger good of ensuring that I don't have some kind of
terrorist device gives all of the people on the airplane I get
on a sense of assurance that it is going to be OK. I think that
is the kind of thing we are looking at here.
What kind of legitimate limitations are we willing to
impose on ourselves in order to ensure that the entire Nation
is not subject to this kind of terrorism or specific attack,
and what kind of assurances can our Government provide its
citizens that it has done only that which is necessary and no
more? I think that is the nature of the challenge before us.
I will take you up on your offer, Mr. Rotenberg, and what I
would like to do is ask both of you to come back or to provide
testimony to the committee. I think that what this hearing has
demonstrated is that in addition to a wide variety of other
kinds of questions, we need to ask Mr. Tritak and others from
the administration to be prepared to discuss specifics in the
area that I think is most relevant to this subcommittee's
jurisdiction which we will probably be dealing with in
legislative form at a later date.
So I appreciate both of you being here to testify and we
will leave the record open for any further comments you would
like to make. In addition, we may have some other written
questions that we would like to pose to you.
Thank you, Senator Feinstein. If there is nothing further,
then we will adjourn this meeting, and I guarantee you we will
have another hearing on this subject in the not too distant
future.
Thank you very much. This hearing is adjourned.
[Whereupon, at 12:11 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions and Answers
----------
Responses of John Tritak to Questions From Senator Jon Kyl
Question 1. In his written testimony for the Subcommittee's
February 1, 2000 hearing on critical infrastructure protection, Marc
Rotenberg, Executive Director of the Electronic Privacy Information
Center, noted that, based on a March 1999 memo from the Justice
Department to the CIAO, FIDNet is a ``violation of the spirit of the
federal wiretap statute, the plain language of the federal Privacy Act,
and contrary to the Fourth Amendment.'' During the hearing, questions
about legal authority for FIDNet were raised at the hearing, you
testified that FIDNet is consistent with all ``privacy laws'', yet
stated you were unfamiliar with whether Federal wiretap statutes
applied to FIDNet. For the record, please explain in detail the current
laws that apply to FIDNet, and specifically how FIDNet in its current
conception is not in violation of each of those laws. Include, at a
minimum, the Privacy Act, the Electronic Communications Privacy Act,
the Computer Security Act, and wiretap statutes.
Answer 1. At the outset and before we can respond to your question
fully, we need to make two observations as a backdrop for the
discussion. First, the Federal Intrusion Detection Network (the
``FIDNet'') proposal was and continues to be a work in progress. Since
the release of PDD-63 in May 1998, the Administration has worked
carefully to identify the full range of possible security options that
incorporate intrusion detection technology. The proposal as described
in the earliest drafts of the National Plan has evolved considerably,
and continues to evolve.
The second point to be made is that, as underscored in the National
Plan, the FIDNet proposal will be implemented in a manner consistent
with all relevant laws, including privacy laws. Our legal analysis of
the proposal--and our ongoing consultation with the Department of
Justice--continues as part of a comprehensive interagency process and
in tandem with the evolution of the FIDNet to assure its adherence to
the spirit and letter of law.
FIDNet has been carefully tailored to vest authority and control in
the Federal civilian agencies, consistent with the Computer Security
Act of 1987, Clinger-Cohen Act, and Executive Order 13011, which
implement Congressional policies. Under current practices, federal
agency computer system administrators (as well as system administrators
in most companies in the private sector) already analyze data flowing
over their systems, based on strategic placement of intrusion detection
technology in accordance with the needs of the organization. Under the
FIDNet proposal as currently formulated:
The agencies will decide what data on system anomalies to
forward to the GSA for further review;
The GSA will use data on anomalies exclusively to warn
agencies about system anomalies; and
Law enforcement would receive information about computer
attacks and intrusions only under long-standing legal rules
(i.e., when there is evidence of a crime). No new authorities
are implied or envisioned by the FIDNet program.
FIDNet is intended to be a multi-level system. At the first level,
each agency's own security-protection software will scan for harmful
traffic entering that agency's system. (The key to understanding
intrusion detection is the concept of a ``firewall,'' which by
definition and design is meant to scan incoming transmissions for
hostile files and programs.) In fact, this is already being done at
federal agencies, not to mention most private companies. The National
Plan contemplates that the implementation and operation of such
protective measures will continue to be the responsibility of the
individual agencies. The objective of FIDNet is not to send the
resulting information to law enforcement officials. Instead, the goal
is to improve overall federal system security through improved
information sharing among systems administrators and information
security officials.
Contrary to Mr. Rotenberg's suggestion, the March 1999 Justice
Department memorandum does not state at any point that FIDNet--even in
the preliminary form then under analysis--would violate federal privacy
law. On the contrary, the memorandum identifies the legal bases on
which protective monitoring of government computer systems can be
lawfully conducted.
In fact, the current FIDNet proposal is structured to comply fully
with the Electronic Communications Privacy Act (``ECPA''), 18 U.S.C.
Sec. 2510 et seq., which incorporates federal wiretap law.
Specifically, while ECPA generally prohibits the interception of
electronic communications, it contains two relevant exceptions to that
general prohibition: (1) consent of a party and (2) system protection
monitoring activities. As to the first of these, the federal agencies
participating in FIDNet will, in appropriate instances, establish
consent to monitoring by using login ``banners'' displayed to each
network's users.
FIDNet will also rely on the separate exception applicable to
systems protection. Under this exception, ECPA expressly authorizes a
system owner or his agent to monitor network traffic on the system to
the extent necessary to protect the ``rights or property'' of the
system owner.
In addition, the FIDNet concept is compatible with the Privacy Act.
The Privacy Act, designed to protect personal privacy from unwarranted
invasions by federal agencies, regulates the collection, maintenance,
use, and dissemination of personal information by federal government
agencies. It forbids the disclosure of personal information by federal
agencies except under certain circumstances, and, subject to enumerated
exceptions, gives individuals access to information maintained on them.
FIDNet will be fully consistent with the Privacy Act's requirement
that physical security and information management practices be designed
to ensure individual privacy. As properly and legally formulated,
FIDNet will increase the level of privacy and security afforded to
information about individuals on government computers.
Question 2. Is there a need for legislation to bring any of those
laws up to date to reflect the current state of information technology?
If so, please make specific suggestions?
Answer 2. No. No new authorities are implied or envisioned by the
FIDNet program.
Question 3. If, in your view, any of those laws need to he updated,
do your suggested changes erode privacy and civil liberties in any way?
Answer 3. As previously noted, no new authorities are implied or
envisioned by the FIDNet program. In addition, our legal analysis of
the proposal--and our ongoing consultation with the Department of
Justice--continues as part of a comprehensive interagency process and
in tandem with the evolution of the FIDNet to assure its adherence to
the spirit and letter of law.
Starting from this point of seeking to protect privacy and civil
liberties, we additionally remember your admonition that privacy and
liberty are also endangered if we do nothing at all and leave the
information on the government systems subject to attack and theft. I
firmly believe that FIDNet will not erode privacy and civil liberties;
indeed, by protecting citizen information communicated to government
agencies from theft or improper release, and securing government
systems from attacks by hackers, criminals and terrorists, FIDNet will
ultimately serve to enhance privacy and liberty.
Question 4. In his written testimony for the Subcommittee's
February 1, 2000 hearing on critical infrastructure protection, Marc
Rotenberg, Executive Director of the Electronic Privacy Information
Center, stated ``There are other indications, contained in materials
that we received under the Freedom of Information Act, the CIAO intends
to make use of credit card records and telephone toll records as part
of its intrusions detection system, ``and notes this raises problems
under U.S. law. Does the CIAO intend to use credit card records and
telephone toll records as part of its intrusion detection system?
Answer 4. There is not, nor has there ever been any intent to use
credit card records and telephone toll records as part of an intrusion
detection system. Mr. Rotenberg may be misconstruing and
misinterpreting comments made about the technology used to detect
anomalies in the use of telephone and credit cards.
In the early stages of the FIDNet process, the Administration
considered, among others, the technology that telephone companies use
to find abnormalities in behavior patterns--in their case for use of
telephone phone credit cards--to see if that technology could be used
to identify abnormal behaviors patterns on government networks. This
was an examination of the underlying technology only, and had nothing
to do with using actual phone number or credit card records.
Question 5. Mr. Rotenberg submitted the attached memo for the
record at the hearing. The memo includes a chart referring to credit
card and toll fraud profiling. Please explain the meaning of that
slide.
Answer 5. Consistent with the response to the previous question,
the only references to credit card and telephone toll records dealt
with consideration of the underlying technology models and not with any
specific credit card and telephone information. Since release of PDD-63
in May 1998, the Administration has reviewed carefully the full range
of available technologies that may be applied to intrusion detection
systems. The slide at issue relates to technology options discussed for
the FIDNet. That is, the credit card and toll-fraud detection were only
offered as an example of a type of detection technology currently in
use.
Specifically, what was then being considered was the technology
that telephone companies use to find abnormalities in behavior
patterns--in their case for telephone of phone credit cards use--to see
if it could be used to identify abnormal behaviors patterns on our
networks. This was an examination of the underlying technology only,
and had nothing to do with using actual phone number or credit card
records.
Question 6. Please provide an outline of FIDNet in its current
stage of development.
Answer 6. At present, FIDNet remains entirely on the drawing board.
The program plan for fiscal year 2000-2001 relies upon the experience
and expertise of the vendor community to actually develop the technical
architecture(s) for FIDNet.
An initial Request for Proposal (RFP) from the General Services
Administration (GSA) will solicit such architectures from the corporate
sector. The expectation is that these architectures will come from
those companies that already provide intrusion detection products and
services both to industry and government. While the RFP will document
all known legal constraints upon the Network, the program plan still
calls for yet another legal review of each of the vendors' submissions
by the Department of Justice. Depending upon the build costs of the
remaining vendor proposal's (those proposed architectures which pass
legal muster with the Department of Justice) and the amount of
available funding, the GSA Program Office will then fund development of
between two and five FIDNet prototypes. The prototypes must then prove
the technical, operational and practical viability of their
architectures while continuing to steer clear of any new legal/privacy
constraints that Justice may have identified. The extent to which the
prototypes prove they actually meet all system requirements: technical,
legal, privacy-related, operational and fiscal (i.e., best value for
the Government) will determine the winner in final Source Selection.
Question 6a. Describe which practices of surveillance and
monitoring already take place in individual agencies.
Answer 6a. Because the Program Office is just getting under way,
GSA has not yet had the opportunity to begin a comprehensive survey of
government agency intrusion detection practices, which products they
may have purchased from which vendors, and how the agencies actually
employ the intrusion detection systems they have already purchased.
We will keep the Subcommittee informed about the development of the
FIDNet proposal and about the information that GSA assembles concerning
intrusion detection practices in various agencies.
Question 7. Using the model of FIDNet, explain what type of
monitoring would apply to a citizen, in his home who logs on to a
government web site. What types of activities would that citizen have
to do to ``set off a typical intrusion detection system (understanding
that different government agencies have varying IDSs)?
Answer 7. Merely accessing a public government web site over the
Internet would not be the kind of activity that would trigger an
intrusion detection system. That activity is not only exceedingly
common, but is entirely expected and encouraged. After all, government
agencies' web pages are posted so that they may be accessed and read by
the general public.
It is safe to assume, however, that sending e-mail infected with a
virus or worm to a government office would certainly activate the
agency's anti-virus software and thus ``set off'' the intrusion
detection system of a given agency. Participation in distributed Denial
of Service (DDOS) attacks, such as those that recently shut down Yahoo!
, e-Bay and other popular commercial web pages,
would most likely also trigger an alert.
Please be aware that it will be the systems administrators in the
individual agencies who will determine for each critical computer
system what type of activity sets off their alarm(s), and what data
(within legal constraints) will be sent via FIDNet to the Federal
Computer Incident Response Capability (FedCIRC) at GSA when
unauthorized activity is suspected. Given the sorts of intrusion
detection systems on the market today, agencies' traffic monitoring
typically notices anomalous activity that may indicate an unlawful
intrusion into a significant information system--such as attempts to
enter a government computer system at an unusual port of entry or the
delivery/execution of certain types of files that are typically used as
vehicles for hostile code, e.g., Trojan horses.
Question 8. While much of the national plan deals with protection
against cyber attack, milestone 1.7 calls for all agencies to cooperate
in the construction of a program to protect critical infrastructures
against physical attack, by terrorists or others. This part of the plan
is scheduled to be complete by June 2000. Could you please elaborate on
what this part of the plan will consist of?
Answer 8. The National Plan for Critical Physical Infrastructure
Protection (NPCPIP) will strengthen our economic and national security
through the identification and remediation of critical physical
infrastructure vulnerabilities. The plan involves asset identification,
process and procedure integration, risk mitigation, remediation,
incident reports, response, and interdependency understanding.
The Information Technology revolution that has taken place in
America during the 1990s, and the dependence on information systems it
has created, makes a national level program for information systems
security and defense essential. Given the urgent need for an
information systems security and defense plan, and because of the
breadth of this topic, the National Plan for Information Systems
Protection, released by the President on January 7, 2000, focuses on
protection of critical information infrastructures from both cyber and
physical attack. It excludes consideration of other critical physical
infrastructures and security issues related to them.
America depends on both the physical and cyber portions of her
critical infrastructures for economic and national security. A cyber
event can cause a disruption of a physical infrastructure (e.g., power
overload leads to a transformer or substation problem); a physical
event/incident can disrupt a cyber infrastructure (e.g., a
communications substation or electric transformer problem negatively
impacts/degrades Secure Supervisory Control and Data Acquisition
(SCADA) or communications systems).
A physical infrastructure plan will integrate the cyber and
physical aspects of critical infrastructure protection. All
infrastructures consist of both cyber and physical elements and it is
important not to separate them, specifically when one considers
business continuity and target opportunities. However, for purposes of
this plan, we must view the physical infrastructures from a national
lens, and thus, we will define critical physical infrastructures to be
those that would have broad reaching consequences, e.g. those that
would impact on major geographical, economical, regional, or national
security levels, if their services or operations were disrupted.
Therefore, to address the physical vulnerabilities of non-cyber
infrastructures, a new Critical Physical Infrastructure Protection Plan
is being developed to identify the necessary initiatives and programs
for ensuring protection of these infrastructures. The CIAO will lead
this effort and will work with an inter-agency Task Group which will
include DoD, FBI, and other agencies. These elements along with reviews
of existing critical physical infrastructure security programs will
lead to The National Plan for Critical Physical Infrastructure
Protection (NPCPIP) to be issued in 2000.
Participating Agencies in NPCPIP Task Group.
Chair/Lead: CIAO*
Sector Liaison Agencies:
Information & Communications--DOC
Banking & Finance--Treasury*
Transportation--DOT*
Energy--DOE*
Emergency Fire Service/Continuity of Government--FEMA*
Public Health--HHS
Water Supply--EPA*
Lead Agencies for Special Functions:
Intelligence--CIA
Foreign Affairs--State
Law Enforcement--DOJ/FBI*
National Defense--DoD*
Federal Government (Non-DoD)--GSA*
Others:
NSC
Local Law Enforcement--Sheriff, Arapaho Co, Colorado
NSTAC (National Security Telecommunications Advisory Council)--(in
a consultant status)
OMB
USDA (Agriculture)
DOI (Interior)
HHS (Health & Human Services)
*}Mandatory--will form the core-writing contingent for
the physical plan, other organizations including the NSTAC will be used
in a reviewer/consultant role.
Question 8a. Do each of the agencies involved have the expertise to
accomplish this study, or are some agencies, such as the FBI and
Defense Department being called on to assist other agencies?
Answer 8a. As described above, an interagency task force is
developing the NPCPIP. No single agency, alone, has the knowledge base
to complete the effort. It should be noted that this plan will not take
the form of an agency-by-agency plan, but a cross-sectoral approach.
Question 9. The Plan states that ``Federal Agencies aad Departments
should have assessed information systems vulnerabilities, adopted a
multi-year funding plan to remedy them, and created a system for
continuously updating. Private sector companies of every critical
sector could do the same. 7 (Milestone 1.21). Is there a need for
legislation to ensure that private sector owners and operators do this?
Answer 9. We do not envision the need now for new legislation.
Individual companies already address security to varying levels. The
degree depends on their level of awareness and understanding of how
critical information systems are to their business operations and to
their ability to assure reliable services and delivery of products to
their customers and the communities they serve. An industry awareness
initiative will create market forces that will inevitably elevate the
level of attention and investment by industry, an example of which we
saw with the Year 2000 conversion experience. At some point, we may
recognize a gap between what national security needs for critical
infrastructure security and what companies believe their customers and
communities are willing to pay for. At that time, additional incentives
may be needed for industry to step up to additional levels of
investment beyond what the market supports.
Information security, unlike the Year 2000 conversion, has no end
point. Consequently, it will require an on-going commitment and
institutionalization of controls into core business processes.
Technology also continues to change very quickly, requiring continuing
attention and investment from those who would benefit from it.
Obtaining buy-in from industry in their own business interests will
more effectively address this issue in a timely and creative manner.
Question 9a. Other than legislation requiring private companies to
undertake this sort of planning, are there other incentives we could
use to encourage firms in key sectors to be more pro-active in making
their computer networks more secure?
Answer 9a. The most effective incentive for corporations to take
action is for the government to articulate its concern in business
terms. The government's real focus is on predictable delivery of
critical services that enable the government to satisfy its national
security responsibilities and foster a competitive economy. Private
industry succeeds by providing most of these services. If the
government is successful in conveying its message, industry will take
action based on sound business management practices.
Question 10. What is the status of the development of Information
Sharing and Analysis Center (ISACs), which are intended to bring
together companies in key sectors like banking and telecommunications
to facilitate the sharing of information about cyber threats and best
practices for addressing vulnerabilities?
Answer 10. Building the public-private partnership to ensure action
is at the core of the National Plan. Without the full participation of
the private sector, federal actions to protect critical infrastructures
will not be fully effective. PDD-63 suggests that the private sector,
in cooperation with the Federal government, establish Information
Sharing and Analysis Centers (ISACs) to facilitate public-private
information sharing on vulnerabilities, threats intrusions, and
anomalies. It should be noted, however, that ISACs are only one of the
many information-sharing mechanisms now employed by the private sector.
Last October, Banking and Finance publicly announced the creation
of the Financial Services Information and Analysis Center (FS-ISAC).
This is the first center that is operational and it is currently
recruiting members from the entire financial industry.
The National Coordinating Center (NCC) for Telecommunications,
established in 1984, already performs many of the functions of an ISAC
for the telecommunications industry.
The electric power industry, through the North American Electric
Reliability Council (NERC), has developed a reporting process and
specific data elements on incidents to be shared with the National
Infrastructure Protection Center (NIPC). This reporting process was
built on a reporting structure and process that already exists within
the electric industry to support the reliability, availability, and
integrity of the nation's electric grid.
There are other information sharing vehicles in private industry,
created for paying members. Many of the large consulting and technology
firms provide similar or equivalent services to their customers. Many
of these share relevant information with the government.
The government is also engaged in a dialogue with the Partnership
for Critical Infrastructure Security to explore the value and
feasibility of cross-sector information sharing regarding common
threats, experiences, and best practices.
Question 11. Pages 24 and 25 of the executive summary of the Plan
describe deterrents and obstacles to companies who wish to share
information on cyber-threats with the government. How can we remove
these obstacles to encourage companies to share such information with
the government? Do you need help from Congress to address these
impediments?
Answer 11. Many owners and operators of critical infrastructures
and industry officials have expressed reluctance to share information
about threats and vulnerabilities with the government. The degree of
reluctance varies according to infrastructure, but is present in each.
Only 17 percent of respondents who experienced an attack during the
previous year reported it to law enforcement, according to the
President's Commission on Critical Infrastructure Protection, which
published its findings in October 1997.
In a recent meeting with industry officials they have suggested
that they would be reluctant to share such proprietary information or
to participate in information sharing programs for a number of reasons.
They fear information provided to the government may be made public and
thereby damage their reputations, expose them to liability, or weaken
their competitive position. In addition, potential contributors from
the private sector are reluctant to share specific threat and
vulnerability information because of impediments they perceive to arise
from antitrust and unfair-business laws.
With this dilemma in mind, an interagency group was formed in
August 1999 to consider a non-disclosure provision that would allow
Federal agencies to accept voluntary contributions of certain security-
related information outside the operation of the Freedom of Information
Act (FOIA). The information in question would not be of the type
normally disclosed either to the Federal government or to the public.
In the near future, the group plans to address antitrust and liability
issues.
In each of these cases, we will need to work closely with Congress
and the privacy community in developing effective solutions and
removing these obstacles.
Question 12. The Plan refers to the Partnership for Critical
Infrastructure Security. Furthermore, milestone 8.2 states that this
partnership will be created this month. What is it and how will it be
created?
Answer 12. The Partnership for Critical Infrastructure Security was
created on February 22, 2000 at an organizational meeting held at the
U.S. Chamber of Commerce. Over 120 companies attended (with more on the
waiting list that could not be accommodated, but who want to join the
partnership).
The Partnership is intended to be a collaborative effort of
industry and government to assure the delivery of essential services
over the nation's critical infrastructures. These infrastructures,
identified in Presidential Decision Directive 63 (PDD-63), include:
Energy
Financial Services
Transportation
Communications and Information Services
Vital Human Services, including Health, Safety, and Water
Private sector membership in the Partnership is open to
infrastructure owners and operators, providers of infrastructure
hardware, software, and services, risk management and investment
professionals, and other members of the business community. Government
representation will include state and local governments, as well as
Federal agencies and departments responsible for working with the
critical infrastructure sectors and for providing functional support
for the protection of those infrastructures.
The Partnership recognizes that the nation's critical services
depend increasingly on commercial information technologies. The new
threats and vulnerabilities that come with greater dependency on these
technologies, combined with the growing interdependencies among the
nation's critical infrastructures, require urgent attention not only in
the government but also in the business community.
The Partnership recognizes that in addition to protecting these
infrastructures, attention must be given to the range of actions
necessary to assure the delivery of critical services--including
mitigation, response, and reconstitution.
Since the vast majority of the critical infrastructures of the
United States are owned and operated by private industry, the
Partnership recognizes and acknowledges that the Federal government
alone cannot protect these infrastructures or assure the delivery of
services over them. While most of the challenges to assuring critical
services are best handled by industry itself, the Partnership is based
on the premise that some of these challenges are better handled by
industry and government working together.
The Partnership will explore ways in which industry and government
can work together to address the risks to the nation's critical
infrastructures. Federal Lead Agencies are currently building
partnerships with individual infrastructure sectors in private
industry, and state and local governments. The Partnership will provide
a forum in which to draw these individual efforts together to
facilitate a dialogue on cross-sector interdependencies, explore common
approaches and experiences, and engage other key professional and
business communities that have an interest in infrastructure assurance.
By doing so, the Partnership hopes to raise awareness and understanding
of, and to serve, when appropriate, as a catalyst for action among, the
owners and operators of critical infrastructures, the risk management
and investment communities, other members of the business community,
and state and local governments.
How the Partnership conducts itself--how it is organized, and how
it manages its on-going operations--will largely be determined by its
industry members. For its part, the Federal Government is prepared to
sponsor on behalf of the Partnership a series of conferences, meetings,
and working groups with industry and government executives to:
Exchanges views on issues of mutual interest to the
government and members of industry, including, but not limited
to:
Interdependencies, including cross-sector
information sharing arrangements and the appropriate safeguards
for protecting the confidentiality of such information;
Evolving threats to critical infrastructures;
Education, training and workforce development;
Standards and Best Practices;
Technology and R&D;
Risk Management: prevention, mitigation, response,
and reconstitution, including incident response management and
consequence management; and,
Legal and regulatory matters.
Facilitate the participation of members of industry in the
ongoing development of the national plan for critical
infrastructure protection; and,
Facilitate contributions by members of industry to the work
of the National Infrastructure Assurance Council.\1\
---------------------------------------------------------------------------
\1\ President Clinton established the National Infrastructure
Assurance Council (NIAC) by Executive Order 13130 on July 14, 1999. The
Council will consist of up to 30 leaders in industry and state and
local government. Its mandate is to advise and counsel the President on
a range of policy matters relating to critical infrastructure
assurance, including the enhancement of public-private partnerships,
generally. The Partnership for Critical Infrastructure Security could
serve as one important channel of communication to the NIAC, ensuring
that Council members have the full benefit of a wide cross-section of
industry views.
---------------------------------------------------------------------------
______
Responses of John Tritak to Questions From Senator Joseph R. Biden, Jr.
Question 1. Mr. Tritak in light of privacy advocates' criticism of
the Federal Intrusion Detection Network (FIDNet) program, how can you
guarantee that civil liberties are protected and that FIDNet will not
violate current privacy protection, wiretap and 4th amendment law?
At the outset and before we can respond to your question fully, we
need to make two observations as a backdrop for the discussion. First,
the Federal Intrusion Detection Network (the ``FIDNet'') proposal was
and continues to be a work in progress. Since the release of PDD-63 in
May 1998, the Administration has worked carefully to identify the full
range of possible security options that incorporate intrusion detection
technology. The proposal as described in the earliest drafts of the
National Plan has evolved considerably, and continues to evolve.
The second point to be made is that, as underscored in the National
Plan, the FIDNet proposal will be implemented in a manner consistent
with all relevant laws, including privacy laws. Our legal analysis of
the proposal--and our ongoing consultation with the Department of
Justice--continues as part of a comprehensive interagency process and
in tandem with the evolution of the FIDNet to assure its adherence to
the spirit and letter of law.
FIDNet has been carefully tailored to vest authority and control in
the Federal civilian agencies, consistent with the Computer Security
Act of 1987, Clinger-Cohen Act, and Executive Order 13011, which
implement Congressional policies. Under current practices, federal
agency computer system administrators (as well as system administrators
in most companies in the private sector) already analyze data flowing
over their systems, based on strategic placement of intrusion detection
technology in accordance with the needs of the organization. Under the
FIDNet proposal as currently formulated:
The agencies will decide what data on system anomalies to
forward to the GSA for further review;
The GSA will use data on anomalies exclusively to warn
agencies about system anomalies; and
Law enforcement would receive information about computer
attacks and intrusions only under long-standing legal rules
(i.e., when there is evidence of a crime). No new authorities
are implied or envisioned by the FIDNet program.
FIDNet is intended to be a multi-level system. At the first level,
each agency's own security-protection software will scan for harmful
traffic entering that agency's system. (The key to understanding
intrusion detection is the concept of a ``firewall,'' which by
definition and design is meant to scan incoming transmissions for
hostile files and programs.) In fact, this is already being done at
federal agencies, not to mention most private companies. The National
Plan contemplates that the implementation and operation of such
protective measures will continue to be the responsibility of the
individual agencies. The objective of FIDNet is not to send the
resulting information to law enforcement officials. Instead, the goal
is to improve overall federal system security through improved
information sharing among systems administrators and information
security officials.
Contrary to Mr. Rotenberg's suggestion, the March 1999 Justice
Department memorandum does not state at any point that FIDNet--even in
the preliminary form then under analysis--would violate federal privacy
law. On the contrary, the memorandum identifies the legal bases on
which protective monitoring of government computer systems can be
lawfully conducted.
In fact, the current FIDNet proposal is structured to comply fully
with the Electronic Communications Privacy Act (``ECPA''), 18 U.S.C.
Sec. 2510 et seq., which incorporates federal wiretap law.
Specifically, while ECPA generally prohibits the interception of
electronic communications, it contains two relevant exceptions to that
general prohibition: (1) consent of a party and (2) system protection
monitoring activities. As to the first of these, the federal agencies
participating in FIDNet will, in appropriate instances, establish
consent to monitoring by using login ``banners'' displayed to each
network's users.
FIDNet will also rely on the separate exception applicable to
systems protection. Under this exception, ECPA expressly authorizes a
system owner or his agent to monitor network traffic on the system to
the extent necessary to protect the ``rights or property'' of the
system owner.
In addition, the FIDNet concept is compatible with the Privacy Act.
The Privacy Act, designed to protect personal privacy from unwarranted
invasions by federal agencies, regulates the collection, maintenance,
use, and dissemination of personal information by federal government
agencies. It forbids the disclosure of personal information by federal
agencies except under certain circumstances, and, subject to enumerated
exceptions, gives individuals access to information maintained on them.
FIDNet will be fully consistent with the Privacy Act's requirement
that physical security and information management practices be designed
to ensure individual privacy. As properly and legally formulated,
FIDNet will increase the level of privacy and security afforded to
information about individuals on government computers.
Question 2. What type of data will be collected by FIDNet and how
long will the Government Services Administration retain the data?
Answer 2. FIDNet will not deploy collectors or sensors on any
government agencies or other entity network. This is the job of the
agency systems administrators and their intrusion detection systems.
Instead, the FIDNet will receive from the agencies, under processes
established by the agency systems administrators, only those alarm
indications that the agency internal intrusion detection systems
identify as anomalous and that the agency systems administrators
forward to FIDNet.
Intrusion detection system alarm data typically have a short shelf-
life and GSA does not envision a need to retain this data. However,
legal requirements relating to government records may mandate that
certain records be retained or archived in accordance with schedules
established in accordance with law. This issue is currently being
reviewed. Of course, GSA will continue to adhere to existing laws with
respect to records involving law enforcement matters.
______
Responses of John Tritak to Questions From Senator Dianne Feinstein
Question 1. Does FIDNet comply with the Wire Tap Laws?
Answer 1. Yes, FIDNet complies with the wiretap laws.
At the outset and before we can respond to your question fully, we
need to make two observations as a backdrop for the discussion. first,
the Federal Intrusion Detection Network (the ``FIDNet'') proposal was
and continues to be a work in progress. Since the release of PDD-63 in
May 1998, the Administration has worked carefully to identify the full
range of possible security options that incorporate intrusion detection
technology. The proposal as described in the earliest drafts of the
National Plan has evolved considerably, and continues to evolve.
The second point to be made is that, as underscored in the National
Plan, the FIDNet proposal will be implemented in a manner consistent
with all relevant laws, including privacy laws. Our legal analysis of
the proposal--and our ongoing consultation with the Department of
Justice--continues as part of a comprehensive interagency process and
in tandem with the evolution of the FIDNet to assure its adherence to
the spirit and letter of law.
FIDNet has been carefully tailored to vest authority and control in
the Federal civilian agencies, consistent with the Computer Security
Act of 1987, Clinger-Cohen Act, and Executive Order 13011, which
implement Congressional policies. Under current practices, federal
agency computer system administrators (as well as system administrators
in most companies in the private sector) already analyze data flowing
over their systems, based on strategic placement of intrusion detection
technology in accordance with the needs of the organization. Under the
FIDNet proposal as currently formulated:
The agencies will decide what data on system anomalies to
forward to the GSA for further review;
The GSA will use data on anomalies exclusively to warn
agencies about system anomalies; and
Law enforcement would receive information about computer
attacks and intrusions only under long-standing legal rules
(i.e., when there is evidence of a crime). No new authorities
are implied or envisioned by the FIDNet program.
FIDNet is intended to be a multi-level system. At the first level,
each agency's own security-protection software will scan for harmful
traffic entering that agency's system. (The key to understanding
intrusion detection is the concept of a ``firewall,'' which by
definition and design is meant to scan incoming transmissions for
hostile files and programs.) In fact, this is already being done at
federal agencies, not to mention most private companies. The National
Plan contemplates that the implementation and operation of such
protective measures will continue to be the responsibility of the
individual agencies. The objective of FIDNet is not to send the
resulting information to law enforcement officials. Instead, the goal
is to improve overall federal system security through improved
information sharing among systems administrators and information
security officials.
Contrary to Mr. Rotenberg's suggestion, the March 1999 Justice
Department memorandum does not state at any point that FIDNet--even in
the preliminary form then under analysis--would violate federal privacy
law. On the contrary, the memorandum identifies the legal bases on
which protective monitoring of government computer systems can be
lawfully conducted.
In fact, the current FIDNet proposal is structured to comply fully
with the Electronic Communications Privacy Act (``ECPA''), 18 U.S.C.
Sec. 2510 et seq., which incorporates federal wiretap law.
Specifically, while ECPA generally prohibits the interception of
electronic communications, it contains two relevant exceptions to that
general prohibition: (1) consent of a party and (2) system protection
monitoring activities. As to the first of these, the federal agencies
participating in FIDNet will, in appropriate instances, establish
consent to monitoring by using login ``banners'' displayed to each
network's users.
FIDNet will also rely on the separate exception applicable to
systems protection. Under this exception, ECPA expressly authorizes a
system owner or his agent to monitor network traffic on the system to
the extent necessary to protect the ``rights or property'' of the
system owner.
In addition, the FIDNet concept is compatible with the Privacy Act.
The Privacy Act, designed to protect personal privacy from unwarranted
invasions by federal agencies, regulates the collection, maintenance,
use, and dissemination of personal information by federal government
agencies. It forbids the disclosure of personal information by federal
agencies except under certain circumstances, and, subject to enumerated
exceptions, gives individuals access to information maintained on them.
FIDNet will be fully consistent with the Privacy Act's requirement
that physical security and information management practices be designed
to ensure individual privacy. As properly and legally formulated,
FIDNet will increase the level of privacy and security afforded to
information about individuals on government computers.
Question 2. Under what legal authority does FIDNet function?
Answer 2. The Administration is committed to structuring the FIDNet
concept in strict adherence to exiting protections under the law,
including ECPA (Wiretap Statutes), the Privacy Act, and other laws.
Please refer to Question 1 above for more details.
Question 3. How are FIDNet and the NIPC redundant?
Answer 3. They are not. FIDNet, when operational, will be a service
offered by the GSA to the civilian departments and agencies to help
them improve information sharing within the Federal civilian government
amongst systems administrators. This information sharing covers the
efficiency and reliability of intrusion detection systems which some
agencies already employ in accordance with OMB Circular A-130. In
short, the FIDNet is a centrally managed operational structure that
permits GSA to look at and draw conclusions about anomalous cyber
activity across the federal civilian government in a way that no single
agency could do for itself.
In contrast, the NIPC serves as the national focal point for threat
assessment, warning, investigation, and response to attacks on the
critical infrastructures. A significant part of its mission involves
establishing mechanisms to increase the sharing of vulnerability and
threat information between the government and private industry. It also
provides invaluable input and capabilities to federal law enforcement
and defense cyber operations.
Question 4. Give your opinion on the GAO's assertion that the
current laws governing IT Security are outdated.
Answer 4. The management of information security in the Federal
government is an issue that is currently being debated in the Congress
and the Administration, including in legislation such as S. 1993.
Accordingly, the only observation I would make at this time is that we
should rely on the existing legal framework, to the extent we can
continue to assure ourselves that the system is working, is effective,
and is providing the appropriate level of protection for the full range
of proprietary, personal, and other sensitive information.
Question 5. Is there a need to tailor infosec standards to certain
types of information, and if so how?
Answer 5. As discussed above, the only observation I would offer on
this subject is that information technology is developing rapidly and
that critical infrastructure protection needs to be an essential part
of that development, if we are to build secure infrastructures. We
should rely on the existing legal framework, to the extent we can
assure ourselves that the system is working, is effective, and is
providing the appropriate level of protection for proprietary, personal
and other sensitive information.
Question 6. Should Congress approve more money for PKI?
Answer 6. Public Key Infrastructure (PKI) maximizes our capability
to implement needed security services including confidentiality,
integrity, authentication, non-repudiation and access control. PKI
facilitates the secure exchange of information electronically. It is a
key element for gaining increasing trust and confidence in the use of
this medium for commercial applications.
Today, cryptography is the most viable means of protecting
information in cyberspace. As mentioned, public key cryptography, based
on a PKI, maximizes our capability to implement needed security
services including confidentiality, integrity, authentication, non-
repudiation and access control. Appropriate combinations of these
services allow us to protect information stored and transmitted over
the Internet from our lap-top and desk-top computers. The PKI also
allows us to configure firewalls and other Internet components to
protect the internal domain name services and routing table
information. These PKI security services enable secure e-commerce, e-
mail and a myriad of important large distributed applications including
those that provide Government services.
Appropriated monies for PKI would be well spent in the following
areas:
PKI Standards, Testing and Product Certification--As industry
responds to a growing customer base for PKI products, innovative and
enterprising solutions are finding their way into large international
markets. Of critical importance to the Government is the
interoperability of a Government PKI with those of the public and
private sectors and other sovereign governments. It is unlikely that
these industry PKI solutions will meet all the unique Government PKI
requirements. Appropriate testing and high confidence certifications
for Government PKIs often go well beyond the interoperability and
testing requirements of other PKIs. Additional government activities in
interoperability standards development and in testing and certification
are needed.
PKI Research and Development--The Next Generation Internet (NGI)
holds the promise of extremely high bandwidth, rich connectivity and
extremely efficient large distributed applications. It is prudent to
plan now for the security services that will likely be required for the
NGI. Three interagency working groups are coordinating expertise to
begin the process: The Large Scale Networking Next Generation Internet
(LSN/NGI), the High Confidence Systems (HCSS) and the Critical
Infrastructure Protection (CIP) communities have expressed interest in
a Public Key Infrastructure for the Next Generation Internet.
Additional government activities in defining the transition strategy
from current PKI for the Internet to a PKI for the NGI is rightfully a
research and development idea with low risk and high potential payoff
for both our nations next generation critical infrastructures and our
governments next generation needs and requirements.
Our models for secure e-commerce and e-mail have been tested with
prototype implementations; but, not stressed. We need real experiences
with a Government PKI that provisions security in large, scalable high-
speed dynamic group communications similar to those used by our
emergency response communications and messaging systems and other
critical government systems. We know little about integrating PKI into
large legacy applications used by the Government to provision services
for the public. We know even less about integrating PKI into new, as
yet untested, major applications that serve the public.
Operational Critical Systems--While PKI technology by itself cannot
completely protect critical operational systems, PKI is considered a
necessary component when cryptography is deployed. Biometric techniques
used in conjunction with PKI can provide high-grade authentication of
people accessing critical assets. In addition, digital signature
techniques based on PKI can provide integrity and non-repudiation of
information and transactions--a key element in audit trail techniques.
The monies necessary to upgrade legacy systems with PKI technology
often come out of agency security budget lines. Monies specifically
approved for PKI by the Congress would have the immediate effect of
forming the critical mass necessary to jump-start the Government's PKI.
�