[Senate Hearing 106-889]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 106-889

      CYBER ATTACKS: THE NATIONAL PROTECTION PLAN AND ITS PRIVACY 
                              IMPLICATIONS

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
                       AND GOVERNMENT INFORMATION

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                                   on

 EXAMINING THE VULNERABILITY OF U.S. SYSTEMS TO CYBER ATTACK, FOCUSING 
     ON THE ADMINISTRATION'S NATIONAL PLAN FOR INFORMATION SYSTEMS 
           PROTECTION AND ITS IMPLICATIONS REGARDING PRIVACY

                               __________

                            FEBRUARY 1, 2000

                               __________

                          Serial No. J-106-62

                               __________

         Printed for the use of the Committee on the Judiciary


                    U.S. GOVERNMENT PRINTING OFFICE
68-776 CC                   WASHINGTON : 2001




                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman

STROM THURMOND, South Carolina       PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa            EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania          JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona                     HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio                    DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri              RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan            ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama               CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire

             Manus Cooney, Chief Counsel and Staff Director

                 Bruce A. Cohen, Minority Chief Counsel

                                 ______

   Subcommittee on Technology, Terrorism, and Government Information

                       JON KYL, Arizona, Chairman

ORRIN G. HATCH, Utah                 DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa            JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin

                     Stephen Higgins, Chief Counsel

        Neil Quinter, Minority Chief Counsel and Staff Director





                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

Kyl, Hon. Jon, U.S. Senator from the State of Arizona
Feinstein, Hon. Dianne, U.S. Senator from the State of California

                    CHRONOLOGICAL LIST OF WITNESSES

Statement of John S. Tritak, Director, Critical Infrastructure 
  Assurance Office, Washington, DC
Panel consisting of Marc Rotenberg, Executive Director, 
  Electronic Privacy Information Center, Washington, DC; and 
  Frank J. Cilluffo, senior policy analyst, Center for Strategic 
  and International Studies, Washington, DC

                ALPHABETICAL LIST AND MATERIAL SUBMITTED

Cilluffo, Frank J.:
    Testimony
    Prepared statement
Kyl, Hon. Jon: Prepared statement of Jack L. Brock, Jr., Director, 
  Governmentwide and Defense Information Systems, Accounting and 
  Information Management Division
Rotenberg, Marc:
    Testimony
    Prepared statement
Tritak, John S.:
    Testimony
    Prepared statement

                                APPENDIX
                         Questions and Answers

Responses of John Tritak to Questions from Senators:
    Kyl
    Biden
    Feinstein

 
CYBER ATTACK: THE NATIONAL PROTECTION PLAN AND ITS PRIVACY IMPLICATIONS

                              ----------                              


                       TUESDAY, FEBRUARY 1, 2000

                           U.S. Senate,    
         Subcommittee on Technology, Terrorism,    
                            and Government Information,    
                                Committee on the Judiciary,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl 
(chairman of the subcommittee) presiding.
    Also present: Senators Feinstein and Bennett [ex officio].

  OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE 
                        STATE OF ARIZONA

    Senator Kyl. The subcommittee will please come to order.
    Let me first welcome everyone to this hearing of the 
Subcommittee on Technology, Terrorism, and Government 
Information. Today, we will examine the National Plan for 
Information Systems Protection, released by the President on 
January 7, and its implications regarding privacy. This is the 
fifth public hearing we have held on cyber protection in the 
last 2 years, and the first where we can finally review the 
long overdue National Plan mandated by the 1996 Defense 
Authorization Act.
    The United States, of course, is the most technologically 
sophisticated country in the world. Today, virtually every key 
service in our society is dependent on computer technology--
electric power grids, air traffic control, nuclear warning, 
banking, just to name a few examples. Highly interdependent 
information systems control these infrastructures.
    With the benefits of technological advances comes a new set 
of vulnerabilities that can be exploited by individuals, 
terrorists, and foreign nations. Our enemies don't need to risk 
confronting our powerful military if they can attack 
vulnerabilities in our critical information infrastructure. 
According to the National Security Agency, more than 100 
nations are working on information warfare tactics. There have 
already been a disturbing number of attacks on U.S. information 
systems, exposing our Achilles heel to any potential adversary.
    At our last hearing, Michael Vatis, from the FBI, described 
how Russia conducted a ``series of widespread intrusions into 
Defense Department, other Federal Government agencies, and 
private sector computer networks.'' Additionally, China is 
reportedly considering forming an entirely new branch of the 
military for information warriors.
    A recent article in the Chinese Liberation Army Daily 
assessed that the integration of Web warfare with ground combat 
will be essential to winning future conflicts. Moreover, a 
recent book titled ``Unrestricted Warfare,'' written by two 
Chinese Army colonels, proposes tactics for developing 
countries like China to use to compensate for their military 
inferiority versus the United States. One scenario described in 
the book envisions a situation where the attacking country 
causes panic through cyber attacks on civilian electricity, 
telecommunications, and financial markets. These examples 
underscore the severity of the threat facing the United States.
    In light of these concerns, I authored an amendment to the 
1996 Defense Authorization Act directing the President to 
submit a report to Congress ``setting forth the results of a 
review of the national policy on protecting the national 
information infrastructure against strategic attacks.'' This 
ultimately culminated in the National Plan before us today, 
which is more than a year overdue.
    I am pleased that the Plan calls for specific milestones 
with timetables for securing our Nation's information systems, 
although its goals are modest and merely a first step. I hope 
the administration considers the Plan a living document that 
must be reviewed and revised with new technological advances 
and discovered vulnerabilities. This will be a complicated and 
expensive process, but it is vital to protect our national 
security and way of life. To support the effort, I am 
encouraged that news reports indicate the President's budget 
will include a $160 million increase in spending on cyber 
security initiatives.
    In securing the critical infrastructures that provide our 
way of life, we must be careful that it doesn't occur at the 
expense of civil liberties. We need to update our current legal 
framework to reflect the revolution in information technology, 
to strike the right balance between security and civil 
liberties.
    The reality is that doing nothing to enhance our cyber 
security, in fact, erodes the privacy and civil liberties of 
Americans by making public information accessible to any hacker 
with a computer and a modem. Let me repeat that. The reality is 
that doing nothing to enhance our cyber security, in fact, 
erodes privacy and civil liberties of Americans by making 
information accessible to any hacker with a computer and a 
modem. The National Plan's implementation must consider the 
reasonable privacy issues that must be discussed and 
appropriately balance them with security interests.
    Our witnesses are well-suited to address these issues. Mr. 
John Tritak, Director of the Critical Infrastructure Assurance 
Office, is responsible for the development of the National 
Plan. He will summarize the Plan and speak to the privacy 
issues it raises.
    Our second panel--Mr. Frank Cilluffo, senior policy analyst 
at the Center for Strategic and International Studies, and Mr. 
Rotenberg, Executive Director of the Electronic Privacy 
Information Center--will testify about the balance between 
security and civil liberties in implementing the Plan. Please 
note that Mr. Barry Steinhardt, from the ACLU, was also invited 
to testify, but respectfully declined.
    I also want to acknowledge excellent testimony that I am 
going to put in the record from the General Accounting Office. 
Jack Brock, who is the Director of the Governmentwide and 
Defense Information Systems Accounting and Information 
Management Division, is here today, and I very much appreciate 
the fine testimony that he presented on critical information 
and infrastructure protection which will be put in the record 
here.
    [The prepared statement of Mr. Brock follows:]

    [GRAPHIC] [TIFF OMITTED] T8776.001 through T8776.014
    
    Senator Kyl. Senator Feinstein, would you like to make your 
opening statement?

  STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE 
                      STATE OF CALIFORNIA

    Senator Feinstein. Thanks very much, Mr. Chairman, and 
thank you for your leadership. As always, it is a pleasure to 
work with you.
    The subject today we discuss is, I think, one of the most 
important we face. In my view, the security of information and 
networks will be the biggest national security issue of the 
decade and one that I think deserves the close oversight of 
this committee.
    I think the events of the last few weeks alone remind us of 
the importance of information security. Just a few days ago, 
the National Security Agency publicly admitted what may be the 
biggest single intelligence failure in its 48-year history. 
From Monday until late Thursday of last week, NSA's computers 
were unable to process the millions of communications 
intercepts flowing in from around the world from U.S. spy 
satellites. The system that was down is the same one used to 
track terrorists such as Osama Bin Laden.
    And just a month ago, on New Year's Eve no less, another 
critical United States spy satellite system crashed. This was 
the same day that numerous terrorist attacks were planned 
against American citizens, but fortunately prevented. And this 
crash occurred after the satellite system had been extensively 
tested for Y2K bugs.
    These recent failures of some of our most important and 
sensitive computer systems have jeopardized our national 
security and the safety of our citizens. They remind us that 
our critical infrastructures are governed by computer networks 
and systems, and that if these networks and systems are 
disrupted or disabled, American citizens will be left 
vulnerable to economic disruption, to possible injury, and to 
possibly death.
    Of course, computers not only process signals intelligence, 
but are responsible for the delivery to virtually every 
American of electric power, oil and gas, communications, 
transportation services, banking and financial services, and 
other vital needs. These computers present a tempting target to 
hackers, to terrorists, and hostile nations because, given our 
military supremacy, few adversaries would wish to fight the 
United States in a conventional war on a traditional 
battlefield.
    Moreover, because so many of our computers are 
interconnected often through the open architecture of the 
Internet, there may be less reason for a hostile party to try 
to terrorize us with bombs, tanks, or planes. With a few 
keystrokes on a computer keyboard half a world away, such a 
party could wreak colossal damage. And every single day, 
someone tries to cause such damage.
    In fact, the computers controlling our critical 
infrastructure are under practically continuous assault. 
Every day, assailants make hundreds of unauthorized attempts to 
gain access to crucial computers. For example, last year there 
were some 20,000 reported cyber attacks on Department of 
Defense networks and systems alone, an almost four-fold 
increase from the previous year. And many attacks go 
undetected, which means that the numbers are almost certainly 
higher than reported.
    I think Americans like to think that the United States has 
not been invaded since the War of 1812. But, in fact, we are 
invaded every day. A foreign army once burned the White House 
and the Capitol in this very city. But now an intruder could 
cause even greater damage to our Government without even 
setting foot in the country.
    As U.S. Deputy Secretary of Defense John Hamre has said, 
``We are at war right now, we are in a cyber war.'' This war is 
largely invisible unless, of course, a cyber attack succeeds, 
and that has meant that every American is not as aware of the 
threat of cyber attacks as they should be. Indeed, it is hard 
to visualize a cyber attack.
    Moreover, even if an attack is detected, it is difficult to 
determine who is making it and where it is coming from. Through 
the magic of the Internet, an attack from next door can seem to 
come from the other side of the world. It is much easier to 
think of a person or persons physically attacking sites such as 
Pearl Harbor, the World Trade Center, the Khobar Towers in 
Saudi Arabia, or the Murrah Building in Oklahoma City than 
mounting an electronic assault on a computer.
    But it is a great mistake to think that terrorists nowadays 
will only, or even primarily, target government installations 
or military bases. In fact, 90 percent of critical 
infrastructure is owned or operated by the private sector. 
Thus, the battlefield has shifted to public and private 
computer networks, and society itself has become more, not 
less, vulnerable to terrorist threats.
    While cyber threats seem invisible, they can have serious 
effects when they succeed, and in recent years there have been 
a number of incidents of that. In 1999, hackers in China and 
Taiwan engaged in a cyber war. One expert suggests that Taiwan 
computers suffered 72,000 cyber attacks in August 1999 alone, 
while two Taiwanese attacks on China damaged 360,000 computers 
and caused $120 million in damage.
    In 1998, two California high school kids were among a group 
suspected of penetrating and compromising at least 11 sensitive 
computer systems in U.S. military installations and dozens of 
systems at other government facilities, including Federal 
laboratories that perform nuclear weapons research.
    In 1998, a Swedish man launched a cyber attack on the 911 
emergency system in southern Florida, disabling part of it. In 
1998, a disgruntled New Jersey man cyber bombed his employer's 
computers, destroying files and corrupting backup tapes. He 
caused $10 million in damages. In 1997, a teenager used his 
computer to cripple an FAA control tower in Massachusetts. And 
even where assailants do not succeed, cyber attacks raise 
important issues about information security and information 
warfare.
    In 1999, individuals who may have had ties to Russian 
intelligence--Senator Kyl just spoke about this--carried out a 
series of massive cyber attacks, targeting the computer systems 
of the Department of Defense, the Department of Energy, 
military contractors, and various universities.
    In 1999, just days after NATO began bombing missions over 
the former Republic of Yugoslavia, hackers began trying to 
crash NATO's e-mail communications system. Experts suspect a 
terrorist secret society known as Black Hand.
    In 1997, a Joint Chiefs of Staff exercise proved that a 35-
man team who were instructed not to use any classified tools or 
break any U.S. law could, in fact, disable parts of the U.S. 
electric power grid and cripple portions of our military 
command and control systems in the Pacific and emergency 911 
systems in the United States.
    We have just begun to address the threat of cyber attacks. 
Presidential Decision Directive 63, issued in 1998, makes 
critical infrastructure protection a national security priority 
and commits us to protecting effectively our critical 
infrastructures within 5 years.
    PDD-63 calls for a comprehensive National Plan for 
protection of our critical infrastructure within 6 months of 
the issuance of the directive. We now have that Plan, albeit 14 
months late. I hope and am eager to examine how that Plan will 
work, what changes should be made to it, and how we can assist 
the Government in realizing the Plan's promise.
    I believe very strongly that we have an obligation to 
protect this Nation from the threat of cyber terrorism and 
information warfare in a way that maintains and strengthens 
America's privacy and civil liberties. They may or may not 
conflict at certain points. That is what we are here to 
explore. But I think the point I want to make is the 
overwhelming importance of the mission. There is no question 
that that mission is going to grow greater in the days to come.
    Thank you, Mr. Chairman.
    Senator Kyl. Thank you very much for an excellent 
statement, Senator Feinstein.
    Our first witness is Mr. John Tritak, director of the 
Critical Infrastructure Assurance Office. He is the principal 
administration official responsible for the formulation of the 
National Plan.
    Mr. Tritak, we will place your full written statement in 
the record and invite you to make any summary remarks you would 
like to at this time.

STATEMENT OF JOHN S. TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE 
                ASSURANCE OFFICE, WASHINGTON, DC

    Mr. Tritak. Thank you very much, Mr. Chairman, Madam 
Ranking Member. It is truly an honor to be here and finally to 
be able to discuss the National Plan. I am going to keep my 
remarks very brief because I think really the purpose of this 
hearing and other hearings is to engage in a dialog.
    You will notice that the National Plan, the very cover of 
the National Plan says a number of things which I think bear 
emphasizing at this point. First and foremost, this is Version 
1.0. This is not meant to be a complete document. Final 
solutions have not been presented.
    One of the things that became very clear since taking over 
the CIAO and bearing responsibility for pulling this effort 
together is just how complex the undertaking really is. I think 
the PDD which calls for a plan to be presented within 6 months 
was overly optimistic. I think it was well-intended at the 
time, but frankly as we got into it and saw what was entailed, 
it took much longer than expected.
    Putting aside the fact that whenever you have to coordinate 
the efforts of 22 agencies, that in itself is a time-consuming 
process, there were really fundamental issues that had to be 
addressed and wrestled with. And I can say happily that what we 
are presenting in the Plan is, I think, a good, solid first 
step toward achieving the goal the President set forth in PDD-
63 for developing a capacity to defend the Nation's 
infrastructures.
    As I indicated, the goals are rather ambitious. It is 
calling for nothing short of an ability for the United States 
to be able to defend itself against deliberate attacks against 
its infrastructures. In order to do so, we are talking about 
actions that not only need to be undertaken by the Federal 
Government, but also State and local government and private 
industry.
    I have said in previous testimony that this issue of 
critical infrastructure protection is perhaps the first 
national security challenge this country has ever had where the 
Federal Government alone cannot solve the problem. It is not a 
question of simply allocating resources, procuring equipment, 
and solving the problem. Since 90 percent of these 
infrastructures are owned and operated within private industry, 
it calls for a very new and unprecedented relationship with 
private industry in order to achieve a national goal.
    I want to emphasize, under this goal, one of the things I 
add here is the importance of upholding civil liberties and 
privacy. After all, the whole point of this exercise in 
defending our Nation's infrastructures is to protect our way of 
life and the values that we cherish. It would do very little to 
serve that interest if we undermined those civil liberties and 
privacy rights that we enjoy today.
    The challenge is not whether or not to trade off privacy 
and civil liberties and security, but how we protect civil 
liberties and privacy in the information age. When this country 
was formed, it began as an agrarian economy. It then moved to 
an industrial economy that presented those challenges to civil 
liberties and privacy, and we dealt with them.
    We are now moving into an information age. That, too, 
presents new challenges. But I am confident that engaging in a 
dialog, which we hope will begin today and continue, will be to 
ensure that whatever policies and proposals are set forth by 
the Federal Government and whatever actions are taken to assure 
the delivery of critical services over our Nation's 
infrastructures that we continue to protect and uphold the 
civil liberties and privacy rights of American citizens.
    By now, I hope you have both the executive summary of the 
National Plan as well as the full report. I will not obviously 
go into any great detail about the National Plan, but what I 
would like to do is at least provide an overview of the 
structure.
    In order to meet the ultimate goal of defending the 
Nation's infrastructures by 2003, the Plan is organized around 
three objectives. The first is to prevent such attacks from 
occurring and, should they occur, to minimize the effect those 
attacks may have on the delivery of critical services.
    One of the first and important steps in doing so is to 
evaluate what the critical assets that perform these critical 
services and deliver these services are; having done so, 
identify both the interdependencies with private industry as 
well as the interdependencies between government agencies, 
identify those vulnerabilities and develop plans for addressing 
them.
    Second is to develop an ability to detect, analyze, and 
evaluate intrusions and attacks against our Nation's 
infrastructures, and develop plans for responding and 
reconstituting those systems. Under this objective, we have 
four broad programs.
    One is to develop a multitiered detection, intrusion, and 
warning system that will enable government agencies to 
determine whether or not an attack is underway and to be able 
to deal with that information in a way that contains the 
problem and doesn't spread to other agencies and affect 
delivery of critical services.
    Second is to develop the intelligence and law enforcement 
capabilities with a view toward focusing on critical 
infrastructure protection; three, to encourage information-
sharing among government agencies, within private industry, and 
between government and private industry. Fourth 
is to build on the lessons of Y2K and to begin to explore ways 
in which the Government can facilitate response, 
reconstitution, and recovery.
    Finally, objective three, Senators, is really what 
undergirds the achievement of objectives one and two. It 
involves coordinating research and development among Federal 
agencies to ensure that there is not unnecessary duplication. 
It involves training and employing IT security experts.
    Today, there is, in fact, a shortfall in this capability. 
We need not only to ensure that those who are already 
responsible for this mission have state-of-the-art training, 
but also to encourage the recruitment of new expertise into the 
Federal Government, as well as in private industry.
    Three, raise cyber security awareness. I think it is fair 
to say that one of the biggest challenges to this effort 
overall is awareness and appreciation of what we are talking 
about. This need for awareness is not only at the Federal 
Government level; it also requires raising awareness within 
private industry about how this is different from the 
challenges that they faced in the past, and, finally, to raise 
awareness with the American public itself.
    Fourth is to develop and explore legislative and legal 
reforms that may improve information-sharing. One of the 
important ways in which this country can defend its 
infrastructures is to share information within the Government 
and between government and industry. We need to look at ways in 
which we can encourage that without those that are sharing the 
information incurring unnecessary liabilities. And, finally, to 
repeat yet again, all this has to be done within the context of 
protecting civil liberties and privacy rights.
    In the rollout of the National Plan, President Clinton 
mentioned briefly his budget overview for critical 
infrastructure protection. As this chart indicates, the request 
will be for $2 billion, which will be a 15-percent increase 
over last year, with 85 percent of that budget being used to 
actually protect the infrastructures of the respective Federal 
Government agencies, with the remaining 15 percent being used 
for outreach programs with private industry.
    Seventy-two percent of the total will be requested for the 
national security agencies. They bear a very special 
responsibility in this critical infrastructure area, so it is 
appropriate that they would at this stage get the lion's share 
of the budget. Also, the national security agencies have the 
most mature programs, and one of the goals of this Plan is to 
begin to rectify that balance by bringing up to speed the 
civilian agencies. And then, finally, a 31-percent increase in 
research and development in programs designed to address 
specific challenges of critical infrastructure protection.
    Finally, Senators, I would just like to highlight very 
briefly some of the key initiatives, the goal of which is 
really two-fold. One is to establish the Federal Government as 
a model for information security. Recognizing that we are 
asking private industry to bear an increasing responsibility 
for the defense of the Nation's infrastructures, it is 
important that the Federal Government itself be a model of 
information security and computer protection.
    We have laid out a number of initiatives designed to do 
that. First and foremost is to develop the personnel within the 
Federal Government to do this. As I have indicated before, 
there is, in fact, a shortage of information security 
expertise, not only within the Government but within private 
industry. The ability of the Federal Government to draw that 
expertise, given the enormous market pull for people coming 
right out of college to go to private industry--we are 
exploring a number of ways in which we can recruit and retain 
some of these people to build a cadre of information technology 
expertise within the Federal Government.
    One of the principal programs in that regard is a ROTC-like 
program called the Service for Scholarship Program which is 
designed to assist undergraduates and graduate students through 
their education, with the understanding that upon graduation 
they would serve a certain period of service within the Federal 
Government.
    FIDNet, of course, I have a feeling we are going to be 
talking about in some detail, so I will come back to that when 
we have our discussion.
    Senator Kyl. I wish you would discuss it now, if you would.
    Mr. Tritak. Oh, absolutely. Senator, the Federal Intrusion 
Detection Network is intended to serve, in essence, like a 
Federal burglar alarm for civilian government computer systems. 
It is designed to allow Federal agencies to protect those 
critical computer systems that the public relies on for 
delivery of important services. This system is only government 
civilian systems. It does not connect in any way to private 
sector computer systems.
    The Department of Justice has actually undertaken a 
preliminary review of the FIDNet concept and has determined 
that it is compliant with existing Federal laws under ECPA. The 
key issue here, Senator, is to recognize that daily, as you 
have indicated in your testimony, and as Senator Feinstein has 
indicated in her testimony, Federal Government agency computer 
systems are, in fact, being attacked. Some of the information 
out of those computer systems is actually vital to the privacy 
rights of American citizens.
    This problem is not going to go away. The question is how 
we are going to deal with it. The current proposal for the 
FIDNet is for a pilot program. The concept as it is right now, 
we believe, is consistent with all privacy statutes and civil 
liberties statutes. As it goes on through development, at each 
stage it is going to have to be reviewed to ensure that 
compliance is adhered to.
    At each stage, we will be discussing with you, the private 
sector community, and others how this is being implemented so 
that there is an understanding and there is an acceptance of 
what we are doing from the get-go. Of course, at this point 
some of the legalities of this matter actually turn on very 
technical details and design features. That is why it is 
impossible at this stage in the concept to say how it will work 
and what it will do and what will remain compliant. What I can 
assure you is that whatever architecture is actually developed 
for the FIDNet program, it will be consistent. If those 
architectures are not consistent, they will not be adopted.
    I would like to now turn, Senators, very quickly to the 
need for building public-private partnerships. The President 
announced in his rollout address the establishment of an 
Institute for Information Infrastructure Protection. The 
purpose of this institute is not to create a new building, a 
new establishment to duplicate ongoing efforts in 
infrastructure protection. The goal here is to really fill gaps 
in what may exist in critical infrastructure protection.
    As you know, with the President announcing CIP as a 
national priority, agencies do have ongoing efforts to address 
their own needs in this area. However, since much of what is 
needed for infrastructure protection lies within private 
industry itself, it is important to have a mechanism by which 
government and private industry can work together to identify 
potential gaps where the market itself does not permit a 
solution and to ensure that monies from the Federal Government 
can be inserted back into private industry to develop high-
risk, high-payoff technologies which will benefit not only 
private industry but, by extension, the American people.
    Finally, Senator, I would just like to touch briefly on the 
Partnership for Critical Infrastructure Security. This is an 
area I am particularly proud of because what it is trying to do 
is bring together all the communities that are necessary to 
resolve this issue.
    Today, we have lead agencies interacting with their private 
sector counterparts to address sector-specific concerns of 
critical infrastructure protection. What we are trying to do in 
this effort is to draw those efforts together and to include a 
broader community of business interests, to include the risk 
management community which is going to be responsible for 
assessing, creating metrics, and holding accountable companies 
to first adopt and then enforce security measures on their 
computer systems. It will also include the broader business 
community who actually depends on these critical 
infrastructures in order for them to do their business.
    We envision as this partnership evolves that we also will 
include the privacy community and others who have a stake in 
this outcome. I can tell you the first meeting was held in 
December. Over 90 companies attended. It was chaired by 
Secretary Daley. We are now moving to the first working group 
session later this month, in which industry is actually taking 
the lead on identifying those issues of concern with regard to 
critical infrastructure protection. So what we are really 
trying to do here is to develop a real partnership where 
hopefully we will discover market solutions, allow the market 
to come up with solutions as to how to deal with these problems 
and not regulation.
    Senator, I think at this point I will conclude my remarks, 
and I welcome any questions.
    Senator Kyl. Thank you very much, and I am sure that 
overview at least indicates the breadth of the effort that is 
being undertaken here. While both Senator Feinstein and I have 
been critical of the administration for not acting with enough 
speed in this matter, we both recognize, I am sure, that it is 
a complicated and ongoing challenge that will require, as I 
said, a continuing evolution in your program. And that is fine, 
but it is important to start and we are at least appreciative 
of this report on that effort.
    One of the interfaces with this program that the Judiciary 
Committee will have, of course, is determining whether there 
are any legal changes that will be necessary in our laws to 
help implement this or to ensure that as it proceeds it can, A, 
be effective, and, B, not improperly infringe on any 
constitutional rights of Americans.
    I made the point, and I tried to stress the point in my 
opening statement that if we do nothing, Americans' privacy 
will, in fact, suffer. I mean, the whole point of providing 
protection to our infrastructure is to prevent unauthorized 
entry into these systems in a way that can compromise people 
and government and businesses' private information. So the 
whole point of this is to protect the American public.
    There are those, on the other hand, who view the effort in 
some respects as potentially damaging to civil liberties. And I 
would like to focus on that because of all the areas in which 
this subcommittee will be working with this critical 
infrastructure issue which has ramifications that apply to many 
other committees here in the Congress--the Government 
Operations Committee, the Intelligence Committee, the Armed 
Services Committee, and so on--our committee's jurisdiction 
will surely impact this privacy issue. And so I wanted to focus 
in on that and that is why I asked you to talk a little bit 
more about FIDNet.
    Now, what I would like to do as a prelude to asking you 
some specific questions is to describe with a little bit more 
particularity the kinds of information that you anticipate will 
be collected and analyzed on the FIDNet program, and if you 
could also describe the degree of maturity of the program. As I 
understand it, you are basically just getting this off the 
ground right now.
    So could you address that briefly and then talk about the 
kinds of things--in other words, how you envision this working. 
You might want to even use an example. Let's say we find that 
there has been a particular kind of incident. How would we be 
reacting to that, at least hypothetically?
    Mr. Tritak. Certainly, Senator, I would be happy to. First, 
to underscore the remark that you made in closing your 
question, and that is that we really are just getting off the 
ground. What we have done so far----
    Senator Kyl. By the way, may I interrupt you and 
acknowledge the presence of Bob Bennett, the Senator from Utah, 
who chaired the very successful Y2K--we just call it the Y2K 
Committee. But while Senator Bennett probably would not 
personally want to brag about this, I figure that the whole 
reason we didn't have any problems with Y2K is because of the 
work of his committee. Of course, I served on the committee.
    Senator Feinstein. You are humble.
    Senator Kyl. That is right.
    But since Senator Bennett is not a member of the Judiciary 
Committee, I wanted to acknowledge his presence here before you 
gave your answer and indicate we will, of course, offer him an 
opportunity to make some observations and ask questions here as 
well, and we appreciate him being here.
    I am sorry to have interrupted you.
    Mr. Tritak. Senator Bennett, it is good seeing you again.
    On FIDNet, Senator Kyl, first let's step back a little bit 
and let's clarify what FIDNet is and what it is not. It has 
been characterized as many things, including being a big 
brother system, or a slippery slope to it. It is nothing of the 
kind.
    To begin with, as I have indicated, what we are talking 
about here is a civilian computer intrusion detection system 
within the Federal Government. Currently, today, an agency can 
install intrusion detection systems at critical computer sites. 
It can monitor the flow of traffic coming in, with a view 
toward identifying potentially anomalous activity going on, a 
virus, for example. When anomalous activity is done, systems 
admin. today can review that information to determine what is 
going on and what needs to be done. That authority exists 
today.
    What FIDNet is proposing--well, let me say one more thing 
about that. Of course, given the nature of certain types of 
attacks, what you will generally see are mappings that an 
attacker will use at different agencies to try to develop an 
overall plan before they actually attack a specific system. 
They are not going to telegraph their intentions too clearly.
    So what could be happening at one agency may only be a 
small bit of what, in fact, is going on around, which could 
actually be amounting to something very serious. No agency 
alone is going to be able to make that determination or 
ascertain what is, in fact, going on. So what the FIDNet is 
proposing to do is in instances where anomalous activity has 
been detected, the information about that anomalous activity 
will be provided to the FEDSIRC, which is at GSA, for further 
analysis, and to correlate other data of anomalous activities 
occurring around Federal agencies to determine what that 
anomalous activity means.
    In the event that that anomalous activity appears 
suspicious or even indicative of crime, that information would 
then be further provided to the NIPC for analysis and if, in 
fact, they determine that there is evidence of criminal 
activity under Federal law enforcement.
    There are several tiers going on here to ensure the 
protection of privacy. Right now, if a systems administrator 
detected anomalous activity and concluded that there was 
evidence of criminal activity, they are obligated under law to 
provide that information directly to Federal law enforcement.
    Some anomalous activity is, in fact, ambiguous; it is not 
clear what it means. You wouldn't want to send that to Federal 
law enforcement, and that is not what is intended here. What is 
intended here is to be able to make sense--drawing on activity 
going around Federal agencies, to make sense of what that 
anomalous activity means for that agency as well as for the 
Government writ large, because in some instances that may be 
our first indication that something is up.
    If something is up, as I have said, and it suggests 
malicious intent or even potential criminal activity, there is 
a mechanism for providing that information on to the NIPC for 
Mr. Vatis and his team to evaluate. At this point, Senator, 
this is where the concept of FIDNet lies. Now, there are a lot 
of details as to how that information is processed, how it will 
be moved on to the FEDSIRC. And that is why I said that beyond 
a threshold assessment, a preliminary assessment, we need to 
further develop the FIDNet program with specific technical 
options.
    There will be RFP's issued, assuming that there is some 
seed funding for it, and then those technologies and 
capabilities will be assessed within the broader architecture 
to ensure compliance with existing privacy laws. I say ensure 
continued, as opposed to moving forward in the hopes that it 
will fit privacy or, in fact, requesting that privacy laws be 
changed in order to accommodate the system.
    Senator Kyl. What kind of data will be collected by the 
FIDNet program?
    Mr. Tritak. The information that is monitored on an 
intrusion detection system is really looking--basically, it is 
set up to look for anomalous patterns. That information, if the 
alarm would go off, would be extracted and that information 
would then be provided to the FEDSIRC for further analysis.
    Now, the details of what is contained in that packet, what 
would be kept at the agency where it is allowed to be kept and 
what would be moved on further for further analysis, is 
something that really is a technical detail that I am not in a 
position to answer right now because I don't know the answer.
    Senator Kyl. OK; now, what is the potential then for 
integrating the private sector--let's say the commercial 
banking computer system--into this overall program and 
interfacing with FIDNet to provide the burglar alarm for a 
private sector computer network as we have with the Government 
network?
    Mr. Tritak. In short, none.
    Senator Kyl. So the FIDNet program is designed to detect 
intrusions into the Government interconnection of computers, 
detect the nature of the activity, and if it is potentially in 
violation of law, refer the appropriate information to the FBI?
    Mr. Tritak. That is correct, sir.
    Senator Kyl. One of the subsequent witnesses, Mr. 
Rotenberg, says that there are--and I am quoting now--there are 
other indications contained in materials that they received 
under the Freedom of Information Act that the CIAO, which you 
lead, intends to make use of credit card records and telephone 
toll records as part of its intrusion detection system, and 
suggests that that raises problems under U.S. law. Is that 
correct?
    Mr. Tritak. Senator, I have to be honest with you. I don't 
know where that comes from. I think, in fairness, what it may 
be referred to is that telephone companies have developed 
technologies that look for certain patterns to suggest that 
someone may be using a credit card that isn't theirs, you know, 
activities which are beyond the normal patterns of activity 
that the person who owns that credit card would do.
    Under those circumstances, there is an alert and those 
people are actually contacted to find out is this purchase--did 
you intend this purchase, is this your purchase, and it is 
really a service actually to the customers.
    Senator Kyl. As a matter of fact, I can tell you one of my 
employees had a cell telephone, got a bill with, I think, $600-
and some worth of telephone calls to Mexico. And about a day 
later, she got a call from the company saying this doesn't look 
like an expenditure that is consistent with your past use of 
your telephone. She said, it is not; she said, I didn't make 
those calls. They said, we didn't think so, don't worry about 
it.
    And this is part of the basis for the bill which came out 
of this subcommittee a couple of years ago on cell phone 
cloning to try to make it easier to prosecute people who do 
that. So this was a use of information to help a consumer, a 
customer who clearly was being taken advantage of by someone. 
Is that the kind of information that you are talking about 
here?
    Mr. Tritak. Actually, I want to be very clear. It is not so 
much the information. It is the technology that helps identify 
certain patterns of behavior. First of all, I am not a 
technologist, so I am doubly handicapped. But one of the 
problems is that when you actually talk about how you identify 
certain types of patterns that are suggestive of anomalous 
behavior, we are talking about levels of detail and technical 
gradients that are very difficult to communicate in normal 
language.
    What I think was referred to in Mr. Rotenberg's statement--
I obviously don't want to speak for him, but my understanding 
to the extent that that ever came up was the fact is right now 
there is a capability that can identify anomalous patterns. In 
this case, it happens to be use of credit cards, or it could be 
the use of the telephone.
    It is the underlying technology that led to the creation of 
that capability which is what I believe was one thing that was 
raised as something to explore, not so much because we are 
looking at collecting that sort of information or information 
about a person or anything else that would be used in an 
intrusion detection system.
    Senator Kyl. And this is one of the reasons why you said 
that you would be careful as you went on to ensure that any use 
of that technology would not invade privacy.
    Mr. Tritak. That is correct, sir.
    Senator Kyl. And I will, of course, give Mr. Rotenberg a 
full opportunity to explore his views on this later, but he 
also says that based on a March 1999 memo from the Justice 
Department to CIAO, FIDNet is a violation of the spirit of the 
Federal wiretap statute, also the plain language of the Federal 
Privacy Act and contrary to the fourth amendment.
    What is your view on that?
    Mr. Tritak. Well, I have to try to remember law school, but 
I recall that wiretapping has to do with voice communications, 
and we are not looking at that there. We are talking about 
traffic that is coming in mainly e-mail.
    Senator Feinstein. Say that again.
    Mr. Tritak. I am sorry. My initial reaction, having not had 
an opportunity to think through this as fully as perhaps I need 
to, is that wiretapping refers to voice communications. We are 
not looking at monitoring voice communications through an 
intrusion detection system. The intrusion detection system is 
designed to identify incoming e-mail traffic that may contain 
anomalous malicious code or something, which may then actually 
go into a computer system and cause damage. So we are really 
monitoring different things.
    Senator Kyl. One thing I would like to ask you to do is to 
consider carefully the testimony of the second panel and to 
perhaps respond to any points that you think are worth--I 
shouldn't say worth responding to, but need response to ensure 
that there is a complete understanding of the FIDNet program 
from your point of view. And we would leave the record open for 
sufficient time for you to respond to any comments that you 
think require response.
    I realize that we are catching you a bit unprepared on 
these matters today, and perhaps at a subsequent hearing we can 
have the people who really are the experts either in the law or 
in the technology to further explore these issues.
    Mr. Tritak. Senator, let me also add that in terms of some 
of the things that you raise and Mr. Rotenberg will be raising 
in his testimony, I think we need to take all that seriously. 
All concerns about privacy should be taken seriously and we 
ought to address them front-on.
    I gave you an answer about the wiretap law. I am not even sure 
if it is correct. What I will do, though, is once it is raised, 
to the extent I can respond to it today, I will. To the extent 
I cannot, we will provide written answers specifically to 
those.
    Senator Kyl. Great, and I have some additional questions 
which I will submit to you.
    [The questions of Senator Kyl are located in the appendix.]
    Senator Kyl. I would like to turn to Senator Feinstein now. 
Senator Bennett, by the way, said he would be able to be back.
    Senator Feinstein. Thanks very much, Mr. Chairman.
    Mr. Tritak, just a quickie. On page 29 of the report, in 
the chart it mentions that Federal departments and agencies 
will submit a multiyear vulnerability remediation plan with 
their fiscal year 2001 budget submissions to OMB, and then 
annually afterwards. The ERT will work with the departments on 
implementation. That is due to be completed in June 2000. Are 
you going to make that date?
    Mr. Tritak. Yes; let me make sure I--page 29, you said?
    Senator Feinstein. Page 29, third one down, Federal 
Department Initiatives to Strengthen Cyber Security.
    Mr. Tritak. OK, and that would be----
    Senator Feinstein. 1.3.
    Mr. Tritak. Yes; well, each of the agencies, in fact, will 
have contained in their budget plans for dealing with their 
vulnerabilities and remediating----
    Senator Feinstein. So that will be on time and this 
subcommittee can expect it?
    Mr. Tritak. Yes; that is not to say it is going to be 
complete, and I will tell you that one of the things we are 
actually undertaking at the CIAO is to assist agencies in sort 
of focusing very clearly on what it is that they need to do in 
order to fulfill the missions of PDD-63, and that is to 
actually go into their agencies and identify those assets that 
support national critical services, either in national defense, 
promoting of economic security, or delivery of vital human 
services, and having identified those assets to back into it to 
identify with the nodes and networks that support those and 
then conduct a vulnerability assessment.
    With the institutionalization of the ERT, they will then go 
in and say, OK, let's take a look at those nodes and determine 
to what extent they are vulnerable and what do we need to do to 
address them.
    Senator Feinstein. I just view that as an important step.
    Mr. Tritak. Very important, ma'am.
    Senator Feinstein. And I just wanted to see if it was going 
to get done on time.
    Now, let me just read you a couple of sentences out of the 
GAO draft report on critical infrastructure protection.

          In particular, we believe the Plan should place more 
        emphasis on providing agencies the incentives and tools 
        to implement the management controls necessary to 
        assure comprehensive computer security programs, as 
        opposed to its current strong emphasis on implementing 
        intrusion detection capabilities.

Then it says,

          In addition, the Plan relies heavily on legislation 
        and requirements already in place that, as a whole, are 
        outmoded and inadequate, as well as poorly implemented 
        by the agencies.

    Could you define for us the outmoded and inadequate 
legislation so that we might do something about it?
    Mr. Tritak. Well, I believe that what may be referred to 
may be certain aspects of the Computer Security Act. I have not 
done, in fact, an analysis or studied closely what GAO has said 
in this regard. I would rather take that question and get back 
to you than to simply talk off the top of my head.
    Senator Feinstein. Would you, please?
    Mr. Tritak. I would be happy to.
    Senator Feinstein. This is directly within our jurisdiction 
to update whatever legislation is outmoded and inadequate. So 
if we could get that with specificity in the next week, if 
possible?
    Mr. Tritak. Yes, ma'am.
    Senator Feinstein. Great. Thank you very much.
    Just a couple of quick questions on your burglar alarm, 
FIDNet. What is the legal authority for FIDNet?
    Mr. Tritak. Well, the legal authority for FIDNet--I guess I 
would sort of address it slightly differently. Is FIDNet 
consistent with existing legal authority? One of the initial 
analyses that had to be done was whether it was consistent with 
ECPA, the Electronic Communications and Privacy Act. I usually 
only refer to it by its acronym.
    That makes very clear and puts very severe restrictions on 
the monitoring of content in electronic communications. 
However, it does also have some significant exceptions in order 
to protect Federal Government information systems.
    Senator Feinstein. But you are saying the legal authority 
is within that Electronic Communications and Privacy Act?
    Mr. Tritak. Right.
    Senator Feinstein. OK.
    Mr. Tritak. Now, it also needs to be consistent with other 
laws, but that is one which we did as an initial matter. And 
there was a preliminary, and I emphasize preliminary, 
examination by the Department of Justice which found it to be 
consistent.
    Senator Feinstein. Now, Senator Kyl mentioned the wiretap 
law. Do you agree with Justice that FIDNet must operate under 
the Federal wiretap law?
    Mr. Tritak. Senator, I am going to be honest with you. I am 
going to need to take that question. I am not prepared to 
answer the specific legal authorities with respect to FIDNet 
and the wiretap law, and I think they deserve a more thorough 
review and response than what I can give you at this time.
    Senator Feinstein. I appreciate it.
    Mr. Tritak. I have a few tasks now to get back to you very 
quickly on, and that will be one of them.
    Senator Feinstein. Thanks. Do you see any legal problems 
with GSA acting as a centralized authority with regard to 
protection against network intrusions for the entire Federal 
Government?
    Mr. Tritak. I do not. I understand that there is the view, 
although there has not been a formal legal opinion issued at 
this time on this, that the GSA can serve as sort of a super 
systems administrator in connection with the FIDNet program, 
meaning that since it has authority to oversee all government 
agency information and computer systems----
    Senator Feinstein. That includes Defense, of course?
    Mr. Tritak. Yes, although in this case the--yes, but in 
this case the Defense Department has its own system entirely 
and the FIDNet is not actually going to be tied into that.
    Senator Feinstein. So FIDNet would not relate to----
    Mr. Tritak. No; in fact, I am glad you said that. Right 
now, there is an intrusion detection system at the Department 
of Defense and that system has been up for a while. In fact, as 
we proceed in developing FIDNet, obviously we want to benefit 
from the experiences and lessons learned that the Department of 
Defense has made in proceeding there. But this is only for non-
DOD Federal civilian government agencies. It is not networked 
into the Department of Defense.
    Senator Feinstein. Under the current version of FIDNet, 
there would be a large new intrusions operations center at GSA. 
Does this duplicate the mission of the National Infrastructure 
Protection Center?
    Mr. Tritak. I do not believe it does. The way FIDNet was 
designed, first of all, it is very clear in ECPA that the 
systems administrator cannot be an agent of law enforcement. 
Now, I am not saying here that the NIPC is, in fact, an agent 
of law enforcement because it is not. It is, in fact, an agency 
designed to deal with indications of warning and analysis.
    But the decision was made, in an abundance of caution, to 
locate the FIDNet analysis center, if you like, or what 
actually would be located at FEDSIRC--is to provide a place 
where correlation can be done and an assessment of what 
anomalous activity means. And only in cases where that 
anomalous activity rises to the level of suspicion and perhaps 
indicative of criminal activity would it then be further sent to 
the NIPC for analysis and they would make the final 
determination of sending it to law enforcement based on their 
own expertise and experience that they believe it needs to 
move.
    Senator Feinstein. A final question. The GAO report points 
out that its audits have found repeatedly serious deficiencies 
in the most basic controls over access to Federal systems. It 
points out that managers often provided overly broad access 
privileges to very large groups of users, and that affords more 
individuals than necessary the ability to browse and modify or 
delete sensitive or critical information.
    What are you going to do about that?
    Mr. Tritak. Well, as you have indicated earlier, and I 
think it bears repeating here, critical infrastructure 
protection is not going to be solved by technology alone. It is 
only as good as the personnel, the technology, and the 
processes that are put in place to do it. Your best intrusion 
detection system, your best technology for combating cyber 
terrorism goes out the window if it is not employed properly.
    There is, in fact, an effort underway, and it is 
contemplated in the National Plan to develop more uniform 
standards across the Federal Government and to raise awareness 
with government employees on the importance and need for 
observing proper practices and standards for information 
security.
    I agree that right now the Government is not the model of 
that. More work needs to be done. By the way, it is also not 
wholly observed within private industry, and I think you would 
find--and I think this is something you would really need to 
talk to Mr. Vatis about, but probably many instances where 
there have been problems, only some of them are because of 
technological flaws. Some of them are because people were not 
observing common security practices which, had they been 
observed, they may have avoided the problem.
    And this is a big issue for the information technology 
community because to simply say something is vulnerable is 
suggestive that the vulnerability lies squarely with the 
technologies, when, in fact, the vulnerability is systemic and 
it requires dealing with all three.
    Senator Feinstein. You mentioned earlier that you are going 
to begin recruiting students and training students, et cetera, 
to come into this. In our classified briefing, Senator Kyl and 
I heard about this, and my concern has been that that is going 
to take a very long time. And I wondered if, particularly with 
respect to this security aspect, you had considered recruiting 
from the private sector for a small period of time, say 6 
months to 1 year, the outstanding security experts that we can 
throughout America to really, in essence, do a kind of audit of 
our departments, our management and security functions, and 
make some specific recommendations.
    Mr. Tritak. Well, first of all, Senator, let me say that I 
think that is an excellent idea.
    Senator Feinstein. But will it die an early death?
    Mr. Tritak. Not necessarily. I think the only problem is 
that industry itself is finding a shortage. I mean, they are 
desperately trying to fill these positions themselves. That 
said----
    Senator Feinstein. I talked to one company that is in the 
lead in this direction. I would be happy to tell you 
afterwards.
    Mr. Tritak. I would love to hear who that is. That would be 
great. In fact, I would say even when we get the scholarship 
program going, if all goes well and if we get full funding, we 
envision that the first graduating class having been trained 
through these programs would be May 2002. So we are trying to 
put this on a fast track as much as possible.
    But I think even if we did get this program going, there 
needs to be some kind of ongoing interaction between private 
industry and the Federal Government in this because, first of 
all, I think industry actually has an interest in the Federal 
Government having secure computer systems. They, in fact, 
depend on some of these systems for their own businesses.
    And, second, the experiences that are gained in the Federal 
Government are likely to be different in some respects from the 
kinds of experiences they have in private industry. Since 
government in some cases is one of the front lines of attack 
against hostile forces, that kind of experience in how to deal 
with it and respond to it would be extremely valuable to 
private industry.
    So I think that is a very good idea, and I would actually 
like to speak to you afterwards about the companies who have 
indicated a willingness to volunteer to support Federal 
Government programs.
    Senator Feinstein. Thank you very much. I appreciate it.
    Mr. Tritak. Thank you, Senator.
    Senator Kyl. Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman. I very much 
appreciate your indulgence in letting me participate in this 
way, and I apologize for going in and out. We were in the 
process of trying to gather a quorum up in the Banking 
Committee so we could report out Alan Greenspan. We have 
successfully done that and so I am here now.
    I want to express my appreciation to you for your hearings 
not only now, but previously. I think, as I have said 
previously, that this issue is one that is going to be with us 
a long, long time. It is only going to increase in its 
intensity and its importance and we are just at the threshold 
of beginning to understand it.
    I have brought along a little visual aid this morning, Mr. 
Chairman, and you can't see it too well from where you are. I 
wish it were on a white background instead of a black 
background, but that is a map of the world. Some people think 
it is an abstract painting. Maybe someone could hold it up and 
show it to the audience as well.
    That is a map of the world, only it is a map of the 
Internet. The most outstanding thing about that when you look 
at it as a map of the world is that there are no oceans and 
there are no continents. And when you start talking about 
either national security threats or commerce in a world in 
which there are no oceans and no continents, you realize that 
we are not talking about a new tool to use in commerce or a new 
weapon to use in war. We are talking about a whole new place. 
We are talking about a whole new universe that is different 
from any that we have structured our Government to defend or 
our economy to market in in the past. That is why these 
hearings are so important and the issues that we are addressing 
are so important, and they are going to go on and on.
    Now, in May 1998 President Clinton signed PDD-63, calling 
for the development of a detailed Federal Plan, and we are 
having the hearings now on the first cut of that Plan. It was 
finally released this month. Unfortunately, it is over a year 
late from the date that was set in PDD-63. It is an invitation 
to a dialog, as the Plan itself says, and this hearing is going 
to be part of that dialog.
    Now, in my opinion, Mr. Chairman, there are two main 
problems with the Plan. I don't mean to start out being 
critical because I start out being grateful that we have it, 
that we have something to talk about. But here is my reaction 
to it.
    First, the architecture of the Plan is flawed, the 
structure is wrong. The FBI is given the coordination function, 
which immediately raises suspicions on the part of industry and 
questions about the role of the Department of Defense. The 
greatest area of expertise in this challenge lies with the 
Department of Defense and the National Security Agency, and 
they are under the coordination of the FBI. That is one of the 
reasons why you are holding this hearing, Mr. Chairman, because 
the FBI is under the jurisdiction of the Judiciary Committee. 
But the question about the FBI's expertise as opposed to that 
contained within the DOD and the NSA is a structural question 
that immediately comes to mind.
    The second part of the first problem--the first problem is 
the structure and now I am giving subtopics under that. The 
second subtopic is that the Plan seems to me to focus primarily 
on the hacker threat. I listened very carefully to the 
President during the State of the Union message when he raised 
this, and again I applaud him for raising it, and he too 
stressed the hacker threat, the threat of irresponsible 
hackers.
    I think the broader threat that we face long term is going 
to come from terrorist groups and eventually, if not 
immediately, from hostile nation states that have the staying 
power both financially and technologically far beyond that of a 
teenage hacker operating out of his bedroom. And I wish the 
Plan had focused on the broader threat of information warfare 
and not the more narrow threat of a rogue hacker.
    The third subpart of the flawed architecture is that the 
Plan does not yet articulate a strategy for reconstitution and 
recovery if an attack occurs. We had the experience in the Y2K 
Committee of talking about contingency plans, and one of the 
reasons that Y2K went so smoothly is that in many areas 
contingency plans simply took over flawlessly and seamlessly.
    And people said, gee, there was no Y2K failure, when, in 
fact, there was, but there was no suspension of service because 
the contingency plan was working. That is an analogy for the 
focus on reconstitution and recovery, and there is nothing in 
this Plan that focuses on that.
    And the final aspect of the architecture that--well, I have 
already talked about it; that is, that the role of DOD and NSA 
is unclear, and those are the two agencies that have the most 
expertise.
    The second major problem with the Plan--this is parochial, 
in a sense, because it looks at it from the standpoint of the 
Congress. The Plan makes it almost impossible to follow the 
money. Approximately nine committees in the Congress have some 
kind of critical infrastructure protection oversight 
responsibility. There is in the President's budget $2.04 
billion spread over 15 agencies, and it becomes very difficult 
to follow the money, very difficult for Congress to provide its 
appropriate oversight responsibility when things are fractured 
that much.
    I would note that in the 2001 budget tagged for critical 
infrastructure protection, $276 million is new funding. That is 
more than a 10-percent increase, closer to a 12- to 15-percent 
increase. I don't object to that increase. I think the issue is 
serious enough that it justifies that increase, but it becomes 
very hard to focus when the thing is spread so wide.
    So, Mr. Chairman, I give the President and the 
administration high marks for proceeding. I am glad the 
National Plan is finally before us, even at this late date. I 
know how devilishly difficult it must have been to put 
together, and so I don't fault the administration too much for 
being a year late. But I have to lay down my immediate concerns 
in these two areas, and very much appreciate the opportunity to 
share that with you this morning.
    Thank you.
    Senator Kyl. Thank you very much, Senator Bennett. As a 
matter of fact, Senator Feinstein and I were just talking about 
the criticisms which you leveled. These were criticisms that 
were raised in earlier hearings that we had, as a matter of 
fact, prior to the actual development of the Plan when we asked 
whether or not it wouldn't be more appropriate to have a larger 
role for the Defense Department, given the fact that our 
national security is implicated when there is an attack on other 
government agencies than the Department of Defense. That 
remains an ongoing concern that we have. We continue to 
evaluate that and look into it with your assistance, as well.
    Senator Bennett. Mr. Chairman, if I could raise an example 
that I use sometimes when I give speeches on this subject--and 
I will be giving another one around noon--we have in Utah a 
steel mill, a very unusual place to put a steel mill in the 
middle of Utah, next to Utah Lake. It was put there in 1942 for 
strategic reasons.
    The Government was afraid that a steel mill built in 
Senator Feinstein's State might be subject to attack from the 
Japanese. They wanted to put it far enough inland that a 
Japanese bomber wouldn't be able to get to it. Steel mills, as 
you know, require a fairly large body of water, and there is a 
lake in Utah that was big enough. So this mill, which is known 
as the Geneva Steel Mill, because they thought Utah Lake looked 
a little like Lake Geneva in Switzerland--U.S. Steel built the 
Geneva Steel Works on the borders of Utah Lake in 1942 as a 
defense initiative. We needed more steel for our defense 
purpose and we wanted to protect it.
    Now, if the Japanese were to decide that that steel mill 
was essential to our war effort and that they had to take it 
out at almost any cost and launched a bomber from a carrier off 
the coast of San Francisco to fly to Provo, UT, to try to 
destroy the Geneva Steel Works, the responsibility of defending 
that steel mill would obviously fall to the Department of 
Defense, or in that case the War Department. We didn't have a 
Department of Defense in 1942.
    The responsibility of shooting down that bomber would lie 
with the Army Air Corps, very clear lines of jurisdiction. And 
if something happened to the steel mill, the War Production 
Board would be responsible for trying to get it rebuilt, or 
that capability rebuilt.
    Today, if a hostile nation were to decide that an 
installation somewhere in the United States was critical to 
America's defense effort and they were to decide they were 
going to take it down by a cyber attack, whose responsibility 
is it to defend that facility? It is nowhere near as clear-cut 
as the old paradigm, and that underscores what I am trying to 
say.
    We are in a whole new place now. Does the FBI have to 
defend that critical segment of our economy against foreign 
attack? Does the National Security Agency have a defense role 
or is it strictly informational? Who is responsible for 
reconstitution?
    And I would ask you, Mr. Tritak, if I am allowed, do we 
need an EFEMA? We have spent a lot of time in Y2K talking about 
FEMA and reconstitution, as I have said. Do we need an EFEMA? 
Does that need to be part of the Plan? These are the kinds of 
issues that are much easier to raise than they are to solve.
    But I put in terms of the analogy of the steel mill to 
indicate how differently the world operates now and how the old 
compartments of responsibilities no longer apply. And your 
responsibility down at CIAO is to give us all the answers to 
these terrible problems.
    Senator Feinstein. Mr. Chairman, before Mr. Tritak 
responds, would you add the example you just gave me on the oil 
because I think it is relevant?
    Senator Kyl. Sure. There are so many different examples. 
The point is that while the defense and related national 
security groups are in charge of their own security, as Senator 
Bennett points out, there are innumerable implications to 
national security from attacks on other agency computers.
    We were just talking about, for example, the computers that 
may keep track of world oil shipments and the like. What if 
those are infiltrated for purposes designed to harm U.S. 
national security? You know, the Commerce Department computers 
may not be under the jurisdiction of the Department of Defense, 
but does GSA or FBI or Commerce have the ability to do the 
kinds of things that Senator Bennett talked about? No; the 
Defense Department is the one that ought to be involved in 
that.
    That is why, as I say, these questions were raised earlier 
on, and maybe you could provide an answer to some of the 
questions that Senator Bennett has raised as to why the 
Department of Defense wasn't more closely integrated into this 
overall Plan.
    Mr. Tritak. Well, let me say that the issue you have raised, 
that the information age knows no boundaries, whether 
national, bureaucratic, private, or public, is probably one of the 
most significant implications and is going to require us to 
really look very closely at what do we even mean by national 
security anymore.
    It was very clear when the threats were from a foreign 
intruder that had to cross a boundary or our air space what 
needed to be done. That wasn't the question. It is a lot more 
difficult now. Obviously, no one wants a solution where we 
create a veritable police state and the Nation's infrastructure 
needs to be posted with guards or net force-type capabilities 
on every computer system that may bear some effect on the 
national economy. On the other hand, as you have pointed out, 
the way our bureaucracies are currently organized, there are 
clear lines of responsibility that don't really reflect the new 
demands that are being posed by the information age.
    I don't want to be in a position to define for the Defense 
Department what they view their mission is. I believe, however, 
it is fair to say that one of the missions they do have is to 
ensure that the infrastructures of this country that are 
necessary for the projection of power overseas or to mobilize 
war is, in fact, a concern of theirs and they have, in fact, 
been working on it.
    So it wouldn't be true to say that they don't do 
infrastructure protection within the United States, but it is 
with a very clear focus on the Defense Department's missions. 
And when you go beyond that to talk about the defense of the 
Nation's infrastructures that are necessary for economic 
security and delivery of human services, we get into a much 
more complicated set of circumstances.
    I am sad to say I don't have the answer to your question 
right at the moment. But what I will say, though, is going back 
to something that you raised actually in my first hearing when 
I was on the job about 2 weeks, and you raised to me a question 
that has over time really struck me as really at the core of 
what we need to be turning to next, having gone through the Y2K 
experience, and that is we accept the fact that the Nation's 
infrastructures are mainly privately owned and that the 
industry itself and the market should bear most of the 
responsibility for reconstituting those systems should they 
fail.
    That was clearly the goal of Y2K and, in fact, they did a 
very good job. Owners and operators of infrastructures have had 
to deal with disruptions, whatever the cause, for at least 100 
years. And this new information age is going to complicate that 
because as more and more of their business operations go online 
or become part of computer-controlled networks, they may become 
more susceptible to deliberate disruption.
    So we recognize that perhaps the first way to deal with 
this is to raise the awareness with industry that this is a 
problem that is emerging and what the threats are. There are 
programs underway for the NIPC to brief industry on what is 
actually going on to try to raise that level of awareness. We 
are also as part of this partnership trying to raise this as 
basically a case for action, that regardless of the source of 
the disruption, they can't afford to have their systems go 
down.
    And the hope there is that the market itself will go a long 
way to dealing with this problem, and then when there is a 
shortfall between the two, that is really where government and 
private industry need to work together to solve it.
    Senator Kyl. If I could just interject and then we do need 
to turn to our other panel, the problem is that industry is 
working with cross-tensions here. In a competitive age, in a 
deregulatory environment, it is not very cost-effective for 
Energy to build in robust backup kinds of systems. And the net 
result is that a lot of the systems are more fragile than they 
used to be when you had monopolies and the Government was 
ensuring that they had the money available to build this 
robustness into the systems.
    And I think particularly of communications and the Defense 
Department and the national security agencies and the other 
parts of our Government relying to a significant extent on 
literally commercial satellites which are very vulnerable. Our 
communications, our transportation system, and certainly our 
energy grid all serve both defense and nondefense needs. And in 
all three of these areas, there are vulnerabilities that didn't 
exist before that do exist now that are the business of the 
United States from a defense point of view, and this is a point 
that both Senator Bennett and Senator Feinstein have made.
    I think there will need to be more analysis of how the 
Defense Department and the NSA and other agencies can interface 
with the system that is being developed here. Placing it where 
it has been placed has been a conscious decision. I am inclined 
to try to provide some significant oversight over the process, 
but see how it evolves. And I think we are going to have to 
have some additional discussion on this point as we go on.
    I want to make it clear for those who are here, and perhaps 
here for the first time that we tended not--except in the very 
fine brief summary in Senator Feinstein's opening statement, we 
haven't revisited what brought us here, the significant threat 
to our way of life and to the national security of the United 
States. We have gone into that at some length before and we 
have even talked about some of the assumptions of this basic 
Plan.
    As I said in the beginning, this is the fifth hearing of 
this subcommittee, and what I wanted to do today was to focus 
on a specific issue which I will get to in the next panel which 
has to do with privacy concerns, because I would note that our 
ability to move forward as a government in this area is 
dependent upon the approval of the citizens of the United 
States to allow us to move forward. And if they have concerns 
about a privacy issue, for example, we need to deal with those 
up front or we are not going to be able to address these more 
fundamental questions.
    But I think it is good that Senator Bennett has reminded us 
of one of the critical assumptions underlying the structure 
that you have set up here and the fact that that assumption may 
not be necessarily a valid one, that we may need to turn more 
to the national security side of our Government to help us to 
protect the critical infrastructure, and we will have to 
evaluate that as time goes on.
    Mr. Tritak. Senator, if I can make just one quick point in 
answer actually to what I was actually leading up to, Senator, 
and that is one of the things that struck me about a question 
you asked fairly early in the Y2K Committee was when, whether, 
and under what circumstances may the Federal Government play a 
role in reconstituting privately-owned infrastructures.
    Recognizing that we want the market to lead, what happens 
if that fails, for whatever reason, and it is beginning to have 
a deleterious effect on national security, economic security, 
or delivery of vital services? That, to me, is the fundamental 
question and, in fact, that is what we are beginning to turn to 
now because I think it really is at the core of what you mean 
by an EFEMA versus other things.
    But we have begun to look at authorities. One place you 
start is actually looking at existing authorities and where are 
the shortfalls for those, and then developing clear ideas about 
what contingencies might arise and to assure we can plan 
against those contingencies. We don't know yet for sure what 
contingencies would apply, but I think the question and the 
issue is a valid one and you raised it in the Y2K context. I 
think it is critical to CIP and part of what the Government's 
responsibility is to defend the Nation in the event of an 
attack, particularly if it comes from overseas.
    Senator Kyl. Thank you very much. Well, obviously we will 
have more questions for you. We will submit some for the 
record. What we also I think would appreciate is an ongoing 
communication from you as things evolve. Don't wait for a 
hearing to come up and talk to us. Feel free to communicate 
with us on an ongoing basis as the situation evolves so that we 
will be up to speed with what you are doing.
    Thank you again for being here today. Obviously, we could 
spend all day on some of these issues.
    [The prepared statement of Mr. Tritak follows:]

                  Prepared Statement of John S. Tritak

    Mr. Chairman, it is an honor to appear before you here today to 
talk with you about the National Plan for Information Systems 
Protection, Version 1.0. This Subcommittee has shown exceptional 
leadership on the matter of critical infrastructure assurance. I am 
grateful for the opportunity to discuss the Administration's efforts to 
achieve President Clinton's goal of establishing a full operational 
capability to defend the critical infrastructures of the United States 
by 2003 against deliberate attacks aimed at significantly disrupting 
the delivery of services vital to our nation's defense, economic 
security, and the health and safety of its people. This cannot be done 
without the support and participation of the Congress.

                            1. INTRODUCTION
    The Information Age has fundamentally altered the nature and extent 
of our dependency on these infrastructures. Increasingly, our 
Government, economy, and society are being connected into an ever 
expanding and interdependent digital nervous system of computers and 
information systems. With this interdependence come new 
vulnerabilities. One person with a computer, a modem, and a telephone 
line anywhere in the world can potentially break into sensitive 
Government files, shut down an airport's air traffic control system, or 
disrupt 911 services for an entire community.
    The threats posed to our critical infrastructures by hackers, 
terrorists, criminal organizations and foreign Governments are real and 
growing. The need to assure delivery of critical services over our 
infrastructures is not only a concern for the national security and 
federal law enforcement communities, it is also a growing concern for 
the business community, since the security of information 
infrastructure is a vital element of E-commerce. Drawing on the full 
breadth of expertise of the federal government and the private sector 
is therefore essential to addressing this matter effectively.
    President Clinton has increased funding on critical infrastructure 
substantially during the past three years, including a 15 percent 
increase in the fiscal year 2001 budget proposal to $2.0 billion. He 
has also developed and funded new initiatives to defend the nation's 
computer systems from cyber attack.
    In the 18 months since the President signed Presidential Decision 
Directive 63, we have made significant progress in protecting our 
critical infrastructures. In response to the President's call for a 
national plan to serve as a blueprint for establishing a critical 
infrastructure protection (CIP) capability, the National Plan for 
Information Systems Protection was released last month. It represents 
the first attempt by any national Government to design a way to protect 
those infrastructures essential to the delivery of electric power, oil 
and gas, communications, transportation services, banking and financial 
services, and vital human services. Increasingly, these infrastructures 
are being operated and controlled through the use of computers and 
computer networks.
    The current version of the Plan focuses mainly on the domestic 
efforts being undertaken by the Federal Government to protect the 
Nation's critical cyber-based infrastructures. Later versions will 
focus on the efforts of the infrastructure owners and operators, as 
well as the risk management and broader business community. Subsequent 
versions will also reflect to a greater degree the interests and 
concerns expressed by Congress and the general public based on their 
feedback. That is why the Plan is designated Version 1.0 and subtitled 
An Invitation to a Dialogue--to indicate that it is still a work in 
progress and that a broader range of perspective must be taken into 
account if the Plan is truly to be ``national'' in scope and 
treatment.

                   THE PLAN: OVERVIEW AND HIGHLIGHTS
    President Clinton directed the development of this Plan to chart 
the way toward the attainment of a national capability to defend our 
critical infrastructures by the end of 2003. To meet this ambitious 
goal, the Plan establishes 10 programs for achieving three broad 
objectives. They are:

  Objective 1: Prepare and Prevent: Undertake those steps necessary to 
    minimize the possibility of a significant and successful attack on 
    our critical information networks, and build an infrastructure that 
    remains effective in the face of such attacks.

          Program 1 calls for the Government and the private sector to 
        identify significant assets, interdependencies, and 
        vulnerabilities of critical information networks from attacks, 
        and to develop and implement realistic programs to remedy the 
        vulnerabilities, while continuously updating assessment and 
        remediation efforts.

  Objective 2: Detect and Respond: Develop the means required to 
    identify and assess attacks in a timely way, contain such attacks, 
    recover quickly from them, and reconstitute those systems affected.

          Program 2 will install multi-layered protection on sensitive 
        computer systems, including advanced firewalls, intrusion 
        detection monitors, anomalous behavior identifiers, enterprise-
        wide management systems, and malicious code scanners. To 
        protect critical federal systems, computer security operations 
        centers will receive warnings from these detection devices, as 
        well as Computer Emergency Response teams (CERTs) and other 
        means, in order to analyze the attacks, and assist sites in 
        defeating attacks.
          Program 3 will develop robust intelligence and law 
        enforcement capabilities to protect critical information 
        systems, consistent with the law. It will assist, transform, 
        and strengthen U.S. law enforcement and intelligence Agencies 
        to be able to deal with a new kind of threat and a new kind of 
        criminal--one that acts against computer networks.
          Program 4 calls for a more effective nationwide system to 
        share attack warnings and information in a timely manner. This 
        includes improving information sharing within the Federal 
        Government and encouraging private industry, as well as state 
        and local Governments, to create Information Sharing and 
        Analysis Centers (ISACs), which would share information from 
        the Federal Government. Program 4 additionally calls for 
        removal of existing legal barriers to information sharing.
          Program 5 will create capabilities for response, 
        reconstitution, and recovery to limit an attack while it is 
        underway and to build into corporate and Agency continuity and 
        recovery plans the ability to deal with information attacks. 
        The goal for Government and the recommendation for industry is 
        that every critical information system have a recovery plan in 
        place that includes provisions for rapidly employing additional 
        defensive measures (e.g., more stringent firewall 
        instructions), cutting off or shutting down parts of the 
        network under certain predetermined circumstances (through 
        enterprise-wide management systems), shifting minimal essential 
        operations to ``clean'' systems, and to quickly reconstitute 
        affected systems.

  Objective 3: Build Strong Foundations: Take all actions necessary to 
    create and support the Nation's commitment to Prepare and Prevent 
    and to Detect and Respond to attacks on our critical information 
    networks.

          Program 6 will systematically establish research requirements 
        and priorities needed to implement the Plan, ensure funding, 
        and create a system to ensure that our information security 
        technology stays abreast with changes in the threat 
        environment.
          Program 7 will survey the numbers of people and the skills 
        required for information security specialists within the 
        Federal Government and the private sector, and take action to 
        train current Federal IT workers and recruit and educate 
        additional personnel to meet shortfalls.
          Program 8 will explain publicly the need to act now, before a 
        catastrophic event, to improve our ability to defend against 
        deliberate cyber-based attacks.
          Program 9 will develop the legislative framework necessary to 
        support initiatives proposed in other programs. This action 
        requires intense cooperation within the Federal Government, 
        including Congress, and between the Government and private 
        industry.
          Program 10 builds mechanisms to highlight and address privacy 
        issues in the development of each and every program. 
        Infrastructure assurance goals must be accomplished in a manner 
        that maintains, and even strengthens, Americans' privacy and 
        civil liberties. The Plan outlines nine specific solutions, 
        which include consulting with various communities; focusing on 
        and highlighting the impact of programs on personal 
        information; committing to fair information practices and other 
        solutions developed by various working groups in multiple 
        industries; and working closely with Congress to ensure that 
        each program meets standards established in existing 
        Congressional protections.

    I would like to highlight a few of the programs in the remainder of 
my testimony. In these programs, the Administration seeks to accomplish 
two broad aims of the Plan--the establishment of the U.S. Government as 
a model of infrastructure protection, and the development of a public-
private partnership to defend our national infrastructures.
A. The Federal Government as a model of information security
    We often say that more than 90 percent of our critical 
infrastructures are neither owned nor operated by the Federal 
Government. Partnerships with the private sector and state and local 
governments are therefore not just needed, but are the fundamental 
aspect of critical infrastructure protection. Yet, the President 
rightly challenged the Federal Government in PDD-63 to serve as a model 
for critical infrastructure protection--to put our own house in order 
first. Given the complexity of this issue, we need to take advantage of 
the breadth of expertise within the Federal Government to ensure that 
we enlist those Agencies with special capabilities and relationships 
with private industry to the fullest measure in pursuit of our common 
goal.
    To this end, the President has developed and provided full or pilot 
funding for the following key initiatives designed to protect the 
federal Government's computer systems:

    Federal Computer Security Requirements and Government 
Infrastructure Dependencies. One component of this effort supports 
aggressive, Government-wide implementation of federal computer security 
requirements and analysis of vulnerabilities. Thus, in support of the 
release of the National Plan, the President announced his intent to 
create a permanent Expert Review Team (ERT) at the Department of 
Commerce's National Institute of Standards and Technology (NIST). The 
ERT will be responsible for helping Agencies identify vulnerabilities, 
plan secure systems, and implement Critical Infrastructure Protection 
Plans. Pursuant to existing Congressional authorities and 
administrative requirements, the Director of the team would consult 
with the Office of Management and Budget and the National Security 
Council on the team's plan to protect and enhance computer security for 
Federal Agencies. The President's Budget for fiscal year 2001 will 
propose $5 million for the ERT.
    Under PDD-63, the President directed the CIAO to coordinate 
analyses of the U.S. Government's own dependencies on critical 
infrastructures. Many of the critical infrastructures that support our 
nation's defense and security are shared by a number of Agencies. Even 
within Government, critical infrastructure outages may cascade and 
unduly impair delivery of critical services. The CIAO is coordinating 
an interagency effort to develop a more sophisticated identification of 
critical nodes and systems, and to understand their impact on national 
security, national economic security, and public health and safety 
Government-wide. These efforts support the work of the ERT in 
identifying vulnerabilities of the Government's information 
infrastructures, and provide valuable input to Agencies for planning 
secure computer systems and implementing computer security plans. This 
research, when complete, will permit the Federal Government to identify 
and redress its most significant critical infrastructure 
vulnerabilities first and provide the necessary framework for well 
informed critical infrastructure protection policy making and budget 
decisions.

    Federal Intrusion Detection Network (FIDNet). PDD-63 marshals 
Federal Government resources to improve interagency cooperation in 
detecting and responding to significant computer intrusions into 
civilian Government critical infrastructure nodes. The program--much 
like a centralized burglar alarm system--would operate within long-
standing, well-established legal requirements and Government policies 
covering privacy and civil liberties. FIDNet is intended to protect 
information on critical, civilian Government computer systems, 
including that provided by private citizens. It will not monitor or be 
wired into private sector computers. All aspects of the FIDNet will be 
fully consistent with all laws protecting the civil liberties and 
privacy rights of Americans.
    To support this effort, the Administration will propose funding in 
the President's fiscal year 2001 Budget ($10 million) to create a 
centralized intrusion detection and response capability at the General 
Services Administration (GSA). This capability will function in consort 
with GSA's Federal Computer Incident Response Capability, and assist 
Federal Agencies to:

   detect and analyze computer attacks and unauthorized 
        intrusions;

   share attack warnings and related information across 
        Agencies; and

   respond to attacks in accordance with existing procedures 
        and mechanisms.

    FIDNet is intended to promote confidence in users of Federal 
civilian computer systems. It is important to recognize that FIDNet has 
a graduated system for response and reporting: attack and intrusion 
information would be gathered and analyzed by home-Agency experts. Only 
data on system anomalies would be forwarded to GSA for further 
analysis. Thus, intrusion detection would not become a pass-through for 
all information to the Federal Bureau of Investigation or other law 
enforcement entities. Law enforcement would receive information about 
computer attacks and intrusions only under long-standing legal rules--
no new authorities are implied or envisioned by the FIDNet program.
    One additional benefit of Government-wide intrusion detection is to 
improve computer intrusion reporting and the sharing of incident 
information consistent with existing government computer security 
policy. Various authorities require Agencies to report criminal 
intrusions to appropriate law enforcement personnel, which include the 
National Infrastructure Protection Center.
    FIDNet will support law enforcement's responsibilities where cyber-
attacks are of a criminal nature or threaten national security.
    In short, FIDNet will:

   be run by the GSA, not the FBI;

   not monitor any private network traffic;

   confer no new authorities on any Government Agency; and

   be fully consistent with privacy law and practice.

    Federal Cyber Services (FCS). One of the nation's strategic 
shortcomings in protecting our critical infrastructures is a shortage 
of skilled information technology (IT) personnel. Within IT, the 
shortage of information systems security personnel is acute. The 
Federal Government's shortfall of skilled information systems security 
personnel amounts to a crisis. This shortfall reflects a scarcity of 
university graduate and undergraduate information security programs and 
the inability of the Government to provide the salary and benefit 
packages necessary to compete with the private sector for these highly 
skilled workers. In attacking this problem through the Federal Cyber 
Services initiative described below, we are leveraging the initial 
efforts made by the Defense Department, National Security Agency, and 
some other Federal Agencies. The President's Budget for fiscal year 
2001 will propose $25 million for this effort.
    The Federal Cyber Services training and education initiative, 
highlighted by the President at the Plan's release, introduces five 
programs to help solve the Federal IT security personnel problem.

   A study by the Office of Personnel Management to identify 
        and develop competencies for federal information technology 
        (IT) security positions, and the associated training and 
        certification requirements.

   The development of Centers of IT Excellence to establish 
        competencies and certify current Federal IT workers and 
        maintain their information security skill levels throughout 
        their careers.

   The creation of a Scholarship for Service (SFS) program to 
        recruit and educate the next generation of Federal IT managers 
        by awarding scholarships for the study of information security, 
        in return for a commitment to work for a specified time for the 
        Federal Government. This program will also support the 
        development of information security faculty.

   The development of a high school outreach and awareness 
        program that will provide a curriculum for computer security 
        awareness classes and encourage careers in IT fields.

   The development and implementation of a Federal Information 
        Security awareness curriculum aimed at ensuring computer 
        security literacy throughout the entire Federal workforce.

    Research and Development. A key component to our ability to protect 
our critical infrastructures now and in the future is a robust research 
and development plan. As part of the structure established by PDD-63, 
the interagency Critical Infrastructure Coordination Group (CICG) 
created a process to identify technology requirements in support of the 
Plan. Chaired by the Office of Science and Technology Policy (OSTP), 
the Research and Development Sub-Group works with Agencies and the 
private sector to:

   gain agreement on requirements and priorities for 
        information security research and development;

   coordinate among Federal Departments and Agencies to ensure 
        the requirements are met within departmental research budgets 
        and to prevent waste or duplication among departmental efforts;

   communicate with private sector and academic researchers to 
        prevent Federally funded R&D from duplicating prior, ongoing, 
        or planned programs in the private sector or academia; and

   identify areas where market forces are not creating 
        sufficient or adequate research efforts in information security 
        technology.

    That process, begun in 1998, has helped focus efforts on 
coordinated cross-government critical infrastructure protection 
research. Among the priorities identified by the process are:

   technology to support large-scale networks of intrusion 
        detection monitors;

   artificial intelligence and other methods to identify 
        malicious code (trap doors) in operating system code;

   methodologies to contain, stop, or eject intruders, and to 
        mitigate damage or restore information-processing services in 
        the event of an attack or disaster;

   technologies to increase network reliability, system 
        survivability, and the robustness of critical infrastructure 
        components and systems, as well as the critical infrastructures 
        themselves; and

   technologies to model infrastructure responses to attacks or 
        failures; identify interdependencies and their implications; 
        and locate key vulnerable nodes, components, or systems.

    The President's Budget for fiscal year 2001 will propose $606 
million across all Agencies for critical infrastructure related R&D 
investment.
    The need exists, however, to coordinate R&D efforts not just across 
the federal Government, but between the public and private sectors as 
well. A fundamentally important initiative that has the ability to pull 
disparate pieces of the national R&D community into closer 
relationships is the Institute for Information Infrastructure 
Protection (I3P), an organization created to identify and 
fund research and technology development to protect America's 
cyberspace from attack or other failures. I will discuss this in detail 
when I address Public-Private Partnership issues.
    Public Key Infrastructure. Protecting critical infrastructures in 
the Federal Government and private sectors requires development of an 
interoperable public key infrastructure (PKI). A PKI enables data 
integrity, user identification and authentication, user non-
repudiation, and data confidentiality through public key cryptography 
by distributing digital certificates (essentially electronic 
credentials) containing public keys, in a secure, scalable, and 
reliable manner. The potential of PKI has inspired numerous projects 
and pilots throughout the Federal Government and private sectors. The 
Federal Government has actively promoted the development of PKI 
technology and has developed a strategy to integrate these efforts into 
a fully functional Federal PKI. The President's Budget for fiscal year 
2001 will propose $7 million to ensure development of an interoperable 
Federal PKI.
    To achieve the goal of an integrated Federal PKI, and protect our 
critical infrastructures, the Federal Government is working with 
industry to implement the following program of activities:

   Connect Agency-wide PKIs into a Federal PKI. DoD, NASA, and 
        other Government Agencies, are actively implementing Agency-
        wide PKIs to protect their internal critical infrastructures. 
        While a positive step, these isolated PKIs do not protect 
        infrastructures that cross Agency boundaries. Full protection 
        requires an integrated, fully functional PKI.

   Connect the Federal PKI with Private Sector PKI: Private 
        sector groups are actively developing their own PKIs as well. 
        While a positive step, these isolated PKIs do not protect 
        infrastructures that cross Government or industry sector 
        boundaries.

   Encouraging Development of Interoperable Commercial Off-the-
        Shelf (COTS) PKI Products: Limitation to a single vendor's 
        solution can be a serious impediment, as most organizations 
        have a heterogeneous computing environment. Consumers must be 
        able to choose COTS PKI components that suit their needs.

   Validating the Security of Critical PKI Components: 
        Protecting critical infrastructures requires sound 
        implementation. The strength of the security services provided 
        to the critical infrastructures depends upon the security of 
        the PKI components. Validation of the security of PKI 
        components is needed to ensure that critical infrastructures 
        are adequately protected. NIST is pursuing a validation program 
        for PKI components.

   Encouraging Development of PKI-Aware Applications: To 
        encourage development of PKI-aware applications, the Government 
        is working with vendors in key application areas. One example 
        is the secure electronic mail projects that have been performed 
        jointly with industry.

B. Public-Private Partnership
    The security of information flowing over the information highway is 
a critical element of E-commerce, as well as to our national security. 
It is a necessary part of building trust in the accuracy and integrity 
of transactions made over the information infrastructure. There is a 
growing awareness that America's information infrastructure--the basis 
of E-Commerce--is becoming an increasingly attractive target for 
deliberate attack or sabotage. A strategy of cooperation and 
partnership between the private sector and the U.S. Government to 
protect the Nation's infrastructure is the linchpin of this effort. The 
President is committed to building partnerships with the private sector 
to protect our computer networks through the following initiatives:

    Institute for Information Infrastructure Protection 
(I3P). The Institute would identify and address serious R&D 
gaps that neither the private sector nor the Government's national 
security community would otherwise address, but that are necessary to 
ensure the robust, reliable operation of the national information 
infrastructure. The President announced he would propose initial 
funding of $50 million for the Institute in his fiscal year 2001 
Budget. Funding would be provided through the Commerce Department's 
National Institute of Standards and Technology (NIST) to this 
organization. The Institute was first proposed by the scientists and 
corporate officials who served on the President's Committee of Advisors 
on Science and Technology, and supported by leading corporate Chief 
Technology Officers.
    The Institute will work directly with private sector information 
technology suppliers and consumers to define research priorities and 
engage the country's finest technical experts to address the priorities 
identified. Research work will be performed at existing institutions 
including private corporations, universities, and non-profit research 
institutes. The Institute will also make provisions to accept private 
sector support for some research activities.
    Partnership for Critical Infrastructure Security. Last December, 
Commerce Secretary Daley met with senior representatives from over 90 
major corporations, most Fortune 500, representing owners and operators 
of critical infrastructures, their suppliers, and their customers, to 
discuss building a Partnership for Critical Infrastructure 
Security. Industry has taken the lead on this effort and organized a 
meeting at the U.S. Chamber of Commerce for later this month to give 
substance and purpose to the Partnership.
    The Partnership will explore ways in which industry and Government 
can work together to address the risks to the nation's critical 
infrastructures. Federal Lead Agencies are currently building 
partnerships with individual infrastructure sectors in private 
industry, including communications, banking and finance, 
transportation, and energy. The Partnership will serve as a forum in 
which to draw these individual efforts together to facilitate a 
dialogue on cross-sector interdependencies, explore common approaches 
and experiences, and engage other key professional and business 
communities that have an interest in infrastructure assurance. By doing 
so, the Partnership hopes to raise awareness and understanding of, and 
to serve, when appropriate, as a catalyst for action among, the owners 
and operators of critical infrastructures, the risk management and 
investment communities, other members of the business community, and 
state and local Governments.
    National Infrastructure Assurance Council (NIAC). President Clinton 
established the NIAC by Executive Order 13130 on July 14, 1999. When 
fully constituted, it will consist of up to 30 leaders in industry, 
academia, the privacy community, and state and local Government. The 
NIAC will provide advice and counsel to the President on a range of 
policy matters relating to critical infrastructure assurance, including 
the enhancement of public-private partnerships, generally.

                            III. CONCLUSION

    In conclusion, the National Plan is an important step forward. My 
staff and I are committed to building on this promising beginning, 
coordinating the Government's efforts into an integrated program for 
critical infrastructure protection in support of the National 
Coordinator for Security, Infrastructure Protection, and Counter-
Terrorism, and the Federal Government, generally. We have much work 
left to do, and I hope to work with the members of this committee, 
indeed with the Congress as a whole, as we wrestle with this developing 
field. I look forward to your questions.

    Senator Kyl. I would like to bring our next panel forward 
now to look specifically at the National Plan and privacy 
issues associated with it. We will have two witnesses. The 
first witness is Mr. Marc Rotenberg, executive director of the 
Electronic Privacy Information Center, EPIC. Mr. Rotenberg also 
teaches on information privacy at Georgetown Law School. He has 
testified before Congress, advocating strong privacy protection 
in the Internet age.
    He has also followed the work of this subcommittee quite 
closely, stating in a 1998 study entitled ``Critical 
Infrastructure and the Endangerment of Civil Liberties'' that 
in the fight for diminishing resources--I am going to quote 
now, Senator Feinstein--

          the intelligence community and the Pentagon also 
        ensured a body of congressional champions of 
        information warfare advocates and supporters. Chief 
        among them are Senator Jon Kyl--

thank you--

          whose Subcommittee on Technology, Terrorism, and 
        Government Information has held numerous hearings 
        featuring doom-and-gloom witnesses complaining that the 
        Nation is on the verge of an electronic Pearl Harbor, 
        and even more distastefully, an electronic Oklahoma 
        City.

    In any event, thank you for appearing and following our 
hearings, Mr. Rotenberg. We will place your full statement in 
the record and in a moment ask you to provide a summary of 
that.
    The other witness in this panel is Frank Cilluffo, senior 
policy analyst at the Center for Strategic and International 
Studies. He directs seven task forces on a range of topics, 
including information warfare and information assurance, 
terrorism, and financial crimes. These task forces comprise 
over 175 senior officials and experts from the academic, 
defense, intelligence, law enforcement, and corporate 
communities. We will place your full statement in the record as 
well and ask both of you to summarize your comments.
    So, first, Mr. Rotenberg.

    PANEL CONSISTING OF MARC ROTENBERG, EXECUTIVE DIRECTOR, 
  ELECTRONIC PRIVACY INFORMATION CENTER, WASHINGTON, DC; AND 
FRANK J. CILLUFFO, SENIOR POLICY ANALYST, CENTER FOR STRATEGIC 
           AND INTERNATIONAL STUDIES, WASHINGTON, DC

                  STATEMENT OF MARC ROTENBERG

    Mr. Rotenberg. Thank you, Mr. Chairman and Senator 
Feinstein. I am grateful to be here with the opportunity to 
talk about privacy. I should say at the outset that there is 
really no disagreement about the need to keep the Nation's 
computer network secure and safe from attack. Outages cause 
disruption for industry. They cause disruption for users, and 
certainly they pose questions of public safety and national 
security.
    At the same time, I would like to suggest to you in 
reviewing the Plan that it is very important to keep in mind 
the history of the growth of the Internet, as well as our 
country's recent experience with computer security policy to 
ensure that the plan that is followed through on actually is 
the best way to protect this underlying interest. In my 
testimony, I outline some of this history. I would like to 
briefly highlight a couple of points and then focus in on the 
FIDNet proposal.
    The first point I would like to make is regarding the 
nature of the Internet itself. This is a very robust 
communication infrastructure that was designed with the 
understanding that a foreign adversary may well cause an attack 
that could have taken out a traditional channel-switched network, 
like a telephone network, for example. And in this old style of 
networking, if you take out one of the points along the line, 
the whole line goes down and you cannot get information 
through.
    The Internet relied on a different architecture. It was 
decentralized, it used multiple nodes. It used a type of 
switching technology called packet switching which made it 
possible to move information from one point to another, even if 
some of the points in between along the way had been taken out, 
and this made it very robust. It also interestingly made it 
equally secure against attack from a foreign adversary, as well 
as a natural disaster or even a winter storm.
    Now, I don't mean to suggest to you that there aren't real 
risks to the Internet today. There are, and I think the 
subcommittee has done a good job of documenting these risks. 
But at the same time, I would like to suggest to you that the 
architects of this infrastructure, the designers, were very 
much aware from the outset of the need to create a 
communications network that could withstand attack and that 
could continue to operate. And this is important to understand 
what security is about.
    The second point I would like to say is that, frankly, 
during the past decade the Federal Government's record in the 
area of promoting computer security has been quite mixed. And 
as you are no doubt aware, the private sector user 
organizations, privacy organizations, have expressed a lot of 
concern that many of these proposals that seek at the outset to 
promote computer security in the end create a lot of computer 
surveillance, and that whereas a private organization might try 
to make a system more robust or more difficult to attack or 
take down, the Government invariably comes up with proposals 
that make it easier to monitor and to spy on.
    Nowhere was this problem more clearly demonstrated than in 
the difficulty of developing an encryption policy that would 
work for the Government and for the private sector. Now, I am 
not going to go through all that history, but I do want to 
provide for you one very simple example of the difficulties 
that the Federal Government's computer security policy over the 
last decade created for computer users and for private 
industry, and it has to do with the online transactions 
involving credit card purchases.
    When people went online last Christmas to buy books or CD's 
or gifts for their families, many of them were typing in credit 
card numbers, and what secured those credit card numbers so 
that they could not be stolen by thieves or anybody else was a 
little bit of encryption built into the software that they were 
using. They weren't even aware of it, but it scrambled the 
credit card number so that it would go from their computer to 
the Web site where they were buying this product online and 
protected that information.
    Now, you can design that encryption so that it is very 
strong, so that it is difficult to break. But the Federal 
Government was very reluctant to make that type of strong 
encryption widely available because they said if we make that 
available for American consumers, it could also fall into the 
wrong hands. So what they tried to do instead is they said we 
are going to create two levels of encryption, one level the 
strong kind that will let American consumers use it if they 
prove that they are U.S. citizens, and another a weak kind that 
will let U.S. companies market to foreign users because they 
are going to need some encryption, but it is not going to be as 
strong.
    Well, the result of that policy, as I describe in my 
testimony, was that this past Christmas season when U.S. 
consumers were buying products from U.S. businesses in the 
United States, they were invariably using the weak encryption 
because of a government policy that was trying to keep strong 
encryption out of the hands of foreign users. This is a 
reoccurring problem in the computer security field. I think the 
Plan as currently described is going to recreate this problem 
and I want to bring it to your attention today. It is a very 
real problem.
    Now, I am going to focus now on FIDNet. A couple of things 
were said by Mr. Tritak during the last panel, and I hope you 
will ask me a couple of questions about this, but I have to say 
at the outset what disturbed me most about Mr. Tritak's 
presentation--in some ways it is not surprising--is having said 
on the one hand that the Government is very much aware of 
privacy issues and privacy laws, and intends to respond to 
these concerns because they are widely shared by the American 
public, Mr. Tritak was unaware that the type of government 
monitoring that is proposed in the Plan as described in FIDNet 
would fall under the legal rules set out in our Communications 
Privacy Act, passed in 1986 with strong bipartisan support.
    He seemed to think that because this wasn't voice 
communication, it wasn't subject to any legal rules. That is 
simply not correct. But it was even more disturbing, as I 
described in my testimony, that in a memo that was prepared by 
the Department of Justice by Mr. Ron Lee to Mr. Tritak's 
predecessor, Mr. Hunker, who is the Director of the CIAO, Mr. 
Lee outlined the problem. He said, you have got a real issue 
here. The type of network monitoring which one agency like the 
DOD would be permitted to do on its own computer networks which 
you are now proposing under the Plan to do across all 
government computer networks clearly would fall under the 
Communications Privacy Act. And if you want to do this, advised 
Mr. Lee, you are going to have to notify all people using 
government computer networks, not just Federal employees but 
also U.S. citizens, that they will have no right of privacy 
using the network.
    Now, that is frankly the suggestion that is put forward by 
Mr. Lee and the Department of Justice that could, in effect, 
make the privacy issue go away. But it is a solution that I 
think privacy organizations across the political spectrum would 
have a great deal of difficulty with. And as I have tried to 
suggest in the testimony, I think for the Government to say, in 
effect, you have no legal rights of privacy when you are using 
the Government computer system would be contrary not only to 
the Federal wiretap statute, but also our Privacy Act, passed 
in 1974, and our whole fourth amendment tradition which 
basically says, yes, the Government has the right to search and 
protect public safety, but it has to be done in a way that 
recognizes the balance of power within our Government; that the 
executive branch, the Federal agencies may conduct these 
activities, but they have to be reviewed by the judicial 
branch.
    The other point which I would like to briefly say, Mr. 
Chairman, is that there was in my testimony a reference to the 
use of credit card information and telephone toll record 
information. And you asked a question which I certainly thought 
was very appropriate, and that is what type of information 
would be collected in trying to assess system anomalies because 
this, of course, is the basis for the search that the 
Government agencies will conduct.
    Now, I don't know exactly what the plan is, and I think Mr. 
Tritak is correct to say that this is still a Plan in 
development. But I do have here and am pleased to provide for 
the subcommittee a memo from Mr. Hunker outlining the National 
Plan and, ``how we get industry buy-in.'' And contained in this 
Plan is one slide titled ``Profiling System Anomalies.'' The 
first bullet point is ``Systematic Identification of Suspicious 
and Anomalous Behavior Based on Algorithms to Analyze 
Similarities and Match Behavioral Patterns.''
    And then there are three lines. The first line, which 
frankly I don't understand, says ``Traditional Psycho-
Linguistics.'' The second line is ``Credit Card Profiling,'' 
and the third line is ``Toll Fraud Profiling.'' And this is 
from a memo that was prepared by Mr. Hunker describing how 
system anomalization might be identified.
    And I should say, in fairness, Mr. Chairman, that this is a 
big, complex area. I wouldn't expect Mr. Tritak to be familiar 
with all the details, but I think if we are to take seriously 
the commitment to privacy protection, we need a clear 
understanding about the application of U.S. privacy laws, and 
we clearly need more information about what type of information 
will be collected from U.S. citizens.
    You see, when you set up intrusion detection, it is not 
just the bad guys and the people who are intent on causing us 
harm that you are going to be tracking and monitoring. You are 
going to be tracking U.S. employees working for U.S. firms in 
London and Tokyo, U.S. trade officials in Geneva and Paris, 
U.S. computer researchers in Dublin and Tel Aviv, and U.S. 
citizens within the United States. All of these people will 
become subject to the monitoring scheme that is outlined in the 
FIDNet proposal.
    So I would be pleased to answer your questions and I thank 
you again for the chance to be here.
    Senator Kyl. Thank you.
    [The prepared statement of Mr. Rotenberg follows:]

                  Prepared Statement of Marc Rotenberg

    Mr. Chairman, members of the Subcommittee, thank you for the 
opportunity to testify today regarding the privacy implications of the 
Administration's proposed National Plan for Information Systems 
Protection. My name is Marc Rotenberg and I am the executive director 
of the Electronic Privacy Information Center, a research and advocacy 
organization, located here in Washington, DC. EPIC has a general 
interest in privacy protection and a particular interest in ensuring 
that efforts to promote computer security do not undermine basic 
American liberties. For over a decade we have reviewed proposals for 
information system security in the federal government, made 
recommendations for changes, and pursued litigation where appropriate.
    I should say at the outset that we are all aware that our nation 
has become increasingly dependent on the hi-tech infrastructure for 
everything from power and communications to transportation and national 
defense. Moreover, it is quite likely that others who intend to do us 
harm would target this infrastructure in an effort to disable or 
disrupt essential communications resources.
    Nonetheless our fear of attack and our need to protect public 
safety should not lead us to take actions that are wasteful, misguided, 
or ultimately undermine the values that we seek to defend. We should be 
particularly careful that the solutions that are pursued reflect the 
full range of risks to our nation's communications network. The plan 
presumes that threats to the nation's infrastructure are from 
adversaries intent on causing harm to the United States and that 
therefore steps must be taken to ``defend our federal cyber systems.'' 
Security standards that treat all risks as simply defending against 
foreign threats will ultimately not serve us well.\1\
---------------------------------------------------------------------------
    \1\ The developers of the Plan are aware of this as well, but they 
often obscure the problem. On the very first page of the report, the 
writers describe several genuine security problems with the nation's 
computer systems but then say, ``All of these events have occurred--not 
on the same day, and not all the result of deliberate action by 
America's adversaries--but all within the last 36 months.'' The message 
should be stated more clearly: not all threats to the nation's computer 
systems will be malicious attacks from overseas.
---------------------------------------------------------------------------
    In this spirit, I would like to remind the Committee that the 
winter storm that hit Washington, DC last week did far more damage to 
the operation of government, the use of our transportation systems, and 
our supply networks than the widely touted Y2K bug which has consumed 
so much attention in the federal government. Defending America's 
cyberspace may require preparation against winter ice storms as well as 
malicious hackers in foreign countries.
    To assess the National Plan for Information System Protection, you 
must first recall that the Internet, which has emerged from the 
ARPANet, was designed to continue operation even after an attack from a 
foreign government. Robustness was key to the design. Protecting the 
Internet from attack is hardly a new problem; it was the basis of its 
creation.
    The key to the Internet's resilience, and what distinguished it 
from the channel-switched communications networks that preceded it, is 
a decentralized architecture that allows multiple routings for 
messages sent between the same two points. If, for example, a person 
wished to send a message from Pittsburgh to Flagstaff in the old 
telephone network, an outage at the main switch in Phoenix could 
prevent a call from ever getting through. But in the packet-switched 
network, where messages could be broken up into small pieces, sent 
through different channels and then put back together, the disruption 
at one node would not prevent communications from going through.
    In designing the Internet, the engineers recognized that a 
traditional top-down command and control structure would be vulnerable 
to attack and that a different way to move information would be 
necessary. History has shown that the design was well conceived. Over 
the last thirty years there have been only two incidents that really 
took down the Internet--and both resulted from software glitches.
    It is important also to understand that the Internet really doesn't 
care whether a node is down because of a military attack or a winter 
storm--it is equally resistant to both purposeful assault and natural 
disaster.
    Work on Internet security today continues largely in the open among 
researchers and experts all around the world. Critical to the future of 
network security is the open exchange of information among security 
experts, the opportunity to publish findings in the open literature, 
and the chance to challenge, even attack, another programmer's work. 
This process which relies on cooperation and the exchange of ideas is 
the best way to identify security flaws and encourage trust among 
users.
    This work is not done simply by US citizens or US companies. 
Computer researchers around the world have all played an important role 
in developing the protocols and promoting the architecture that secures 
the Internet in the United States and around the world. Indeed the 
cryptographic techniques that help protect computers in this country 
were developed by researchers in Japan, Israel and elsewhere.
    Unfortunately, the National Plan ignores much of this history. It 
draws sharp boundaries based on national interests. It treats threats 
to network reliability as primarily threats from abroad and downplays 
the risk of software glitches and winter storms. The plan urges the 
development of computer security experts charged with defending the 
nation's infrastructure. This view of computer scientists, as soldiers 
with keyboards, misses the critical point that computer security is an 
international enterprise.
    Ultimately the Plan views the Internet as a domestic communications 
structure that must be secured from above from foreign threats. But the 
original architects of the network knew better. A communications 
network that can be secured from above can also be taken out from 
above.

              ADMINISTRATION HAS CREATED SECURITY PROBLEMS
    My second point is that the federal government's recent efforts to 
promote computer security in the private sector have created more 
problems than they have solved. For the past decade the federal 
government was largely responsible for preventing the widespread 
availability of encryption and security tools that would have made the 
nation's computer systems more secure and less vulnerable to attack.
    It is only in the past few months, after heavy lobbying by 
industry, pressure from Congress, and the continued voice of privacy 
organizations, that the administration has begun to back off the 
complex and short-sighted export control regime that has not only 
prevented the development and sale of good security products but also 
the implementation of better security systems in our country.
    The problem is that the federal government has two very distinct 
views of computer security: one, commonly called COMSEC, refers to 
Communications Security; the other, SIGINT, refers to Signals 
Intelligence. In the COMSEC view of the world there is general 
agreement about the need to promote security and to make systems more 
difficult to attack. But in the SIGINT view of the world, the 
government seeks to get into computers, to intercept communications and 
to gather information that may be useful to protect the nation's 
security.
    In no agency are the two notions more at odds than the National 
Security Agency. The NSA simultaneously attempts to promote strong 
security standards for the nation's computer systems and at the same 
time to develop the methods to crack codes, break into networks, and 
seize valuable intelligence. (And even with the resources at the NSA to 
promote computer security, problems remain. The newspapers reported 
last week that there was a significant failure at the NSA that took 
down key systems for several days.)
    The Administration said that with many of its early encryption 
proposals it was trying to balance these competing interests, but the 
SIGINT interests were clearly undermining the COMSEC efforts. As a 
result, deeply flawed technical standards, such as the escrowed 
encryption standard, were put forward and the nation's computer systems 
remained vulnerable to attack. Also, tens of millions, possibly 
hundreds of millions of dollars were wasted trying to make these 
proposals designed by experts in SIGINT work.
    The Administration also claimed that the export control rules 
that limited the development of encryption products were only intended 
to control the availability of strong encryption outside of the United 
States. But in practice the rules kept strong encryption away from 
American users. For example, there are encryption protocols in software 
that protect credit card purchases on the Internet. But because of the 
government's export policy, US manufacturers were required to provide 
two versions--a strong 128-bit version for US citizens, and a weaker 
40-bit version for non-US citizens. Because of the additional paperwork 
required for US citizens to download the 128-bit version, many users 
simply left the 40-bit version in place. As a result US consumers 
buying products from US companies in the United States were using a 
weak version of encryption because of a policy that was intended to 
prevent strong encryption from being made available overseas. This is 
exactly the kind of problem that will be replayed under the National 
Infrastructure Protection Plan unless its proponents take a much 
broader view of the problems in computer security.
    Much will be done in the next few years to improve network security 
in the private sector and across the federal agencies if the federal 
government simply stays out of the way. Institutions have a clear 
interest in safeguarding the security of their systems, but the federal 
government's interests are more divided. Until trust is reestablished 
in the security field, it would be better for the federal government to 
follow rather than lead.

              PRIVACY SAFEGUARDS IN PLAN ARE INSUFFICIENT
    Largely in response to concerns raised by privacy organizations and 
members of Congress about the original plan for Critical Infrastructure 
Protection, the new Information Systems Security Plan discusses the 
privacy issue at some length. There is much said about the need to 
protect privacy and uphold privacy laws. But in the end the 
recommendations on privacy fall short when compared with the enormous 
surveillance authority that will be given to the federal government.
    The Plan sets out a series of ``solutions'' to address privacy 
concerns. It requests input from the privacy community, but establishes 
no formal process to incorporate recommendations. The plan proposes a 
legal review of elements of the plan, but most of the plan, including 
specific mission objectives and milestones, has already been 
established. The privacy section describes the need to review various 
privacy issues, but then focuses on such concepts as ``consent'' and 
``disclosure'' that are clearly intended to facilitate government data 
collection and monitoring. The Plan's authors propose an annual 
conference and some consideration of privacy issues by the National 
Infrastructure Advisory Council, which is also tasked with a wide range 
of other responsibilities. And if the private sector membership of this 
Council is required to hold government security clearances, as is so 
often the case with similar bodies, it will limit the ability of 
citizens and independent experts to provide meaningful input as the 
proposal goes forward.
    The section on privacy stands in sharp contrast to the other 
sections of the plan where the drafters outline ambitious, expensive 
and far-reaching proposals for government agencies. Nowhere does the 
Plan answer such questions as what formal reporting requirements will 
be established, what independent review will be conducted, and what 
mechanisms for public accountability and government oversight will be 
put in place. The federal wiretap law, for example, contains an annual 
reporting requirement so that the Congress and the public can review 
the use of wiretap authority by the federal government. The Computer 
Security Act established a Computer System Security and Privacy 
Advisory Board that has held frequent meetings, issued reports and 
adopted resolutions on privacy and security matters for almost a 
decade. Where is the same institutional commitment in the Security Plan 
to ensure oversight and accountability?
    It is also clear that the absence of a privacy agency in the 
federal government with the staff, expertise and resources to review 
the Information Protection plan and other similar proposals remains a 
critical problem. Having announced a commitment to ensure the 
protection of civil liberties, it seems clear that some institutional 
balance must be established to ensure that these proposals receive 
adequate review. Isn't it possible that in this vast budget to erect 
all of these elaborate surveillance techniques that Congress could set 
aside 3 percent to establish a federal privacy agency that could 
actually help safeguard the rights of Americans? This would be a small 
investment in what many Americans consider their number one concern 
about our nation's communications infrastructure--the protection of 
personal privacy.

                          PROBLEMS WITH FIDNET
    While it remains unclear whether the proposed Plan will in fact 
promote network security, one point is clear: the plan will 
dramatically expand the ability of the federal government to monitor 
the activities of Americans all across the country. The plan recommends 
the development of a Federal Intrusion Detection Network (``FIDNET''), 
an open-ended monitoring authority that essentially gives a single 
federal agency the authority to track communications across all federal 
computer networks. According to the New York Times, ``networks of 
thousands of software monitoring programs would constantly track 
computer activities, looking for indications of computer network 
intrusions and other illegal acts.''
    This is an extraordinary surveillance authority, unlike any 
capability that currently exists in the federal government. Last year 
civil liberties organizations warned that this proposal would create 
dramatic new government authority to monitor American citizens. The 
drafters of the Plan are aware of this criticism and believe they have 
addressed this problem. I tell you today that the problems with FIDNET 
remain.
    I would like to draw your attention to a March 8, 1999 memo from 
Mr. Ronald D. Lee, Associate Deputy Attorney General, to Mr. Jeffrey 
Hunker, Director of the Critical Infrastructure Assurance Office. (This 
memo was obtained by EPIC under a Freedom of Information Act request 
and is attached to this testimony.)
    Mr. Lee says at the outset it is important to ``precisely identify 
under what legal authority the FIDNET program is to be conducted. 
Because monitoring ongoing communications is a wiretap within the 
meaning of 18 U.S.C. Sec. 2511, it can only be authorized pursuant to a 
wiretap order, or some relevant exemption to the statute.''
    Mr. Lee goes on to say that while an individual federal agency 
would have the right to monitor its own network to ``protect against 
network intrusions, this does not mean that the GSA is a 'service 
provider' within the meaning of the statute for the entire federal 
government.''
    Mr. Lee concludes that the only way that the GSA could conduct the 
type of monitoring contemplated in the FIDNET proposal would be if the 
federal government would notify all users of federal computer systems 
that they would be subject to monitoring. Such a policy would cover not 
only federal employees but all Americans who make use of a federal 
computer system.
    While Mr. Lee indicates that the Justice Department favors this 
type of government-wide ``no privacy'' warning notice, I want to make 
very clear that privacy organizations across the political spectrum 
would oppose such a proposal as a violation of the spirit of the 
federal wiretap statute, the plain language of the federal Privacy Act, 
and contrary to the Fourth Amendment. US law simply does not give the 
government the right to conduct such general purpose searches. The 
history of the Fourth Amendment reveals a clear intent to require the 
government to set out the specific circumstances for a search to occur. 
There is no ``cyber threat'' exception to the Fourth Amendment. The 
fact that the government announces that a warrantless search may occur 
is hardly a sufficient legal basis to permit such searches to take 
place.
    There are other indications, contained in materials that we 
received under the FOIA, that the CIAO intends to make use of credit 
card records and telephone toll records as part of its intrusion 
detection system. Access to these records raises specific problems under 
US law.
    The FIDNET proposal, as currently conceived, must simply be 
withdrawn. It is impermissible in the United States to give a federal 
agency such extensive surveillance authority.

                            RECOMMENDATIONS
    As the White House plan currently stands, it raises far-reaching 
privacy problems. The designers of the plan are trying to apply 
twentieth century notions of national defense to twenty-first century 
problems of communications security. Such an approach will leave our 
networks ill-prepared to face the challenges of tomorrow.
    In too many places the Plan relies too heavily on monitoring and 
surveillance and not enough on integrity and redundancy. To give a 
simple example, there are public telephones all across this country 
filled with money. One way to implement security would be to install 
cameras and recording devices inside each phone booth to monitor each 
person's use of the phone to ensure that it is appropriate and to 
determine whether any efforts are being made to steal the money stored 
inside the phone. Another approach would simply be to make the phones 
more secure and the money more difficult to steal. The phone companies 
have wisely chosen the second approach. The federal government still 
seems interested in the first.
    Everyone wants to ensure that the computer networks that our 
country relies on remain secure, safe and free from disruption. On this 
point there is no disagreement. However, there is disagreement as to 
whether an intrusive, government-directed initiative that views 
computer security as almost solely defending ``our cyberspace'' from 
foreign assault is the right way to go.
    I urge you to proceed very cautiously. The government is just now 
digging itself out of the many mistakes that were made over the past 
decade with computer security policy. This is not the best time to be 
pushing an outdated approach to network security, fraught with privacy 
problems, on a fast-moving industry that is itself racing to develop 
good security solutions.
    In 1975, Senator Frank Church, who conducted a Senate investigation 
of intelligence abuses, said of the NSA technology: ``That capability 
at any time could be turned around on the American people, and no 
American would have any privacy left, such is the capability to monitor 
everything * * * there will be no place to hide.''
    This Committee should keep Senator Church's warning in mind as it 
reviews this proposal to create a vast new surveillance authority 
across the federal government.

                               REFERENCES
    White House ``National Plan for Information Systems Protection'' 
(January 7, 2000) http://www.ciao.ncr.gov/National-Plan/
national%20plan%20final.pdf

    Executive Summary of ``National Plan for Information Systems 
Protection'' (January 7, 2000) [http://www.whitehouse.gov/WH/EOP/NSC/
html/documents/npisp-execsummary-000105.pdf]

    Bruce Schneier and David Banisar, Electronic Privacy Papers: 
Documents on the Battle for Privacy in the Age of Surveillance (Wiley 
1997)

    Whitfield Diffie and Susan Landau, Privacy on the Line (MIT Press 
1998)

    Katie Hafner and Matthew Lyon, Where Wizards Stay Up Late: The 
Origins of the Internet (Touchstone Books 1998)

    National Research Council, CRISIS Report (1996)

    Peter G. Neumann, Computer-Related Risks (Addison Wesley 1995)

    ``Critical Infrastructure Protection and the Endangerment of Civil 
Liberties: An Assessment of the Report of the President's Commission on 
Critical Infrastructure Protection'' (EPIC 1998) [http://
www.amazon.com/exec/obidos/ISBNI=1893044017/electronicprivacA]

    EPIC, Critical Infrastructure Protection Resources [http://
www.epic.org/security/infowar/resources.html]

    Letter from Simon Liu, Acting Director, Information Management and 
Security Staff, Department of Justice, to Mr. Wayne Madsen, Senior 
Fellow, Electronic Privacy Information Center, January 20, 2000, 
responding to a Freedom of Information Act request of July 20, 2000 for 
``all agency records, including memorandum, letters, and minutes of 
meetings, dealing with any liaison between the Department of Justice 
and the Critical Infrastructure Assurance Office.''

    Senator Kyl. Mr. Cilluffo.

                 STATEMENT OF FRANK J. CILLUFFO

    Mr. Cilluffo. Thank you, Mr. Chairman. Mr. Chairman, 
Senator Feinstein, I appreciate the opportunity to appear 
before you today with respect to the recently released National 
Plan and the challenge of simultaneously assuring the security 
of our Nation's critical infrastructures while preserving 
personal privacy.
    I also commend you for your leadership on these issues and 
the recognition that they extend far beyond the Nation's 
Capital. Indeed, they must be brought before the American 
people. Many of these issues are misunderstood and give rise to 
skepticism, distrust, and confusion between individuals, 
organizations, and government, the initial media account of the 
proposed FIDNet program being one case in example.
    One of the advantages of working at a think tank is that I 
don't have to stand where I sit, so I can be a little more 
blunt. Another is that we are simply in the ideas business and 
are not responsible or held accountable for implementing these 
ideas. With that in mind, I would like to take a few moments 
and make a few brief observations on, first, the cyber threat 
in general; second, the need to strike the appropriate balance 
between privacy and security; and, third, the National Plan for 
Information Systems Protection.
    The reason we have to understand the threat, I think, is that to 
be able to strike the appropriate balance, we need to know exactly 
what we are dealing with. And we are all aware of the many 
benefits of information technology, and this revolution's 
impact on society has been profound and touches everyone, 
whether we are examining our economy, our national security, or 
our quality of life.
    Unfortunately, as we touched on earlier, there is a dark 
side, and along with these new rewards come new risks and 
unintended consequences which need to be better understood and 
managed by our corporate and government leaders, and I mention 
corporate first. These risks--and we discussed some of them--
range from the national security issues, strategic information 
warfare and information operations, the vulnerabilities and 
threats to our infrastructures, to protecting our personal 
information, such as medical records and the like.
    I think that I have a disagreement with Mr. Rotenberg on 
the robustness of our infrastructures. I think that the ability 
to network has far outpaced our ability to protect networks. In 
some cases, systems are being integrated on top of one another, 
and hence a failsafe on one day becomes a loophole the next, 
since you can't beta-test all these networks as a whole.
    Moreover, many of our highly advanced systems are based on 
insecure foundations. ARPANet, while it may have been quiet, 
was not intended to be secure. It was actually intended to 
share information between and among scientists, and then it 
expanded to academe and then it expanded to where it is today. 
It was not intended to be secure.
    Yet, many in public life and among our citizenry remain 
skeptical or even downright dismissive of any potential 
dangers. And again I look to Senator Feinstein, and I agree 
with you. It is difficult to visualize these cyber threats. It 
is not like Nazi forces moving across Europe, it is not like 
the effects of Pearl Harbor, or even the Soviet missiles on 
parade in Red Square. This is something that is difficult to 
see.
    Yet, our real assets today are stored electronically and 
not in Fort Knox, and the target increasingly is not the 
military at all, but rather our Government and corporate 
information systems. Information warfare inherently extends the 
battlefield to incorporate all of society. As you mentioned, 
the myth persists that the U.S. hasn't been invaded since 1812. 
Invasion through cyber space is now a daily occurrence.
    The threat spectrum ranges from the so-called ankle biters 
on one end to foreign nations on the other, and one of the 
greatest challenges of these cyber threats is their anonymity. 
Who is behind the clickety-clack of the keyboard breaking into 
my system? Is it a young adult, is it a foreign intelligence 
service, is it an economic competitor, is it someone doing the 
bidding for someone else, or perhaps even someone masquerading, 
cloaking the perpetrator's true identity leading you to go in 
the wrong direction?
    Additionally, smoking keyboards are hard to find, as an 
assailant can loop and weave from country to country in a 
matter of nanoseconds, all while law enforcement is forced to 
stop at jurisdictional boundaries defined by the physical 
world, which have little to no meaning in cyber space. In 
essence, we have created the global village without a police 
department, and I thought Senator Bennett's slide was excellent 
along those lines.
    According to a recent report by the Department of Defense, 
the NCS in particular, currently at least 10 countries--an 
unclassified report--possess offensive information warfare 
capabilities somewhat akin to our own. As you mentioned 
earlier, Mr. Chairman, of unique interest are the current 
Chinese discussions regarding the possible creation of a fourth 
branch of the armed services within the PLA devoted entirely to 
information warfare.
    Bits and bytes will never replace bullets and bombs. Yet, 
one area that I think does require some further examination is 
the synergy of where the physical and the virtual come 
together. For example, you have detonated a conventional 
explosive and then you follow that up with an attack on our E 
911 systems. As we heard earlier, a young man in Toborg, 
Sweden, was able to do it many thousands of miles away. And my 
Swedish colleagues tell me that that young man is now in an 
insane asylum, and I guess we can call him a crackpot who hit 
the jackpot. But he still demonstrates these vulnerabilities 
that can be exploited by those with more nefarious intent.
    And we are also aware of our vulnerabilities due to 
exercises such as Eligible Receiver and subsequent exercises 
which we can't get into--squirrels taking down major networks, 
backhoes, NSA systems being down last week. We are well aware 
of our vulnerabilities. We have seen demonstrated capabilities, 
whether it is E 911 systems or whether it is air traffic 
control.
    What we haven't seen yet, though, is the marriage of the 
true, the real hostile, where the intent and the capability 
come together. In my eyes, though, that is only a matter of 
time before this convergence occurs, and I call it where the 
real bad guys exploit the real good stuff and become more 
techno-savvy.
    As we contemplate methods of dealing with these threats, it 
is important to remember that our national security community 
and law enforcement institutions were designed and established to 
protect our freedoms, our liberties, and our way of life.
    With this in mind, I think it is possible to ensure the 
security of our Nation's critical infrastructures without 
compromising civil liberties and personal privacy or by locking 
down the Internet. Throughout history, the first obligation of 
any State has been to protect its citizens. Today is no 
exception. Yet, we must be careful and avoid placing our 
national security community in a position where they could 
trample on our liberties in order to preserve them.
    Moreover, policies in response to threats of any kind, 
especially in cyber space, must not stifle the engines of 
innovation that drive our economy and enhance our lives. We 
cannot afford to overreact and put up too many virtual or 
physical walls. If we do, the adversary wins by default because 
our way of life has been lost, and I look back to the weeks 
before ushering in the new millennium as a number of lessons 
that should be learned there.
    Too often, the debate is framed as if security and privacy 
are mutually exclusive. This is simply not true. It is wrong to 
think of these issues as an either/or. We must rather think of 
the need to incorporate both, and in order to preserve the twin 
goals of security and privacy, we must begin with the notion of 
a true partnership, and I think we are seeing some very good 
steps in that direction.
    For a number of years, many, myself included, have 
criticized the current administration for being long on nouns 
and short on verbs, a lot of talk, not a whole lot of action 
with respect to critical infrastructure protection and 
policies, a concern I know you share, Mr. Chairman, given your 
1996 amendment to the Defense Authorization Act. And I think 
that the President was required to answer those questions 
within 120 days. Well, 4 years later, we do have a 200-page 
document that begins to address some of your concerns.
    Overall, I think the Plan does an excellent job of 
identifying gaps and shortfalls within the Federal Government 
and charting an initial course of action to address them. My 
major concern is that it does not do enough. We must be willing 
to commit real money to tackling the problem. After all, policy 
without resources is rhetoric.
    While the President's proposed budget for fiscal year 2001 
is a good start, a vast majority of those resources have 
already been earmarked and allocated in previous budgets. I 
also personally believe that more funds should be devoted to 
governmentwide programs and measures aimed at prevention and 
protection. Moreover, only through leading by example can the 
Government realistically hope for the private sector to commit 
the sort of resources expected of them.
    There were also concerns, legitimate ones in my eyes, that 
the Plan was developed behind closed doors, without public 
input, including the Congress and many of the owners and 
operators of these critical infrastructures, and their views 
were not solicited. Nevertheless, I do think it is encouraging 
that the administration seems amenable to accept input at this 
point, a process I encourage be enhanced.
    With respect to infrastructure assurance, we must continue 
to work toward and build on a true National Plan with full 
representation from industry and all interested parties. We 
need to forge a genuine partnership between the public and 
private sector. It can no longer be merely a case of the 
Government leading and the private sector following. In other 
words, Silicon Valley and the Beltway, where the so-called wing 
tip meets the sandal, must stand side by side on equal footing 
to address these issues.
    No offense, Senator Feinstein, to Silicon Valley.
    I think that the Partnership for Critical Infrastructure 
Security referenced earlier by John Tritak is one that is 
particularly encouraging.
    In closing, New York Yankee great Yogi Berra once said the 
future ain't what it used to be. The best way to predict the 
future is to help build it. We should not have to choose 
between security and privacy. With a lot of hard work we can, 
and arguably must, have both.
    Thank you for your time and I would be pleased to try to 
answer any questions you may have.
    [The prepared statement of Mr. Cilluffo follows:]

                Prepared Statement of Frank J. Cilluffo

    Mr. Chairman, Senator Feinstein, distinguished Members of the 
Committee, I appreciate the opportunity to appear before you today to 
discuss some of the policy implications with respect to the recently 
released ``National Plan for Information Systems Protection.'' I would 
also like to address the difficult challenge of simultaneously ensuring 
the security of our nation's critical infrastructures while preserving 
personal privacy.
    I commend you for your leadership on these issues and the 
recognition that they extend far beyond the nation's capital. Indeed, 
they must be brought before the American people--and soon. Many of 
these issues are misunderstood and give rise to skepticism, distrust 
and confusion between individuals, industry and the government--the 
initial media accounts of the proposed Federal Intrusion Detection 
Network (FIDNET) to cite one example. We must encourage any initiatives 
aimed at advancing a meaningful dialogue between our citizens, 
industry, and government.
    One of the advantages of working for a think tank is that we don't 
have to stand where we sit, a rare luxury for someone inside the 
Beltway. Another is that we are simply in the ideas business and are 
not responsible or held accountable for implementing our ideas.
    With that in mind, I would like to make a few brief observations 
on:

   Cyber threats in general;

   The need to strike an appropriate balance between privacy 
        and security; and

   The ``National Plan for Information Systems Protection.''

    The information technology revolution has given us an unrivalled, 
perhaps unsurpassable, lead over the rest of the world in virtually 
every facet of modern life. Information technology's impact on society 
has been profound and touches everyone, whether we examine our economy, 
our quality of life, or our national security. Unfortunately there is a 
``dark side'' to this revolution. Along with the clear rewards come new 
risks and a litany of unintended consequences that need to be better 
understood and managed by our industry and government leaders. These 
risks range from the national security considerations involving threats 
to, and vulnerabilities of, our critical infrastructures from cyber 
attacks and information operations, to protecting the confidentiality 
and integrity of our personal information such as medical records, 
credit histories, or even our identities, from unauthorized use. If we 
do not understand these potential consequences, widespread cyber 
threats--once the domain of science fiction--will become a reality for 
us all.
    Our highly complex and inter-networked environment is based on 
insecure foundations. It is not widely understood that the Internet's 
predecessor, ARPANET, was never intended to be ``secure.'' In fact its 
very design schematic was based on openness--to facilitate the sharing 
of information between scientists and researchers.
    It is also problematic that the ability to network has far outpaced 
the ability to protect networks. In some cases, new systems are being 
integrated on top of one another--hence a fail-safe system on one day 
becomes a loophole the next. The established cliche about the ``weakest 
link in the chain'' has never been more acute or applicable. 
Additionally, according to the Final Report of the President's Commission 
on Critical Infrastructure Protection (PCCIP), it is estimated that by 
2002, a worldwide population of approximately 19 million will have the 
skills to mount a cyber attack.
    All of this interconnection leads to the origins of our problem. 
Modern societies are dependent upon critical infrastructures such as 
telecommunications, electric power, health services, banking and 
finance, transportation, and defense systems, to provide us with a 
comfortable standard of living. These systems are increasingly 
interdependent on one another and damage to one can potentially cascade 
and impact others--with single point failures being of greatest 
concern. To compound the problem, military and law enforcement 
authorities report that every month assailants make thousands of 
unauthorized attempts to gain access to these systems, amounting to a 
nearly continuous assault.
    And yet, many in public life and among our citizenry remain 
skeptical or downright dismissive of any potential dangers. After all, 
it is difficult to visualize a cyber threat in the same way that we saw 
film clips of Hitler's legions marching across Europe, the results of 
Japan's attack on Pearl Harbor, or Soviet missiles on parade in Red 
Square. There are other problems with getting people to take these 
threats seriously. For example, how can you ``see'' a cyber threat 
developing? While it may be scary in the abstract, it does not easily 
lend itself to images of fear, making it difficult to personalize for 
most Americans.
    Today our real assets are stored electronically, not in Fort Knox 
and the targets are increasingly not government and military 
installations, but rather public and private computer network systems. 
Information warfare extends the battlefield to incorporate all of 
society. The myth persists that the United States has not been invaded 
since 1812, but invasion through cyberspace is now a daily occurrence. 
We can no longer afford to rely on the two oceans that have 
historically protected our country: instead we must develop the means 
to mitigate risk in an electronic environment that knows no borders.
    The threat spectrum ranges from ``ankle biters'' \1\ to nations, 
with currently no readily available means to discern who is committing 
the attack. Additionally, ``smoking keyboards'' are hard to find as an 
assailant can loop and weave from country to country in a matter of 
nanoseconds. Thus, an attack initiated a couple of blocks away can be 
made to appear to come from halfway around the world. All of this 
happens while law enforcement is forced to stop at jurisdictional 
boundaries, defined by the physical world which have no meaning in 
cyberspace. In essence, we have created a global village without a 
police department.
---------------------------------------------------------------------------
    \1\ As defined by the NSA Glossary of Terms Used in Security and 
Intrusion Detection, an ankle-biter is ``A person who aspires to be a 
hacker/cracker but has very limited knowledge related to Automated 
Information Systems. Usually associated with young adults who collect 
and use malicious programs obtained from the Internet.''
---------------------------------------------------------------------------
    According to a recent public report by the Department of Defense 
(the National Communications System), currently at least ten countries 
possess offensive information warfare capabilities comparable to our 
own. Moreover, a 1996 Government Accounting Office (GAO) report 
references that approximately 120 nations have some sort of computer 
attack capability. The reality of this potential threat was illustrated 
in an article published this fall in the Liberation Army Daily; the 
official newspaper of the Chinese People's Liberation Army (PLA) titled 
``Bringing Internet Warfare into the Military System is of Equal 
Significance with Land, Sea, and Air Power.'' In this article, the 
authors discuss Chinese preparations to carry out high-technology 
warfare over the Internet and advocate the creation of a fourth branch 
of the armed services within the PLA devoted to information warfare.
    Bits and bytes will never replace bullets and bombs. Conventional 
terrorist organizations, for example, will never abandon car bombs or 
pipe bombs, which have already proven highly effective, relatively low 
in cost and risk and still generate headline news. As a force 
multiplier, however, information warfare increases the lethality of the 
terrorist when used in concert with other more conventional means. For 
example, one scenario we created at CSIS involved a malcontent first 
detonating a conventional explosive followed up by denial of service 
cyber attacks on the same city's emergency communications network, 
thereby preventing the first responders and authorities from 
responding. The consequences were two-fold; it led to an increase in 
the number of potential casualties and sowed further psychological 
fear. Is this really far-fetched? Two years ago a young man sitting 
behind his desktop computer thousands of miles away in Toborg, Sweden, 
disabled portions of the Emergency 911 system in Southern Florida. 
Another example of a significant infrastructure disruption occurred in 
1997, when a Massachusetts teenager was charged with disabling the 
Federal Airline Aviation control tower for six hours at Worcester 
Regional Airport.
    It is only a matter of time before there is a convergence between 
those with hostile intent and techno-savvy, where the real bad guys 
exploit the real good stuff.
    As we contemplate methods of dealing with these threats it is 
important to remember that our national security community and law 
enforcement institutions were designed and established to protect our 
freedom, our civil liberties and our way of life. We expect the 
national law enforcement agencies to protect us from criminal elements 
within our borders. We expect the Defense Department and the Armed 
Forces to protect us from external threats. We expect the nation's 
intelligence agencies to provide insight into the intentions and 
capabilities of our adversaries and to provide advance early warning of 
threats to us.
    It would be a mistake to place our national security and law 
enforcement institutions in a position where they would have to 
compromise our precious hard-won rights or infringe upon our privacy in 
order to protect us. The worst possible victory granted cyber attackers 
would be one that destroyed these values whereby we would become less 
open, less tolerant and less free.
    Concomitantly, we must recognize the many benefits of information 
technology and understand that these benefits far outweigh any risks. 
Thus, our policies in response to threats of any kind must not stifle 
the engines of innovation that drive our economy and enhance our lives. 
We cannot afford to overreact or put up too many ``virtual'' or 
``physical walls.'' If we do, the adversary wins by default because our 
way of life has been lost.
    It is possible to ensure the security of our nation's critical 
infrastructures without compromising civil liberties and personal 
privacy or locking down the Internet. Throughout history, the first 
obligation of the state has been to protect its citizens. Today is no 
exception. Information technology, while providing us many comforts and 
conveniences has also created for us new kinds of vulnerabilities that 
can be exploited. These vulnerabilities must be addressed and balanced 
with the civil liberties we have worked so hard to earn as a nation. It 
makes no sense to trample on civil liberties in order to preserve them.
    Too often, the debate is framed as if security and privacy are 
mutually exclusive. This is simply not true. It is wrong to think of 
the issue as ``either'' ``or''. We must rather think of the need to 
incorporate both. In order to preserve the twin goals of security and 
privacy, we must begin with the notion of a true partnership.
    For a number of years many, myself included, have criticized the 
current Administration for being ``long on nouns and short on verbs''--
a lot of talk, not a lot of action--with respect to critical 
infrastructure protection and related policies. A concern I know you 
share, Mr. Chairman, especially given your amendment to the 1996 Defense 
Authorization Act, wherein ``the President shall submit to Congress a 
report setting forth the results of a review of the national policy on 
protecting the national information infrastructure against strategic 
attacks.'' Four years later, we have a 200-page document (``the Plan'') 
that begins to address some of your concerns. To their credit, the 
President and his team have done some good work with the Critical 
Infrastructure Working Group (CIWG), Executive Order 13010, the 
President's Commission on Critical Infrastructure Protection (PCCIP), 
Presidential Decision Directive 62, and Presidential Decision Directive 
63, albeit most of these initiatives do not adequately address high-end 
national security threats to our information infrastructures, including 
strategic information warfare.
    Overall, I think the Plan does an excellent job identifying gaps 
and shortfalls within the Federal government, and charting an initial 
course of action to address them. My major concern is that it does not 
do enough.
    We must be willing to commit real money to tackling the problem--
after all, policy without resources is rhetoric. While the President's 
proposed budget for fiscal year 2001 is a good start, a vast majority 
of the resources have already been earmarked and allocated in previous 
budgets. I personally believe that more money should be devoted to 
government-wide programs (i.e. a more robust and complete PKI 
infrastructure) and measures aimed at prevention and protection. While 
there are no protective measures that are completely effective, the 80 
percent solution will be sufficient to deter most attackers by 
increasing the risk of detection or failure. In essence, by raising the 
bar higher, we would then improve our ``signal to noise'' ratio and be 
better positioned to address the more significant threats. Moreover, 
only through leading by example can the government realistically hope 
for the private sector to commit the sort of resources expected of 
them.
    There have also been concerns that the Plan was developed behind 
closed doors, and that public input was not solicited through the 
Federal Register and other means. Many individuals and organizations, 
including the Congress and the owners and operators of many of the 
critical infrastructures within industry, could have offered valuable 
counsel and prevented some of the adverse publicity surrounding the 
Plan last summer. Nevertheless, it is encouraging that the 
Administration seems amenable to accept input at this point, a process 
that needs to be enhanced and encouraged.
    With respect to infrastructure assurance, we must continue to work 
toward and build upon a true national plan with full representation 
from industry and all interested parties. We need to forge a genuine 
partnership between the public and private sectors. The public actions 
of the Critical Infrastructure Assurance Office (CIAO) are very 
encouraging in this respect. Specifically, the recently announced 
Partnership for Critical Infrastructure Security, which has brought 
together approximately ninety leading corporations and various federal 
agencies to address the problems of infrastructure assurance, is a good 
example of a step in the right direction.
    We also need a true national debate on infrastructure assurance and 
we need to re-think national security strategy accordingly. It can no 
longer be a case of the government leading and the private sector 
following. In other words, Silicon Valley and the Beltway, where the 
sandal meets the wingtip, must stand side by side and on equal footing 
in addressing these issues and formulating responses.
    Philosopher and New York Yankee great, Yogi Berra, once said, ``The 
future ain't what it used to be.'' The best way to predict the future 
is to help build it. We should not have to choose between security and 
privacy. With a lot of hard work, we can, and must, have both.
    Thank you for your time. I would be pleased to try to answer any 
questions you may have.

    Senator Kyl. Thank you, Mr. Cilluffo. I think the last 
comment you made summarizes my view, and that is that this 
doesn't have to be a zero-sum game. We have got to be concerned 
about both issues, both the protection of American interests, 
which include privacy interests, and on the other hand doing it 
in a way that doesn't inhibit people's civil liberties. That is 
an age-old issue. This is merely one of the latest iterations 
of it. You could write the history of this country and every 
decade would have a chapter dealing with some iteration of this 
particular problem. But it has got a new feature now and a more 
complicated one, and I think a constructive dialog is 
important.
    I think the questions that Mr. Rotenberg raises are 
important questions and I think the Government needs to pay 
more attention to those questions. There needs to be more 
public discussion of them. There needs to be a lot of serious 
questioning with respect to the protection of privacy.
    But I also think that the people who raise those questions 
would be more credible in doing so if they didn't denigrate the 
nature of the challenge that we are trying to deal with here, 
which I think, Mr. Rotenberg, with all due respect, you do. And 
I think the very legitimate questions you raised would be 
enhanced by an acknowledgement right up front that this was not 
some invention of the Defense Department in order to get more 
money, which is what you have said, but rather a response to a 
legitimate concern.
    Senator Sam Nunn and I had the first hearings on this. I 
don't think you would criticize him as somebody that is a 
mouthpiece for getting more money for the Defense Department. 
As a matter of fact, I think it is arguably true that we had to 
drag them kicking and screaming to this problem because they 
saw it coming out of their budget. And I think if you asked the 
people downtown, they would say one of the reasons why this was 
so slow in coming is that nobody wanted to put their arm around 
this baby because they knew that it was going to be hard and it 
was going to cost a lot of money and they didn't want it to 
come out of their budget.
    So when you say things, Mr. Rotenberg, like the DOD and its 
secretive component, the NSA, were driving forces behind 
critical infrastructure protection--``For the Pentagon and the 
intel community, info warfare offered a new vista in an era of 
post-Cold War diminishing military budgets, paucity of 
conventional threats, base closures, and reductions in force, 
both military and civilian''--I think you are just dead wrong. 
That isn't how this all came about. It came about because a lot 
of serious people understood there was a significant threat and 
they wanted to do something about it.
    And I really believe that in raising the questions you have 
raised, which I again acknowledge are legitimate questions and 
have not, I would add, been adequately answered by Mr. Tritak 
today, I think that the discussion needs to begin from a 
different point.
    I would ask you this question. Having been critical, can 
you offer some suggestions as to how we might better balance 
the concerns for our protection from this cyber terrorism, on 
the one hand, and the very legitimate concerns you raised about 
personal privacy protection on the other? In other words, 
rather than just saying there is a huge problem here, the 
Government is trying to get into everybody's lives, how would 
you deal with the nature of this challenge? What kind of 
structure would you set up to provide the kind of protection 
that you are interested in?
    Mr. Rotenberg. Let me just say at the outset, Senator, I 
take your criticism. I know that you are referring to a report 
that we published last year. I should say that the words that 
you are quoting aren't actually my words. I mean, they were 
written by someone else. I did write the preface to the report, 
which I suspect you would probably agree with much of it 
because, as people know, I tend to be fairly balanced in my 
assessment of these issues, as I was in my statement for the 
subcommittee today. But I take your criticism and I think it is 
a fair one. I think these are real problems.
    At the same time, I hope you would appreciate that for 
people who are concerned about privacy issues and civil 
liberties issues, there is a sense, as there is this morning, 
that these very elaborate programs are put together that have 
enormous civil liberties implications and sort of after the 
fact people say, and now we want to address privacy concerns, 
so that you will have to decide, for example, about whether to 
go forward with a FIDNet proposal that I believe, and even the 
Department of Justice believes, could be contrary to U.S. law. 
I think we have a good basis for our criticism.
    But you asked me how do we resolve these two issues, and I 
have tried to suggest in my statement this morning that key to 
a successful answer is a successful and accurate description of 
the problem. We are not just defending U.S. borders anymore. I 
mean, the very interesting thing about Senator Bennett's 
picture is that this is a worldwide network, and the security 
solutions and the reliability solutions are being developed by 
researchers all around the world. U.S. firms, U.S. scientists, 
U.S. Federal agencies are benefiting today from work that is 
being done across the globe.
    And I think we run some serious risk, if we are intent on 
trying to protect this network, by now erecting national 
borders in a world and in an environment where those national 
borders are just harder to control. Now, in saying this I am 
not trying to diminish the importance of national security or 
public safety. In fact, I think I am actually underscoring it.
    I am simply trying to say that the problems that we face in 
the 21st century to protect these communication networks on 
which we depend are very different from the types of problems 
we confronted in the 20th century when we could follow 
airplanes moving in our air space, across our borders, destined 
for an attack.
    Senator Kyl. Conceded. We all make that point. We all 
agree. My question was, so how do you then deal with the issue, 
and I will ask Mr. Cilluffo to answer the same question. Just 
get specific for a minute, and we really need to specifically 
direct your answer to the question.
    Mr. Rotenberg. Fair enough. My first answer is I think we 
need a proposal that complies with U.S. privacy law. I don't 
think you can put forward a proposal that says we are concerned 
about privacy and at the same time ignore the relevant law that 
this Congress has passed which says that when the Government 
conducts electronic surveillance, it has to comply with certain 
fourth amendment standards. That seems to me a fairly 
reasonable request to make.
    I think a second point to make is that when you are 
creating within government a great surveillance capability, it 
is appropriate to have some mechanism for oversight and 
accountability. Now, I think this is an area, in fact, where 
Mr. Tritak has given a lot of thought. There is obviously an 
effort to work with the committees and to incorporate public 
comments, but that has to be done on a much more formal basis.
    I mean, the Department of Justice has annual reporting 
requirements. The Computer Security Act has a formal committee 
that conducts hearings, issues reports. We need the types of 
institutional safeguards vested with the responsibility to 
protect privacy and civil liberties to counterbalance this very 
great surveillance authority that is going to be created.
    And I should say, by the way, this hearing is really 
focusing on a small part of the Plan. I think there are large 
parts of the Plan where there is really no dispute. I mean, 
what we are really talking about today is whether, to protect 
computer security, the Federal Government should have open-ended 
authority to conduct computer surveillance.
    Senator Kyl. That is not true, that is just fundamentally 
not true. Nobody argues that the U.S. Government should have 
that authority, and if you would like to cite anybody that you 
can think of that comes at it from that point of view, I invite 
you to do so right now. You see, I think that is an 
exaggeration and it is the kind of statement that doesn't help 
us get to a constructive solution.
    Senator Feinstein was saying just a moment ago that we 
start from the premise that the U.S. Constitution governs here. 
We have got to protect the liberties that are guaranteed in 
that document. The question is, with a brand new kind of 
technology here that we have all acknowledged eliminates the 
kind of formal barriers that used to instruct us on how to deal 
with these issues, we have got to come up with structures that, 
while they solve the problem, don't impinge upon constitutional 
liberties.
    Just to give you one little illustration that is by analogy 
only--it is not directly applicable here--we have a bill that 
has passed the Senate unanimously dealing with Internet 
gambling. The 1961 Telephone and Wire Act prohibits sports 
gambling, but some defendants in a case said, well, wait a 
minute, to the U.S. attorney, you can't prove that that bet was 
transmitted over wire; it could have been through fiber optic 
cable or satellite microwave transmission.
    The point is sometimes you have got to bring the law 
current with even the terminology of new technology, let alone 
the application of that technology. And it may be that some of 
these laws need to be brought up to date so that they enable us 
both to protect our security and protect the rights of the 
citizens. But don't start from the premise that it is zero-sum 
game and that the people that want to protect our security do 
not want to protect our privacy. It is just not true.
    Mr. Rotenberg. That is not my view, and it is not my view 
that it is a zero-sum game.
    Senator Kyl. Well, perhaps I misunderstood the comment you 
made.
    Let me ask Mr. Cilluffo if he has some specific, 
constructive suggestions on how we square this circle, the 
challenge that Mr. Rotenberg has laid down.
    Mr. Cilluffo. Well, I think clearly the notion of 
partnerships, genuine partnerships that provide input from all 
different parties, is absolutely critical here. This is an 
issue that touches absolutely everyone, the civil liberties 
issues as well as the national security issues, and corporate 
issues such as intangible intellectual property rights and 
economic and industrial espionage.
    There are a whole bunch of issues here that need to be 
brought to the table, and the only way you can begin doing that 
is by having this dialog. This table is much bigger than most 
traditional national security tables have been. It requires the 
input of so many new parties and so many different communities 
that I actually give the administration a lot of credit for 
adding that line to the Plan, an invitation to a dialog, 
because that is what we need; we need a dialog.
    And while I agree that there are some very legitimate civil 
liberty issues that need to be addressed at that table, that is 
not the only issue that needs to be addressed, and I really 
don't see it as an either/or. I would accept nothing less than 
a plan that both protects our privacy and ensures our security. 
So the dialog, I think, is an important step. There are a 
number of initiatives within that, such as the information-
sharing analysis centers where industry starts getting together 
doing some of the initiatives. We have parallel programs inside 
the Government, but the dialog is crucial.
    Senator Kyl. Well, let me say this and then I will turn to 
Senator Feinstein. I think before this is actually implemented, 
we will have additional hearings in which we will ask legal 
experts as well as technical experts to sit at this table and 
walk us through precisely how they envision it being done so 
that, for example, where they see--well, first of all, where 
they have the legal authority to look for these anomalies, what 
do they have the legal right to look for? What gives them that 
legal right? What kind of potential civil rights problems are 
there in looking for those anomalies?
    Then what can they next do with that information? What is 
the next filter? Mr. Tritak envisions three or four layers or 
filters of analysis, as he pointed out. So when it gets to that 
next level, is there any further challenge to the civil 
liberties issues and what protections pertain there, all the 
way down to the hand-off to the FBI, the law enforcement 
agency, when they have reason to believe a crime might be being 
committed here, and therefore what the FBI must work--what 
strictures govern the FBI's actions here. I am sure those will 
be fairly standard law enforcement kinds of strictures.
    But it is that initial broad-based analysis of anomalous 
information or incidents that probably raises the real 
questions because once you get to the FBI, I don't see a whole 
lot changing. I mean, they are going to be stuck with what they 
are stuck with the way we have got it pretty much written now. 
On the other hand, there may be some new techniques that they 
would wish to employ based on new technology, and if that 
implicates privacy laws, then we will have to view it in that 
context.
    So I think the challenge, Mr. Rotenberg, that you lay out 
is an appropriate challenge. I think we need to have people 
come and testify specifically about exactly what they are going 
to do because unless there is an acceptance of this by the 
American people, we are not going to be able to protect 
ourselves. And someday we will wish that we had tried to figure 
it out better in advance, and I appreciate your approach to 
that, Mr. Cilluffo.
    Mr. Cilluffo. Mr. Chairman, if I could add one point, too 
often the debate also focuses entirely on concerns of big 
brother. Well, the Government also has a responsibility to 
protect its citizens from little brothers. The thing that makes 
this threat so unique is that you don't need to be the United 
States, you don't need a major budget, you don't need to be the 
former Soviet Union or the People's Republic of China. Anyone 
can have a rudimentary capability, and we have a responsibility 
to protect our citizens.
    Just imagine if we could not get our Social Security checks 
next month. I think people would be in the streets, arguably 
for good reason. Whether it is air traffic control and the 
like, I think that there are some very legitimate concerns that 
we need to look at it from the inverse perspective as well, not 
to mention that we are stuck prosecuting 21st century crimes 
with 20th century laws. I agree with Mr. Rotenberg's point, but 
it also has a flip side that needs to be on the table as well.
    Senator Kyl. Senator Feinstein.
    Senator Feinstein. Thanks very much, Mr. Chairman. You 
know, I think that we are both on the same line here. I think 
we both believe that this is the frontier of a huge problem. I 
think we both believe that the technology is advancing so 
rapidly, so much quicker than our laws, our philosophy, our 
ability to really deal with it in any way.
    At the same time, it is a whole new worldwide phenomenon 
and those that produce the phenomenon say, leave us alone, we 
don't want government interference. And it is very difficult to 
weigh the balance. On the one hand, you have commercially where 
people find their Social Security numbers being used without 
their permission, their drivers' licenses used without their 
permission, their medical information, their financial 
information. On one level, that sets up a huge level of privacy 
concern, and I think you and I will address it in a piece of 
legislation.
    On the other level, you have this situation where a plane 
or planes go down in a cyber attack. Then what right does the 
Government have to infiltrate an encrypted computer system to 
try to get at the perpetrator? So it becomes two different sets 
of things we are looking at. At the same time, you have pointed 
out, and I think correctly, the technology is advancing so 
rapidly that by the time we get there, it is at the next stage.
    It is a very hard challenge in front of us. I think we 
believe we have to do everything we can within protection of 
privacy to also protect our Nation and our people against 
attacks that we know as sure as the sun is coming up tomorrow 
morning are going to happen, and it is hard to get equipped to 
do so.
    Now, let me ask a couple of questions, if I could, that are 
specific. Mr. Cilluffo, you mention that Congress should 
appropriate money for a governmentwide information security 
program such as encryption--and we have had a lot of debates 
over encryption--that is, a national public key infrastructure. 
Why do you believe that public key infrastructure is a good 
solution?
    Mr. Cilluffo. Well, it is not necessarily the encryption 
piece; it is the public key infrastructure writ large. I 
believe that that would raise the bar throughout our Federal 
systems to a level where you have the so-called 80-percent 
solution. Then the additional 20 percent that still could 
circumvent all these new protective measures that are put in 
place--we could focus on those specific threats which I think 
are the most critical to our national security.
    From there, we can hone in our indications and warning 
capabilities and the like to deal with the more significant 
threats and keep out the 80 percent, the so-called ankle 
biters, that really are not significant national security 
issues.
    Senator Feinstein. Explain what you mean by public key.
    Mr. Cilluffo. It is heavily based on encryption means, but 
it goes beyond to incorporate other token key infrastructures. 
And to me, encryption is an important piece to protecting 
ourselves, but it doesn't do a whole lot to protect from denial 
of service attacks. What good is protecting the confidentiality 
and integrity of the information if you can't get a dial tone? 
But the PKI infrastructure does incorporate to add in some of 
the denial of service protection measures.
    Senator Feinstein. Thank you.
    Mr. Rotenberg, you noted that many people used credit cards 
over this past holiday over the Internet, and that weaker 
encryption was freely available, I think you said due 
indirectly to the administration's old encryption control 
regulations. You then suggested that the National Plan will 
replicate the problem. I didn't understand what you meant. 
Could you explain it as to what exactly you mean?
    Mr. Rotenberg. Yes, Senator. What I was trying to describe 
was the problem that results from a Plan, you know, well-
intended basically to keep these strong security tools away 
from people which could cause harm to the country, which is 
what the export control system does in part, had the practical 
consequence of keeping the same strong tools away from American 
consumers.
    As computer security policies are implemented, there are 
all sorts of other effects that can be difficult to control, 
and it is a very good example, particularly with people using 
the Internet at Christmastime and making themselves vulnerable 
with credit card purchases. And I agree with you, by the way. I 
think that is also a very big part of the privacy issue. There 
are a lot of things happening obviously in the private sector 
that may require some government legislation to protect privacy 
and I would certainly support that.
    But here you see sometimes a policy even well-intended that 
says we have got to try to keep good encryption away from the 
bad guys has the practical problem of keeping those same tools 
away from the good guys and leaving the good guys more 
vulnerable, and that is what I think we need to avoid 
duplicating.
    Senator Feinstein. Well, let me go back to the incident of 
the computer in Manila where the airline information was in it 
and this individual was going to bring down, if he could, a 
whole flock of commercial airliners. Fortunately, you could get 
into his computer and the information was there.
    What is wrong with using the same procedure that one would 
use with a telephone? In other words, a wire tap; you go before 
a judge, you get a court order. You have to provide information 
to a judge, an independent third party, a reasonable cause to 
believe, et cetera. What is wrong with that procedure?
    Mr. Rotenberg. Actually, I think it is the right procedure.
    Senator Feinstein. I do, too.
    Mr. Rotenberg. And throughout the debate on encryption, you 
know, we really never argued about the Government's right to 
conduct a wiretap, with lawful authority, with a warrant. We 
said we understand that.
    What we are really discussing is what kind of technological 
design, what kind of architecture for this evolving 
communication network is best likely to promote security and 
privacy. I agree with you, Senator Kyl. I think both goals are 
critical and we should not face a tradeoff where we are giving 
up one for the other.
    And I guess the sense we have today after going through 
this long debate on encryption is that there really is a risk 
that if we focus solely on security, then privacy gets pushed 
off the table. It becomes sort of an after-the-fact 
consideration. And so we have to think at the very beginning 
when we are proposing, for example, public key infrastructure 
which could be very good to promote network security across 
Federal agencies--people filing tax returns, for example, make 
sure those aren't misappropriated. But we have to make sure at 
the beginning that privacy really becomes part of the design 
requirement so that we don't face the tradeoffs, and I think 
that is what I am saying.
    Senator Feinstein. Well, let me give you a challenge.
    Mr. Rotenberg. Yes.
    Senator Feinstein. I used to say when I was mayor to my 
staff--they would come in the door at the end of the day with a 
problem and I would say, don't come in with a problem unless 
you have got the solution, too. So let me give you that 
challenge. It is one thing to point out the problem, it is 
another thing to come up with a solution, and so I would like 
to challenge you to present us with some solutions.
    Mr. Rotenberg. Senator, I would be pleased to do that. In 
fact, I would offer to the subcommittee that there are groups 
of security experts. The American Association for Computing 
Machinery has been working in this area for a long time. I 
think we could put together a study group and maybe produce a 
report in a short period of time to try to answer this question 
for you. How do we do privacy and security so that both 
interests are protected as we go forward?
    Senator Feinstein. If I understood your opening comments, 
you would agree that there is a problem out there.
    Mr. Rotenberg. Yes.
    Senator Feinstein. So then all of us together, the privacy 
community as well as the governmental and the private sector, 
really ought to come together to come up with the solution 
because we have to do that.
    Mr. Rotenberg. Yes, I agree.
    Senator Feinstein. Thanks, Mr. Chairman.
    Senator Kyl. Thank you very much. Well put. I was just 
thinking, just to close this off and put it in context, 
yesterday when I came through the security mechanism at the 
airport I was reminded again that just a little tiny bit of my 
civil liberties have been taken from me for a larger cause. 
Fortunately, I didn't have anything metal in my pockets to set 
the machine off, but if I had and I couldn't take it out of my 
pocket, then I get this routine which frequently happens to me. 
And I am standing there and somebody runs a little wand all 
over me.
    Senator Feinstein. Yes, me, too.
    Senator Kyl. Well, I don't care. It is a little bit of an 
inhibition on my freedom to come and go as I please, but the 
larger good of ensuring that I don't have some kind of 
terrorist device gives all of the people on the airplane I get 
on a sense of assurance that it is going to be OK. I think that 
is the kind of thing we are looking at here.
    What kind of legitimate limitations are we willing to 
impose on ourselves in order to ensure that the entire Nation 
is not subject to this kind of terrorism or specific attack, 
and what kind of assurances can our Government provide its 
citizens that it has done only that which is necessary and no 
more? I think that is the nature of the challenge before us.
    I will take you up on your offer, Mr. Rotenberg, and what I 
would like to do is ask both of you to come back or to provide 
testimony to the committee. I think that what this hearing has 
demonstrated is that in addition to a wide variety of other 
kinds of questions, we need to ask Mr. Tritak and others from 
the administration to be prepared to discuss specifics in the 
area that I think is most relevant to this subcommittee's 
jurisdiction which we will probably be dealing with in 
legislative form at a later date.
    So I appreciate both of you being here to testify and we 
will leave the record open for any further comments you would 
like to make. In addition, we may have some other written 
questions that we would like to pose to you.
    Thank you, Senator Feinstein. If there is nothing further, 
then we will adjourn this meeting, and I guarantee you we will 
have another hearing on this subject in the not too distant 
future.
    Thank you very much. This hearing is adjourned.
    [Whereupon, at 12:11 p.m., the subcommittee was adjourned.]
                            A P P E N D I X

                              ----------                              


                         Questions and Answers

                              ----------                              


       Responses of John Tritak to Questions From Senator Jon Kyl

    Question 1. In his written testimony for the Subcommittee's 
February 1, 2000 hearing on critical infrastructure protection, Marc 
Rotenberg, Executive Director of the Electronic Privacy Information 
Center, noted that, based on a March 1999 memo from the Justice 
Department to the CIAO, FIDNet is a ``violation of the spirit of the 
federal wiretap statute, the plain language of the federal Privacy Act, 
and contrary to the Fourth Amendment.'' When questions about legal 
authority for FIDNet were raised during the hearing, you testified that 
FIDNet is consistent with all ``privacy laws'', yet 
stated you were unfamiliar with whether Federal wiretap statutes 
applied to FIDNet. For the record, please explain in detail the current 
laws that apply to FIDNet, and specifically how FIDNet in its current 
conception is not in violation of each of those laws. Include, at a 
minimum, the Privacy Act, the Electronic Communications Privacy Act, 
the Computer Security Act, and wiretap statutes.
    Answer 1. At the outset and before we can respond to your question 
fully, we need to make two observations as a backdrop for the 
discussion. First, the Federal Intrusion Detection Network (the 
``FIDNet'') proposal was and continues to be a work in progress. Since 
the release of PDD-63 in May 1998, the Administration has worked 
carefully to identify the full range of possible security options that 
incorporate intrusion detection technology. The proposal as described 
in the earliest drafts of the National Plan has evolved considerably, 
and continues to evolve.
    The second point to be made is that, as underscored in the National 
Plan, the FIDNet proposal will be implemented in a manner consistent 
with all relevant laws, including privacy laws. Our legal analysis of 
the proposal--and our ongoing consultation with the Department of 
Justice--continues as part of a comprehensive interagency process and 
in tandem with the evolution of the FIDNet to assure its adherence to 
the spirit and letter of law.
    FIDNet has been carefully tailored to vest authority and control in 
the Federal civilian agencies, consistent with the Computer Security 
Act of 1987, Clinger-Cohen Act, and Executive Order 13011, which 
implement Congressional policies. Under current practices, federal 
agency computer system administrators (as well as system administrators 
in most companies in the private sector) already analyze data flowing 
over their systems, based on strategic placement of intrusion detection 
technology in accordance with the needs of the organization. Under the 
FIDNet proposal as currently formulated:

   The agencies will decide what data on system anomalies to 
        forward to the GSA for further review;

   The GSA will use data on anomalies exclusively to warn 
        agencies about system anomalies; and

   Law enforcement would receive information about computer 
        attacks and intrusions only under long-standing legal rules 
        (i.e., when there is evidence of a crime). No new authorities 
        are implied or envisioned by the FIDNet program.

    FIDNet is intended to be a multi-level system. At the first level, 
each agency's own security-protection software will scan for harmful 
traffic entering that agency's system. (The key to understanding 
intrusion detection is the concept of a ``firewall,'' which by 
definition and design is meant to scan incoming transmissions for 
hostile files and programs.) In fact, this is already being done at 
federal agencies, not to mention most private companies. The National 
Plan contemplates that the implementation and operation of such 
protective measures will continue to be the responsibility of the 
individual agencies. The objective of FIDNet is not to send the 
resulting information to law enforcement officials. Instead, the goal 
is to improve overall federal system security through improved 
information sharing among systems administrators and information 
security officials.
    Contrary to Mr. Rotenberg's suggestion, the March 1999 Justice 
Department memorandum does not state at any point that FIDNet--even in 
the preliminary form then under analysis--would violate federal privacy 
law. On the contrary, the memorandum identifies the legal bases on 
which protective monitoring of government computer systems can be 
lawfully conducted.
    In fact, the current FIDNet proposal is structured to comply fully 
with the Electronic Communications Privacy Act (``ECPA''), 18 U.S.C. 
Sec. 2510 et seq., which incorporates federal wiretap law. 
Specifically, while ECPA generally prohibits the interception of 
electronic communications, it contains two relevant exceptions to that 
general prohibition: (1) consent of a party and (2) system protection 
monitoring activities. As to the first of these, the federal agencies 
participating in FIDNet will, in appropriate instances, establish 
consent to monitoring by using login ``banners'' displayed to each 
network's users.
    FIDNet will also rely on the separate exception applicable to 
systems protection. Under this exception, ECPA expressly authorizes a 
system owner or his agent to monitor network traffic on the system to 
the extent necessary to protect the ``rights or property'' of the 
system owner.
    In addition, the FIDNet concept is compatible with the Privacy Act. 
The Privacy Act, designed to protect personal privacy from unwarranted 
invasions by federal agencies, regulates the collection, maintenance, 
use, and dissemination of personal information by federal government 
agencies. It forbids the disclosure of personal information by federal 
agencies except under certain circumstances, and, subject to enumerated 
exceptions, gives individuals access to information maintained on them.
    FIDNet will be fully consistent with the Privacy Act's requirement 
that physical security and information management practices be designed 
to ensure individual privacy. As properly and legally formulated, 
FIDNet will increase the level of privacy and security afforded to 
information about individuals on government computers.

    Question 2. Is there a need for legislation to bring any of those 
laws up to date to reflect the current state of information technology? 
If so, please make specific suggestions.
    Answer 2. No. No new authorities are implied or envisioned by the 
FIDNet program.

    Question 3. If, in your view, any of those laws need to be updated, 
do your suggested changes erode privacy and civil liberties in any way?
    Answer 3. As previously noted, no new authorities are implied or 
envisioned by the FIDNet program. In addition, our legal analysis of 
the proposal--and our ongoing consultation with the Department of 
Justice--continues as part of a comprehensive interagency process and 
in tandem with the evolution of the FIDNet to assure its adherence to 
the spirit and letter of law.
    Starting from this point of seeking to protect privacy and civil 
liberties, we additionally remember your admonition that privacy and 
liberty are also endangered if we do nothing at all and leave the 
information on the government systems subject to attack and theft. I 
firmly believe that FIDNet will not erode privacy and civil liberties; 
indeed, by protecting citizen information communicated to government 
agencies from theft or improper release, and securing government 
systems from attacks by hackers, criminals and terrorists, FIDNet will 
ultimately serve to enhance privacy and liberty.

    Question 4. In his written testimony for the Subcommittee's 
February 1, 2000 hearing on critical infrastructure protection, Marc 
Rotenberg, Executive Director of the Electronic Privacy Information 
Center, stated ``There are other indications, contained in materials 
that we received under the Freedom of Information Act, the CIAO intends 
to make use of credit card records and telephone toll records as part 
of its intrusions detection system,'' and notes this raises problems 
under U.S. law. Does the CIAO intend to use credit card records and 
telephone toll records as part of its intrusion detection system?
    Answer 4. There is not, nor has there ever been any intent to use 
credit card records and telephone toll records as part of an intrusion 
detection system. Mr. Rotenberg may be misconstruing and 
misinterpreting comments made about the technology used to detect 
anomalies in the use of telephone and credit cards.
    In the early stages of the FIDNet process, the Administration 
considered, among others, the technology that telephone companies use 
to find abnormalities in behavior patterns--in their case for use of 
telephone credit cards--to see if that technology could be used 
to identify abnormal behavior patterns on government networks. This 
was an examination of the underlying technology only, and had nothing 
to do with using actual phone number or credit card records.

    Question 5. Mr. Rotenberg submitted the attached memo for the 
record at the hearing. The memo includes a chart referring to credit 
card and toll fraud profiling. Please explain the meaning of that 
slide.
    Answer 5. Consistent with the response to the previous question, 
the only references to credit card and telephone toll records dealt 
with consideration of the underlying technology models and not with any 
specific credit card and telephone information. Since release of PDD-63 
in May 1998, the Administration has reviewed carefully the full range 
of available technologies that may be applied to intrusion detection 
systems. The slide at issue relates to technology options discussed for 
the FIDNet. That is, the credit card and toll-fraud detection were only 
offered as an example of a type of detection technology currently in 
use.
    Specifically, what was then being considered was the technology 
that telephone companies use to find abnormalities in behavior 
patterns--in their case for telephone credit card use--to see 
if it could be used to identify abnormal behavior patterns on our 
networks. This was an examination of the underlying technology only, 
and had nothing to do with using actual phone number or credit card 
records.

    Question 6. Please provide an outline of FIDNet in its current 
stage of development.
    Answer 6. At present, FIDNet remains entirely on the drawing board. 
The program plan for fiscal year 2000-2001 relies upon the experience 
and expertise of the vendor community to actually develop the technical 
architecture(s) for FIDNet.
    An initial Request for Proposal (RFP) from the General Services 
Administration (GSA) will solicit such architectures from the corporate 
sector. The expectation is that these architectures will come from 
those companies that already provide intrusion detection products and 
services both to industry and government. While the RFP will document 
all known legal constraints upon the Network, the program plan still 
calls for yet another legal review of each of the vendors' submissions 
by the Department of Justice. Depending upon the build costs of the 
remaining vendor proposals (those proposed architectures which pass 
legal muster with the Department of Justice) and the amount of 
available funding, the GSA Program Office will then fund development of 
between two and five FIDNet prototypes. The prototypes must then prove 
the technical, operational and practical viability of their 
architectures while continuing to steer clear of any new legal/privacy 
constraints that Justice may have identified. The extent to which the 
prototypes prove they actually meet all system requirements: technical, 
legal, privacy-related, operational and fiscal (i.e., best value for 
the Government) will determine the winner in final Source Selection.

    Question 6a. Describe which practices of surveillance and 
monitoring already take place in individual agencies.
    Answer 6a. Because the Program Office is just getting under way, 
GSA has not yet had the opportunity to begin a comprehensive survey of 
government agency intrusion detection practices, which products they 
may have purchased from which vendors, and how the agencies actually 
employ the intrusion detection systems they have already purchased.
    We will keep the Subcommittee informed about the development of the 
FIDNet proposal and about the information that GSA assembles concerning 
intrusion detection practices in various agencies.

    Question 7. Using the model of FIDNet, explain what type of 
monitoring would apply to a citizen, in his home who logs on to a 
government web site. What types of activities would that citizen have 
to do to ``set off'' a typical intrusion detection system (understanding 
that different government agencies have varying IDSs)?
    Answer 7. Merely accessing a public government web site over the 
Internet would not be the kind of activity that would trigger an 
intrusion detection system. That activity is not only exceedingly 
common, but is entirely expected and encouraged. After all, government 
agencies' web pages are posted so that they may be accessed and read by 
the general public.
    It is safe to assume, however, that sending e-mail infected with a 
virus or worm to a government office would certainly activate the 
agency's anti-virus software and thus ``set off'' the intrusion 
detection system of a given agency. Participation in distributed Denial 
of Service (DDOS) attacks, such as those that recently shut down Yahoo!, 
e-Bay and other popular commercial web pages, 
would most likely also trigger an alert.
    Please be aware that it will be the systems administrators in the 
individual agencies who will determine for each critical computer 
system what type of activity sets off their alarm(s), and what data 
(within legal constraints) will be sent via FIDNet to the Federal 
Computer Incident Response Capability (FedCIRC) at GSA when 
unauthorized activity is suspected. Given the sorts of intrusion 
detection systems on the market today, agencies' traffic monitoring 
typically notices anomalous activity that may indicate an unlawful 
intrusion into a significant information system--such as attempts to 
enter a government computer system at an unusual port of entry or the 
delivery/execution of certain types of files that are typically used as 
vehicles for hostile code, e.g., Trojan horses.
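    The triggers listed in Answer 7 (connections to a port a system does 
not normally serve, delivery of file types commonly used to carry hostile 
code, participation in a flood) can be illustrated with a small detector 
run over constructed log lines. The following is an added example 
written for this edited record; it is not part of the hearing record and 
is not FIDNet, FedCIRC or any agency's software. The log format, the 
host addresses, the list of hostile file extensions, the flood threshold 
and the idea of learning a per-host port baseline from known-good 
traffic are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (constructed for this example, not a real agency format):
#   <ts> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> [file=<name>]
LINE_RE = re.compile(
    r"^(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r" proto=(?P<proto>\w+)(?: file=(?P<file>\S+))?$"
)

# File types often used as vehicles for hostile code; an assumed list.
HOSTILE_EXTENSIONS = {".exe", ".scr", ".vbs", ".bat", ".js"}

# Assumed: more than this many connections from one source within one
# timestamp value is treated as flooding.
FLOOD_THRESHOLD = 5

# Constructed known-good traffic, used to learn which ports each
# destination host normally serves.
BASELINE_LOG = """\
1000 src=203.0.113.10 dst=192.0.2.20 dport=80 proto=tcp
1001 src=203.0.113.11 dst=192.0.2.20 dport=443 proto=tcp
1002 src=203.0.113.12 dst=192.0.2.30 dport=25 proto=tcp file=report.pdf
1003 src=203.0.113.13 dst=192.0.2.20 dport=80 proto=tcp
"""

# Constructed traffic to inspect.
LIVE_LOG = """\
2000 src=198.51.100.5 dst=192.0.2.20 dport=80 proto=tcp
2001 src=198.51.100.6 dst=192.0.2.20 dport=23 proto=tcp
2002 src=198.51.100.7 dst=192.0.2.30 dport=25 proto=tcp file=invoice.exe
2003 src=198.51.100.8 dst=192.0.2.20 dport=80 proto=tcp
2003 src=198.51.100.8 dst=192.0.2.20 dport=80 proto=tcp
2003 src=198.51.100.8 dst=192.0.2.20 dport=80 proto=tcp
2003 src=198.51.100.8 dst=192.0.2.20 dport=80 proto=tcp
2003 src=198.51.100.8 dst=192.0.2.20 dport=80 proto=tcp
2003 src=198.51.100.8 dst=192.0.2.20 dport=80 proto=tcp
2004 src=198.51.100.9 dst=192.0.2.40 dport=443 proto=tcp
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def learn_baseline(events):
    """Map each destination host to the set of ports seen in known-good traffic."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["dst"]].add(ev["dport"])
    return dict(baseline)


def detect(events, baseline):
    """Return (reason, event) alerts for unusual ports, hostile files and floods."""
    alerts = []
    per_src_second = Counter((ev["src"], ev["ts"]) for ev in events)
    flagged_floods = set()
    for ev in events:
        known_ports = baseline.get(ev["dst"])
        if known_ports is None:
            alerts.append(("unknown-host", ev))      # host never seen in baseline
        elif ev["dport"] not in known_ports:
            alerts.append(("unusual-port", ev))      # port this host does not serve
        name = ev.get("file")
        if name and any(name.lower().endswith(ext) for ext in HOSTILE_EXTENSIONS):
            alerts.append(("hostile-file", ev))
        key = (ev["src"], ev["ts"])
        if per_src_second[key] > FLOOD_THRESHOLD and key not in flagged_floods:
            flagged_floods.add(key)                  # one flood alert per burst
            alerts.append(("flood", ev))
    return alerts


def run():
    """Learn the baseline from BASELINE_LOG and inspect LIVE_LOG."""
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(LIVE_LOG), baseline)


if __name__ == "__main__":
    for reason, ev in run():
        print(f"{reason:13} ts={ev['ts']} src={ev['src']} "
              f"dst={ev['dst']} dport={ev['dport']}")
```

On the constructed input the detector raises four alerts: telnet to a 
web server (unusual port), an executable attachment to the mail host, a 
burst of six connections from one source in one second, and a 
connection to a host absent from the baseline. The ordinary web request 
on line one raises nothing, which is the point of Answer 7: expected 
public access is not what the sensor looks for. Which ports count as 
normal is learned from the agency's own traffic rather than fixed in 
code, matching the answer's statement that each agency's administrators 
decide what sets off their alarms.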

    Question 8. While much of the national plan deals with protection 
against cyber attack, milestone 1.7 calls for all agencies to cooperate 
in the construction of a program to protect critical infrastructures 
against physical attack, by terrorists or others. This part of the plan 
is scheduled to be complete by June 2000. Could you please elaborate on 
what this part of the plan will consist of?
    Answer 8. The National Plan for Critical Physical Infrastructure 
Protection (NPCPIP) will strengthen our economic and national security 
through the identification and remediation of critical physical 
infrastructure vulnerabilities. The plan involves asset identification, 
process and procedure integration, risk mitigation, remediation, 
incident reports, response, and interdependency understanding.
    The Information Technology revolution that has taken place in 
America during the 1990s, and the dependence on information systems it 
has created, makes a national level program for information systems 
security and defense essential. Given the urgent need for an 
information systems security and defense plan, and because of the 
breadth of this topic, the National Plan for Information Systems 
Protection, released by the President on January 7, 2000, focuses on 
protection of critical information infrastructures from both cyber and 
physical attack. It excludes consideration of other critical physical 
infrastructures and security issues related to them.
    America depends on both the physical and cyber portions of her 
critical infrastructures for economic and national security. A cyber 
event can cause a disruption of a physical infrastructure (e.g., power 
overload leads to a transformer or substation problem); a physical 
event/incident can disrupt a cyber infrastructure (e.g., a 
communications substation or electric transformer problem negatively 
impacts/degrades Secure Supervisory Control and Data Acquisition 
(SCADA) or communications systems).
    A physical infrastructure plan will integrate the cyber and 
physical aspects of critical infrastructure protection. All 
infrastructures consist of both cyber and physical elements and it is 
important not to separate them, specifically when one considers 
business continuity and target opportunities. However, for purposes of 
this plan, we must view the physical infrastructures from a national 
lens, and thus, we will define critical physical infrastructures to be 
those that would have broad reaching consequences, e.g. those that 
would impact on major geographical, economical, regional, or national 
security levels, if their services or operations were disrupted.
    Therefore, to address the physical vulnerabilities of non-cyber 
infrastructures, a new Critical Physical Infrastructure Protection Plan 
is being developed to identify the necessary initiatives and programs 
for ensuring protection of these infrastructures. The CIAO will lead 
this effort and will work with an inter-agency Task Group which will 
include DoD, FBI, and other agencies. These elements along with reviews 
of existing critical physical infrastructure security programs will 
lead to The National Plan for Critical Physical Infrastructure 
Protection (NPCPIP) to be issued in 2000.

Participating Agencies in NPCPIP Task Group.
Chair/Lead: CIAO*
Sector Liaison Agencies:
    Information & Communications--DOC
    Banking & Finance--Treasury*
    Transportation--DOT*
    Energy--DOE*
    Emergency Fire Service/Continuity of Government--FEMA*
    Public Health--HHS
    Water Supply--EPA*

Lead Agencies for Special Functions:
    Intelligence--CIA
    Foreign Affairs--State
    Law Enforcement--DOJ/FBI*
    National Defense--DoD*
    Federal Government (Non-DoD)--GSA*

Others:
    NSC
    Local Law Enforcement--Sheriff, Arapaho Co, Colorado
    NSTAC (National Security Telecommunications Advisory Council)--(in 
a consultant status)
    OMB
    USDA (Agriculture)
    DOI (Interior)
    HHS (Health & Human Services)

    * Mandatory--will form the core-writing contingent for 
the physical plan, other organizations including the NSTAC will be used 
in a reviewer/consultant role.

    Question 8a. Do each of the agencies involved have the expertise to 
accomplish this study, or are some agencies, such as the FBI and 
Defense Department being called on to assist other agencies?
    Answer 8a. As described above, an interagency task force is 
developing the NPCPIP. No single agency, alone, has the knowledge base 
to complete the effort. It should be noted that this plan will not take 
the form of an agency-by-agency plan, but a cross-sectoral approach.

    Question 9. The Plan states that ``Federal Agencies and Departments 
should have assessed information systems vulnerabilities, adopted a 
multi-year funding plan to remedy them, and created a system for 
continuously updating. Private sector companies of every critical 
sector could do the same.'' (Milestone 1.21). Is there a need for 
legislation to ensure that private sector owners and operators do this?
    Answer 9. We do not envision the need now for new legislation. 
Individual companies already address security to varying levels. The 
degree depends on their level of awareness and understanding of how 
critical information systems are to their business operations and to 
their ability to assure reliable services and delivery of products to 
their customers and the communities they serve. An industry awareness 
initiative will create market forces that will inevitably elevate the 
level of attention and investment by industry, an example of which we 
saw with the Year 2000 conversion experience. At some point, we may 
recognize a gap between what national security needs for critical 
infrastructure security and what companies believe their customers and 
communities are willing to pay for. At that time, additional incentives 
may be needed for industry to step up to additional levels of 
investment beyond what the market supports.
    Information security, unlike the Year 2000 conversion, has no end 
point. Consequently, it will require an on-going commitment and 
institutionalization of controls into core business processes. 
Technology also continues to change very quickly, requiring continuing 
attention and investment from those who would benefit from it. 
Obtaining buy-in from industry in their own business interests will 
more effectively address this issue in a timely and creative manner.

    Question 9a. Other than legislation requiring private companies to 
undertake this sort of planning, are there other incentives we could 
use to encourage firms in key sectors to be more pro-active in making 
their computer networks more secure?
    Answer 9a. The most effective incentive for corporations to take 
action is for the government to articulate its concern in business 
terms. The government's real focus is on predictable delivery of 
critical services that enable the government to satisfy its national 
security responsibilities and foster a competitive economy. Private 
industry succeeds by providing most of these services. If the 
government is successful in conveying its message, industry will take 
action based on sound business management practices.

    Question 10. What is the status of the development of Information 
Sharing and Analysis Center (ISACs), which are intended to bring 
together companies in key sectors like banking and telecommunications 
to facilitate the sharing of information about cyber threats and best 
practices for addressing vulnerabilities?
    Answer 10. Building the public-private partnership to ensure action 
is at the core of the National Plan. Without the full participation of 
the private sector, federal actions to protect critical infrastructures 
will not be fully effective. PDD-63 suggests that the private sector, 
in cooperation with the Federal government, establish Information 
Sharing and Analysis Centers (ISACs) to facilitate public-private 
information sharing on vulnerabilities, threats, intrusions, and 
anomalies. It should be noted, however, that ISACs are only one of the 
many information-sharing mechanisms now employed by the private sector.
    Last October, Banking and Finance publicly announced the creation 
of the Financial Services Information and Analysis Center (FS-ISAC). 
This is the first center that is operational and it is currently 
recruiting members from the entire financial industry.
    The National Coordinating Center (NCC) for Telecommunications, 
established in 1984, already performs many of the functions of an ISAC 
for the telecommunications industry.
    The electric power industry, through the North American Electric 
Reliability Council (NERC), has developed a reporting process and 
specific data elements on incidents to be shared with the National 
Infrastructure Protection Center (NIPC). This reporting process was 
built on a reporting structure and process that already exists within 
the electric industry to support the reliability, availability, and 
integrity of the nation's electric grid.
    There are other information sharing vehicles in private industry, 
created for paying members. Many of the large consulting and technology 
firms provide similar or equivalent services to their customers. Many 
of these share relevant information with the government.
    The government is also engaged in a dialogue with the Partnership 
for Critical Infrastructure Security to explore the value and 
feasibility of cross-sector information sharing regarding common 
threats, experiences, and best practices.

    Question 11. Pages 24 and 25 of the executive summary of the Plan 
describe deterrents and obstacles to companies who wish to share 
information on cyber-threats with the government. How can we remove 
these obstacles to encourage companies to share such information with 
the government? Do you need help from Congress to address these 
impediments?
    Answer 11. Many owners and operators of critical infrastructures 
and industry officials have expressed reluctance to share information 
about threats and vulnerabilities with the government. The degree of 
reluctance varies according to infrastructure, but is present in each. 
Only 17 percent of respondents who experienced an attack during the 
previous year reported it to law enforcement, according to the 
President's Commission on Critical Infrastructure Protection, which 
published its findings in October 1997.
    In a recent meeting with industry officials they have suggested 
that they would be reluctant to share such proprietary information or 
to participate in information sharing programs for a number of reasons. 
They fear information provided to the government may be made public and 
thereby damage their reputations, expose them to liability, or weaken 
their competitive position. In addition, potential contributors from 
the private sector are reluctant to share specific threat and 
vulnerability information because of impediments they perceive to arise 
from antitrust and unfair-business laws.
    With this dilemma in mind, an interagency group was formed in 
August 1999 to consider a non-disclosure provision that would allow 
Federal agencies to accept voluntary contributions of certain security-
related information outside the operation of the Freedom of Information 
Act (FOIA). The information in question would not be of the type 
normally disclosed either to the Federal government or to the public. 
In the near future, the group plans to address antitrust and liability 
issues.
    In each of these cases, we will need to work closely with Congress 
and the privacy community in developing effective solutions and 
removing these obstacles.

    Question 12. The Plan refers to the Partnership for Critical 
Infrastructure Security. Furthermore, milestone 8.2 states that this 
partnership will be created this month. What is it and how will it be 
created?
    Answer 12. The Partnership for Critical Infrastructure Security was 
created on February 22, 2000 at an organizational meeting held at the 
U.S. Chamber of Commerce. Over 120 companies attended (with more on the 
waiting list that could not be accommodated, but who want to join the 
partnership).
    The Partnership is intended to be a collaborative effort of 
industry and government to assure the delivery of essential services 
over the nation's critical infrastructures. These infrastructures, 
identified in Presidential Decision Directive 63 (PDD-63), include:

   Energy

   Financial Services

   Transportation

   Communications and Information Services

   Vital Human Services, including Health, Safety, and Water

    Private sector membership in the Partnership is open to 
infrastructure owners and operators, providers of infrastructure 
hardware, software, and services, risk management and investment 
professionals, and other members of the business community. Government 
representation will include state and local governments, as well as 
Federal agencies and departments responsible for working with the 
critical infrastructure sectors and for providing functional support 
for the protection of those infrastructures.
    The Partnership recognizes that the nation's critical services 
depend increasingly on commercial information technologies. The new 
threats and vulnerabilities that come with greater dependency on these 
technologies, combined with the growing interdependencies among the 
nation's critical infrastructures, require urgent attention not only in 
the government but also in the business community.
    The Partnership recognizes that in addition to protecting these 
infrastructures, attention must be given to the range of actions 
necessary to assure the delivery of critical services--including 
mitigation, response, and reconstitution.
    Since the vast majority of the critical infrastructures of the 
United States are owned and operated by private industry, the 
Partnership recognizes and acknowledges that the Federal government 
alone cannot protect these infrastructures or assure the delivery of 
services over them. While most of the challenges to assuring critical 
services are best handled by industry itself, the Partnership is based 
on the premise that some of these challenges are better handled by 
industry and government working together.
    The Partnership will explore ways in which industry and government 
can work together to address the risks to the nation's critical 
infrastructures. Federal Lead Agencies are currently building 
partnerships with individual infrastructure sectors in private 
industry, and state and local governments. The Partnership will provide 
a forum in which to draw these individual efforts together to 
facilitate a dialogue on cross-sector interdependencies, explore common 
approaches and experiences, and engage other key professional and 
business communities that have an interest in infrastructure assurance. 
By doing so, the Partnership hopes to raise awareness and understanding 
of, and to serve, when appropriate, as a catalyst for action among, the 
owners and operators of critical infrastructures, the risk management 
and investment communities, other members of the business community, 
and state and local governments.
    How the Partnership conducts itself--how it is organized, and how 
it manages its on-going operations--will largely be determined by its 
industry members. For its part, the Federal Government is prepared to 
sponsor on behalf of the Partnership a series of conferences, meetings, 
and working groups with industry and government executives to:

   Exchange views on issues of mutual interest to the 
        government and members of industry, including, but not limited 
        to:

           Interdependencies, including cross-sector 
        information sharing arrangements and the appropriate safeguards 
        for protecting the confidentiality of such information;

           Evolving threats to critical infrastructures;

           Education, training and workforce development;

           Standards and Best Practices;

           Technology and R&D;

           Risk Management: prevention, mitigation, response, 
        and reconstitution, including incident response management and 
        consequence management; and,

           Legal and regulatory matters.

   Facilitate the participation of members of industry in the 
        ongoing development of the national plan for critical 
        infrastructure protection; and,
   Facilitate contributions by members of industry to the work 
        of the National Infrastructure Assurance Council.\1\
---------------------------------------------------------------------------
    \1\ President Clinton established the National Infrastructure 
Assurance Council (NIAC) by Executive Order 13130 on July 14, 1999. The 
Council will consist of up to 30 leaders in industry and state and 
local government. Its mandate is to advise and counsel the President on 
a range of policy matters relating to critical infrastructure 
assurance, including the enhancement of public-private partnerships, 
generally. The Partnership for Critical Infrastructure Security could 
serve as one important channel of communication to the NIAC, ensuring 
that Council members have the full benefit of a wide cross-section of 
industry views.
---------------------------------------------------------------------------
                                 ______
                                 

Responses of John Tritak to Questions From Senator Joseph R. Biden, Jr.

    Question 1. Mr. Tritak in light of privacy advocates' criticism of 
the Federal Intrusion Detection Network (FIDNet) program, how can you 
guarantee that civil liberties are protected and that FIDNet will not 
violate current privacy protection, wiretap and 4th amendment law?
    Answer 1. At the outset and before we can respond to your question 
fully, we 
need to make two observations as a backdrop for the discussion. First, 
the Federal Intrusion Detection Network (the ``FIDNet'') proposal was 
and continues to be a work in progress. Since the release of PDD-63 in 
May 1998, the Administration has worked carefully to identify the full 
range of possible security options that incorporate intrusion detection 
technology. The proposal as described in the earliest drafts of the 
National Plan has evolved considerably, and continues to evolve.
    The second point to be made is that, as underscored in the National 
Plan, the FIDNet proposal will be implemented in a manner consistent 
with all relevant laws, including privacy laws. Our legal analysis of 
the proposal--and our ongoing consultation with the Department of 
Justice--continues as part of a comprehensive interagency process and 
in tandem with the evolution of the FIDNet to assure its adherence to 
the spirit and letter of law.
    FIDNet has been carefully tailored to vest authority and control in 
the Federal civilian agencies, consistent with the Computer Security 
Act of 1987, Clinger-Cohen Act, and Executive Order 13011, which 
implement Congressional policies. Under current practices, federal 
agency computer system administrators (as well as system administrators 
in most companies in the private sector) already analyze data flowing 
over their systems, based on strategic placement of intrusion detection 
technology in accordance with the needs of the organization. Under the 
FIDNet proposal as currently formulated:

   The agencies will decide what data on system anomalies to 
        forward to the GSA for further review;

   The GSA will use data on anomalies exclusively to warn 
        agencies about system anomalies; and

   Law enforcement would receive information about computer 
        attacks and intrusions only under long-standing legal rules 
        (i.e., when there is evidence of a crime). No new authorities 
        are implied or envisioned by the FIDNet program.

    FIDNet is intended to be a multi-level system. At the first level, 
each agency's own security-protection software will scan for harmful 
traffic entering that agency's system. (The key to understanding 
intrusion detection is the concept of a ``firewall,'' which by 
definition and design is meant to scan incoming transmissions for 
hostile files and programs.) In fact, this is already being done at 
federal agencies, not to mention most private companies. The National 
Plan contemplates that the implementation and operation of such 
protective measures will continue to be the responsibility of the 
individual agencies. The objective of FIDNet is not to send the 
resulting information to law enforcement officials. Instead, the goal 
is to improve overall federal system security through improved 
information sharing among systems administrators and information 
security officials.
    Contrary to Mr. Rotenberg's suggestion, the March 1999 Justice 
Department memorandum does not state at any point that FIDNet--even in 
the preliminary form then under analysis--would violate federal privacy 
law. On the contrary, the memorandum identifies the legal bases on 
which protective monitoring of government computer systems can be 
lawfully conducted.
    In fact, the current FIDNet proposal is structured to comply fully 
with the Electronic Communications Privacy Act (``ECPA''), 18 U.S.C. 
Sec. 2510 et seq., which incorporates federal wiretap law. 
Specifically, while ECPA generally prohibits the interception of 
electronic communications, it contains two relevant exceptions to that 
general prohibition: (1) consent of a party and (2) system protection 
monitoring activities. As to the first of these, the federal agencies 
participating in FIDNet will, in appropriate instances, establish 
consent to monitoring by using login ``banners'' displayed to each 
network's users.
    FIDNet will also rely on the separate exception applicable to 
systems protection. Under this exception, ECPA expressly authorizes a 
system owner or his agent to monitor network traffic on the system to 
the extent necessary to protect the ``rights or property'' of the 
system owner.
    In addition, the FIDNet concept is compatible with the Privacy Act. 
The Privacy Act, designed to protect personal privacy from unwarranted 
invasions by federal agencies, regulates the collection, maintenance, 
use, and dissemination of personal information by federal government 
agencies. It forbids the disclosure of personal information by federal 
agencies except under certain circumstances, and, subject to enumerated 
exceptions, gives individuals access to information maintained on them.
    FIDNet will be fully consistent with the Privacy Act's requirement 
that physical security and information management practices be designed 
to ensure individual privacy. As properly and legally formulated, 
FIDNet will increase the level of privacy and security afforded to 
information about individuals on government computers.

    Question 2. What type of data will be collected by FIDNet and how 
long will the Government Services Administration retain the data?
    Answer 2. FIDNet will not deploy collectors or sensors on any 
government agencies or other entity network. This is the job of the 
agency systems administrators and their intrusion detection systems. 
Instead, the FIDNet will receive from the agencies, under processes 
established by the agency systems administrators, only those alarm 
indications that the agency internal intrusion detection systems 
identify as anomalous and that the agency systems administrators 
forward to FIDNet.
    Intrusion detection system alarm data typically have a short shelf-
life and GSA does not envision a need to retain this data. However, 
legal requirements relating to government records may mandate that 
certain records be retained or archived in accordance with schedules 
established in accordance with law. This issue is currently being 
reviewed. Of course, GSA will continue to adhere to existing laws with 
respect to records involving law enforcement matters.
                                 ______
                                 

  Responses of John Tritak to Questions From Senator Dianne Feinstein

    Question 1. Does FIDNet comply with the Wire Tap Laws?
    Answer 1. Yes, FIDNet complies with the wiretap laws.
    At the outset and before we can respond to your question fully, we 
need to make two observations as a backdrop for the discussion. First, 
the Federal Intrusion Detection Network (the ``FIDNet'') proposal was 
and continues to be a work in progress. Since the release of PDD-63 in 
May 1998, the Administration has worked carefully to identify the full 
range of possible security options that incorporate intrusion detection 
technology. The proposal as described in the earliest drafts of the 
National Plan has evolved considerably, and continues to evolve.
    The second point to be made is that, as underscored in the National 
Plan, the FIDNet proposal will be implemented in a manner consistent 
with all relevant laws, including privacy laws. Our legal analysis of 
the proposal--and our ongoing consultation with the Department of 
Justice--continues as part of a comprehensive interagency process and 
in tandem with the evolution of the FIDNet to assure its adherence to 
the spirit and letter of law.
    FIDNet has been carefully tailored to vest authority and control in 
the Federal civilian agencies, consistent with the Computer Security 
Act of 1987, Clinger-Cohen Act, and Executive Order 13011, which 
implement Congressional policies. Under current practices, federal 
agency computer system administrators (as well as system administrators 
in most companies in the private sector) already analyze data flowing 
over their systems, based on strategic placement of intrusion detection 
technology in accordance with the needs of the organization. Under the 
FIDNet proposal as currently formulated:

   The agencies will decide what data on system anomalies to 
        forward to the GSA for further review;

   The GSA will use data on anomalies exclusively to warn 
        agencies about system anomalies; and

   Law enforcement would receive information about computer 
        attacks and intrusions only under long-standing legal rules 
        (i.e., when there is evidence of a crime). No new authorities 
        are implied or envisioned by the FIDNet program.

    FIDNet is intended to be a multi-level system. At the first level, 
each agency's own security-protection software will scan for harmful 
traffic entering that agency's system. (The key to understanding 
intrusion detection is the concept of a ``firewall,'' which by 
definition and design is meant to scan incoming transmissions for 
hostile files and programs.) In fact, this is already being done at 
federal agencies, not to mention most private companies. The National 
Plan contemplates that the implementation and operation of such 
protective measures will continue to be the responsibility of the 
individual agencies. The objective of FIDNet is not to send the 
resulting information to law enforcement officials. Instead, the goal 
is to improve overall federal system security through improved 
information sharing among systems administrators and information 
security officials.
    Contrary to Mr. Rotenberg's suggestion, the March 1999 Justice 
Department memorandum does not state at any point that FIDNet--even in 
the preliminary form then under analysis--would violate federal privacy 
law. On the contrary, the memorandum identifies the legal bases on 
which protective monitoring of government computer systems can be 
lawfully conducted.
    In fact, the current FIDNet proposal is structured to comply fully 
with the Electronic Communications Privacy Act (``ECPA''), 18 U.S.C. 
Sec. 2510 et seq., which incorporates federal wiretap law. 
Specifically, while ECPA generally prohibits the interception of 
electronic communications, it contains two relevant exceptions to that 
general prohibition: (1) consent of a party and (2) system protection 
monitoring activities. As to the first of these, the federal agencies 
participating in FIDNet will, in appropriate instances, establish 
consent to monitoring by using login ``banners'' displayed to each 
network's users.
    FIDNet will also rely on the separate exception applicable to 
systems protection. Under this exception, ECPA expressly authorizes a 
system owner or his agent to monitor network traffic on the system to 
the extent necessary to protect the ``rights or property'' of the 
system owner.
    In addition, the FIDNet concept is compatible with the Privacy Act. 
The Privacy Act, designed to protect personal privacy from unwarranted 
invasions by federal agencies, regulates the collection, maintenance, 
use, and dissemination of personal information by federal government 
agencies. It forbids the disclosure of personal information by federal 
agencies except under certain circumstances, and, subject to enumerated 
exceptions, gives individuals access to information maintained on them.
    FIDNet will be fully consistent with the Privacy Act's requirement 
that physical security and information management practices be designed 
to ensure individual privacy. As properly and legally formulated, 
FIDNet will increase the level of privacy and security afforded to 
information about individuals on government computers.

    Question 2. Under what legal authority does FIDNet function?
    Answer 2. The Administration is committed to structuring the FIDNet 
concept in strict adherence to existing protections under the law, 
including ECPA (Wiretap Statutes), the Privacy Act, and other laws. 
Please refer to Question 1 above for more details.

    Question 3. How are FIDNet and the NIPC redundant?
    Answer 3. They are not. FIDNet, when operational, will be a service 
offered by the GSA to the civilian departments and agencies to help 
them improve information sharing within the Federal civilian government 
amongst systems administrators. This information sharing covers the 
efficiency and reliability of intrusion detection systems which some 
agencies already employ in accordance with OMB Circular A-130. In 
short, the FIDNet is a centrally managed operational structure that 
permits GSA to look at and draw conclusions about anomalous cyber 
activity across the federal civilian government in a way that no single 
agency could do for itself.
    In contrast, the NIPC serves as the national focal point for threat 
assessment, warning, investigation, and response to attacks on the 
critical infrastructures. A significant part of its mission involves 
establishing mechanisms to increase the sharing of vulnerability and 
threat information between the government and private industry. It also 
provides invaluable input and capabilities to federal law enforcement 
and defense cyber operations.
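The flow that Answers 2 and 3 describe, namely agency-side selection of anomaly indications, a central recipient that uses them only to warn agencies and can see patterns no single agency could, and short retention subject to records law, as an added Python example. This is not FIDNet's or GSA's code; the field names, severity thresholds, 72-hour window and sample alarms are constructed for illustration.

```python
"""FIDNet-style alarm flow as described in the testimony: an agency's IDS
raises alarms, the agency decides which anomaly indications to forward,
the central recipient uses them only to warn agencies and keeps them
briefly.  Added example, not FIDNet's or GSA's code; field names,
thresholds, the retention window and the sample alarms are constructed."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed: the only alarm fields allowed to leave the agency.  Packet
# payloads, user names and full host addresses stay behind.
INDICATION_FIELDS = ("alert_id", "timestamp", "signature", "severity", "dst_service", "hit_count")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
T0 = datetime(2000, 2, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def select_for_forwarding(alarms: list, min_severity: str = "medium") -> list:
    """Agency-side policy: only alarms the agency's own IDS flagged as
    anomalous and that meet the agency's severity threshold go onward."""
    threshold = SEVERITY_RANK[min_severity]
    return [a for a in alarms
            if a.get("anomalous") and SEVERITY_RANK.get(a["severity"], 0) >= threshold]


def to_indication(alarm: dict, agency: str) -> dict:
    """Reduce a raw alarm to an anomaly indication: allowed metadata only,
    source generalised to its /24 (constructed choice), agency tag added."""
    record = {k: alarm[k] for k in INDICATION_FIELDS if k in alarm}
    record["src_net"] = str(ipaddress.ip_network(alarm["src_ip"] + "/24", strict=False))
    record["agency"] = agency
    return record


class IndicationStore:
    """Central store with a short retention window; records flagged as held
    under a records schedule survive purges (constructed flag)."""

    def __init__(self, ttl: timedelta):
        self.ttl = ttl
        self.records = []  # (received_at, legal_hold, indication)

    def add(self, record: dict, received_at: datetime, legal_hold: bool = False) -> None:
        self.records.append((received_at, legal_hold, record))

    def purge(self, now: datetime) -> int:
        """Drop unheld records older than the window; return how many went."""
        before = len(self.records)
        self.records = [(t, h, r) for t, h, r in self.records if h or now - t < self.ttl]
        return before - len(self.records)

    def cross_agency_signatures(self, min_agencies: int = 2) -> dict:
        """The warning the centre can give that no single agency could on its
        own: signatures seen at several agencies."""
        seen = {}
        for _, _, rec in self.records:
            seen.setdefault(rec["signature"], set()).add(rec["agency"])
        return {sig: ags for sig, ags in seen.items() if len(ags) >= min_agencies}


def raw_alarm(alert_id, signature, severity, anomalous, src_ip, dst_service, hit_count, **private):
    """Constructed IDS alarm; **private carries fields that must never be forwarded."""
    return dict(alert_id=alert_id, timestamp=T0.isoformat(), signature=signature, severity=severity,
                anomalous=anomalous, src_ip=src_ip, dst_service=dst_service, hit_count=hit_count, **private)


ALARMS_A = [  # constructed alarms from Agency-A's IDS
    raw_alarm("a1", "portscan", "high", True, "203.0.113.7", "smtp", 120, username="jdoe", payload=b"EHLO"),
    raw_alarm("a2", "policy-violation", "low", False, "10.0.0.5", "http", 1, username="asmith"),
    raw_alarm("a3", "suspicious-dns", "medium", True, "198.51.100.9", "dns", 40),
]
ALARMS_B = [  # constructed alarms from Agency-B's IDS
    raw_alarm("b1", "portscan", "high", True, "203.0.113.200", "ssh", 300),
    raw_alarm("b2", "suspicious-dns", "medium", True, "192.0.2.3", "dns", 12),
]


def run_demo() -> dict:
    """Two agencies with different thresholds forward into one central store."""
    store = IndicationStore(ttl=timedelta(hours=72))  # constructed window
    fwd_a = [to_indication(a, "Agency-A") for a in select_for_forwarding(ALARMS_A)]
    fwd_b = [to_indication(a, "Agency-B") for a in select_for_forwarding(ALARMS_B, "high")]
    for rec in fwd_a:
        store.add(rec, T0)
    for rec in fwd_b:  # constructed: B's records fall under a retention schedule
        store.add(rec, T0, legal_hold=True)
    warnings = store.cross_agency_signatures()
    dropped = store.purge(T0 + timedelta(hours=73))
    return {"forwarded_a": fwd_a, "forwarded_b": fwd_b, "warnings": warnings,
            "dropped": dropped, "remaining": len(store.records)}
```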

    Question 4. Give your opinion on the GAO's assertion that the 
current laws governing IT Security are outdated.
    Answer 4. The management of information security in the Federal 
government is an issue that is currently being debated in the Congress 
and the Administration, including in legislation such as S. 1993. 
Accordingly, the only observation I would make at this time is that we 
should rely on the existing legal framework, to the extent we can 
continue to assure ourselves that the system is working, is effective, 
and is providing the appropriate level of protection for the full range 
of proprietary, personal, and other sensitive information.

    Question 5. Is there a need to tailor infosec standards to certain 
types of information, and if so how?
    Answer 5. As discussed above, the only observation I would offer on 
this subject is that information technology is developing rapidly and 
that critical infrastructure protection needs to be an essential part 
of that development, if we are to build secure infrastructures. We 
should rely on the existing legal framework, to the extent we can 
assure ourselves that the system is working, is effective, and is 
providing the appropriate level of protection for proprietary, personal 
and other sensitive information.

    Question 6. Should Congress approve more money for PKI?
    Answer 6. Public Key Infrastructure (PKI) maximizes our capability 
to implement needed security services including confidentiality, 
integrity, authentication, non-repudiation and access control. PKI 
facilitates the secure exchange of information electronically. It is a 
key element for gaining increasing trust and confidence in the use of 
this medium for commercial applications.
    Today, cryptography is the most viable means of protecting 
information in cyberspace. As mentioned, public key cryptography, based 
on a PKI, maximizes our capability to implement needed security 
services including confidentiality, integrity, authentication, non-
repudiation and access control. Appropriate combinations of these 
services allow us to protect information stored and transmitted over 
the Internet from our lap-top and desk-top computers. The PKI also 
allows us to configure firewalls and other Internet components to 
protect the internal domain name services and routing table 
information. These PKI security services enable secure e-commerce, e-
mail and a myriad of important large distributed applications including 
those that provide Government services.
    Appropriated monies for PKI would be well spent in the following 
areas:

    PKI Standards, Testing and Product Certification--As industry 
responds to a growing customer base for PKI products, innovative and 
enterprising solutions are finding their way into large international 
markets. Of critical importance to the Government is the 
interoperability of a Government PKI with those of the public and 
private sectors and other sovereign governments. It is unlikely that 
these industry PKI solutions will meet all the unique Government PKI 
requirements. Appropriate testing and high confidence certifications 
for Government PKIs often go well beyond the interoperability and 
testing requirements of other PKIs. Additional government activities in 
interoperability standards development and in testing and certification 
are needed.
    PKI Research and Development--The Next Generation Internet (NGI) 
holds the promise of extremely high bandwidth, rich connectivity and 
extremely efficient large distributed applications. It is prudent to 
plan now for the security services that will likely be required for the 
NGI. Three interagency working groups are coordinating expertise to 
begin the process: The Large Scale Networking Next Generation Internet 
(LSN/NGI), the High Confidence Systems (HCSS) and the Critical 
Infrastructure Protection (CIP) communities have expressed interest in 
a Public Key Infrastructure for the Next Generation Internet. 
Additional government activities in defining the transition strategy 
from current PKI for the Internet to a PKI for the NGI are rightfully a 
research and development idea with low risk and high potential payoff 
for both our nation's next generation critical infrastructures and our 
government's next generation needs and requirements.
    Our models for secure e-commerce and e-mail have been tested with 
prototype implementations, but not stressed. We need real experiences 
with a Government PKI that provisions security in large, scalable high-
speed dynamic group communications similar to those used by our 
emergency response communications and messaging systems and other 
critical government systems. We know little about integrating PKI into 
large legacy applications used by the Government to provision services 
for the public. We know even less about integrating PKI into new, as 
yet untested, major applications that serve the public.
    Operational Critical Systems--While PKI technology by itself cannot 
completely protect critical operational systems, PKI is considered a 
necessary component when cryptography is deployed. Biometric techniques 
used in conjunction with PKI can provide high-grade authentication of 
people accessing critical assets. In addition, digital signature 
techniques based on PKI can provide integrity and non-repudiation of 
information and transactions--a key element in audit trail techniques. 
The monies necessary to upgrade legacy systems with PKI technology 
often come out of agency security budget lines. Monies specifically 
approved for PKI by the Congress would have the immediate effect of 
forming the critical mass necessary to jump-start the Government's PKI.
  

                                
