[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]



PROTECTING AMERICA'S CRITICAL INFRASTRUCTURE: HOW SECURE ARE GOVERNMENT 
                           COMPUTER SYSTEMS?

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                      OVERSIGHT AND INVESTIGATIONS

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 5, 2001

                               __________

                           Serial No. 107-13

                               __________

       Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house

                               __________

                  U.S. GOVERNMENT PRINTING OFFICE
73-508                     WASHINGTON : 2001
_______________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001


                    COMMITTEE ON ENERGY AND COMMERCE

               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL BILIRAKIS, Florida           JOHN D. DINGELL, Michigan
JOE BARTON, Texas                    HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio                RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania     EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California          FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma              BART GORDON, Tennessee
RICHARD BURR, North Carolina         PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa                    ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia             BART STUPAK, Michigan
BARBARA CUBIN, Wyoming               ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois               TOM SAWYER, Ohio
HEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona             GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING,          KAREN McCARTHY, Missouri
Mississippi                          TED STRICKLAND, Ohio
VITO FOSSELLA, New York              DIANA DeGETTE, Colorado
ROY BLUNT, Missouri                  THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia                  BILL LUTHER, Minnesota
ED BRYANT, Tennessee                 LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland     MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana                 CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California        JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska

                  David V. Marventano, Staff Director

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

              Subcommittee on Oversight and Investigations

               JAMES C. GREENWOOD, Pennsylvania, Chairman

MICHAEL BILIRAKIS, Florida           PETER DEUTSCH, Florida
CLIFF STEARNS, Florida               BART STUPAK, Michigan
PAUL E. GILLMOR, Ohio                TED STRICKLAND, Ohio
STEVE LARGENT, Oklahoma              DIANA DeGETTE, Colorado
RICHARD BURR, North Carolina         CHRISTOPHER JOHN, Louisiana
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
  Vice Chairman                      JOHN D. DINGELL, Michigan,
CHARLES F. BASS, New Hampshire         (Ex Officio)
W.J. ``BILLY'' TAUZIN, Louisiana
  (Ex Officio)

                                  (ii)


                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office..................................    53
    Dick, Ronald L., Director, National Infrastructure Protection 
      Center.....................................................    30
    McDonald, Sallie, Assistant Commissioner, Office of 
      Information Assurance and Critical Infrastructure, U.S. 
      General Services Administration............................    26
    Noonan, Tom, President and CEO, Internet Security Systems, 
      Inc........................................................    39
    Podonsky, Glenn S., Director, Office of Independent Oversight 
      and Performance Assurance, accompanied by Jason Bellone, 
      former member of the Computer Analysis Response Team, 
      Federal Bureau of Investigation; Karen Matthews, formerly 
      with Computer Forensics Laboratory, U.S. Department of 
      Defense; Brent Huston, author of book on hackproofing; and 
      Brad Peterson, Director, Office of Cyber Security and 
      Special Reviews, U.S. Department of Energy.................    13
    Tritak, John S., Director, Critical Infrastructure Assurance 
      Office, U.S. Department of Commerce........................    65
Material submitted for the record by:
    Kemper, Jason, III, Vice President, Government Affairs, 
      Cryptek, letter dated April 5, 2001, enclosing testimony 
      for the record.............................................    76

                                 (iii)

  

 
PROTECTING AMERICA'S CRITICAL INFRASTRUCTURE: HOW SECURE ARE GOVERNMENT 
                           COMPUTER SYSTEMS?

                              ----------                              


                        THURSDAY, APRIL 5, 2001

                  House of Representatives,
                  Committee on Energy and Commerce,
              Subcommittee on Oversight and Investigations,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:40 a.m., in 
room 2322, Rayburn House Office Building, Hon. James C. 
Greenwood (chairman) presiding.
    Members present: Representatives Greenwood, Tauzin, (ex 
officio), Strickland, and DeGette.
    Also present: Representatives Norwood and Davis.
    Staff present: Tom DiLenge, majority counsel; Amit Sachdev, 
majority counsel; Peter Kielty, legislative clerk; and Edith 
Holleman, minority counsel.
    Mr. Greenwood. This hearing of the Oversight and 
Investigations Subcommittee will come to order. The Chair 
recognizes himself for 5 minutes for the purpose of an opening 
statement.
    Today, the subcommittee holds a hearing to assess the 
security of government computer systems. In particular, we will 
assess how well or how poorly they are protecting our most 
critical cyberinfrastructures and operations from the threat of 
disgruntled insiders, hackers, criminals, terrorists, and rogue 
nation-states. Over the past 2 years this committee has 
conducted extensive oversight of computer security at 
particular government agencies, most notably EPA, the 
Department of Energy, and to a lesser extent, FDA and the 
Department of Commerce. Our reviews consistently have found 
poor computer security planning and management and a general 
lack of compliance with existing requirements of law and 
policy.
    We also found that, with few exceptions, the agencies were 
not testing their own systems to determine whether their 
security plans and policies were as effective in practice as 
they looked on paper. And we found that whenever real testing 
of agency systems was conducted numerous significant and easily 
exploitable vulnerabilities were almost always discovered.
    In response, Congress passed a law last October that 
reiterated computer security requirements contained in prior 
Federal laws and OMB directives mandating that agencies develop 
security plans for their systems and conduct periodic risk 
assessments and tests of those systems. But it also imposed a 
new requirement, that agency inspectors general conduct an 
independent test of an appropriate subset of agency systems 
each year.
    One month ago, in order to set a benchmark for measuring 
agency progress under this new law, I wrote to 15 Federal 
departments, agencies, and commissions within this committee's 
jurisdiction to inquire about their compliance with computer 
security directives and their plans to implement the new law. 
While a few of the agencies are still in the process of 
producing documentation for us, it is fair to say that, at this 
point, we are not surprised or pleased by what we are finding.
    In particular, very few of the responding agencies have had 
any true penetration tests of their computer systems conducted 
and many of these were very limited in nature and scope, 
conducted as part of financial system audits. A few other 
agencies have conducted automated scans of their network to 
search for vulnerabilities in their configurations or operating 
systems which, while worthwhile, do not reveal the real degree 
of potential exploits of their systems. And several other 
agencies reported no scans or penetration tests whatsoever.
    Also, not surprising, the tests and scans that have been 
done continue to reveal real computer security problems at 
these agencies:
    A recent internal scan conducted by a Commerce Department 
bureau found more than 5,000 security ``holes,'' or known 
vulnerabilities, in its networks and systems; and that of 1,200 
hosts or workstations scanned, fully 30 percent suffered from 
category ``red'' vulnerabilities, which is the most severe 
rating because of the potential to compromise an entire 
account.
    An internal test of a Medicare contractor 2 years ago 
found, unbelievably, that the network system administrator's 
account--let me repeat that, the network system administrator's 
account--could be easily compromised because his password was 
the same as his user name.
    A recent internal test of a critical HHS operating 
division, using freely available password cracking software, 
resulted in 60 percent of passwords being cracked in under 10 
minutes.
    Unfortunately, these findings are not the exception. They 
are just some of the many examples of poor computer security we 
are finding during the course of our review. Consistent with 
the broad swath of GAO and inspector general computer security 
audits across the Federal Government over the past 4 or 5 
years.
    I point these out not to embarrass particular agencies--
actually, they should be commended for testing their systems to 
find these problems in the first place--but rather to emphasize 
the need for the Federal Government to begin taking 
cybersecurity much more seriously than we have been. They also 
clearly demonstrate the need to increase our level of testing 
so that problems can like these can be found and corrected 
before real damage is done.
    Why is this so important? Because as we will see and hear 
today, the threats and attacks on government systems are 
increasing and the technology used to perpetrate such attack is 
becoming both more sophisticated and more generally available. 
An expert team from the Department of Energy will demonstrate 
this morning how such attacks are conducted, using freely 
available software tools found on the Internet, and they will 
show us the results from some recent real-world testing the 
team conducted at several DOE sites.
    For its part, GSA, which tracks overall security incidents 
at Federal civilian agencies, will testify today that in the 
year 2000 alone 32 agencies reported 155 known ``root'' 
compromises of their computer systems, the most serious type of 
incident tracked because the unauthorized user was able to gain 
complete control of the server or system compromised.
    GSA also will testify that there were hundreds of incidents 
of network reconnaissance reported by 18 different civilian 
agencies last year, mostly from foreign sources and targeting 
our scientific facilities. And these are only the incidents we 
know about. GSA estimates that only 20 percent of all known 
incidents are reported by the agencies and there likely are 
thousands more that go undetected by the agencies themselves.
    GSA and other experts in this field also estimate that 
nearly all of the incidents reported on both government and 
private systems could have been prevented had the system 
administrators fixed well-known vulnerabilities with existing 
patches or configuration changes.
    While no network can ever be 100 percent secure from the 
most sophisticated and novel attacks, it should not be an 
unreasonable expectation that our sensitive systems would be 
secure from commonly known vulnerabilities.
    Finally, as the title of this hearing suggests, we also 
will focus today on the related issue of critical 
cyberinfrastructure protection, that is, the protection of 
those Federal cybersystems that are truly critical to the 
Nation's security for the public's health and welfare. Not all 
computer systems are created equal, nor do they deserve the 
same level of security attention.
    The Clinton administration realized the need to focus the 
attention on threats posed to our most critical cybersystems by 
terrorists or others intent on doing the Nation harm. 
Accordingly, in May 1998, the President issued a directive 
mandating the Federal agencies identify their critical assets, 
assess the vulnerabilities of those assets, and then implement 
plans to fix the vulnerabilities by May 2003. However, several 
recent reports confirm what the committee's own review has 
found that, 3 years later, most agencies are still in the 
process of identifying their critical assets and virtually none 
have made significant progress in assessing and mitigating 
vulnerabilities in those systems or the private sector 
resources on which these Federal systems so often rely. Given 
this state of affairs, it appears that we will not meet this 
deadline unless we dramatically increase our focus on this 
problem in the very near term.
    Clearly, we need to do better both with respect to critical 
cybersystems and to overall computer security throughout the 
Federal Government. I hope that today's hearing will be the 
first in a series on these important and related topics, that 
we can work together on both sides of the aisle and with this 
new administration to improve the security of our Nation and 
the sensitive data held by our Federal Government.
    The Chair recognizes Mr. Strickland for an opening 
statement.
    Mr. Strickland. Mr. Chairman, thank you for holding this 
hearing on this very important question.
    As one of our witnesses will testify today, the existence 
of the Internet ties together a vast array of computer systems 
and networks. For communications, commerce, and the democratic 
exchange of ideas, there are enormous benefits from this full 
and open access; but like any technology that is new, or 
relatively new, it has a serious downside. By tying these 
networks together, the Internet makes them all vulnerable to 
hacking by creative teenagers and others with more nefarious 
purposes such as fraud, identity theft, extortion, disruptions 
of commercial service, and terrorist attacks.
    One system can be used as a platform to attack other 
systems. Without appropriate safeguards, any system can be hit, 
whether it is essential to our defense and economy or it is a 
site that sells goods in an electronic auction; and it appears 
that the attempts to penetrate both government and private 
systems are increasing. We must recognize that no system will 
ever be completely secure, but the question is whether the 
Federal response to safeguard their critical assets is adequate 
and whether it has the resources to respond fully.
    A great deal was done by the previous administration to 
begin to address this enormous task. President Clinton 
established a Commission on Critical Infrastructure Protection 
in July 1996 to look at the scope and the nature of 
vulnerabilities and threats to the Nation's critical 
infrastructures and to recommend a comprehensive national 
policy and implementation plan for protecting them, whether 
public or private.
    The result was the commission's 1997 report, which found no 
immediate crisis threatening the infrastructure, but did find 
that threat to and the vulnerability of the critical 
infrastructure existed. President Clinton responded by issuing 
Presidential Decision Directive 63 in May 1998, which ordered 
the Federal agencies to identify their critical 
infrastructures, take steps to protect them and work 
cooperatively with private companies which control most of the 
infrastructure, to secure those systems also. The target date 
for completion was May of 2003.
    Presidential Directive 63 listed the areas in which the 
infrastructure should be protected, and established the 
position of National Coordinator for Security and for 
Structural Protection and Counterterrorism in the National 
Security Council. It set up the critical Infrastructure 
Assurance Office at the Commerce Department to support the 
national coordinator and the agencies and gave the Federal 
Bureau of Investigation the explicit authority to expand its 
existing cybercrimes unit into the National Infrastructure 
Protection Center.
    Prior to this Presidential directive, President Clinton had 
already established a Federal computer intrusion response 
capability, which is housed at the General Services 
Administration. A national plan for information systems 
protection, the first in the world by a national government, 
was issued in January of 2000. And just before he left office, 
President Clinton nominated 18 members of the National 
Infrastructure Assurance Council, which is to report on the 
actions of private and public bodies to protect their critical 
infrastructures.
    Three industry sectors also have established information 
sharing and analysis centers.
    How far along are the agencies in implementing the 
Presidential directive? Certainly they are ahead of where they 
were 5 years ago when cybersecurity was given little, if any, 
attention, but they are not far enough along and they remain 
vulnerable. As we will hear from the Commerce Department 
witnesses, most agencies still have to finish identifying their 
critical infrastructure assets. They will not meet the 2003 
deadline without significant additional resources.
    Furthermore, no one know if the structure established by 
the previous administration to enforce Presidential Directive 
63 will be continued by the new administration. The old 
structure was not perfect, and there are numerous overlapping 
and conflicting responsibilities resulting from the differing 
directives in PDD-63 and various other laws. But we must 
request that the Bush administration tread lightly and consider 
whether a completely new structure will delay even longer this 
very important task.
    A question for the Congress to address is whether the 
agencies are getting the money they need to get the job done. 
This body has not been particularly responsive to 
appropriations for computer security, as evidenced by its 
rejection of most of the requests last year for beefing up the 
Energy Department security, its rejection of the $50 million 
request for an Institute for Information Infrastructure 
Protection, and an almost 50 percent reduction in GSA's request 
for funding for their needs.
    One other concern I must mention, however, is privacy. GSA 
has published a very disturbing newsletter that tells agencies 
to get around Congress' and the public's concerns about being 
tracked by Federal agencies by contracting out the service and 
calling it something else. I have attached that document to my 
testimony and would like it placed in the record.
    Mr. Chairman, these are all issues that I hope this 
subcommittee will address in the next several months. I may 
have additional documents to place in the record and would 
request that the record be held open for that purpose.
    Thank you, Mr. Chairman.
    Mr. Greenwood. The Chair thanks the gentleman. Without 
objection his attachment will be entered into the record.
    [The prepared statement of Hon. Ted Strickland follows:]

Prepared Statement of Hon. Ted Strickland, a Representative in Congress 
                         from the State of Ohio

    Mr. Chairman, thank you for holding this hearing on this very 
important question. The existence of the Internet ties together a vast 
array of computer systems and networks. For communications, commerce 
and the democratic exchange of ideas, there are enormous benefits from 
full and open access to these systems. But, like any technological 
advance, it also has a serious downside. By tying these networks 
together, the Internet makes them all vulnerable to hacking by creative 
teen-agers and others with more nefarious purposes such as: fraud; 
identity theft; extortion; disruptions of commercial service; and 
terrorist attacks. One system can be used as a platform to attack other 
systems. Without appropriate safeguards, any system can be hit, whether 
it is essential to our defense and economy, or it is a site that sells 
goods in an electronic auction. And it appears that the attempts to 
penetrate both government and private systems are increasing.
    We must recognize that no system will ever be completely secure, 
but the question is whether the federal government's response to 
safeguard its critical assets is adequate, and whether it has the 
resources to fully respond. A great deal was done by the previous 
administration to begin to address this enormous task. President 
Clinton established a Commission on Critical Infrastructure Protection 
in July of 1996 to look at the scope and nature of vulnerabilities and 
threats to the nation's critical infrastructures and recommend a 
comprehensive national policy and implementation plan for protecting 
them, whether public and private. The Commission's 1997 report found no 
immediate crisis threatening the infrastructure, but did find that the 
threat to and vulnerability of the critical infrastructure existed. 
President Clinton responded by issuing Presidential Decision Directive 
63 in May of 1998. It ordered federal agencies to identify their 
critical infrastructures, take steps to protect them and work 
cooperatively with private companies--which control most of the 
infrastructure--to secure those systems also. The target date for 
completion was May of 2003.
    PDD 63 listed the areas in which the infrastructures should be 
protected, and established the position of national coordinator for 
security, infrastructure protection and counter-terrorism in the 
National Security Council. It set up the Critical Infrastructure 
Assurance Office at the Commerce Department to support the national 
coordinator and the agencies and gave the Federal Bureau of 
Investigation the explicit authority to expand its existing cyber 
crimes unit into the National Infrastructure Protection Center (NIPC). 
Prior to PDD 63, President Clinton had already established a Federal 
Computer Intrusion Response Capability, or ``Fed CIRC'', which is 
housed at the General Services Administration. A national plan for 
information systems protection--the first in the world by a national 
government--was issued in January of 2000. And just before he left 
office, President Clinton nominated 18 members of the National 
Infrastructure Assurance Council, which is to report on the actions of 
private and public bodies to protect their critical infrastructures. 
Three industry sectors also have established Information Sharing and 
Analysis Centers or ISACs.
    How far along are the agencies in implementing PDD 63? Certainly, 
they are ahead of where they were five years ago when cyber security 
was given little, if any, attention. But they are not far enough along, 
and they remain vulnerable. As we will hear from the Commerce 
Department witnesses, most agencies still have to finish identifying 
their critical infrastructure assets. They will not meet the 2003 
deadline without significant additional resources.
    Furthermore, no one knows if the structure established by the 
previous administration to enforce PDD-63 will be continued in the new 
administration. The old structure was not perfect, and there are 
numerous overlapping and conflicting responsibilities resulting from 
the differing directives in PDD-63 and various laws. But the Bush 
Administration should tread lightly and consider whether a completely 
new structure will delay even longer this very important task.
    A question for the Congress to address is whether the agencies are 
getting the money they need to get the job done. This body has not been 
particularly responsive to appropriations for computer security as 
evidenced by its rejection of most of the request last year for beefing 
up the Energy Department's security; its rejection of NIST's $50 
million request for an Institute for Information Infrastructure 
Protection; and an almost 50 percent reduction of GSA's request for 
funding for Fed CIRC.
    One other concern that I must mention, however, is privacy. GSA has 
published a very disturbing newsletter that tells agencies to get 
around Congress' and the public's concerns about being tracked on the 
Internet by federal agencies by contracting out the surveillance to 
private contractors and calling it ``Management Security Services.'' I 
have attached that document to my testimony and would like it placed 
into the record.
    Mr. Chairman, these are all issues that I hope this Subcommittee 
will address in the next several months. I may have additional 
documents to place in the record and would like to request that the 
record to be held open for that purpose.

    Mr. Norwood. Mr. Chairman, I ask unanimous consent that I 
may make a brief opening statement.
    Mr. Greenwood. Mr. Norwood, while an esteemed member of the 
Energy and Commerce Committee, does not have the honor of 
serving on this subcommittee. But we have the honor of his 
presence, and without objection, we will ask that he be offered 
time for an opening statement.
    Mr. Norwood. Thank you very much, Mr. Chairman.
    I am here for two or three reasons this morning, one of 
which is to thank you and to congratulate you and to tell you 
how pleased I am that you are taking the Commerce Committee in 
this direction in terms of the security for our Nation. I thank 
you for that, and I hope, too, you will have many other 
hearings.
    To give you some indication of how important I think this 
subject is, about right now we are teeing off the first tee in 
the Augusta National this morning, my home district, and I 
promise you I would have loved to have been there, but I view 
this as a little more important.
    The other reason I wanted to come this morning is because I 
am very pleased with the witnesses and especially that you have 
the President and CEO of Internet Security Systems here as a 
big player in all of this. ISS has been recognized as the 
worldwide leader, Mr. Chairman, in the intrusion detection and 
vulnerability assessment market. In addition, ISS has become 
the world's largest provider of managed security service, and 
they deliver a 24-7 security monitoring and management, just 
sort of something we might be interested in. And I guess I am 
just real tickled that a Georgia company has played such a 
leading role in this extremely important area.
    We have indications that this area of computer security is 
growing very, very rapidly. For example, ISS has been named the 
fifth fastest growing technology company in North America and, 
listen to this, this is based on a 5-year revenue growth of 
45,000 percent. There is some indication in that number that 
tells us all how important this is and must be.
    This achievement demonstrates to me that this is a large 
emerging area that will impact today's Internet economy.
    Now, the government has taken strides--I don't know whether 
to say great or good--but at least strides in the past few 
years. However, as you know, much more is needed. Funding must 
be increased by a substantial amount if we take this seriously. 
As industry has considered resources and expertise, a continued 
partnership with industry on this subject is going to be very 
critical; and it is my understanding that ISS has played a 
leadership role in working and partnering with the government 
on security issue s. And with any private company you do that 
with some risk, but I think and hope this relationship will 
continue, not just because it is good for a Georgia company, 
but because it is so very needed for the national security of 
this Nation. And with that, Mr. Chairman, I will submit the 
rest for the record and thank you for your courtesy and 
kindness this morning.
    Mr. Greenwood. The Chair thanks the gentleman. Without 
objection, the rest of his testimony, as well as the testimony 
of all other members who may submit them, will be entered into 
the record. Also a member of the committee, but not a member of 
the Oversight and Investigation Subcommittee, is Mr. Davis of 
Virginia, and we are happy to have him here as well.
    Mr. Davis. Thank you very much. Let me--Mr. Chairman, I ask 
unanimous consent that I be able to make some comments.
    Mr. Greenwood. Without objection.
    Mr. Davis. Thanks for allowing me to participate in this 
hearing today. I want to compliment you and your staff on the 
diligent work on this pressing issue. It is vitally important 
that we in Congress recognize and understand the complexities 
we face in pursuing our Nation's critical infrastructure, the 
systematic activities that are essential to the minimum 
operation of our economy and government.
    Although 95 percent of our critical infrastructure is owned 
and operated by the private sector as your Nation's front line, 
the Federal Government plays an essential role in sharing 
information about cyberthreats against our assets. But the 
evidence demonstrates that the Federal Government is 
dangerously behind the curve in getting its own house in order. 
Simply put, we are losing time. Since 1997, GAO has listed 
information security as a governmentwide high-risk area and has 
conducted numerous reviews which have continuously sounded the 
alarm about widespread weakness and vulnerabilities in the 
Federal Government's information systems.
    During March of last year, as part of a review requested by 
the Subcommittee on Government Management Information and 
Technology, of which I was a member, GAO has found that 22 of 
the largest Federal agencies were providing inadequate 
protection to critical Federal operations and assets from 
computer-based attacks. They were able to identify systemic 
weaknesses in the information security practice of the 
Department of Defense, the National Aeronautics and Space 
Administration, the Department of State, and the Department of 
Veterans Affairs; and then, as many of you know, in September 
of 2000, the subcommittee gave the Federal Government an 
overall D-minus on its computer security practices report card.
    Just as the Romans built the greatest network of roads at 
the height of the Roman Empire and the barbarians used these 
same networks to destroy the Romans, so we may face the same 
vulnerabilities with the advances we have made in technology 
and the interconnectivity of our networks. There is no doubt 
that nations are in the process of developing tools to 
penetrate and cripple these networks.
    At the same time, the outside world is but one source of 
the threat to government information systems. Much of the 
threat comes from within the government. A key challenge to 
making the Federal Government more secure lies in the mindSet 
of many Federal agencies vis-a-vis the importance of 
information security to their operations and assets.
    For many, implementing best practices for controlling and 
protecting information resources is just a low priority. The 
question before us then is, what do we do about it? What steps 
should Congress take to change the direction and reduce the 
vulnerability of Federal operations and assets?
    As one who has studied the issue for over a year, I come to 
the conclusion there are two necessary components to achieving 
the goal. First, I strongly believe there is a dire need for a 
strong central leader who can coordinate implementation of 
information security best practices across government. 
Currently, these responsibilities are shared by several Federal 
agencies, some of whom are before us today, which make the 
coordination and uniformity of information security practices a 
formidable obstacle.
    The government information security community needs an 
advocate who can ensure that information security becomes an 
integrated component of information systems. Let me say I agree 
with those who assert that funding for implementing information 
security measures is inadequate. I submit that having a Federal 
CIO with this responsibility, as I put forth in legislation, 
who can champion the agency's security needs, would be an 
effective voice in this respect.
    Second, we need to encourage information sharing between 
the private sector and government. As many of our witnesses 
would likely agree, the ownership dynamic of our Nation's 
critical assets makes crucial the development of thriving 
public-private partnerships for this purpose, but with the 
current Federal computer systems it is, in my mind, entirely 
reasonable that many in the private sector are wary of entering 
into these partnerships. At the same time, current law is 
retarding the implementation of the National Infrastructure 
Assurance Plan. It is for this reason we introduced legislation 
last year that gives critical infrastructure industries the 
assurances they need to confidently share information with the 
Federal Government.
    Our measure would provide a limited FOIA exemption, civil 
litigation protection for shared information, and an antitrust 
exemption for information shared within an information sharing 
and analysis. These three protections were cited by the past 
administration as necessary legislative remedies. This 
legislation would enable the ISACs to move forward without fear 
from industry, so that government and industry could enjoy the 
mutually cooperative partnership called for in the PDD-63.
    I ask unanimous consent the rest of my statement be put in 
the record, and I appreciate the opportunity to be here today.
    Mr. Greenwood. Without objection, the gentleman's statement 
in its entirety will be placed in the record.
    [The prepared statement of Hon. Tom Davis follows:]

Prepared Statement of Hon. Tom Davis, a Representative in Congress from 
                         the State of Virginia

    Mr. Chairman, thank you very much for allowing me to participate 
today in this hearing. I want to compliment you and your staff for your 
diligent work on this pressing issue.
    It is vitally important that we in Congress recognize and 
understand the complexities we face in pursuing the protection of our 
nation's critical infrastructure--those systemic activities that are 
essential to the minimum operations of our economy and government. 
Although 95% of our critical infrastructure is owned and operated by 
the private sector, as our nation's front line, the Federal Government 
plays an essential role in sharing information about cyber threats 
against our assets.
    But the evidence demonstrates that the Federal Government is 
dangerously behind the curve in getting its house in order. Simply put, 
we are losing time. Since 1997, GAO has listed information security as 
a governmentwide high risk area and has conducted numerous reviews 
which have continuously sounded the alarm about widespread weaknesses 
and vulnerabilities in the Federal Government's information systems. 
During March of last year, as part of a review requested by the 
Subcommittee on Government Management, Information, and Technology, of 
which I was a Member, GAO found that 22 of the largest federal agencies 
were providing inadequate protection for critical federal operations 
and assets from computer-based attacks. They were able to identify 
systemic weaknesses in the information security practices of the 
Department of Defense, the National Aeronautics and Space 
Administration, the Department of State, and the Department of Veterans 
Affairs. And then as many of you know, in September 2000, the 
Subcommittee gave the Federal Government an overall D- on its computer 
security practices report card.
    Just as the Romans built the greatest network of roads at the 
height of the Roman Empire and the Barbarians later used this same 
network to destroy the Romans, so may we face the same vulnerabilities 
with the advances we have made in technology and the interconnectivity 
of our networks. There is no doubt that nations are in the process of 
developing tools to penetrate and cripple these networks.
    At the same time, the outside world is but one source of the threat 
to government information systems. Much of the threat comes from within 
the government. A key challenge to making the Federal Government more 
secure lies in the mind set of many federal agencies vis-a-vis the 
importance of information security to their operations and assets. For 
many, implementing best practices for controlling and protecting 
information resources is a low priority.
    The question before us then is what do we do about it? What steps 
should Congress take to change the direction and reduce the 
vulnerability of federal operations and assets?
    As one who has studied these issues for over a year now, I have 
come to the conclusion that there are two necessary components to 
achieving this goal. First, I strongly believe that there is dire need 
for a strong central leader who can coordinate the implementation of 
information security best practices across government. Currently, these 
responsibilities are shared by several federal agencies (some of whom 
are before us today), which makes the coordination and uniformity of 
information security practices a formidable obstacle. The government 
information security community needs an advocate who can ensure that 
information security becomes an integrated component of information 
systems. Let me also say that I agree with those who assert that 
funding for implementing information security measures is inadequate, 
and I submit that having a Federal CIO with this responsibility as I 
have put forth in legislation, who can champion the agencies' security 
needs, would be an effective voice in this respect.
    Second, we need to encourage information sharing between the 
private sector and government. As many of our witnesses would likely 
agree, the ownership dynamic of our nation's critical assets makes 
crucial the development of thriving public/private partnerships for 
this purpose. Yet with the current state of Federal computer systems, 
it is in my mind entirely reasonable that many in the private sector 
are wary of entering into those partnerships. At the same time, current 
law is retarding the implementation of the National Infrastructure 
Assurance Plan. It is for this reason that I introduced legislation 
last year that gives critical infrastructure industries the assurances 
they need in order to confidently share information with the Federal 
Government. My measure would provide a limited FOIA exemption, civil 
litigation protection for shared information, and an antitrust 
exemption for information shared within an Information Sharing and 
Analysis (ISAC). These three protections were cited by the past 
Administration as necessary legislative remedies in Version 1.0 of the 
National Plan for Information Systems Protection and PDD-63. This 
legislation would enable the ISACs to move forward without fear from 
industry so that government and industry may enjoy the mutually 
cooperative partnership called for in PDD-63.
    As Chairman of the House Government Reform Subcommittee on 
Technology and Procurement Policy, I will be continuing to explore this 
matter, along with Chairman Steve Horn of the Government Efficiency, 
Financial Management, and Intergovernmental Affairs Subcommittee. I am 
grateful that you, Mr. Chairman, have also taken an active approach to 
addressing this problem today, and I look forward to working with you 
to make the Federal Government a model for risk management and the 
protection of information systems. As well, I am pleased to have the 
opportunity to hear the testimony of our distinguished panelists and 
appreciate their being here. I want to particularly welcome here today, 
Mr. Tom Noonan, the President and CEO of Internet Security Systems, 
which is headquartered in Atlanta but has an important presence in my 
district. I look forward to hearing from all of you.

    Mr. Greenwood. The Chair recognizes the chairman of the 
full committee, the gentleman from Louisiana, Mr. Tauzin, for 
an opening statement.
    Chairman Tauzin. Thank you, Mr. Chairman, for holding this 
important hearing on the inadequacy of the Federal efforts to 
protect our Nation's critical cyberinfrastructure and the vast 
amount of sensitive data that is stored on Federal computer 
systems.
    I really don't think that many people realize the extent to 
which the Federal civilian agencies collect and store so much 
sensitive information, whether it is medical, financial or 
other personal information on American citizens, confidential, 
proprietary data from America's corporations, cutting-edge 
scientific research, or whether it is export controlled 
information or even sensitive law enforcement information. 
There are tons of it that is subject to hacking and to 
compromise.
    We learned, for example, in the GAO report that even the 
IRS had allowed a cookie on its Web site. Nor do most people 
realize the extent to which we as a Nation have become so 
independent on these computer systems to assure our national 
economic security, and I think it would come as quite a 
surprise for most Americans to learn which these Federal 
agencies are the target of attacks by foreign and domestic 
sources bent upon espionage and other very malicious actions.
    Faced with this kind of serious challenge, the Federal 
Government has not performed well. This committee's oversight 
continues to reveal troubling computer security deficiencies 
across the Federal Government, deficiencies that place critical 
services and sensitive data at significant risk of compromise. 
Here, the connection between the security and the privacy of 
American citizens cannot be ignored.
    A recent inspector general's audit of the Health Care 
Financing Administration and several of its Medicare 
contractors, which the committee is releasing publicly today, 
found numerous system control weaknesses that permitted 
unauthorized access to sensitive beneficiary information. This 
is sensitive health care information about Americans that we 
discovered could be easily compromised in the Federal HCFA 
systems; and while we don't know today whether the information 
was in fact compromised, we intend to find out whether that has 
in fact happened. And I can assure you, in a private 
conversation I had with Secretary Thompson yesterday, he 
intends to see what is going on at HCFA in this critical area 
and he intends to get it fixed before this is an issue of 
enormous importance to Americans and one that this committee, I 
hope, Mr. Chairman, will continue to take a very close and 
diligent look at.
    The Clinton administration talked a great deal about 
cybersecurity and critical infrastructure protection over the 
past several years, holding Presidential summits and issuing 
Presidential directives. The administration, for example, said 
the Federal Government would serve as a model for good security 
practice for the private sector, which controls much of the 
Nation's infrastructure, that it might follow and emulate. 
Despite all the rhetoric and the photo ops and the paper 
exercises, the bad news continues to roll in with every GAO 
report, every inspector general's audit, with every 
congressional oversight hearing, with each day's newspaper 
accounts which each real-world test of government's computer 
systems security, no matter how recent, we continue to learn 
how bad the situation is.
    For example, two reports released this year show little 
progress that Federal agencies have made in protecting critical 
cyberassets in the 3 years since the President issued his PDD-
63. Essentially, we are still in the process of identifying the 
critical assets and their interdependencies, which raises the 
question, how can we adequately protect our most critical 
cybersystems when we haven't yet identified them all.
    This is not to say that there have not been improvements in 
the area, and certainly there have been some, particularly at 
those agencies that have felt the sting of public 
embarrassment, but overall we are barely treading water; and 
unless we get serious about the effort, we will never keep up 
with the rapid advances of technology in this area which 
continue to reveal new ways to attack cybersystems.
    The technology to get into our systems is advancing much 
more rapidly than the deployment of security to protect them, 
and in this increasingly interconnected world, we are either 
going to prioritize our resources better to meet this 
challenge, something that today Congress has not yet forced the 
agencies to do, or we are going to find ourselves in deep, deep 
trouble, and Americans are going to wake up angrier than you 
can possibly imagine to learn that in many cases their 
personal, sensitive data, which they shared not voluntarily, 
but involuntarily with the Federal Government, has been 
compromised and perhaps will be used in ways that they find 
very offensive.
    This committee has both the responsibility and the 
authority to conduct oversight as to whether a nation's 
critical and computer systems are being adequately protected, 
and we intend to do that. And I want to thank you, Mr. 
Chairman, for taking this job and this assignment so seriously.
    This is an extremely important hearing. If Americans are 
concerned about privacy and security on the Internet as they do 
commerce voluntarily, let me assure you their concern, as they 
share sensitive information with government agencies 
involuntarily, is even deeper, and our obligations here are 
much stronger.
    Thank you for taking this seriously, and I yield back the 
balance of my time.
    Mr. Greenwood. Thanks to the chairman for his statement.
    [Additional statement submitted for the record follows:]

Prepared Statement of Diana DeGette, a Representative in Congress from 
                         the State of Colorado

    I want to thank the Chair for holding this important hearing, and I 
want to thank our witnesses for being here today.
    The positive aspects of advanced technology in communications go 
without saying. Enhanced inter-connectivity brings a whole new level of 
efficiency and speed to our systems.
    The downside is that this same inter-connectivity can create 
vulnerability. I think a good analogy is when the gene pool of a 
certain species loses its diversity, a certain strain of virus can come 
in and wipe out the whole population because they all share the same 
vulnerabilities.
    It is certainly eye opening to learn, as I did when preparing for 
this hearing, that the number of serious security breaches of federal 
systems is on the rise. Most unnerving of all is the knowledge that 
there were over 150 incidents of the utmost severity last year alone 
when an unauthorized user was able to gain complete control of a system 
within 32 federal civilian agencies.
    The Government Information Security Reform Act, passed last year, 
appears to be a step in the right direction to evaluate government 
computer system weaknesses and then address the problems that exist. I 
expect that this subcommittee will be among the first to gain the 
results of the independent tests that are due to be completed by 
October of this year and again in 2002.
    It is reassuring to learn that action has already been taken to 
evaluate the government's system weaknesses. I think the Clinton 
Administration deserves great credit for recognizing the growing 
threats to our nations security within this area, and taking steps to 
address the risk that poor federal computer security poses to our 
country. The Executive Order in 1996 that established the President's 
Commission on Critical Infrastructure Protection (PCCIP) was a 
tremendous step in officially recognizing this growing problem and 
bringing the public and private sector together to address it.
    In 1998, a Presidential Directive was issued to have federal 
officials to create and implement a strategy for protecting the 
nations' critical infrastructures, which was another crucial step for 
the security of our country.
    I am glad to learn that the new Administration is taking this issue 
seriously and am anxious to learn more about its plans to continue this 
important work and who will be in charge of coordinating this effort 
within each agency.
    Thanks again to the witnesses for coming, and I look forward to 
hearing the testimony.

    Mr. Greenwood. If there are no more opening statements by 
members, I would like to turn to our cybersecurity penetration 
demonstration and welcome Mr. Glenn Podonsky, Director of the 
Department of Energy's Office of Independent Oversight and 
Performance Assurance, and his excellent team of cyberexperts 
to this hearing. And I thank you for putting together this 
demonstration for the committee.
    Mr. Podonsky, although you and your team technically are 
not witnesses today and are not testifying before the 
subcommittee, it is our general practice to swear in all 
persons who appear before the subcommittee; and if you and your 
team have no objection, I would like to do that now. I ask that 
you rise and raise your right hand.
    Do any of you have any objections to testifying under oath?
    Seeing none, the Chair then advises you that under the 
rules of the House and the rules of the committee, you are 
entitled to be advised by counsel. Do you desire to be advised 
by counsel during your testimony?
    Mr. Podonsky. No.
    Ms. Matthews. No.
    Mr. Bellone. No.
    Mr. Huston. No.
    Mr. Peterson. No.
    Mr. Greenwood. In that case, would you please rise and 
raise your right hand, as you already have.
    [Witnesses sworn.]
    Mr. Greenwood. You may be seated and we recognize you, Mr. 
Podonsky, and look forward to your demonstration.

TESTIMONY OF GLENN S. PODONSKY, DIRECTOR, OFFICE OF INDEPENDENT 
  OVERSIGHT AND PERFORMANCE ASSURANCE, ACCOMPANIED BY, JASON 
BELLONE, FORMER MEMBER OF THE COMPUTER ANALYSIS RESPONSE TEAM, 
FEDERAL BUREAU OF INVESTIGATION; KAREN MATTHEWS, FORMERLY WITH 
  COMPUTER FORENSICS LABORATORY, U.S. DEPARTMENT OF DEFENSE; 
    BRENT HUSTON, AUTHOR OF BOOK ON HACKPROOFING; AND BRAD 
   PETERSON, DIRECTOR, OFFICE OF CYBER SECURITY AND SPECIAL 
               REVIEWS, U.S. DEPARTMENT OF ENERGY

    Mr. Podonsky. Thank you, Mr. Chairman. We appreciate the 
opportunity to appear before this subcommittee for the sole 
purpose of demonstrating the cyberpenetration techniques 
employed by my office. As you are aware, my office provides the 
Secretary of Energy with an independent view of the 
effectiveness of Department policies, programs and procedures 
in the areas of cybersecurity, safeguard security and emergency 
management.
    Today, my staff will provide a brief demonstration of our 
cybersecurity penetration capabilities. With me for the 
demonstration today are Mr. Jason Bellone, formerly with the 
FBI's computer analysis response team; Ms. Karen Matthews, 
formerly with the Department of Defense computer forensics 
laboratory; Mr. Brent Huston, author of a soon-to-be-published 
book on hack-proofing your e-commerce Web site; and Mr. Brad 
Peterson, my Director of the Office of Cybersecurity.
    Our cybersecurity office maintains a continuous program for 
assessing Internet security to identify vulnerabilities that 
hackers and others could exploit. As part of the program, we 
continuously attempt to penetrate the DOE cybercommunity. We 
use this--we do this by using off-the-shelf software of hacking 
programs that are available to virtually anybody. Using these 
tools, we have been successful in identifying numerous 
vulnerabilities on DOE cybersecurity programs, and I am pleased 
to report, at the same time, those have been largely corrected 
by the Department.
    We will take a few minutes to demonstrate the results of 
some actual inspections that have taken place over the last 6 
months in order to show you the hacking techniques that we use 
and others employ. After the demonstration, we would be happy 
to respond to questions about the demonstration.
    Let me now introduce Mr. Jason Bellone to lead the 
demonstration.
    Mr. Bellone. Thank you, Mr. Podonsky.
    Mr. Greenwood. Why doesn't it surprise me that it is the 
youngest member of the team?
    Mr. Bellone. We are very proud to present our cybersecurity 
laboratory to you today. Although it is small in presence here, 
this laboratory is a comprehensive suite of headquarters, 
regional and mobile assets that we use, in effect, to attack 
and subsequently performance-assess the Department's 
information systems. It is our goal here to provide as much 
realism as possible to illustrate our cybersecurity penetration 
capabilities. The demonstration should give you an inside look 
at our process, and at the same time, I think you will see that 
the demonstrations will demystify the attacker process.
    Let me highlight two points before I begin. First, each 
demonstration you will see derives from a real penetration test 
conducted against government sites within the past 6 months. 
Sites, however, will not be mentioned by name.
    Second, all tools demonstrated are real, meaning employed 
as utilities by the attacker community. Some of these products 
are commercial. All are available downloads from the Internet 
and most are free. Nor will they be mentioned by name.
    When we assess, we don't use rubber bullets and paint 
pellets. To the greatest extent possible, we use the same 
process, tactics and tools as an attacker. This process I refer 
to here is the attacker's modus operandi; hence, it is our 
modus operandi. We will follow this process throughout the 
demo, about one level of detail away from teaching you how to 
attack a system. So don't try this at home.
    Without further delay, let's begin the demonstration.
    We will start with footprinting. Footprinting is a 50,000-
foot view, a snapshot, a bird's-eye view of your targets. It is 
anonymous. It is unintrusive. It is generally undetected. It is 
basically reconnaissance to gather a lay of the land. The 
ultimate goal is the who, the what and the where of the target.
    I will turn your attention to the demonstration screen. The 
following demo will illustrate a utility, again freely 
available on the Internet, that will graphically depict the 
who, the what, the where of the target. Although this operation 
was conducted from Maryland, the source of our efforts appear 
to come from Tampa, Florida. I will refer you to line one of 
the table.
    The table represents the path that our data flowed from, 
the launch point which was redirected from Florida to Maryland. 
In this case and only this case, I will tell you that we are 
looking at the Department of Energy's Web site for the purpose 
of illustration. The analysis section indicates the type of 
system of the target. This is the basic idea of what we are 
looking at, so what we have here is the who, the what, the 
where data collected. We are ready to move on to the second 
step of the process, which is scanning.
    The scanning process enables us to generate our target, our 
target list, and develop an attack plan. The scanning operation 
employs hundreds to thousands of agents acting as virtual 
detectives checking the target systems for specific 
vulnerabilities. Each virtual detective reports its findings 
back to the attacker. The probing process emulates hostile 
operations and searches for known vulnerabilities.
    The data base of vulnerabilities and exploit change daily. 
At the present time we test for over 900 vulnerabilities. 
Importantly, the scanning operation can be conducted with what 
we call ``low and slow,'' which means covertly without 
detection. The end result is a vulnerability profile, or intact 
plan ultimately.
    The next demonstration will show you exactly what the 
digital detectives delivered to us from an assessment we 
conducted a few months ago. I will again turn your attention to 
the demonstration screen.
    These results represent the output of a very robust 
scanning effort directed at one of our sites. This was a source 
of our attack plan.
    The significance of what you are looking at is this: The 
red icon represents the presence of a high-risk vulnerability, 
meaning it is probable for the vulnerability to result in 
system compromise. The yellow represents a medium-risk 
vulnerability that equates to a medium probability of system 
compromise. Let me drill down one level of detail to help you 
understand what you look at.
    If I click the red icon, the high vulnerability icon, I can 
drill down to understand the exact nature of the finding. The 
detail supports a focused attack and later a corrective action.
    The attack name is clear. It reads NBTDIC. More 
importantly, the description reads as follows, a share that 
requires only a password may be compromised using a dictionary 
file. Put simply, it details exactly what we need to do to 
focus our attack.
    Our third example is a separate product that may serve in a 
similar capacity. In contrast to the commercial product we 
demoed, this is a free utility. You will notice the 
presentation is similar, red equals high risk, yellow equals 
medium risk.
    Something interesting to note here: In the upper left-hand 
corner is a summary of the findings. It is quantitative, tells 
us how many targets, how many vulnerabilities, how many 
warnings. Let me point out, there have been instances where the 
scan results did not yield significant vulnerabilities and, 
hence, the process can stop there. So each step is requisite 
for the next step, and with that we are on to enumeration.
    As the scan results identify specific vulnerabilities for 
specific targets, we use this data to concentrate our efforts 
for more intrusive probing. The goal is to refine the attack 
plan with information about user accounts, file-sharing and 
system characteristics.
    The next demo will show you how to use the scan data to 
concentrate efforts and probe for more valuable information. I 
will again turn your attention to the demonstration screen.
    This utility enables us to probe for specific information 
relating to the scan results. The list has several possible 
targets. You can see that they are over 20 targets at the 
moment. So, next, although over 20 exist, we are going to focus 
on one. We have a game plan for attack then, to gain access to 
a user C drive. So--to remotely gain connectivity to a user's C 
drive over the Internet.
    So with footprinting, scanning, and enumeration data in 
hand, we are ready to gain access to the system. The demo you 
are about to see is a playback of the exact same exploit that 
we used in the course of our assessment; the process, the tools 
and the data to include the password are directly from the 
assessment. The demo is technical, so I am going to narrate as 
we go through it, so you will understand what you are about to 
see. Keep in mind, our goal here is to run an attack on target 
X to gain access to the user's C drive. We will begin the demo.
    This is Step 1. This is collecting basic configuration 
data. We use this data to enter into our utility, basically an 
attack utility, that will be used to crack the password. You 
will see that it is iterating through special characters, 
through letters, through numbers and so forth. It goes one 
character at a time; and for the purpose of this demo, we did 
select out of our set a four-character password. Again, it is 
original password from the site.
    We have I, and we have A--still moving through, lasts only 
a few seconds--I-A-E, and you can see it is almost there.
    We now have password in hand, so we move on to step three. 
Step three is to use that password to connect across the 
Internet to the user's drive. We enter the password and, voila, 
across the Internet, we have total access to this person's hard 
drive.
    At this point, we can load anything we want or we can 
download anything we want. In particular, here, we are going to 
load something called a key stroker logger, and we are going to 
download a sniffer. We could equally upload the person's 
password file at this point. So for step five we will move on 
to escalating privileges.
    As you could see from the demo, we gained unrestricted 
access to a user's hard drive, but an attacker would never stop 
here, nor do we. The idea now is to discover how far can we go, 
can we propagate throughout the network?
    What you will see next is, we will crack a password. So 
with this foothold, we have downloaded the password file. The 
password cracking demonstration uses a password file captured 
from exploits similar to the ones we have demonstrated. The 
demo will highlight the fact that cracking passwords is simply 
a matter of time.
    The tool you are about to see is designed to serve as a 
password auditing tool; that is, it is to check a department's 
password policy, eight characters, nine characters and so 
forth. It is publicly available and widely used in the 
information security community. Needless to say, it can have 
alternative uses to a malicious user.
    Before we begin the demo, let me explain what you will be 
looking at. In the first column, that is the user name. When 
you log in, generally you enter a user name and a password. So 
that would be the user name, and the columns that are empty, 
those will be where passwords appear. It is empty at this 
point. At the blink of an eye you will start to see passwords 
appear. In the far column, that's the encrypted representation 
of the password. Let's start to crack.
    We saw, at the blink of an eye, 25,000 words in the English 
dictionary and about 5 million tries occurred in a second. Less 
than a minute will pass for us to have the super-user password. 
We talk about root, super-user, administrator; bottom line, 
complete and utter control over the system. We will let it go 
for a moment. It is very far along. You see administrator, and 
you see it says MOTOROL. We are about two characters away from 
its completing. We find that we get to this point in under a 
minute most of the time.
    You also notice that it is telling us that they are not 
under eight characters. However, this is still not compliant 
with policy. So you can use this to support policy programs 
that may exist for a department.
    So it is completed. We now have super-user privileges. We 
will move on to the next demonstration.
    You recall that we were able to upload both a key stroke 
logger and a sniffer to the target's hard drive. Commonly, we 
install the logger to capture the user's monitoring log in 
session. When you come in in the morning most likely you check 
your e-mail and so forth. The idea for what we do is, we load 
it that night so that we can catch what you do in the morning.
    I refer you to the demo screen for a large picture, fairly 
hard to decipher, and that is because every key--escape, 
control, delete--is captured. It also runs in stealth mode, 
unknowing to the user, very hard to detect, and all of the 
results go to a text file which the attacker can bring to their 
system. Embedded between all of those escape keys and tab keys 
actually are passwords.
    Of course, an attacker doesn't stop here either, nor should 
we, so we will go on to pilfering.
    A sniffer is a stealth utility that will act as a wiretap, 
a wiretap that will listen to traffic traversing throughout the 
network. The idea of pilfering is to turn a compromised target 
into a listening device to capture not only what you are 
typing, but also what your peers are doing. Clear text 
passwords, e-mail correspondence, documents are all routed to 
the original recipient and, at the same time, rerouted to the 
attacker. In many cases, we have used this to propagate our 
control to other areas of the network. This courtesy, with 
small footholds, escalating privileges and pilfering, enables 
us or an attacker to gain more and more control in the network.
    The next short demonstration will demonstrate how a freely 
available tool can turn your machine into a secret listening 
device. Let me set up what you're looking at here.
    I mentioned wiretap as an example. This is one snippet, 1 
second from a wiretap, so to speak; and the purpose of this is 
to highlight that we indeed have user name and password. So we 
have gone from an exploit on a local machine to finding a way 
further on the network to other machines now. That is the point 
of pilfering.
    We move on to covering tracks. Covering tracks is hacker 
101. Hackers don't want to get caught. We do not employ this 
tactic as part of our process so that we can work with the 
sites to engage in what we call ``post-incident analysis.'' 
Simply put, we leave our traces to enable the site and us to 
collaborate to understand the nature of the attack.
    The following demo will demonstrate yet another freely 
available tool, erasing the traces of an attack with a few 
button clicks. What will be important to recognize here is that 
you will notice that it is only the traces of the attacking 
activity that are deleted. So a systems administrator would 
never be aware of what happened because all of the other logs, 
those that are from a normal conduct of a computer, would still 
be there. A button click, the traces are gone. Let's move on to 
back doors.
    For the following demo I will submit this machine. Karen 
will do the heavy lifting here. Although this machine is 
separated by 20 feet of cable, we have executed the exact same 
exploitation with hundreds to thousands of miles of separation 
between our lab and the site. The message is clear that 
ownership and control of a resource is, to the fullest extent 
possible, in many cases more than the user. The goal is to make 
a key that only you can use to enter, create accounts, plant 
remote control services and to install Trojans. I will now 
start the demo.
    Let me set the scene again here. Imagine yourself working 
in front of this screen, doing normal business work wherever--
anywhere in the world, for that matter, okay? We have exploited 
this system unknowing to you, and we are now going to take over 
control by doing things like change colors. So you are sitting 
there and this is happening to you, okay?
    The other thing we are going to do is, we are going to 
eject the CD on you--again, from 3,000, 2,000, 1,000 miles 
away--and the other thing we might do, just to harass you a 
little more, is to hide icons. There we go. The point being--
these are visual examples; ultimately, it is complete control.
    A popular news organization reported about this tool, and 
let me quote: ``he or she can access your files, monitor your 
key strokes, move your mouse around the screen. If you have a 
Web cam, they can watch what you are doing. If you have a 
microphone, they can listen to you. It is complete power.''
    This concludes the demonstration portion of our testimony. 
In closing, I will highlight the end product of this 
capability.
    The essence of our capability is our final product. Our 
product encapsulates every element of what you have just seen--
process, tactics, tools, every vulnerability and exploit. Along 
with meticulous note-taking and recordkeeping, we deliver all 
of this information to the site in a user friendly, Web-based 
CD-ROM. So anything and everything that is collected, yellow 
sticky and so forth, is given to the site for corrective 
action. I know you are also familiar with our paper product, 
which combines the technical elements with the policy, program 
and procedural analysis.
    Thank you.
    I will now offer our technical team for technical 
questions, as well as Mr. Podonsky and Mr. Peterson, who can 
entertain questions about our program.
    Mr. Greenwood. Thank you. Now, I know why I can't open my 
e-mail in the morning.
    I don't know if you are able to answer this in anything 
like a brief response, but what are the fundamental things that 
agencies and Federal entities ought to do to protect themselves 
from this kind of assault?
    Mr. Bellone. It is due diligence. This--what you are seeing 
here is such a dynamic process that it is a snapshot in time 
when we do an assessment. The fundamental core of doing this is 
to have program, policy, procedure and technology working 
together. That is why the scope of our assessments is what is 
important, that we do the technical elements, but at the same 
time, we have a team who looks at policy, looks at programs, 
looks at procedures. We put it together so that we can 
understand the health of a program and how they are able to 
sustain the program. It is the sustainability that is most 
significant.
    Mr. Greenwood. So what I hear you saying is that you are 
never finished with your security precautions. You can't build 
a firewall or create air space and stay permanently fixed. You 
always need to be----
    Mr. Bellone. The quote that I think about is, ``as 
technology evolves, sneakiness finds new ways of expression;'' 
and that's exactly where we are. We can assume technology will 
evolve, especially in this growing field of information 
technology. Hence, the task is always ahead of us.
    Mr. Greenwood. That is a fascinating, fascinating 
demonstration.
    Are there questions from the members for the technical 
panel here?
    The Chair recognizes the chairman, Mr. Tauzin.
    Chairman Tauzin. Thank you very much.
    I simply want to put what you have told us in layman's 
terms a little bit. Am I correct in that, with this 
demonstration, you have shown us how a hacker cannot only 
compromise the system but take it over and actually control the 
information on that system? Is that correct?
    Mr. Bellone. Yes.
    Chairman Tauzin. You have shown us how someone who could 
compromise, let's say, a third-party payment system at HCFA to 
get into that system--how they might not only gather the 
information that's in that system about patient's health care 
and problems, but that they might even alter the information on 
that system?
    Mr. Bellone. Absolutely.
    Chairman Tauzin. So that I take it your answer is, yes, 
right?
    Mr. Bellone. My answer is yes.
    Chairman Tauzin. So the person who is using the systems you 
have demonstrated can actually change the medical condition or 
the treatment profile or the payment requirements of that 
system; is that correct?
    Mr. Bellone. That is exactly correct.
    Chairman Tauzin. And, therefore, compromise the integrity 
of the payment system?
    Mr. Bellone. Absolutely.
    Chairman Tauzin. I can envision incredible fraud 
opportunities with that scenario, is that right, as well as 
privacy problems?
    Mr. Bellone. You can assume that with what we have shown, 
an attacker can gain more privileges than the user has.
    Chairman Tauzin. Say that again, ``An attacker can gain 
more privileges than the user.'' What do you mean by that?
    Mr. Bellone. What I mean is that once you exploit it, you 
can deny them service to that resource.
    Chairman Tauzin. So you can not only take charge of their 
operation, you can make it more difficult for them to actually 
use it themselves?
    Mr. Bellone. Absolutely.
    Chairman Tauzin. You can deny them total use, if you want, 
of these systems?
    Mr. Bellone. Absolutely.
    Chairman Tauzin. You also indicated--obviously, I am just 
using health care systems as an example for us to understand 
this technology, but this, in the case of an energy lab, might 
explain how someone might get in and compromise, with espionage 
intent, not only the information in that lab, but you might do 
it from across the world.
    You don't need necessarily someone working in the lab; is 
that right?
    Mr. Bellone. To a certain extent. The one thing that I 
think the Department of Energy recognizes is, given that risk, 
there are certain assets that they are not willing to subject 
to that risk.
    Chairman Tauzin. Well, let's hope so.
    Mr. Bellone. Yes.
    Chairman Tauzin. But we have some confidence problem with 
that.
    Yes, sir.
    Mr. Podonsky. Also the fact that we exist as an 
organization to continue doing these penetrations is a 
compliment to the current Secretary and the Department because 
we are allowed, without legislation, to go anywhere that we 
need to and report on anything that we find.
    Chairman Tauzin. On the technical side again, the last 
thing you said was quite disturbing as well, that if you had a 
camera, once this system is compromised, that you take over 
that camera, that you can actually watch activities in that 
room in front of that screen; is that correct?
    Mr. Bellone. Absolutely.
    Chairman Tauzin. And if you have a microphone, which most 
computers do, you can, with this technology, install your 
sniffer and actually listen in on all conversation inside that 
room; is that correct?
    Mr. Bellone. Absolutely. If the machine has a microphone, 
that is the case.
    Chairman Tauzin. And unless all the Federal sites in which 
sensitive information is being discussed are protected against 
this technology, anyone from around the world using it could 
enter any room where sensitive conversations are being held and 
eavesdrop on those conversations without a court order covering 
their tracks, without anybody ever knowing they have done it; 
is that correct?
    Mr. Bellone. To a certain extent, it is correct.
    What I could say is that in some environments they look 
harder at things like hardware, the presence of microphones and 
so forth, and so that is looked very carefully upon. In other 
environments where there is less, where there is not the 
presence of sensitive information, it is more likely that that 
may be the case.
    Chairman Tauzin. But it is a problem. Unless the Federal 
official who is operating in front of that computer screen 
which has camera and microphone capabilities is aware of what 
you have just shown us, if he has no awareness of it, if it is 
not a priority item in his thinking or her thinking that day, 
that conceivably those systems can be compromised in the way 
you have demonstrated and the conversations, the actions even 
in that room can be in someone else's domain, unknown to the 
Federal officials involved.
    Mr. Huston. That is correct, sir, but you have to realize 
that it should never get that far. There should be defensive 
measures installed in these systems to prevent that from 
occurring long before that ever becomes a risk.
    Chairman Tauzin. That is, of course, the next question.
    You know, I have raised in the opening statement the 
concern that enough of our Federal agencies are not keenly 
aware, we have not yet made them keenly aware nor instructed 
them nor appropriated funds for them to install these defensive 
systems. Is that generally correct as well? Who can answer?
    Mr. Podonsky. Well, we are better off to keep focus on what 
we do know about the Department of Energy. On the technical 
side, we don't know what all the other agencies are doing, but 
we do know that because of some very good reasons, the 
Department was very motivated in the last 2 years to really 
focus on cybersecurity.
    Chairman Tauzin. Something called public embarrassment, I 
think.
    Mr. Podonsky. That often helps.
    So to answer your question, from our standpoint, as we 
pointed out here, not only do we continue to probe, but the 
people who are responsible for filling the vulnerabilities that 
we find are actively doing that as we speak on a regular basis.
    Chairman Tauzin. And I guess, as a final question, these 
technologies are also available for private snooping and 
private compromising of homes and businesses across America; is 
that correct? Unless Americans are aware, keenly, of the 
capabilities of these systems and take as much concern about 
installing defensive systems, their private homes, their most 
private conferences, in many cases their most private spaces 
and activities can be easily compromised by someone invading 
their home through these devices and literally listening in and 
watching the most private of circumstances of Americans in 
their personal and business lives; is that correct?
    Mr. Huston. That is correct. However, awareness is the 
primary means of defense against any security threat, and much 
like a physical security threat, where you have started to see 
the evolution of homeowners installing alarm systems and other 
threat and risk mitigation strategies, I think you will see a 
growth in that marketplace, as well, for cybersystems.
    Chairman Tauzin. Thank you, Mr. Chairman.
    Mr. Greenwood. Let me just ask a question about motivation.
    Obviously, we know that there are some hackers who do this 
for the sport of it, just to see what they can do, and they may 
or may not have nefarious intentions other than to sneak in and 
see what they can do. But what nefarious opportunities are 
there once you get in?
    In other words, I assume a lot of people wouldn't get all 
the way there just to hide your icons or change the colors on 
your screen; that they would be there to--is there a market for 
the information? Can you get information and then sell it? Is 
it a question of compromising and destroying internal systems 
for strategic purposes?
    Talk, if you would, briefly about some of the motivations 
for doing this.
    Ms. Matthews. I think the answer to your question is all of 
the above and then some.
    There are over 100 countries that have some sort of 
information operations capabilities, and you saw what we could 
do with publicly available software and hardware. If you could 
imagine them turning their expertise and resources to debunking 
those information and operations, you can imagine what damage 
that could do. So the motivations are various, depending on 
whether it is a teenager or whether it is a nation-state or a 
terrorist organization that has motivation behind them.
    Mr. Greenwood. And given the ability to cover tracks, it is 
safe to say that this has probably happened to Federal systems, 
and we don't know what was done, have no way of knowing what 
was done? They could have covered the tracks and left no trail 
whatsoever?
    Mr. Bellone. Part of strength and defense is having an 
effective intrusion detection system--and I emphasize the word 
``system,'' because what we showed you is covering tracks at a 
very micro level. When we assess a site, one of our topical 
areas is intrusion detection systems, meaning their ability to 
respond to an event and provide that for an investigation, if 
you will. That is a critical component of detecting that level 
of activity. Sure, there are point-and-click tools available to 
vanish yourself from one machine, but with a very comprehensive 
system of alarms, you can still detect the activity.
    So there are defense elements that are available.
    Mr. Greenwood. Mr. Strickland, do you have questions for 
the panel?
    Mr. Strickland. No, sir, but I want to thank the panel. 
They have been very stimulating, and I am sitting here 
wondering what their IQs must be.
    Mr. Greenwood. We can assume it is higher than ours.
    Mr. Davis.
    Mr. Davis. Thank you. You can never have 100 percent 
protection in an information system; do you agree with that?
    Mr. Bellone. That is correct.
    Mr. Davis. Information security best practices really means 
using effective risk management in their implementation. How do 
you collaborate with your clients to assist them in meeting 
those objectives?
    Mr. Peterson. We have--as part of our process, we do the 
technical performance testing, what Mr. Bellone has shown you 
today. We then go in with our programmatic team and we take a 
look at their processes, and one of the key ones would be the 
risk management process, you know, does the site understand the 
threat. Then you do a risk assessment, understanding your 
critical systems and your critical information need protection. 
You then devise risk mitigation strategies and a protection 
strategy as well.
    You implement those, and then there is going to be some 
residual risk left over. What we do then is, we go in to see, 
do you understand your residual risk, has there been an 
appropriately designated official--has that person accepted 
that risk. That is what we look for.
    Mr. Davis. Thanks.
    Mr. Greenwood. Ms. DeGette.
    Ms. DeGette. Thank you, Mr. Chairman.
    I want to follow up on the full committee chairman's 
questions about, if you had microphones and video capability in 
computers. I would assume that for someone to be able to 
intercept that, the computer would have to be on at that time. 
And is that a yes?
    Mr. Bellone. That is correct.
    Ms. DeGette. And I would also assume that many meetings 
that take place where secret information is discussed are not 
in people's cubicles or offices where their PC is on, but 
rather in a conference room or some other venue. Would that be 
correct?
    Mr. Bellone. Absolutely.
    Ms. DeGette. And in those venues, in your experience in 
your agency, are there computers running in those rooms at the 
time those meetings are taking place? I am trying to figure out 
how real a threat this really is.
    Mr. Bellone. In the sensitive realm, there is a very clear 
accreditation process that looks at the room--the nature of the 
room, the hardware, the software and so forth. So it is very 
much a controlled environment, and because there are so many 
checks and balances and procedures and signatures and so forth, 
generally the process resolves or reconciles those kinds of 
concerns.
    Ms. DeGette. And that is happening under current DOE 
protocols?
    Mr. Bellone. Accreditation process.
    Mr. Podonsky. Yes.
    Ms. DeGette. And what about the training of personnel, are 
personnel currently, under current protocols, trained about the 
risks of interception of verbal communications?
    Mr. Peterson. It is part of what we look at in our 
programmatic review, we look for annual training of users--
obviously more detailed training down to the systems 
administrator level, managers--making sure that they understand 
their roles and responsibilities, making sure that the site has 
good procedures that actually push policy down from the broad 
national perspective down to the working level.
    Ms. DeGette. Well, these particular concerns that Mr. 
Tauzin was expressing are--is that part of your current 
training for personnel about the risks of hackers coming in and 
actually being able to intercept visual or verbal discussions? 
Is that a policy right now?
    Mr. Peterson. Again, that is part of the risk assessment 
process that is evaluated at the site level for each individual 
network. You know, depending on what information they have, 
again it is going to drive the level of concern. Again, that is 
a process at the site level.
    Then that feeds into the training based on, we know we have 
these risks, we need to inform our users and our systems 
administrators.
    Ms. DeGette. I understand what your general protocols are, 
but specifically, are people advised of these risks?
    Mr. Bellone. One thing that comes to mind, we run through 
computer-based training in yearly training sessions that go 
over counterintelligence and cybersecurity, and the 
cybersecurity awareness training covers these elements. They 
talk about the exploit or attacker threat. That is required 
yearly.
    Ms. DeGette. Now, let us talk for a minute about classified 
systems. By the way, I apologize, I missed your demonstration. 
I was caught in the cherry blossom traffic, I think.
    But apparently, according to Mr. Strickland, we are never 
turning on our computers again because of the risk of people 
getting our information, and I want to know how very real the 
risk is with your Agency? Are the classified systems at your 
Agency connected to the Internet?
    Mr. Peterson. We take a very close look at that. With 
classified systems, there is either an air gap between the 
Internet and the classified system or NSA-approved encryption.
    Ms. DeGette. So some are connected to the Internet, but 
there are protections that you believe would be effective in 
place?
    Mr. Peterson. Yes.
    Ms. DeGette. How many of the classified systems, what 
percentage of your classified systems are connected to the 
Internet?
    Mr. Peterson. I am not sure if we can provide a good number 
for that.
    Ms. DeGette. If you can supplement your answer in writing, 
I would appreciate it. Mr. Chairman, thank you.
    [The following was received for the record:]

    The Department has one classified system connected to the 
Internet. However, all classified information that is 
transmitted over the Internet is protected using an encryption 
device approved by the National Security Agency.

    Mr. Greenwood. We thank you for that mind-bending 
demonstration. You are excused, and we will bring up the next 
panel. Thank you again.
    The Chair calls the witnesses, Ms. Sallie McDonald, 
Assistant Commissioner, Office of Information Assurance and 
Critical Infrastructure of the U.S. General Services 
Administration; Mr. Ron Dick, Director, National Infrastructure 
Protection Center of the FBI; and Mr. Tom Noonan, President and 
CEO of Internet Security Systems.
    The Chair would ask unanimous consent that the gentleman 
from Georgia, Mr. Isakson, be given permission to sit at the 
table and introduce his constituent, Mr. Noonan.
    I am going to have Mr. Isakson introduce Mr. Noonan first, 
and then we will turn to Ms. McDonald for her opening 
statement.
    Mr. Isakson. I commend the chairman and members of the 
committee for looking into an issue of major importance to the 
U.S. Government. It is also an issue of major importance as 
well to the private sector throughout this country.
    I am particularly pleased to have the honor to introduce a 
citizen of Atlanta, Georgia, Mr. Tom Noonan, Chairman and CEO 
of Internet Security Systems, whose software development, 
remote management of security systems, education and consulting 
is sought worldwide. ISS is a company that has offices in Asia, 
Latin America, Middle East, Europe and throughout North 
America. They have over 6,000 customers in the United States of 
America in the management and security of their network 
systems.
    To talk about the importance of the software that they 
developed and the remote management that they have, today 21 of 
the top 25 banks in the United States of America are clients of 
ISS. The top 10 telecommunications companies in the United 
States of America are clients of ISS, and 35 government 
agencies in this country, or possibly worldwide, are clients of 
ISS.
    But probably the best compliment that I can pay to Mr. 
Noonan is that 2 years or 3 years ago, following my election to 
Congress, I sought the opportunity, because of my business 
experience and knowing the importance of technology, to develop 
an advisory board of individuals to help me deal with the 
myriad of privacy and safety and security issues that deal with 
the Internet and technology. Tom Noonan's name was consistently 
mentioned as the paramount authority on security systems in 
Atlanta, and, in fact, in the United States. It is an honor and 
privilege for me to introduce him. I am going to apologize that 
I have to leave this table, but I have the intellectual 
capacity to be a Congressman; I am not sure that I have the 
capacity to sit at this table with these individuals, and I do 
not want to confuse anyone here. I thank the chairman.
    Mr. Greenwood. I thank the gentleman. The Chair recognizes 
Mr. Davis.
    Mr. Davis. Mr. Isakson, you missed one item in that 
introduction. That is, his company has a strong presence in 
Herndon, Virginia. Welcome.
    Mr. Greenwood. The Chair recognizes Ms. Sallie McDonald for 
her testimony.

TESTIMONY OF SALLIE McDONALD, ASSISTANT COMMISSIONER, OFFICE OF 
INFORMATION ASSURANCE AND CRITICAL INFRASTRUCTURE, U.S. GENERAL 
  SERVICES ADMINISTRATION; RONALD L. DICK, DIRECTOR, NATIONAL 
INFRASTRUCTURE PROTECTION CENTER; AND TOM NOONAN, PRESIDENT AND 
              CEO, INTERNET SECURITY SYSTEMS, INC.

    Ms. McDonald. Good morning, Mr. Chairman and members of the 
committee. I am the Assistant Commissioner for the Office of 
Information Assurance and Critical Infrastructure Protection. 
My office is a component of GSA's Federal Technology Service 
under which the Federal Computer Incident Response Center 
operates.
    We wish to thank you for the opportunity to offer testimony 
pertinent to the state of security for government information 
technology resources. The Federal Computer Incident Response 
Center, or FedCIRC, is a central coordination activity for 
dealing with computer security-related incidents affecting 
computer systems within the Federal civilian agencies and 
departments of the U.S. Government.
    As government industry system interconnectivity increases, 
the boundary between the two becomes more difficult to define 
and in some cases they simply do not exist. Any security 
weakness across the Internet has a potential of being exploited 
to gain unauthorized access to one or more of the connected 
systems, including those of government. Reports indicate that 
numerous countries have or are developing information warfare 
capabilities that could be used to target critical components 
of the national infrastructure, including government systems. 
The National Security Agency has determined that potential 
adversaries are collecting significant knowledge on U.S. 
information systems and also collecting information and 
techniques to attack these systems.
    Since October 1998, FedCIRC incident records have shown an 
alarming trend in the number of attacks targeting government 
systems. Overall, 376 incidents were reported in 1998, 
affecting 2,732 Federal Government systems.
    In 1999, the figure had risen to 580 reported incidents 
affecting 1.3 million systems. By 2000, reported incidents 
numbered 586; and those incidents impacted over 576,000 
government systems.
    Although these numbers are alarming, it should be noted 
that they reflect only those reported incidents and do not 
include statistics on the estimated 80 percent that go 
unreported. Studies indicate that the lack of reporting is not 
due to an organization overlooking its obligation to report, 
but rather a sign of the organization's inability to recognize 
that its systems have been penetrated. The increase in the 
number of route compromises, denial of service attacks, network 
reconnaissance activities, destructive viruses and malicious 
code, coupled with advances in attack sophistication, pose 
immeasurable threats to government systems and the critical 
missions and services they support.
    With the rapid transition to a paperless government and 
increasing dependence on e-government solutions, the focus on 
secure technology approaches must be a priority. We in 
government cannot afford to overlook our inherent 
responsibility to protect sensitive information from 
unauthorized disclosure. The unprecedented growth in technology 
is driving government to implement capabilities and services so 
rapidly that security concerns are often overlooked.
    Mr. Chairman, my brief summary today only begins to touch 
on the most significant information security challenges we have 
before us. The complete text of my testimony describes in 
greater deal the current and growing threat to the Federal 
information infrastructure. I trust that you will derive from 
my remarks an understanding of the cybersecurity issues, and 
also an appreciation for the commitment that those in the 
FedCIRC and participating organizations share for the 
protection of components of our critical infrastructure. We 
appreciate your leadership and that of the committee for 
helping us achieve our goals and allowing us to share 
information that we feel is crucial to the defenses of the 
Federal information technology resources. Thank you.
    [The prepared statement of Sallie McDonald follows:]

 Prepared Statement of Sallie McDonald, Assistant Commissioner, Office 
   of Information Assurance and Critical Infrastructure Protection, 
      Federal Technology Service, General Services Administration

    Good morning, Mr. Chairman and Members of the Committee. On behalf 
of the Federal Technology Service of the General Services 
Administration let me thank you for this opportunity to appear before 
you to discuss our perspective on the state of security for government 
information technology resources.
    As you know we operate an entity known as FedCIRC. FedCIRC stands 
for the Federal Computer Incident Response Center, and is a component 
of GSA's Federal Technology Service. FedCIRC is the central 
coordinating activity associated with security related incidents 
affecting computer systems within the Civilian Agencies and Departments 
of the United States Government. FedCIRC provides security incident 
identification, containment and recovery services and works within the 
Federal community to educate agencies on effective security practices 
and procedures. FedCIRC's prevention and awareness program includes 
security bulletins and advisories, hardware and software vulnerability 
notifications, and vulnerability fixes.
    With the recent enactment by Congress of the Government Information 
Security Reform Act, federal agencies and departments must report 
computer security incidents to FedCIRC. FedCIRC's role is to assist 
those federal agencies and departments with the containment of security 
incidents and to provide information and tools to aid them with the 
recovery process. In January, the Office of Management and Budget (OMB) 
issued implementing guidance on the new security act. In that guidance, 
OMB instructed agencies to implement both technical and procedural 
means to detect security incidents, report them to FedCIRC, and to use 
FedCIRC to share information on common vulnerabilities. Agencies were 
advised to work with their security officials and Inspectors General to 
remove all internal obstacles to timely reporting and sharing. 
Additionally, in October of last year, the Federal CIO Council worked 
with FedCIRC and developed procedural advice to agencies for efficient 
interaction with FedCIRC.
    When an incident is reported to FedCIRC, we work with those 
involved to collect pertinent information, analyze it for severity and 
potential impact, and offer guidance to minimize or eliminate further 
proliferation or damage. Additionally, FedCIRC assists in identifying 
system vulnerabilities associated with the incident and provides 
recommendations to prevent recurrence. Moreover, FedCIRC works closely 
with the FBI's NIPC and the national security community to ensure that 
incidents with potential law enforcement or national security impact 
are quickly reported to the appropriate authorities.
    As government and industry systems and network interconnectivity 
increase, the boundaries between the two begin to blur. This huge 
network of networks, known of course as the Internet, includes both 
government and private systems. In some fashion, through the Internet, 
all of these systems are interconnected. Thus, an inescapable fact of 
life in this Internet Age is that any risk associated with any part of 
the Internet environment is ultimately assumed by all systems connected 
to it. Any security weakness across the Internet has the potential of 
being exploited to gain unauthorized access to one or more of the 
connected systems.
    Reports from the Department of Defense and other sources tell us 
that over 100 countries have or are developing information warfare 
capabilities that could be used to target critical components of the 
national infrastructure including government systems. The National 
Security Agency has determined that potential adversaries are 
collecting significant knowledge on U.S. information systems and also 
collecting information and techniques to attack these systems. These 
techniques give an adversary the capability of launching attacks from 
anywhere in the world that are potentially impossible to trace.
    Since October 1998, FedCIRC incident records have shown an 
increasing trend in the number of attacks targeting government systems. 
Overall, there were 376 incidents reported in 1998 that affected 2,732 
Federal civilian systems and 86 military systems. In 1999, the figure 
had risen to 580 reported incidents affecting 1,306,271 Federal 
civilian systems and 614 military systems. By 2000, reported incidents 
numbered 586, which impacted 575,568 Federal civilian systems and 148 
of their military counterparts. Though these numbers are in themselves 
ample cause for concern, these numbers reflect only those reported 
incidents and do not include incidents that were not reported. Studies 
conducted by the Department of Defense as well as data collected from 
the broad Internet community by Carnegie Mellon University's CERT 
Coordination Center indicate that as many as 80% of actual security 
incidents go unreported. More importantly, perhaps is the reason 
incidents appear to remain unreported. In most cases incidents are not 
reported because the organization was unable to recognize that its 
systems had been penetrated or because there were no indications of 
penetration or attack.
    Of course computer security incidents vary in degree of severity 
and significance. Many incidents, such as web page defacements, are 
seemingly insignificant and generally categorized as ``cyber-
graffiti.'' Typically, systems that are victims of defacement have one 
thing in common, an overabundance of commonly known weaknesses in their 
respective operating system and server software. Though the damage from 
such incidents may be small, the rising number of occurrences suggests 
a clear pattern of inattentiveness to security problems, especially 
those that might be easily resolved with publicly available software 
patches.
    While these relatively minor incidents may amount to mostly 
nuisances, the more significant incidents are those associated with the 
development of sophisticated attack methodologies. Such attack 
methodologies involve the organized distribution of intrusion 
techniques across the Internet. So called ``hackers'', ``crackers,'' 
mischievous individuals, rogue nations and even state sponsored attacks 
are all threats to systems in government and the private sector.
    In particular, unauthorized intrusions into government systems 
containing sensitive information are also on the rise. In 2000, as I 
reported earlier, FedCIRC documented 586 incidents affecting government 
systems. 155 of those were reported from 32 agencies and resulted in 
what is known as ``root compromise.'' A root compromise means the 
intruder has gained full administrative or ``root'' privileges over the 
targeted system. This means that any information or capability of the 
system is totally owned by and controllable by the intruder. With 
``root'' privileges, the intruder can cover his or her tracks because 
the privileges allow them to alter system logs and thereby erase any 
evidence of intrusion activities. In at least 5 of the incidents 
involving a root compromise, access to sensitive government information 
was verified. For the remaining 150 incidents, compromise of any and 
all information must be assumed. Root compromises were also employed in 
17 separate instances where the compromised systems were used to host 
and then launch attacks. Attacks of this nature are particularly 
egregious since they work to erode the public trust in government 
systems integrity while serving to openly demonstrate security 
vulnerabilities within government systems.
    More recently, as a byproduct of the Y2K problem, a new type of 
attack has been gaining attention. This type of attack is known as the 
``Distributed Denial of Service'' attack and is considered one of the 
most potentially damaging attack methods yet to be developed. The 
Distributed Denial of Service or DDoS attack simply overwhelms a 
targeted system with so much information that the targeted system 
cannot grant access to legitimate users. This attack can be 
particularly damaging when components of the critical infrastructure 
such as power grid controls, traffic controls, emergency and medical 
services are subject to a DDoS attack, since these attacks render their 
targets effectively inoperative. And if that is not enough, the DDoS 
attack, after first identifying and compromising vulnerable systems 
anywhere across the Internet, next deposits on those compromised 
systems hostile software capable of launching further attacks. Once in 
place, the exploited systems can then be orchestrated to simultaneously 
launch attacks on a predetermined target, flooding the target with more 
information than it is capable of processing. Ninety three government 
systems were targets of DDoS attacks, many of which resulted in the 
disruption of critical government services.
    Perpetrators continually scan the Internet to identify systems with 
weak security profiles or vulnerabilities. These reconnaissance 
activities focus on identifying the active services, operating systems, 
software versions and any protective mechanism that may be in place. 
Armed with this information, a would-be intruder can consult publicly 
available information repositories and references for vulnerabilities 
particular to their selected target. Then they can devise attack 
strategies with the highest probabilities for successful compromise. 
Port scans, probes, network mapping applications and commonly used 
network administration tools are typical resources used by an intruder 
to identify weaknesses in the chosen organization's infrastructure and 
to simplify the intrusion effort. Incidents reported by Federal 
agencies to FedCIRC during 1998 indicated a mere 157 occurrences. 
However in 1999 there was a significant jump in network reconnaissance 
activity to 1,686 occurrences. Although 2000 showed a slight decrease, 
the number of reported reconnaissance incidents still was 1,207.
    The sophistication of computer viruses also poses a significant 
threat. While yesterday's viruses were destructive to files residing on 
a system, today's viruses come in many forms and self propagate by 
exploiting the advanced capabilities of modern-day software 
applications. Computer viruses may harbor capabilities to destroy both 
hardware and software. They may arrive in the form of so-called 
``trojan horse'' code capable of capturing and transmitting sensitive 
information, user account data or administrator passwords. As 
legitimate software programs incorporate more advanced capabilities, 
those same capabilities are being harnessed to very destructive 
purposes. As we observed during the ``Melissa'' and ``I Love You'' 
viruses, a single email on the other side of the globe began saturating 
mail servers within a few short hours. The number of virus incidents 
reported by Federal agencies in 1998, 1999 and 2000 totaled 55, 35, and 
36 respectively. Since anti-virus defenses are developed in response to 
a virus, there is a relatively significant period of time between the 
capturing of the virus code and the development of a defense. 
Considering the near-real-time communications capabilities available to 
a large percentage of the world population, microseconds can mean the 
difference between normal operations and system disruption.
    Statistics compiled by Carnegie Mellon University's CERT 
Coordination Center show a definite correlation between the growth of 
software vulnerabilities and the number of reported incidents. From 
1988 to present day, the number of vulnerabilities identified annually 
has increased from only single digits to well over 800. The number of 
reported incidents across industry and government closely track that of 
the vulnerabilities, from a meager few in 1988 to almost 25,000 as of 
the beginning of this year. These trends indicate that Internet 
connected systems are becoming increasingly vulnerable to attack and 
that defensive measures are not yet adequate to protect against 
exploitation of the vulnerabilities.
    With the rapid transition to a paperless government and increasing 
dependence on e-government solutions, the focus on secure technology 
approaches must be a high priority. The unprecedented growth in 
technology is driving government to implement capabilities and services 
so rapidly that security concerns are often overlooked. The adoption of 
e-commerce solutions, e-government solutions and countless forms of 
electronic information exchange is in danger of moving forward without 
adequate consideration of the protection of the systems and the 
information they store, process or transmit. We in government cannot 
afford to overlook our inherent responsibility to protect sensitive 
information from unauthorized disclosure. The implementation of 
strategic defenses for the Federal Information Infrastructure can only 
be realized if we act promptly to establish the proper foundation for 
already overdue initiatives to combat these issues. Information sharing 
and collaboration on the part of all concerned is key to the creation 
of effective defenses. FedCIRC, in cooperation with every Civilian 
Federal Agency, Industry, Law Enforcement, the Department of Defense 
and Academia, has begun building a virtual network of partners to 
facilitate the sharing of security relevant information and ideas. Each 
week, the list of partners increases as more and more realize that this 
battle cannot be fought in isolation. Every contributing piece of 
information from a participating partner has the potential of unlocking 
a critical cyber-defense problem.

                                SUMMARY

    Mr. Chairman, in my remarks here this morning, I have merely 
touched on the most significant information security challenges we face 
in this Internet Age dawning before us. My goal was to inform you and 
this committee about the nature of the cyber-security issues we face 
collectively as a nation. I also want to help you appreciate the degree 
and level of commitment that those in FedCIRC and participating 
organizations share regarding the protection of the components of our 
Critical Infrastructure. We appreciate your leadership and that of the 
Committee in helping us achieve our goals and allowing us to share 
information that is crucial to the effective defense of Federal 
Information Technology resources.

    Mr. Greenwood. Thank you.
    Mr. Dick.

                   TESTIMONY OF RONALD L. DICK

    Mr. Dick. Mr. Chairman, I am the Director of the National 
Infrastructure Protection Center which is located at the FBI. I 
want to thank you today for inviting me to discuss cyber-
intrusion issues into government systems. Because of the impact 
that cyber-intrusions have on our national security, as well as 
the economic well-being of government and industries to provide 
vital goods and services to Americans, this is a very important 
topic.
    I would ask that my full statement be entered into the 
record, and I will focus on a few brief comments.
    Computer intrusions into government systems are a serious 
problem. In my statement, I cite that we have currently 102 
pending investigations of government systems out of a total of 
approximately 1,219. But each case can represent multiple 
intrusions and multiple victims. Thus the caseload denotes a 
large number of incidents. That is the bad news.
    The good news is that National Security Advisor Rice's 
recent statement at the Partnership for Critical Infrastructure 
for Security meeting indicated the administration's view that 
this is a high priority.
    Let me briefly outline some threats we face and discuss a 
few examples that highlight the vulnerability.
    Insiders have always been a major threat. Their motive is 
usually against a current or former employer. In many instances 
they do not need to be sophisticated because they do know the 
passwords, or controls are such that passwords are not changed 
routinely. Further, they have the greatest knowledge of how to 
defeat the system's internal controls.
    In one case, a dismissed employee of the National Library 
of Medicine created a back door in the system through which he 
could alter and destroy data on the system. These intrusions 
were a threat to public safety, as doctors from around the 
world depended on the integrity of this information for 
diagnosis and drug prescriptions.
    Computer virus writers have become a dangerous problem in 
the last few years. They write their programs, often just to 
cause mayhem in the networks. The result is that important 
systems are made or forced to come off-line for repairs. This 
is at a cost of billions of dollars; last year, as we all 
remember, the well known love letter virus which began in the 
Philippines but soon spread globally. The FBI and Philippine 
authorities were able to trace the virus back to its source, 
but because the Philippines lacked a cybercrime statute at the 
time, he could not be prosecuted.
    Along with viruses, hacking cases are the best known. In 
February 1998, just as the Center was being established, we had 
one of the largest hacks ever of U.S. Government systems. 
Intruders had compromised hundreds of Department of Defense 
computers. We initially thought it could be an attack from a 
foreign power. It turned out to be teenagers from California 
and Israel. Those teens have since been prosecuted by the U.S. 
Government; but it was a wake-up call regarding cybersecurity.
    While the motive was less malicious in this case than 
others we had seen, it highlighted the potential for use of 
cyberspace to prepare the battlefield.
    Let me touch further on national security threats. There 
are thousands of intrusions or attempts into government systems 
every year. Many of them emanate from abroad. We know many 
nations are developing information warfare capabilities, as 
well as adapting cybertools as information-gathering trade 
craft. That is about as far as I can go today, but this is an 
evolving area for us.
    Let me talk about the response to these threats. In the 
middle of the 1990's, the Federal Government, as has been 
recognized already, recognized the potential dangerous problem 
regarding cyber-vulnerabilities.
    In February 1998, the Attorney General authorized the 
creation of the National Infrastructure Protection Center. In 
May 1998, President Clinton authorized the expansion of Justice 
Department efforts to a full-scale National Protection Center. 
The Center's mission is for detecting, assessing, warning of, 
and investigating significant threats and incidents concerning 
our critical infrastructures. The NIPC is an interagency 
center. Of the 101 persons currently working in the Center, we 
currently have 18 detailees from outside the FBI, and two 
foreign detailees. The leadership of the Center comes from 
several agencies. The NIPC's Deputy Director is Rear Admiral 
James Playhall from the Navy, who is with us today. Over the 
last 3 years the Center has issued 82 warning products. Many of 
these products, such as the one issued last week on the ``Lion 
Internet Worm'' are issued before any attacks occur.
    These warning products are sent to our Federal partners, as 
well as State and Federal law enforcement, international 
partners with whom we have connectivity, the information 
sharing and analysis centers, and others in the private sector 
so as to enhance security worldwide.
    What makes the NIPC unique is that we have access to 
information from law enforcement sources and investigations, 
the intelligence community, international sources, private 
sector contacts and open sources. No other entity has access to 
such a complete range of information.
    In cyberspace, we all look the same as has been pointed out 
here today in the demonstration. Thus, investigations is an 
important component of what the center does. Finding out the 
origin of an intrusion and who is sitting behind that keyboard 
is a huge challenge. What makes the NIPC unique is that through 
the FBI, we have access to both criminal and national security 
authorities to conduct such investigations. As an interagency 
center, we can coordinate our investigative efforts more 
efficiently. If the intruder is overseas, we can use our 
partners regarding investigations and prosecutions through our 
legal attaches in over 40 countries around the world. Once we 
have determined the facts regarding the attack and the identity 
of the attacker, we can confer with the Department of Justice, 
and just as importantly, policymakers, to fashion the 
appropriate response.
    That response may be criminal prosecution or it might be 
diplomatic, intelligence, or military action, or a combination 
of all three of those things.
    In summary, I must stress that cooperation lies at the 
heart of everything that we do within the Center. We are 
actively engaged with our Federal partners, domestic law 
enforcement, international agencies, the private sector, and 
our international counterparts across the globe. Without 
cooperation and information sharing, we cannot hope to come to 
grips with this problem. We have made a lot of progress, but 
much work remains to be done. Thank you.
    [The prepared statement of Ronald L. Dick follows:]

Prepared Statement of Ronald L. Dick, Director, National Infrastructure 
           Protection Center, Federal Bureau of Investigation

    Representative Greenwood, Members of the subcommittee, thank you 
for inviting me here today to speak to the important issue of 
intrusions into government computer networks. The problem is serious. 
The Department of Defense reports thousands of potential cyber attacks 
launched against DoD systems. GAO reports that ``in 1999 and 2000, the 
Air Force, Army, and Navy recorded a combined total of 600 and 715 
[serious] cyber attacks, respectively.'' This does not even consider 
attacks on civilian agencies. Two weeks ago National Security Advisor 
Condoleezza Rice stated that ``The President himself is on record as 
stating that infrastructure protection is important to our economy and 
to our national security and therefore it will be a priority for this 
administration.''
    Dr. Rice also stated during that same speech that, ``We have to 
maximize our resources and energies by making sure that they are 
focused, instead of allowing them to be dissipated through dispersal.'' 
The need for a coordinated interagency approach to address intrusions 
into government networks was one of the principal reasons for having 
established the National Infrastructure Protection Center (NIPC). When 
the NIPC was founded three years ago, it was during one of the largest 
intrusions ever into U.S. government systems. The lessons learned from 
that intrusion and from the response to it have helped shape the NIPC.
    Let me provide you with a snapshot of our caseload on government 
intrusions. Currently we have 102 cases (of a current total of 1,219 
pending cases) involving computer intrusions into government systems. 
This includes intrusions into federal, state and local systems, as well 
as the military. It should be noted that a single case can consist of 
hundreds of compromised systems that have experienced thousands of 
intrusions. In addition, many agencies conduct investigations 
concerning intrusions into their systems that are not reported to the 
FBI. In short, this case load represents a large number of incidents.
    Several critical elements are required to deal with intrusions into 
government computer systems. There must be an interagency structure to 
deal with this problem. No agency should or should have to address 
these issues alone. Information must be shared with law enforcement and 
the NIPC. We must work to ensure that any intrusions are stemmed and 
the vulnerability that allowed the intrusion is patched.
    Interagency cooperation is essential in dealing with intrusions 
into government systems. As I said at the outset, that is why the NIPC 
was created. Currently the NIPC has representatives from the following 
agencies at the Center: FBI, Army, Navy, Air Force Office of Special 
Investigations, Defense Criminal Investigative Service, National 
Security Agency, United States Postal Service, Department of 
Transportation/Federal Aviation Administration, Central Intelligence 
Agency, Department of Commerce/Critical Infrastructure Assurance 
Office, and the Department of Energy. This representation has given us 
the unprecedented ability to reach back into the parent organizations 
of our interagency detailees on intrusions and infrastructure 
protection matters. In addition, we have formed an interagency 
coordination cell at the Center which holds monthly meetings with U.S. 
Secret Service, U.S. Customs Service, representatives from DoD 
investigative agencies, the Offices of Inspector General of NASA, 
Social security administration, Departments of Energy, State, and 
Education, and the U.S. Postal Service, to discuss topics of mutual 
concern.
    This representation is not enough, however. The PDD states that,--
The NIPC will include FBI, USSS, and other investigators experienced in 
computer crimes and infrastructure protection, as well as 
representatives detailed from the Department of Defense, the 
Intelligence Community and Lead Agencies.'' The NIPC would like to see 
all lead agencies represented in the Center. The more broadly 
representative the NIPC is, the better job it can do in responding to 
intrusions into government systems.
    The NIPC is pursuing three sets of activities that address computer 
intrusions into government systems: prevention, detection, and 
response.

                              PREVENTION:

    Our role in preventing cyber intrusions into government systems is 
not to provide advice on what hardware or software to use or to act as 
a federal systems administrator. Rather our role is to provide 
information about threats, ongoing incidents, and exploited 
vulnerabilities so that government and private sector system 
administrators can take the appropriate protective measures. The NIPC 
has a variety of products to inform the private sector and other 
domestic and international government agencies of the threat, 
including: alerts, advisories, and assessments; biweekly CyberNotes; 
monthly Highlights; and topical electronic reports. These products are 
designed for tiered distribution to both government and private sector 
entities consistent with applicable law and the need to protect 
intelligence sources and methods, and law enforcement investigations. 
For example, Highlights is a monthly publication for sharing analysis 
and information on critical infrastructure issues. It provides 
analytical insights into major trends and events affecting the nation's 
critical infrastructures. It is usually published in an unclassified 
format and reaches national security and civilian government agency 
officials as well as infrastructure owners. CyberNotes is another NIPC 
publication designed to provide security and information system 
professionals with timely information on cyber vulnerabilities, hacker 
exploit scripts, hacker trends, virus information, and other critical 
infrastructure-related best practices. It is published twice a month on 
our website and disseminated in hardcopy to government and private 
sector audiences.
    The NIPC has elements responsible for both analysis and warning. 
What makes the NIPC unique is that it has access to all-source 
intelligence from law enforcement, the intelligence community, private 
sector, international arena, and open sources. No other entity has this 
range of information. Complete and timely reporting of incidents from 
private industry and government agencies allows NIPC analysts to make 
the linkages between government intrusions and private sector activity. 
We are currently working on an integrated database to allow us to more 
quickly make the linkages among seemingly disparate intrusions. This 
database will leverage both the unique information available to the 
NIPC through FBI investigations and information available from the 
intelligence community and open sources. Having these analytic 
functions at the NIPC is a central element of its ability to carry out 
its preventive mission.
    This initiative expands direct contacts with the private sector 
infrastructure owners and operators and shares information about cyber 
intrusions and exploited vulnerabilities through the formation of local 
InfraGard chapters within the jurisdiction of each of the 56 FBI Field 
Offices. This is critical to infrastructure protection, since private 
industry owns most of the infrastructures. Further, InfraGard's success 
belies the notion that private industry will not share information with 
NIPC or law enforcement. All 56 FBI field offices have InfraGard 
chapters. There are currently over 900 InfraGard members. The national 
InfraGard rollout was held on January 5, 2001.
    The NIPC is also working with the Information Sharing and Analysis 
Centers established under the auspices of PDD-63. For example, the 
North American Electric Reliability Council (NERC) serves as the 
electric power ISAC. We have developed a program with the NERC to 
develop an Indications and Warning System for physical and cyber 
attacks. Under the program, electric utility companies and other power 
entities transmit incident reports to the NIPC. These reports are 
analyzed and assessed to determine whether an NIPC alert, advisory, or 
assessment is warranted to the electric utility community. Electric 
power participants in the pilot program have stated that the 
information and analysis provided by the NIPC back to the power 
companies make this program especially worthwhile. NERC has recently 
decided to expand this initiative nationwide. This initiative will 
serve as a good example of government and industry working together to 
share information and the Electrical Power Indications and Warning 
System will provide a model for the other critical infrastructures. 
Eventually the NIPC will need to be able to have a comprehensive 
nation-wide system for all the infrastructures.
    The NIPC is the Sector Lead Agency for the Emergency Law 
Enforcement Services sector. As part of this mission, the Center has 
also been asked to by ELES Sector the to have the NIPC Watch and 
Warning Unit act as the ISAC for the sector. The NIPC is working to 
implement this request.

                               DETECTION:

    Given the ubiquitous vulnerabilities in existing Commercial Off-
the-Shelf (COTS) software, intrusions into critical systems are 
inevitable for the foreseeable future. Thus detection of these 
intrusions is critical if the U.S. Government and critical 
infrastructure owners and operators are going to be able to respond. To 
improve our detection capabilities, we first need to ensure that we are 
fully collecting, sharing, and analyzing all extant information from 
all relevant sources. It is often the case that intrusions can be 
discerned simply by collecting bits of information from various 
sources; conversely, if we don't collate these pieces of information 
for analysis, we might not detect the intrusions at all. Thus the 
NIPC's role in collecting information from all sources and performing 
analysis in itself serves the role of detection.
    Agency system administrators need to work with FedCIRC and the 
NIPC. PDD-63 makes clear the importance of such reporting. It states, 
``All executive departments and agencies shall cooperate with the NIPC 
and provide such assistance, information and advice that the NIPC may 
request, to the extent permitted by law. All executive departments 
shall also share with the NIPC information about threats and warning of 
attacks and about actual attacks on critical government and private 
sector infrastructures, to the extent permitted by law.'' Currently OMB 
has instructed the agencies that they must report their intrusions to 
FedCIRC, but reporting to the NIPC is not mentioned. We are working 
with FedCIRC to define criteria for reporting of incidents to the NIPC 
for analytical as well as investigative purposes.
    In some cases, in response to victims' reports, the NIPC has 
sponsored the development of tools to detect malicious software code. 
For example, in December 1999, in anticipation of possible Y2K related 
malicious conduct, the NIPC posted a detection tool on its web site 
that allowed systems administrators to detect the presence of certain 
Distributed Denial of Service (DDoS) tools on their networks. In these 
cases, hackers plant tools such as Trinoo, Tribal Flood Net (TFN), 
TFN2K, or Stacheldraht (German for barbed wire) on a number of 
unwitting victim systems. Then when the hacker sends the command, the 
victim systems in turn begin sending messages against a target system. 
The target system is overwhelmed with the traffic and is unable to 
function. Users trying to access that system are denied its services. 
The NIPC's detection tools were downloaded thousands of times and have 
no doubt prevented many DDoS attacks.
    The NIPC also led the FBI's multiagency Y2K command center. NIPC 
personnel were on alert during the rollover period watching for 
possible malicious activity under the guise of Y2K. NIPC coordinated a 
nationwide watch effort and distributed reports every four hours round 
the clock on the situation.
    Regarding warning, if we determine that an intrusion is imminent or 
underway, the NIPC Watch is responsible for formulating assessments, 
advisories, and alerts, and quickly disseminating them. The substance 
of those products will come from analytical work done by NIPC analysts. 
If we determine an attack is underway, we can notify both private 
sector and government entities using an array of mechanisms so they can 
take protective steps. In some cases these warning products can prevent 
a wider attack; in other cases warnings can mitigate an attack already 
underway. Finally, these notices can prevent attacks from ever 
happening in the first place. For example, the NIPC released an 
advisory on March 30, 2001 regarding the ``Lion Internet Worm,'' which 
is a DDoS tool targeting Unix-based systems. Based on all-source 
information and analysis, the NIPC alerted systems administrators how 
to look for this compromise of their system and what specific steps to 
take to remove the tools if they are found. This alert was issued after 
consultation with FedCIRC, JTF-CND, a private sector ISAC, and other 
infrastructure partners.

                               RESPONSE:

    Despite our efforts, we know that government systems will continue 
to be attacked. Thus we need to determine the origin of these attacks 
in order to get to the person behind the keyboard for our government to 
formulate the appropriate response. In the cyber world, determining 
what is happening is difficult at the early stages. An event could be a 
system probe to find vulnerabilities or entry points, an intrusion to 
steal data or plant sniffers or malicious code, an act of teenage 
vandalism, an attack to disrupt or deny service, or even an act of war. 
The crime scene itself is totally different from the physical world in 
that it is dynamic--it grows, contracts, and can change shape. Further, 
the tools used to perpetrate a major infrastructure attack can be the 
same ones used for other cyber intrusions (simple hacking, foreign 
intelligence gathering, organized crime activity to steal property, 
data, etc. . . .), making identification more difficult. Determining 
that an event is even occurring thus can often be difficult in the 
cyber world, and usually a determination cannot be made without a 
thorough investigation. In the physical world one can see instantly if 
a building has been bombed or an airliner brought down. In the cyber 
world, an intrusion may go undetected for some time.
    Identification of the perpetrators and their objectives during an 
event is critical especially in the initial stages. The perpetrators 
could be criminal hackers, teenagers, electronic protestors, 
terrorists, or foreign intelligence services. In order to attribute an 
attack, the NIPC coordinates an investigation that gathers information 
from within the United Sates using either criminal investigative or 
foreign counter-intelligence authorities, depending on the 
circumstances. We also rely on the assistance of other nations when 
appropriate. Obtaining reliable information is necessary not only to 
identify the perpetrator but also to determine the size and nature of 
the intrusion: how many systems are affected, what techniques are being 
used, and what is the purpose of the intrusions--disruption, economic 
espionage, theft of money, etc. . . .
    Relevant information could come from existing criminal 
investigations or other contacts at the FBI Field Office level. It 
could come from the U.S. Intelligence Community, other U.S. Government 
agency information, through private sector contacts, the media, other 
open sources, or foreign law enforcement contacts. The NIPC's role is 
to coordinate, collect, analyze, and disseminate this information. 
Indeed this is one of the principal reasons the NIPC was created.
    Because the Internet by its nature embodies a degree of anonymity, 
our government's proper response to an attack first requires 
significant investigative steps. Investigators typically need a full 
range of criminal and/or national security authorities to determine who 
launched the attack. Under our system the legal authorities for 
conducting investigations within the United States include: the 
Computer Fraud and Abuse Act, the Economic Espionage Statute, the 
Electronic Communications Privacy Act, the Foreign Intelligence 
Surveillance Act, as well as the relevant executive orders delineating 
the responsibilities of the intelligence community. Thus the FBI can 
apply for court orders to get subscriber information from Internet 
Service Providers, and monitor communications under the Electronic 
Communications Privacy Act or under the Foreign Intelligence 
Surveillance Act, depending on the facts of the case as they are known 
at the time the order is requested. The FBI has designated the NIPC to 
act as the program manager for all of its computer intrusion 
investigations, and the NIPC has made enormous strides in developing 
this critical nationwide program. In that connection, the NIPC works 
closely with the Criminal Division's Section on Computer Crime and 
Intellectual Property, the Department's Office of Intelligence Policy 
and Review, and the U.S. Attorney's Offices in coordinating legal 
responses.
    In the event of a national-level set of intrusions into significant 
systems, the NIPC will form a Cyber Crisis Action Team (C-CAT) to 
coordinate response activities and use the facilities of the FBI's 
Strategic Information and Operations Center (SIOC). The team will have 
expert investigators, computer scientists, analysts, watch standers, 
and other U.S. government agency representatives. Part of the U.S. 
government team might be physically located at FBI Headquarters and 
part of the team may be just electronically connected. The C-CAT will 
immediately contact field offices responsible for the jurisdictions 
where the attacks are occurring and where the attacks may be 
originating. The C-CAT will continually assess the situation and 
support/coordinate investigative activities, issue updated warnings, as 
necessary, to all those affected by or responding to the crisis. The C-
CAT will then coordinate the investigative effort to discern the scope 
of the attack, the technology being used, and the possible source and 
purpose of the attack.
    While we have not seen an example of cyber terrorism directed 
against U.S. government systems, the NIPC's placement in the FBI's 
counterterrorism division will allow for a seamless FBI response in the 
event of a terrorist action that encompasses both cyber and physical 
attacks. The NIPC and the other elements of the FBI's Counterterrorism 
Division have conducted joint operations and readiness exercises in the 
FBI's SIOC. We are prepared to respond if called upon.
Case Examples
    Over the past several years we have seen a wide range of cyber 
threats ranging from defacement of websites by juveniles to 
sophisticated intrusions sponsored by foreign powers, and everything in 
between. Some of these are obviously more significant than others. The 
theft of national security information from a government agency or the 
interruption of electrical power to a major metropolitan area would 
have greater consequences for national security, public safety, and the 
economy than the defacement of a web-site. But even the less serious 
categories have real consequences and, ultimately, can undermine 
confidence in e-commerce and violate privacy or property rights. A web 
site hack that shuts down an e-commerce site can have disastrous 
consequences for a business. An intrusion that results in the theft of 
credit card numbers from an online vendor can result in significant 
financial loss and, more broadly, reduce consumers' willingness to 
engage in e-commerce. Because of these implications, it is critical 
that we have in place the programs and resources to investigate and, 
ultimately, to deter these sorts of crimes.
    In addition, because it is often difficult to determine whether an 
intrusion or denial of service attack, for instance, is the work of an 
individual with criminal motives or foreign nation state, we must treat 
each case as potentially serious until we gather sufficient information 
to determine the nature, purpose, scope, and perpetrator of the attack. 
While we cannot discuss ongoing investigations, we can discuss closed 
cases that involve FBI and other agency investigations in which the 
intruder's methods and motivation were similar to what we are currently 
seeing. A few illustrative are described below:
    In hacker cases, the attacker's motivation is just to see how far 
he can intrude into a system. This seems to be the motivation for the 
California teens in the well-known Solar Sunrise case. In this case the 
intruders exploited a well known vulnerability in computers that run on 
the Sun Solaris operating system. By exploiting this vulnerability, the 
intruder can gain root access (total control) of the system. As in the 
Solar Sunrise case, the intruders can then install their own accounts 
on the system and create backdoors into the system from which they can 
then install additional programs to find passwords. They also had the 
ability to alter, remove, or destroy data on those systems. This case 
demonstrated to the interagency community how difficult it is to 
identify an intruder until all of the facts are gathered through an 
investigation, and why assumptions cannot be made until sufficient 
facts are available. The incident also vividly demonstrated the 
vulnerabilities that exist in our networks; if these individuals were 
able to assume ``root access'' to certain unclassified DoD systems, it 
is not difficult to imagine what hostile adversaries with greater 
skills and resources would be able to do. Finally, Solar Sunrise 
demonstrated the need for interagency coordination to deal with such 
attacks. The perpetrators in this case were two 16 and an 18 years old.
    We have also seen cases of hacking and mischief for what might be 
termed personal reasons. For example, Eric Burns, a.k.a Zyklon, hacked 
into the White House web site as well as other sites. This case was 
worked jointly by the U.S. Secret Service and the FBI. He was caught 
and pled guilty to one count of 18 U.S.C.1030. In November 1999 he was 
sentenced to 15 months in prison, 3 years supervised release, and 
ordered to pay $36,240 in restitution and a $100 fine.
    In another example, the Melissa Macro Virus was reportedly named 
after an exotic dancer from Florida; this virus wreaked havoc on 
government and private sector networks in March 1999. He pled guilty to 
one federal count of violating 18 U.S.C. 1030 and four state counts. He 
admitted to causing $80 million in damage as well. David Smith, the 
author of the virus, faces a maximum sentence of five years and 
$250,000 on the federal charge. He is currently awaiting sentencing. 
This is a good example of how federal and state governments are 
increasingly coordinating investigations and prosecutions in combating 
computer crime.
    In another case, system penetration coupled with theft can be the 
motivation. A Florida youth admitted to breaking into 13 computers at 
the Marshall Space Flight Center in Huntsville, Alabama in June 1999 
and downloading $1.7 million in NASA proprietary software that supports 
the International Space Station's environmental systems. NASA has 
estimated the cost to repair the damage at $41,000. The subject has 
also admitted to entering Defense Department systems of the Defense 
Threat Reduction Agency, intercepting 3,300 e-mail messages, and 
stealing passwords from Pentagon computers. This case was investigated 
by NASA. He was sentenced to six months in a juvenile detention center 
for hacking into NASA computers which support the International Space 
Station.
    Virus writers have become a more prevalent threat in recent years. 
We have seen virus writers unleash havoc on the Internet for a variety 
of motivations. In May 2000 companies and individuals around the world 
were stricken by the ``Love Bug,'' a virus (or, technically, a 
``worm'') that traveled as an attachment to an e-mail message and 
propagated itself extremely rapidly through the address books of 
Microsoft Outlook users. The virus/worm also reportedly penetrated at 
least 14 federal agenciesCincluding the Department of Defense (DOD), 
the Social Security Administration, the Central Intelligence Agency, 
the Immigration and Naturalization Service, the Department of Energy, 
the Department of Agriculture, the Department of Education, the 
National Aeronautics and Space Administration (NASA), along with the 
House and Senate.
    Investigative work by the FBI's New York Field Office, with 
assistance from the NIPC, traced the source of the virus to the 
Philippines within 24 hours. The FBI then worked, through the FBI Legal 
Attache in Manila, with the Philippines' National Bureau of 
Investigation, to identify the perpetrator. The speed with which the 
virus was traced back to its source is unprecedented. The prosecution 
in the Philippines was hampered by the lack of a specific computer 
crime statute. Nevertheless, Onel de Guzman was charged on June 29, 
2000 with fraud, theft, malicious mischief, and violation of the 
Devices Regulation Act. However, those charges were dropped in August 
by Philippine judicial authorities. As a postscript, it is important to 
note that the Philippines' government on June 14, 2000 reacted quickly 
and approved the E-Commerce Act, which now specifically criminalizes 
computer hacking and virus propagation. The Philippine government will 
not be hindered by insufficient charging authorities should an incident 
like this one ever occur again. Also, the NIPC continues to work with 
other nations to provide guidance on the need to update criminal law 
statutes.
    In some cases, we have been able to prevent the release of 
disastrous viruses against public systems. On March 29, 2000, FBI 
Houston initiated an investigation when it was discovered that certain 
small businesses in the Houston area had been targeted by someone who 
was using their Internet accounts in an unauthorized manner and causing 
their hard drives to be erased. On March 30, 2000, FBI Houston 
conducted a search warrant on a residence of an individual who 
allegedly created a computer ``worm'' that seeks out computers on the 
Internet. This ``worm'' looks for computer networks that have certain 
sharing capabilities enabled, and uses them for the mass replication of 
the worm. The worm causes the hard drives of randomly selected 
computers to be erased. The computers whose hard drives are not erased 
actively scan the Internet for other computers to infect and force the 
infected computers to use their modems to dial 911. Because each 
infected computer can scan approximately 2,550 computers at a time, 
this worm could have the potential to create a denial of service attack 
against the E911 system. The NIPC issued a warning to the public 
through the NIPC webpage, SANS, NLETS, InfraGard, and teletypes to 
government agencies. On May 15, 2000 Franklin Wayne Adams of Houston 
was charged by a federal grand jury with knowingly causing the 
transmission of a program onto the Internet which caused damage to a 
protected computer system by threatening public health and safety and 
by causing loss aggregated to at least $5000. Adams was also charged 
with unauthorized access to electronic or wire communications while 
those communications were in electronic storage. He faces 5 years in 
prison and a $250,000 fine.
    Revenge by disgruntled employees seems to be another strong 
motivation for attacks. Insiders do not need a great deal of knowledge 
about computer intrusions, because their knowledge of victim systems 
often allows them to gain unrestricted access to cause damage to the 
system or to steal system data. For example, in July 1997 Shakuntla 
Devi Singla used her insider knowledge and another employee's password 
and logon identification to delete data from a U.S. Coast Guard 
personnel database system. It took 115 agency employees over 1800 hours 
to recover and reenter the lost data. Ms. Singla was convicted and 
sentenced to five months in prison, five months home detention, and 
ordered to pay $35,000 in restitution.
    Another case involved a National Library of Medicine (NLM) 
employee. In January and February 1999 the National Library of Medicine 
computer system, relied on by hundreds of thousands of doctors and 
medical professionals from around the world for the latest information 
on diseases, treatments, drugs, and dosage units, suffered a series of 
intrusions where system administrator passwords were obtained and 
hundreds of files downloaded, including sensitive medical ``alert'' 
files and programming files that kept the system running properly. The 
intrusions were a significant threat to public safety and resulted in a 
monetary loss in excess of $25,000. FBI investigation identified the 
intruder as Montgomery Johns Gray, III, a former computer programmer 
for NLM, whose access to the computer system had been revoked. Gray was 
able to access the system through a ``backdoor'' he had created in the 
programming code. Due to the threat to public safety, a search warrant 
was executed for Gray's computers and Gray was arrested by the FBI 
within a few days of the intrusions. Subsequent examination of the 
seized computers disclosed evidence of the intrusion as well as images 
of child pornography. Gray was convicted by a jury in December 1999 on 
three counts for violation of 18 U.S.C. 1030. Subsequently, Gray 
pleaded guilty to receiving obscene images through the Internet, in 
violation of 47 U.S.C. 223. Montgomery Johns Gray III was sentenced to 
5 months prison, 5 months halfway house, 3 years probation and ordered 
to pay $10,000 in restitution and assessments.
    We are also seeing the increased use of cyber intrusions by 
criminal groups who attack systems for purposes of monetary gain. In 
September, 1999, two members of a group dubbed the ``Phonemasters'' 
were sentenced after their conviction for theft and possession of 
unauthorized access devices (18 USC Sec. 1029) and unauthorized access 
to a federal interest computer (18 USC Sec. 1030). The ``Phonemasters'' 
were an international group of criminals who penetrated the computer 
systems of MCI, Sprint, AT&T, Equifax, and even the National Crime 
Information Center. The Phonemasters' methods included ``dumpster 
diving'' to gather old phone books and technical manuals for systems. 
They used this information to trick employees into giving up their 
logon and password information. The group then used this information to 
break into victim systems. One member of this group, Mr. Calvin 
Cantrell, downloaded thousands of Sprint calling card numbers, which he 
sold to a Canadian individual, who passed them on to someone in Ohio. 
These numbers made their way to an individual in Switzerland and 
eventually ended up in the hands of organized crime groups in Italy. 
Cantrell was sentenced to two years as a result of his guilty plea, 
while one of his associates, Cory Lindsay, was sentenced to 41 months.
    Terrorists groups are increasingly using new information technology 
and the Internet to formulate plans, raise funds, spread propaganda, 
and to communicate securely. In his statement on the worldwide threat 
in 2000, Director of Central Intelligence George Tenet testified that 
terrorists groups, ``including Hizbollah, HAMAS, the Abu Nidal 
organization, and Bin Laden's al Qa'ida organization are using 
computerized files, e-mail, and encryption to support their 
operations.'' In one example, convicted terrorist Ramzi Yousef, the 
mastermind of the World Trade Center bombing, stored detailed plans to 
destroy United States airliners on encrypted files on his laptop 
computer. While we have not yet seen these groups employ cyber tools as 
a weapon to use against critical infrastructures, their reliance on 
information technology and acquisition of computer expertise are clear 
warning signs. Moreover, we have seen other terrorist groups, such as 
the Internet Black Tigers (who are reportedly affiliated with the Tamil 
Tigers), engage in attacks on foreign government web-sites and email 
servers. During the riots on the West Bank in the fall of 2000, Israeli 
government sites were subjected to e-mail flooding and ``ping'' 
attacks. The attacks allegedly originated with Islamic elements trying 
to inundate the systems with email messages. As one can see from these 
examples overseas, ``cyber terrorism''--meaning the use of cyber tools 
to shut down critical national infrastructures (such as energy, 
transportation, or government operations) for the purpose of coercing 
or intimidating a government or civilian population--is thus a very 
real threat.
    We have worked closely with our international partners on computer 
intrusion cases, including cases in which hackers have illegally 
accessed U.S. government systems. In 1999 the FBI cooperated with New 
Scotland Yard in the United Kingdom on a case in which a UK citizen 
confessed to breaking into U.S. Navy systems. He was further suspected 
of intruding into other systems, including that of the U.S. Senate. He 
was sentenced to a term of 3 years on a probation-like status.
    We believe that foreign intelligence services have adapted to using 
cyber tools as part of their information gathering tradecraft. While I 
cannot go into specific cases, there are overseas probes against U.S. 
government systems every day. It would be naive to ignore the 
possibilty or even probability that foreign powers were behind some or 
all of these probes. The motivation of such intelligence gathering is 
obvious. By combining law enforcement and intelligence community assets 
and authorities under one Center, the NIPC can work with other agencies 
of the U.S. government to detect these foreign intrusion attempts.
    The prospect of ``information warfare'' by foreign militaries 
against our critical infrastructures is perhaps the greatest potential 
cyber threat to our national security. We know that many foreign 
nations are developing information warfare doctrine, programs, and 
capabilities for use against the United States or other nations. 
Knowing that they cannot match our military might with conventional or 
``kinetic'' weapons, nations see cyber attacks on our critical 
infrastructures or military operations as a way to hit what they 
perceive as America's Achilles heel B our growing dependence on 
information technology in government and commercial operations. For 
example, two Chinese military officers recently published a book that 
called for the use of unconventional measures, including the 
propagation of computer viruses, to counterbalance the military power 
of the United States.

                               CONCLUSION

    While the NIPC has accomplished much over the last three years in 
building the first nationallevel operational capability to respond to 
cyber intrusions, much work remains. We have learned from cases that 
successful network investigation is highly dependent on expert 
investigators and analysts, with state-of-the-art equipment and 
training. We have built that capability both in the FBI Field Offices 
and at NIPC Headquarters, but we have much work ahead if we are to 
build our resources and capability to keep pace with the changing 
technology and growing threat environment, while at the same time being 
able to respond to several major incidents at once.
    We are building the international, agency to agency, government to 
private sector, and law enforcement partnerships that are vital to this 
effort. The NIPC is well suited to foster these partnerships since it 
has analysis, information sharing, outreach, and investigative 
missions. We are working with the executives in the infrastructure 
protection community with the goal of fostering the development of safe 
and secure networks for our critical infrastructures. While this is a 
daunting task, we are making progress.
    Within the federal sector, we have seen how much can be 
accomplished when agencies work together, share information, and 
coordinate their activities as much as legally permissible. But on this 
score, too, more can be done to achieve the interagency and 
publicprivate partnerships called for by PDD63. We need to ensure that 
all relevant agencies are sharing information about threats and 
incidents with the NIPC and devoting personnel and other resources to 
the Center so that we can continue to build a truly interagency, 
``national'' center. Finally, we must work with Congress to make sure 
that policy makers understand the threats we face in the Information 
Age and what measures are necessary to secure our Nation against them. 
I look forward to working with the Members and Staff of this Committee 
to address these vitally important issues.
    Thank you.

    Mr. Greenwood. We thank you for your testimony.
    Mr. Noonan.

                    TESTIMONY OF TOM NOONAN

    Mr. Noonan. Mr. Chairman, thank you for having me today, 
and other members of the committee. I am very pleased to be 
here to talk about an issue that we are both passionate about, 
and an issue of, I believe, very critical national security.
    Although the folks from the DOE are not here, I thank them 
because I recognize some of the technology that we pioneered 
about 8 years ago, and they are using it today effectively to 
protect the DOE, as are other government agencies, and I am 
always pleased to see our technology in use.
    I am here today to provide you with some background 
information on threat assessment, on the vulnerabilities and 
threats that we see in the commercial sector, on the 
vulnerabilities and threats that we see in working with some 26 
foreign governments outside of the United States as well as 
some 9,000 commercial customers around the globe.
    Every day we get involved in one side or the other of 
hacking, either protecting networks from hackers, cyber thieves 
and others; or addressing vulnerabilities, fixing the 
weaknesses necessary to protect those systems. These 
individuals typically use the Internet to address their own 
pursuits, including international cyberterrorism, causing havoc 
and mayhem. I am far less concerned about teenage hackers, 
although they seem to make the press more often, and become far 
more concerned with the sophisticated attacks against not just 
our government but our industry.
    As a company, we monitor and manage the security of 
companies around the world through security operations centers 
we have located in Sweden, the U.S., Japan, the Philippines, 
Italy, Rio de Janeiro, and Atlanta, Georgia. So we have an 
interconnected network of security operation centers monitoring 
companies and detecting and tracking threats around the world.
    Over the years, I have watched computer vulnerabilities 
increase dramatically. The Internet is so useful for the 
reasons that it is so vulnerable. I would like to share two 
analogies. The first analogy I would like to use is to compare 
a computer to that of a house. Most of you are familiar with 
your house. You typically have a front door, a back door, and 
some windows that periodically you lock or monitor through your 
system. Every single computer connected to the Internet has the 
equivalent of 65,536 doors and windows, and many of them cannot 
be locked. They cannot be locked because you are using those 
doors and windows for legitimate access. So the real challenge 
becomes, with all of these doors and windows, how do we 
ultimately determine which need to be locked and which need to 
be left open, and those that are left open, how are they 
monitored to assure proper use and access of the system?
    If you multiply 65,000 times all of the computers on the 
Internet, that is how many potential ways to access computers 
there are. It is simply not a problem that we can address 
manually. We have to use technology and automation as part of 
that solution.
    So just as physical security companies like ADT or 
Honeywell or Brinks monitor physical locations, security 
companies, ours being one of them, have not only pioneered the 
technology to provide this monitoring--some of the tools you 
saw from the DOE, for instance--but also to deliver that as a 
service. I think that is an area that government ought to 
responsibly look at as we move forward: the area of managed 
security systems.
    My second analogy compares computer security to a chess 
game. In a chess game, the goal is to protect the king. In 
information security, the goal is to protect information but 
otherwise provide legitimate access to it for nonmalicious 
purposes. But a knowledgeable chess player is required to 
maneuver and play the chess game, just like a knowledgeable 
security person is required to help coordinate and manage the 
overall security posture of a system.
    I think we are fooling ourselves if we think that every 
single user of every computer is going to be aware enough to 
check their own systems for back doors, to deal with the 
problems that are so deeply routed in the technology underneath 
this. Just as a chess game environment is constantly changing, 
so is the network. New applications, new users, new trading 
partners, new introductions of sensitive data, et cetera. Over 
the years, as the Internet has become more used in business and 
more acceptable to the masses, it has been attacked at an 
increasing rate.
    Incidents occur when hackers maneuver through a system, 
take advantage of the vulnerabilities and cause a system 
breach.
    So as to your question, Mr. Chairman, there is a whole new 
currency on the Internet, it is called the back door. Today I 
could easily trade two DOTs for one GM or a Procter & Gamble 
for another back door in some other case. So on the Internet, 
back doors or accounts are being used as a new currency, and 
they are being traded frequently.
    Vulnerabilities are holes or weaknesses and problems that 
exist in the computer systems, as we saw from the DOE 
demonstration, and these incidents include everything from 
credit card theft, which seems to be where the consumers' fear 
is, to the compromise of very sensitive systems. And it comes 
down to three things:
    One, confidentiality. Is and can the information be 
protected?
    Two, integrity. Can it be changed to questions that came 
from the Chair?
    And, last, is it available? Denial of service, which you 
have heard, the ability to completely shut down or destroy data 
is possible here.
    So what I would like to do is introduce three slides to 
demonstrate what is happening in industry. The first slide 
demonstrates top security breaches. As you can see, 4 percent 
of the breaches are actually physical security breaches such as 
breaking into a window or getting through a locked door.
    Let us look beyond that into where the real computer 
security problems are. Twenty percent are system unavailability 
breaches or denial of service breaches. We learned about those 
in February of last year when some of the most important 
commerce sites on the Internet were taken off line by malicious 
activity.
    Also, as Mr. Dick has commented on, the ``ILUVYOU'' e-mail 
virus cost industry billions of dollars. Electronic exploits 
represent about 20 percent of the breaches. An example of an 
electronic exploit is finding a hole and installing a back 
door. The gentleman from the DOE showed you how easy that is. 
Last, 25 percent of the breaches are loss of privacy or 
confidentiality breaches such as when someone compromises a 
record or data base and removes information. Twenty-six percent 
are malicious code breaches, things like when a hacker sends an 
attachment with a malicious payload and, when opened, it 
deletes files automatically.
    To give you an idea how fast incidents are occurring, the 
second slide examines the increase in one type of breach: the 
virus. If you look at the threat spectrum, on one side you have 
the traditional virus all of the way up through denial of 
service attacks, trojans, worms, electronic compromise of data 
bases and operating systems.
    But if you look at this slide, you can see that viruses in 
October 1999 alone, there were more than 2,000 new known 
viruses. In November 1999, there were over 2,400. In December 
1999, over 2,500 more were added. In October 2000, there were 
30,678 new viruses being tracked; and in November of 2000, 
there were some 23,962 new viruses. What we are seeing here is 
exponential growth of an issue that is getting out of hand and 
causing significant damage and problems to the global computing 
infrastructure.
    I would like to give you a better idea of how incidents 
generally occur and how computer security companies protect 
against these incidents.
    The third slide is an example of a Website where crackers 
can get information to help them break into a system. This is a 
Website that I have deattributed. Being in the protection 
business, I don't like to pass along where people can go get 
these weapons. This actually came from an African hacking site, 
and in this hacking site it is basically the equivalent of 
being able to anonymously walk down to your corner store, pick 
up an anthrax bomb and a couple of grenades, and be able to 
launch them from your own computer anonymously and without any 
visibility as to who you are. These happen to be computer 
exploits.
    You can take back doors that monitor and take advantage of 
microphones, denial of service attacks, you have a whole 
smorgasbord up here to fill your palate.
    This site lists new vulnerabilities that have been 
discovered and programs that allow anyone to use these exploits 
to damage a system. There are literally thousands of these 
sites on the Internet, so you do not have to be very 
sophisticated or have a high IQ to cause a lot of damage to our 
infrastructure.
    We monitor the Websites that discover the latest trends. In 
addition, thousands of private chat rooms exist where more 
sophisticated crackers trade hacking tools over the Internet.
    We are pleased that the government is interested in taking 
computer security seriously. The United States spends billions 
of dollars buying weapons and gaining intelligence to protect 
our country. Our computer systems must be adequately protected 
or our entire infrastructure could be compromised by one single 
person with one single computer.
    Even though the task is complicated, computer systems can 
be protected. I think today we focused on how easy they are to 
break in. I think it might be helpful someday to have a session 
on how effectively we can protect the computer systems today 
because this is where we are going to take action. I think the 
government has taken great strides in the past few years, but 
much more is needed. I think we are moving from the topical to 
the awareness to let us start taking some action here.
    As industry has considerable resources and expertise, a 
continued partnership with industry is crucial. In addition, 
computer systems should be a priority, and leadership and 
coordination are necessary in the government. The government 
has done well with the resources it has been given. However, 
computer security specialists we believe are required to 
implement and coordinate many different security products and 
services to adequately secure a system.
    In my company alone, the average salary of one of my 2,000 
employees is around $80,000. I don't know of an industry where 
the average employee from the mailman to the CEO is $80,000. 
Computer security experts are scarce. They are in short supply 
and they are expensive. To help address the cost of computer 
security, I think we ought to focus not just on what do we do 
to protect our infrastructure, but we ought to extend these 
efforts to educational efforts that we can undertake to train 
the personnel coming out of our schools, not just our 
engineering schools, but our colleges and universities. 
Computer programmers should be trained in computer security. 
Today they are not. Today they are trained in how do you make 
the best feature. What they do not focus on is the 
vulnerability that they leave behind.
    Specialized programs in computer security should be 
encouraged, and we are strongly supportive of the universities 
that are implementing them today. I look forward to a 
continuing dialog on computer security issues. Working 
together, we are confident we can adequately secure our 
country's assets and information. Thank you.
    [The prepared statement of Tom Noonan follows:]

Prepared Statement of Tom Noonan, President and CEO, Internet Security 
 SystemsGood Morning, Mr. Chairman and Members of the Committee. I am 
    pleased to appear before you today to discuss an issue of great 
                       importance to our country.

                               BACKGROUND

    In 1991, the founder and Chief Technology Officer of Internet 
Security Systems, Chris Klaus, became interested in government security 
while interning at the Department of Energy. Chris then began working 
on a groundbreaking technology that actively identified and fixed 
computer security weaknesses. The next year, while attending Georgia 
Institute of Technology (``Georgia Tech''), Chris released his product 
for free on the Internet. He received thousands of requests for his 
invention, and decided that he should sell it. In 1994, I met Chris 
over the Internet and teamed with him to form Internet Security 
Systems. I was then working for a computer company, having attended GA 
Tech and Harvard Business School. Chris and I then launched the 
company's first product, Internet Scanner, and went public in March 
1998. And yes, we're a profitable company, even in today's market. 
Today, Internet Security Systems is the worldwide leader in security 
management software. For nearly 10 years, which is several lifetimes in 
Internet time, we have been involved in computer security, watching the 
area grow from the outset. Chris Klaus (who is now 26) is one of a 
handful of premiere experts in the world on computer security, and 
Internet Security Systems is a widely recognized pioneer in computer 
security. Computer security is all we do. We have nearly 2,000 
employees in 18 countries focused exclusively on computer security. 
Altogether, we now have more than 8,000 customers, including 68 percent 
of the Fortune 500, and 21 of the 25 largest U.S. commercial banks. We 
also serve the ten largest telecommunication companies, numerous U.S. 
government agencies, and other non-U.S. governments.

                            VULNERABILITIES

    I'm here today to provide you with some background information on 
threat assessment. Every day, Internet Security Systems stops criminal 
hackers and cyber-thieves by addressing vulnerabilities in computers. 
The individuals who use the Internet for business to business warfare, 
for international cyber-terrorism, or to cause havoc and mayhem in our 
technology infrastructure. Internet Security Systems is involved in 
every aspect of computer security, whether in making the security 
products or in managing them. We also monitor networks and systems 
around the clock (24 x 7 x 365) from the US, Japan, South America, and 
Europe in our Security Operations Centers (``SOCs''). We search for 
attacks and misuse, identify and prioritize security risks, and 
generate reports explaining the security risks and what can be done to 
fix them. At the heart of our solution is our team of world-class 
security experts focused on uncovering and protecting against the 
latest threats. This team of 200 global specialists, dubbed the X-
Force, understands exactly how to transform the complex technical 
challenges into an effective, practical, and affordable strategy. 
Because of all of these capabilities, companies and governments turn to 
us as their trusted computer security advisor.
    Over the years, I have watched computer vulnerabilities increase 
dramatically. The Internet is so useful for the very reasons that it is 
so vulnerable. To give you an idea of what we are dealing with, I'd 
like to share two analogies. First, I'll compare a computer to a house. 
Every computer connected to the Internet has the equivalent of 65,536 
doors and windows which need to be locked and monitored to make sure no 
one breaks in. Multiply 65,536 by every computer in every company and 
you begin to see the extent of the problem. Just as physical security 
companies like ADT monitor your physical doors and windows, computer 
security companies must lock and monitor the doors and windows of 
computers.
    My second analogy compares this complicated area of computer 
security to a Chess game. In a Chess game, the goal is to protect the 
king--or mission critical information. The other Chess pieces protect 
the king. But a knowledgeable Chess player is required to maneuver the 
Chess pieces. With computer security, the goal is to protect the 
information. A variety of computer security products, including 
Intrusion Detection Systems (IDS) and vulnerability assessment, 
function as Chess pieces, and protect and watch the information. These 
products are absolutely essential. However, you also need to have a 
computer security expert to manage these products, just as you have to 
have a knowledgeable Chess player maneuver the Chess pieces. Just as a 
Chess game environment is constantly changing, the computer security 
environment is also constantly changing. Computer security companies, 
such as Internet Security Systems, produce the products and perform the 
services that protect the information and manage the products so that 
they function in the proper way.
    Over the years, as the Internet has become more used in business 
and more accessible to the masses, it has been attacked at an 
increasing rate. Incidents occur when hackers maneuver through a 
system, take advantage of the vulnerabilities, and cause a system 
breach. Vulnerabilities are holes, weaknesses, and problems that exist 
in computer systems. Incidents include credit card theft or other 
information theft. The first slide documents the top security breaches. 
4% of these breaches are actual physical security breaches, such as 
breaking a window or getting in through a locked door. 20% are system 
unavailability breaches or denial-of-service breaches, such as the 
``ILUVYOU'' email virus. Electronic exploits represent 20% of the 
breaches. An example of an electronic exploit is finding a hole where 
you can install a backdoor to get into a computer system. 25% of the 
breaches are loss of privacy or confidentiality breaches, such as when 
a cracker breaks into a database server and gains access to credit card 
information. 26% are malicious code breaches, such as when a hacker 
sends an email with an attachment that when opened, deletes files on 
the computer system. 5% of the breaches are other breaches.
    To give you an idea of how fast incidents are occurring, the second 
slide examines the increase in just one type of breach, the virus. 
Viruses, such as the ``ILUVYOU'' virus are mini computer programs that 
flood a computer system with email so that the system slows down or 
crashes. Viruses can also destroy information on a computer system. In 
October 1999 alone there were more than 2000 new known viruses. In 
November 1999, there were 2,427 new viruses. In December 1999, 2,586 
were added. Look at how these numbers have dramatically increased in 
2000. In October 2000, there were 30,678 new viruses. In November 2000, 
there were 23,962 new viruses. In December 2000, there were 16,762 new 
viruses. Keep in mind that the vast impact caused by the ``ILUVYOU'' 
virus was caused by only one of these viruses.
    To give you a better idea of how incidents generally occur, and how 
computer security companies protect against these incidents, the third 
slide is an example of a Web site where crackers can get information 
that will help them break into a system. Because we are in the 
protection business, we have modified this site and removed the 
identifying information. This site lists new vulnerabilities that have 
been discovered, and includes programs that allow anyone to use these 
to exploit vulnerabilities to damage a system. There are thousands of 
similar Web sites. Our X-Force monitors the most important Web sites to 
discover the latest trends. In addition, thousands of private chat 
rooms exist where more sophisticated crackers trade hacking tools over 
the Internet. Our X-Force gains access to important chat rooms and 
monitors them as well.

                            RECOMMENDATIONS

    We are pleased that the Government is interested in taking computer 
security seriously. The United States spends billions of dollars buying 
weapons and gaining intelligence to protect our country from more 
conventional types of attack. Our computer systems must also be 
adequately protected, or our entire infrastructure could be compromised 
by one person with one computer. Even though the task is complicated, 
computer systems can be protected.
    The Government has taken great strides in the past few years. 
However, much, much more is needed. As industry has considerable 
resources and expertise, a continued partnership with industry is 
crucial. In addition, computer security must be a priority, and 
leadership and coordination are necessary in the Government. 
International leadership is also required. Perhaps most importantly, 
funding for secure Government systems must be increased by a 
substantial amount, and outsourcing should be considered as an option. 
The Government often does well with the resources it has been given. 
However, computer security specialists are required to implement and 
coordinate many different security products and services to adequately 
secure a system. As computer security expertise is extremely rare, the 
cost of computer security specialists is astronomical. In my company 
alone, the average salary of my 2000 employees is around $80,000. To 
help address the cost of computer security, educational efforts must be 
undertaken to train the personnel required. Computer programmers in 
universities should be trained in computer security. Currently, they 
are not. In addition, specialized programs in computer security should 
be encouraged.
    Thank you for inviting me here today. I look forward to a 
continuing dialog on the computer security issue, and hope that, 
working together, we can adequately secure our country's assets and 
information.

    Mr. Greenwood. Thank you very much for your extraordinary 
testimony.
    The Chair recognizes himself for 5 minutes for questions.
    Ms. McDonald, on your chart, the route compromises, 155 
last year, are those the kind of compromises that we saw in the 
demonstration where you can essentially take over an entire 
system?
    Ms. McDonald. Yes.
    Mr. Greenwood. Question for Mr. Dick. You referred to the 
issue of who is sitting behind the keyboard. Can you elaborate 
on what the FBI has discovered as to who these perpetrators 
are? We know that there are teenagers who will hack into 
systems for the fun of it. But in terms of identified 
perpetrators, can you share with us what their motivations have 
been?
    Mr. Dick. In the physical world, the range and motives 
associated with who are perpetrating these kinds of acts runs 
the full gamut. As Tom was referring to, we have the teenage 
hackers that are doing it for sport and notoriety on the 
Internet, to the other range where we have state-sponsored 
activities associated with trying to discern how to conduct 
information warfare.
    What we see in the range of what we refer to as southern 
vulnerabilities, you have a high volume of, let us say, the 
hackers that are going into systems for the honor or 
recognition of it--which is relatively low impact as far as our 
national security and economic well-being--which is going down 
the virus writers, which does have an economic impact on us, to 
criminal organizations. We are now seeing both U.S. and foreign 
criminal organizations attacking systems for credit card 
information, and then going back and extorting the businesses 
out of funds for not recognizing or exposing that they have 
been vulnerable to espionage and so forth.
    Mr. Greenwood. What are the kind of penalties that have 
been exacted against these perpetrators, and do you believe the 
penalties are adequate under the current Federal statutes?
    Mr. Dick. For violations of Title 18, section 1030, the 
penalties are 10 years in jail for each violation. The maximum 
penalties associated probably are adequate.
    Now, have the courts, based upon the sentencing guidelines, 
levied those kinds of penalties to subjects which have been 
convicted? Not at this point. It is very similar to white 
collar crime investigations where the penalties are perceived 
by some to be less than adequate. But I think with time, that 
will change also.
    Mr. Greenwood. What about international cooperation? You 
referenced the case in the Philippines where they were not--
their laws did not permit us to prosecute that perpetrator. Are 
there in process efforts to create international agreements or 
treaties with regard to these hackers?
    Mr. Dick. Yes. There are a number of things ongoing right 
now through the G-8 and the Council of Europe to implement laws 
that will more standardize not only our ability to prosecute, 
but our ability to access information.
    One of the difficulties in investigating these cases is 
almost 99 percent of the time, we are going to end up overseas 
in some faction of the case because of particular hot point or 
place that they intruded into overseas to get into the U.S. 
system exists. So we have to go to a foreign entity just to get 
the information as to what occurred over there. There are 
efforts going on and more could be done. There is a lot of 
emphasis on that at this point in time.
    Mr. Greenwood. Thank you.
    Mr. Noonan, I think you made some reference in your 
testimony to Federal customers that you have, U.S. Government 
customers.
    Mr. Noonan. Yes.
    Mr. Greenwood. Do they tend to be the inspectors general 
buying your services and software so they can check on the 
departments, or do they tend to be the managers of those 
departments buying your software so as to provide the 
protections necessary?
    Mr. Noonan. Historically they have been more the watchdog 
or audit, inspector general type function, meaning using the 
technology to determine where the systems are vulnerable.
    Today we are beginning, and just beginning to see the 
beginnings of more widespread use in intrusion detection. 
Vulnerability detection and intrusion detection are kind of the 
yin and yang. One finds the holes, and the other watches to 
make sure that the other does not exploit the holes.
    Operationally, you want to see the units, using both 
vulnerability detection to fortify the environment and 
intrusion detection to monitor it to ensure that it is being 
used judiciously.
    Historically it has been mainly the watchdog part. That is 
just now beginning to turn to more operational use.
    Mr. Greenwood. Do you and your competitors aggressively 
market your services to the systems managers within the Federal 
Government? Do you have conferences and exhibits and so forth 
where these Federal managers can come and survey this 
technology?
    Mr. Noonan. Yes, we do, as do many in the industry. One 
thing that is of particular note is movement in this area has 
really just begun in the last 6 to 9 months in terms of active 
technologies that can be deployed to protect the 
infrastructure. If I had to take a guess, I would probably say 
that 5 percent, maybe, of the government actually is protected 
with these types of technologies operationally. And I could be 
off by as much as 5 percent. Regardless, I think we have a long 
way to go.
    Ms. McDonald. Mr. Chairman, one of the things that we are 
doing in FedCIRC this fiscal year is evolving into an intrusion 
detection system that is called Managed Security Services, much 
like what Mr. Noonan's company offers.
    We are encouraging Federal agencies to deploy managed 
security services; and hopefully we are responsible for maybe 
some of that 5 percent, if 5 percent exists. It is our 
intention in the FedCIRC organization to, after we have 
encouraged agencies to implement managed security services and 
intrusion detection systems, that we will develop an analysis 
capability within FedCIRC so that these intrusion detection 
systems will feed up into the FedCIRC program office and we 
will be able to get a picture, a much better picture across 
government as to what is actually occurring.
    With this step we feel that we can move from the 20 percent 
of the incidents that are being discovered to closer to the 100 
percent.
    Mr. Greenwood. Mr. Noonan, since the bad guys can use your 
services or at least your software, do you have any process of 
screening out the bad guys?
    Mr. Noonan. Mr. Chairman, it would be very difficult for 
the bad guys to use our technology. Each is encrypted with a 
special key. Each user that licenses the software is required 
to provide information and sign a license agreement. So our 
systems are not freely available, and they do not operate 
unless you have a key generated by us, and each key is specific 
to that user.
    So if the DOE licensed our vulnerability system, they could 
not use it on the Department of Transportation computers 
because it would not match up with their IP addresses.
    Mr. Greenwood. The Chair recognizes the gentleman, Mr. 
Strickland.
    Mr. Strickland. Ms. McDonald, I have a copy here of a March 
2001 newsletter from FedCIRC about the demise of the FedNet, 
which has been described as a conceptualized weapon to defend 
the Federal information infrastructure by tracking anomalous 
behavior. According to this newsletter, FedNet was buried 
because of concerns of the public, media, and Congress because 
it was a threat to privacy rights. Are you familiar with this?
    Ms. McDonald. I am familiar with that, sir. If I could 
explain----
    Mr. Strickland. If you could explain to me what you do not 
agree with.
    Ms. McDonald. We did not bury FedNet. FedNet first came to 
the public's attention in a New York Times article in 1998. 
That article said that FedNet was a system that was going to be 
run by the FBI, and that it was going to monitor all citizens' 
e-mails, including the content of those e-mails, in the United 
States. FedNet was actually a program the GSA was sponsoring, 
not the FBI, and the idea was to develop an intrusion detection 
network with all of the Federal civilian agencies.
    Because of the bad publicity that it got, we revamped the 
program. We now call it the managed security services, which is 
what I alluded to. And what we have done, so that agencies have 
confidence in what we are doing in the FedCIRC program, is we 
are encouraging agencies to establish intrusion detection 
systems within their own organizations and then work with 
FedCIRC on a voluntary basis.
    One of the important facts of this entire area is trust. We 
lost a lot of trust with the FedNet program, which is why we 
chose to rename it managed security services. And as the 
industry has matured, and as Mr. Noonan has testified, these 
services are commercially available and we are encouraging 
agencies to procure these services themselves and then work 
with FedCIRC.
    Mr. Strickland. Ms. McDonald, this is your publication?
    Ms. McDonald. That's correct.
    Mr. Strickland. It indicates that Federal civilian agencies 
for questionable activities, to provide those same agencies a 
vehicle to obtain those services from private industry. I think 
we are talking about the services that were envisioned in 
FedNet. FedCIRC is preparing a new offering that would employ 
private industry and will consist of a variety of information 
security services under the caveat managed security services.
    Now, is this an attempt by the GSA to go--to sneak around 
behind the back of Congress and set up, if not the same system, 
certainly a similar system, as a way of avoiding the kind of 
criticism that was directed toward the previous effort?
    Ms. McDonald. Absolutely not. The idea was to make it much 
more palatable to the Federal civilian agencies, to put them in 
control of the systems because they would be the ones that 
would be procuring what is now a commercially available 
service. FedNet as it was designed or thought of in 1998 didn't 
really exist. But that shows the maturity in this entire field. 
Now these services are available commercially, and it is 
important for agencies to trust the FedCIRC operation. So we 
are encouraging them to deploy these services and then share 
the results of those systems with us.
    Mr. Strickland. Yes. If you can just speak to this 
question. Under the services available from the managed 
security services program, will the public be able to have 
confidence that all of their communications will not be tracked 
or trackable?
    Ms. McDonald. Absolutely.
    Mr. Strickland. That is still a concern?
    Ms. McDonald. That was a misunderstanding from the New York 
Times article. These systems are going to be deployed only at 
Federal agencies looking at Federal agency systems, and they 
will not be looking at the content of those systems.
    Mr. Strickland. So you are saying to me, if a private 
citizen attempts or does gather information from some Federal 
source, some Federal agency, that it will not be possible to 
track that communication to identify it?
    Ms. McDonald. That's correct. Unless that private citizen 
does something like the Department of Energy demonstrated this 
morning, it won't show up on an intrusion detection system if 
it is a normal, approved-type activity.
    Mr. Strickland. Reference is made to anomalous behavior. Do 
you have a definition of what that would be?
    Ms. McDonald. Behavior that is beyond the normal. For 
instance, most of us work 9-to-5 jobs. Profiles are developed 
on a user. If all of a sudden somebody was working at their job 
at 2 a.m., that would fall into that type of behavior, and that 
would kick out on the intrusion detection system.
    Mr. Strickland. I suspect that a lot of committee and staff 
members of the House of Representatives would be identified as 
engaging in anomalous behavior because many of them work at 
strange hours.
    Ms. McDonald. That is true. I am sure that if you looked at 
Mr. Noonan's company's hours, his hours would be quite 
different than perhaps a Federal agency's hours. But with an 
intrusion detection system, you profile the culture that occurs 
in your organization. So perhaps maybe the staffers are not 
working at 2 o'clock in the afternoon.
    Mr. Strickland. It seems to me that the result of this 
could be, the profiling, a very innocent behavior on the part 
of American citizens that seem to have work habits that were 
perceived by someone as anomalous. Is that not something that 
the American public should have some reasonable concern about?
    Ms. McDonald. Let me say that this whole area of 
technology, as you very well know, opens up a tremendous amount 
of privacy concerns, and people's activities can be tracked. It 
is something that we need to balance with the need to protect.
    Mr. Strickland. I appreciate the difficulty of the issue 
that we are discussing today. I think it is important to be 
open and have full disclosure. I think it is important that the 
concerns that resulted in the initial action to not proceed be 
fully explored.
    Mr. Chairman, I do think this is a matter that we should 
continue to follow and to explore as we look more deeply into 
this.
    Ms. McDonald. We would be glad to work with you on that. 
Thank you.
    Mr. Strickland. Thank you.
    Mr. Greenwood. The Chair thanks the gentleman and 
recognizes the gentlelady from Colorado.
    Ms. DeGette. Thank you, Mr. Chairman.
    We have been hearing a lot of pretty chilling testimony 
this morning about the risks of this cyberterrorism and other 
kinds of compromises of our systems.
    I am just sitting here wondering--for example, this slide 
that Mr. Noonan put up with this Website from--not the Website, 
but this slide from Africa. And I think you said that we wonder 
if people from places like Africa couldn't hack into our 
systems and even launch nuclear weapons or biological warfare.
    Mr. Dick, in your written testimony you say we have not 
seen an example of cyberterrorism. With all of this activity 
going on, I guess I am wondering why we have not seen an 
example of cyberterrorism yet.
    Mr. Dick. In the continuum of incidents and times, over 
time as people get familiar with the technology, the tools, 
even get greater availability out on the Internet, you are 
going to see the volume of activity go up. Eventually we are 
going to see it.
    Ms. DeGette. Why do you think that we have not seen it yet?
    Mr. Noonan. I was just going to comment on that. I think we 
have seen it. We see it in industry. It is just a microcosm. It 
is not the same necessarily as in the physical world. I have 
seen entire customer records destroyed. That is terrorism to a 
business.
    Ms. DeGette. And that is certainly serious to us. What is 
your definition of cyberterrorism?
    Mr. Noonan. I think that is a very good question. The tools 
that I represented--and that is actually a Website which has 
been copied now and made into a slide. You can click on any one 
of those and download those weapons, if you will.
    My definition of cyberterrorism for a commercial industry 
is anything that causes significant problems with the 
availability, the confidentiality, or the integrity of those 
systems. We can now have very small incidences of 
cyberterrorism, or very coordinated, large-scale attacks.
    Mr. Dick. My definition is different. What he described 
there, those would be criminal acts that we would investigate 
under criminal authorities.
    When we talk about terrorism in the Department of Justice 
and from an investigation standpoint, we have governed by 
certain laws and by who are defined as foreign powers. So my 
definition is much more restrictive.
    Ms. DeGette. What is your definition?
    Mr. Dick. Basically those foreign powers that are attacking 
the United States and its assets for political motives as 
opposed to some sort of economic reason.
    Ms. DeGette. Why do you think that we have not had any 
incidence of cyberterrorism on the scale of what Mr. Noonan 
describes?
    Mr. Dick. My statement says we have not had any that we can 
attribute to any foreign powers, organizations, and acts at 
this point in time. I am not saying that there never has been.
    Ms. DeGette. So you think that we might have had 
cyberterrorism, but we do not know?
    Mr. Dick. I have no empirical data that says specifically.
    Ms. DeGette. First of all, I think we should figure out 
what our definition of cyberterrorism is. That might be helpful 
in this analysis. It might be helpful to the public when we 
think about the safety of our government and Internet systems. 
I agree with Mr. Strickland that we need a lot more research 
and hearings on this. But the reason that I am concerned about 
this issue is because we are here today talking about 
compromise of government computer systems, and I am trying to 
figure out what the very real risk is of, say, someone hacking 
into our military intelligence systems or our defense systems 
and actually launching these biological weapons or nuclear 
weapons or obtaining top secret information.
    I understand that there are a lot of incidents, but what is 
the real risk here?
    Mr. Dick. When we say, ``terrorism,'' we are looking at 
things that are politically motivated in an attempt to 
intimidate our society or policies, or change policies, as 
opposed to affect a business's way of doing business.
    Ms. DeGette. Why do you think that we have not had this 
happen? Do we have pretty good integrity of those critical 
systems and what we need to do is work on other systems? Ms. 
McDonald, do you have an opinion on this?
    Ms. McDonald. I think we are lucky that we have not had it 
happen.
    Ms. DeGette. Mr. Noonan, do you have any comments?
    Mr. Noonan. I think we have a lot of problems. I think in 
terms of the infrastructure, I think that it is very, very 
widespread; and whether I would comment on whether we have had 
cyberterrorism or not, I know we have had compromises. I have 
tracked them and watched them in and out of our own government 
and agencies.
    What networks the Pentagon actually uses to launch nuclear 
weapons, I don't know. I hope that those are not easily 
accessible from the Internet. But I know that we have had 
compromises. Whether we want to call that terrorism or not is 
up to us.
    Ms. DeGette. Shifting direction a little bit, Mr. Noonan, 
these 65,000 doors that you talk about, and computers that 
allow unauthorized entries, those are part of the operating 
systems that come with computers when people obtain them?
    Mr. Noonan. That's correct. That is a world standard.
    Ms. DeGette. Right. I would think that a good portion of 
the blame for the vulnerabilities in operating systems would 
lie on the developers of those products; wouldn't you agree?
    Mr. Noonan. Not entirely, but partially, yes; because the 
Internet standard, PCPIP, which we use all over the world, is 
open by design, and this is the fundamental challenge.
    Ms. DeGette. In fact, Microsoft says customers want 
openness, not closed doors, correct?
    Mr. Noonan. Absolutely. So the conundrum is how do you 
secure the integrity of the system when it is based on an open 
design.
    Ms. DeGette. Do you have any ideas how to do that?
    Mr. Noonan. Absolutely. I absolutely do.
    Ms. DeGette. Would you share one?
    Mr. Noonan. I believe we are entering an age where 
everything is going to be microprocessor driven, not just our 
computers, but the Internet will be the base foundation for 
command and control systems for distribution tracking systems, 
for satellite tracking systems, for everything that we do that 
needs information. The only way that we are going to secure 
these systems out into the future is if each individual system 
on the network has its own capability to intelligently monitor 
itself and discern between good and bad behavior.
    Ms. DeGette. Thank you. I have one last question, and that 
is to Ms. McDonald. I assume that is your chart behind you?
    Ms. McDonald. Yes. It is based upon our data.
    Ms. DeGette. My question to you is of the route compromises 
on that chart which are in red, it says a route compromise 
means that the intruder has gained full administrative or route 
privileges over the targeted system, meaning that any 
information or capability of the system is totally owned and is 
controllable by the intruder.
    Ms. McDonald. That's correct.
    Ms. DeGette. How many of those route compromises have been 
to confidential or secret data?
    Ms. McDonald. To my knowledge, none.
    Ms. DeGette. Thank you.
    Mr. Chairman, I can see that we have a lot more work to do. 
I want to thank this excellent panel and the previous one.
    Mr. Greenwood. The Chair is going to recognize himself for 
a second round of questions, and I turn to you first, Ms. 
McDonald.
    Of the 586 incidents reported in 2000, is it true that at 
least several of those are known to have resulted in the 
compromise of sensitive agency information; and if so, can you 
give us some sense of the type of information that was 
compromised?
    Ms. McDonald. Every Federal civilian agency, as we have 
heard this morning, maintains very sensitive information on 
American citizens. I can tell you that most of the increases 
that we have seen, and most of the incidents in the year 2000 
had to do with scientific research and environmentally involved 
agencies. Again, because this is an area that FedCIRC needs to 
develop the trust of the agencies that we work with, I could 
not go into identifying which particular agencies and what 
systems.
    But generally the scientific area is--as Mr. Noonan alluded 
to, the whole Internet is very open. And it was developed by 
the scientific area and they, as part of their research, are a 
very open community.
    Mr. Greenwood. Your testimony notes there has been a rise 
in reconnaissance activities, scans of government computers by 
foreign sources over the past year, up from 60 percent in 1999 
to 75 percent in 2000. Are we talking about terrorism 
activities, teenage hackers from abroad, espionage, or a 
combination of these; and how does FedCIRC determine if a scan 
is by a foreign source, and what information are these foreign 
sources trying to gain access to?
    Ms. McDonald. Well, we can determine whether it's a foreign 
address where these scans are coming from. If with working with 
the agency we feel that it is a nation-state then we work with 
Mr. Dick's area or the NSA and transfer that information over 
to them. We do not investigate incidents. Our job is to report 
incidents, assist agencies to recover from incidents, and to 
give agencies the tools that they need in order to protect 
themselves.
    Mr. Greenwood. Mr. Dick, according to a Washington Post 
article dated March 21 of this year, your current assessment of 
computer security at Federal facilities is that they are 
extremely vulnerable to potentially crippling cyberattacks. Is 
that an accurate assessment of your view; and if so, what is 
that view based on?
    Mr. Dick. It is an accurate assessment of my view of not 
only government systems but private sector systems as has been 
demonstrated in this committee today. There are numerous tools 
out there for which to exploit the vulnerabilities in those 
systems; and unless there is due diligence on the part of 
systems administrators, CEOs and executive managements of 
government agencies, as well as the private sector as a whole, 
you're going to have vulnerabilities and that includes due 
diligence not only in the implementation of firewalls and 
intrusion detection software, but as has been pointed out 
earlier, continually updating and correcting your systems.
    For example, we are conducting an investigation currently, 
or several investigations, regarding known vulnerabilities to 
certain operating systems. These intruders are going in, as I 
alluded to earlier, and taking credit card numbers and then 
extorting the businesses. In December of this year we issued a 
warning based upon our investigative efforts to the public 
saying that these are the known vulnerabilities in this 
operating system which need to be repaired because of this. We 
got very little play.
    In March we became much more public after coordinating with 
the information sharing and analysis centers and our other 
partners and came out with a very--a much more public 
announcement and beat the drum louder, if you will, to try and 
get these vulnerabilities fixed because there are known patches 
that can prevent this. Because of that, one of the information 
sharing and analysis centers indicated that we were able to 
prevent over 1,600 attempts.
    So the point is that it is continual vigilance and 
implementation in security; and unless you do that, you are 
vulnerable.
    Mr. Greenwood. GSA told this committee--told our staff that 
in excess of 95 percent of the intrusions into Federal 
computers could have been prevented had well-known 
vulnerabilities been patched with existing remedies. What does 
that say about the state of our computer security and 
vigilance, Ms. McDonald?
    Ms. McDonald. It doesn't say a lot.
    Mr. Greenwood. Actually, it does say a lot.
    Ms. McDonald. Well, yes it does; but not what I would like 
to say about it. One of the things that we're doing in the Fed 
service area, recognizing this being an issue, is working with 
a number of companies to see what capabilities they have to 
offer the Federal Government for a patch distribution system so 
that we can profile the agency systems to determine where--what 
type systems they have, where they stand on their patches, and 
then, as patches come out, feed them down to the agencies in a 
hope that that will encourage them to apply the patches and 
therefore allow them to recover from----
    Mr. Greenwood. Well, you're hoping that it will encourage 
them, but are they required? If you do an advisory indicating a 
vulnerability in a known patch and you distribute that to the 
Federal agency, is the Federal agency required----
    Ms. McDonald. No.
    Mr. Greenwood. [continuing] under any----
    Ms. McDonald. No. This would only allow us the knowledge 
that the patch was delivered to them, and we can establish the 
system so that we can see if they actually took the patch; but 
they're under no requirement to apply the patch.
    Mr. Greenwood. Do you keep records of to what extent your 
encouragement works in the patches?
    Ms. McDonald. We will, once we implement the system.
    Mr. Greenwood. Okay. The Chair thanks all three of our 
witnesses for their superb testimony and you are excused. And I 
would call the second panel, consisting of Mr. Robert Dacey, 
director of information security systems at the U.S. General 
Accounting Office, and Mr. John S. Tritak, director of Critical 
Infrastructure Assurance Office of the U.S. Department of 
Commerce.
    I'm going to do what I failed to do in the last panel and 
that is remind you this committee is holding an investigative 
hearing and when doing so it has had the practice of taking 
testimony under oath. Do either of you have any objection to 
testify under oath?
    Mr. Dacey. No.
    Mr. Tritak. Not at all.
    Mr. Greenwood. You're also then advised that under the 
rules of the House and under the rules of the committee you're 
entitled to be advised by counsel. Do you desire to be advised 
by counsel during your testimony?
    Mr. Dacey. I do not.
    Mr. Tritak. I do not.
    Mr. Greenwood. In that case, will you rise and raise your 
right hand and I will swear you in.
    [Witnesses sworn.]
    Thank you. Please be seated.
    We will recognize Mr. Dacey for his testimony for 5 
minutes.

 TESTIMONY OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY 
  ISSUES, U.S. GENERAL ACCOUNTING OFFICE; AND JOHN S. TRITAK, 
   DIRECTOR, CRITICAL INFRASTRUCTURE ASSURANCE OFFICE, U.S. 
                     DEPARTMENT OF COMMERCE

    Mr. Dacey. Mr. Chairman, I am pleased to be here this 
afternoon to discuss information security in the Federal 
Government. Evaluations by GAO and the Inspectors General 
continue to show that computer security over the government's 
unclassified systems are fraught with serious and widespread 
weaknesses. The risk associated with these weaknesses as has 
been discussed earlier are heightened by the increasing 
interconnectivity of our systems, as well as the use of the 
Internet. While the government cannot estimate the actual 
damage and loss, principally because many incidents are either 
not identified or not reported, I'd like to provide several 
examples that illustrate the effect that can happen to Federal 
agencies.
    First, there can be theft or misuse of Federal Government 
resources. For example, one individual embezzled over $435,000 
at the Department of Defense. At EPA, a hacker chat room was 
surreptitiously installed on an agency server. An EPA system 
was used by hackers to launch attacks against others, and 
numerous Federal Web sites have been reportedly defaced.
    Ineffective security can also result in inappropriate 
disclosure or misuse of sensitive personal and proprietary 
business information. For example, sensitive information was 
reported stolen by the Department of Defense. IRS employees 
have browsed taxpayer records and used information obtained to 
commit financial and other crimes. Social security information 
has been sold to facilitate identity theft.
    Another effect is potential disruption of business 
operations. For example, operations at several agencies were 
disrupted by the ``I love you'' virus. Also, users were locked 
out of EPA systems using some of the techniques we saw 
demonstrated earlier today.
    And third, DOE stood down its Internet connections on 
several occasions. The last can result in modification or 
destruction of programs or data. For example, sensitive 
information was corrupted and malicious software installed at 
the Department of Defense.
    While agencies' operations and risks vary, the types of 
weaknesses reported are strikingly similar. In general, systems 
did not have adequate controls to prevent and detect 
unauthorized changes to systems software, to prevent or detect 
unauthorized access to facilities, systems, programs and data, 
and to ensure the continuity of business operations.
    We and the Inspectors General made scores of 
recommendations to improve security, and in 2001 we again 
reported information security as a high-risk area, as we have 
in 1997 and 1999.
    I would like to point out that GAO employs similar tests to 
those that were demonstrated this morning and would like to add 
that even though those generally result in our ability to gain 
root access or other access to systems, we sometimes are just 
as successful in guessing passwords and using social 
engineering to gain access to those systems.
    Even if agencies do implement the corrective actions that 
have been identified, all too often subsequent reviews have 
uncovered the same types of vulnerabilities. As we've reported 
in the past, these weaknesses continue to exist principally 
because agencies have not established effective computer 
security management programs. Effective programs would allow 
for processes and procedures to assess risks, to ensure that 
controls are adequately put in place to address those risks, to 
have a regular process of raising awareness by the employees, 
and last, to have a process to monitor the effectiveness of 
security on an ongoing basis.
    While we have seen that some agencies have implemented 
policies and procedures and have established risk awareness 
programs, little has been done by most agencies to actively 
monitor the effectiveness of the controls, unlike what was 
demonstrated today by the Department of Energy.
    The Congress has expressed concern about the serious and 
pervasive nature of computer security and recently passed 
legislation that would require some additional reporting and 
work to be done. Specifically, the legislation requires that 
agencies establish computer security management programs over 
all operations and assets of the agency.
    Second, the legislation requires both agency and Inspector 
General annual reviews to be performed, and the information 
from those reviews could be very helpful in oversight and 
monitoring of agencies' progress.
    Other actions have been initiated across government, 
including several agencies that have taken important steps to 
improve computer security. The Federal Chief Information 
Officers Council has issued a guide for measuring agency 
progress, which we assisted in developing; and the prior 
administration has issued a national plan for information 
systems protection as well as the current administration 
issuing the first annual update on the status of critical 
infrastructure.
    It is important to maintain the momentum of these efforts 
and ensure that the activities currently underway are 
coordinated under a comprehensive strategy and that the roles 
and responsibilities of the numerous organizations with central 
responsibilities for computer security are clearly defined.
    Mr. Chairman, that concludes our statement. I would be 
pleased to answer any questions that you or the members of the 
subcommittee may have.
    [The prepared statement of Robert F. Dacey follows:]

 Prepared Statement of Robert F. Dacey, Director, Information Security 
                   Issues, General Accounting Office

    Mr. Chairman and Members of the Subcommittee: I am pleased to be 
here today to discuss our analysis of information security audits at 
federal agencies. As with other large organizations, federal agencies 
rely extensively on computerized systems and electronic data to support 
their missions. Accordingly, the security of these systems and data is 
essential to avoiding disruptions in critical operations, data 
tampering, fraud, and inappropriate disclosure of sensitive 
information.
    Today, I will summarize the results of our analysis of information 
security audits performed by us and by agency inspectors general since 
July 1999 at 24 major federal departments and agencies. In summarizing 
these results, I will discuss the types of pervasive weaknesses that we 
and agency inspectors general have identified. I will then describe the 
serious risks that these weaknesses pose at selected individual 
agencies of particular interest to this subcommittee, and the major 
common weaknesses that agencies need to address. Finally, I will 
describe the management improvements that are needed to resolve these 
weaknesses and the significant challenges that remain.

                               BACKGROUND

    Dramatic increases in computer interconnectivity, especially in the 
use of the Internet, are revolutionizing the way our government, our 
nation, and much of the world communicate and conduct business. The 
benefits have been enormous. Vast amounts of information are now 
literally at our fingertips, facilitating research on virtually every 
topic imaginable; financial and other business transactions can be 
executed almost instantaneously, often on a 24-hour-a-day basis; and 
electronic mail, Internet web sites, and computer bulletin boards allow 
us to communicate quickly and easily with a virtually unlimited number 
of individuals and groups.
    In addition to such benefits, however, this widespread 
interconnectivity poses significant risks to our computer systems and, 
more important, to the critical operations and infrastructures they 
support. For example, telecommunications, power distribution, water 
supply, public health services, and national defense--including the 
military's warfighting capability--law enforcement, government 
services, and emergency services all depend on the security of their 
computer operations. The speed and accessibility that create the 
enormous benefits of the computer age likewise, if not properly 
controlled, allow individuals and organizations to inexpensively 
eavesdrop on or interfere with these operations from remote locations 
for mischievous or malicious purposes, including fraud or sabotage.
    Reports of attacks and disruptions abound. The March 2001 report of 
the ``Computer Crime and Security Survey,'' conducted by the Computer 
Security Institute and the Federal Bureau of Investigation's San 
Francisco Computer Intrusion Squad, showed that 85 percent of 
respondents (primarily large corporations and government agencies) had 
detected computer security breaches within the last 12 months. 
Disruptions caused by virus attacks, such as the ILOVEYOU virus in May 
2000 and 1999's Melissa virus, have illustrated the potential for 
damage that such attacks hold.\1\ A sampling of reports summarized in 
Daily Reports by the FBI's National Infrastructure Protection Center 
\2\ during two recent weeks in March illustrates the problem further:
---------------------------------------------------------------------------
    \1\ Critical Infrastructure Protection: ``ILOVEYOU'' Computer Virus 
Highlights Need for Improved Alert and Coordination Capabilities (GAO/
T-AIMD-00-181, May 18, 2000); Information Security: ``ILOVEYOU'' 
Computer Virus Emphasizes Critical Need for Agency and Governmentwide 
Improvements (GAO/T-AIMD-00-171, May 10, 2000); Information Security: 
The Melissa Computer Virus Demonstrates Urgent Need for Stronger 
Protection Over Systems and Sensitive Data (GAO/T-AIMD-99-146, April 
15, 1999).
    \2\ In its Daily Reports, the National Infrastructure Protection 
Center states that these summaries are for information purposes only 
and do not constitute any verification of the information contained in 
the reports or endorsement by the FBI.

 Hackers suspected of having links to a foreign government 
        successfully broke into the Sandia National Laboratory's 
        computer system and were able to access sensitive classified 
        information. (Source: Washington Times, March 16, 2001.)
 A hacker group by the name of ``PoizonB0x'' defaced numerous 
        government web sites, including those of the Department of 
        Transportation, the Administrative Office of the U.S. Courts, 
        the National Science Foundation, the National Oceanic and 
        Atmospheric Administration, the Princeton Plasma Physics 
        Laboratory, the General Services Administration, the U.S. 
        Geological Survey, the Bureau of Land Management, and the 
        Office of Science & Technology Policy. (Source: Attrition.org., 
        March 19, 2001.)
 The ``Russian Hacker Association'' is offering over the 
        Internet an e-mail bombing system that will destroy a persons 
        ``web enemy'' for a fee. (Source: UK Ministry of Defense Joint 
        Security Coordination Center)
 Two San Diego men allegedly crashed a company's computer 
        system by rerouting tens of thousands of unsolicited e-mails 
        through its servers. (Source: ZDNet News, March 18, 2001.)
    Government officials are increasingly concerned about attacks from 
individuals and groups with malicious intent, such as crime, terrorism, 
foreign intelligence gathering, and acts of war. According to the FBI, 
terrorists, transnational criminals, and intelligence services are 
quickly becoming aware of and using information exploitation tools such 
as computer viruses, Trojan horses, worms, logic bombs, and 
eavesdropping sniffers that can destroy, intercept, or degrade the 
integrity of and deny access to data. As greater amounts of money are 
transferred through computer systems, as more sensitive economic and 
commercial information is exchanged electronically, and as the nation's 
defense and intelligence communities increasingly rely on commercially 
available information technology, the likelihood that information 
attacks will threaten vital national interests increases. In addition, 
the disgruntled organization insider is a significant threat, since 
such individuals often have knowledge that allows them to gain 
unrestricted access and inflict damage or steal assets without a great 
deal of knowledge about computer intrusions.
    Since 1996, our analyses of information security at major federal 
agencies have shown that federal systems were not being adequately 
protected from these threats, even though these systems process, store, 
and transmit enormous amounts of sensitive data and are indispensable 
to many federal agency operations. In September 1996, we reported that 
serious weaknesses had been found at 10 of the 15 largest federal 
agencies, and we concluded that poor information security was a 
widespread federal problem with potentially devastating 
consequences.\3\ In 1998 and in 2000, we analyzed audit results for 24 
of the largest federal agencies: both analyses found that all 24 
agencies had significant information security weaknesses.\4\ As a 
result of these analyses, we have identified information security as a 
high-risk issue in reports to the Congress since 1997-most recently in 
January 2001.\5\
---------------------------------------------------------------------------
    \3\ Information Security: Opportunities for Improved OMB Oversight 
of Agency Practices (GAO/AIMD-96-110, September 24, 1996).
    \4\ Information Security: Serious Weaknesses Place Critical Fedearl 
Operations and Assets at Risk (GAO/AIMD-98-92, September 23, 1998); 
Information Security: Serious and Widespread Weaknesses Persist at 
Federal Agencies (GAO/AIMD-00-295, September 6, 2000).
    \5\ High-Risk Series: Information Management and Technology (GAO/
HR-97-9, February 1, 1997); High-Risk Series: An Update (GAO/HR-99-1, 
January 1999); High Risk Series: An Update (GAO-01-263, January 2001).
---------------------------------------------------------------------------

                      WEAKNESSES REMAIN PERVASIVE

    Evaluations published since July 1999 show that federal computer 
systems are riddled with weaknesses that continue to put critical 
operations and assets at risk. Significant weaknesses have been 
identified in each of the 24 agencies covered by our review. These 
weaknesses covered all six major areas of general controls--the 
policies, procedures, and technical controls that apply to all or a 
large segment of an entity's information systems and help ensure their 
proper operation. These six areas are (1) security program management, 
which provides the framework for ensuring that risks are understood and 
that effective controls are selected and implemented, (2) access 
controls, which ensure that only authorized individuals can read, 
alter, or delete data, (3) software development and change controls, 
which ensure that only authorized software programs are implemented, 
(4) segregation of duties, which reduces the risk that one individual 
can independently perform inappropriate actions without detection, (5) 
operating systems controls, which protect sensitive programs that 
support multiple applications from tampering and misuse, and (6) 
service continuity, which ensures that computer-dependent operations 
experience no significant disruptions.
    Weaknesses in these areas placed a broad range of critical 
operations and assets at risk for fraud, misuse, and disruption. In 
addition, they placed an enormous amount of highly sensitive data--much 
of it pertaining to individual taxpayers and beneficiaries--at risk of 
inappropriate disclosure.
    The scope of audit work performed has continued to expand to more 
fully cover all six major areas of general controls at each agency. Not 
surprisingly, this has led to the identification of additional areas of 
weakness at some agencies. While these increases in reported weaknesses 
are disturbing, they do not necessarily mean that information security 
at federal agencies is getting worse. They more likely indicate that 
information security weaknesses are becoming more fully understood-an 
important step toward addressing the overall problem. Nevertheless, our 
analysis leaves no doubt that serious, pervasive weaknesses persist. As 
auditors increase their proficiency and the body of audit evidence 
expands, it is probable that additional significant deficiencies will 
be identified.
    Most of the audits covered in our analysis were performed as part 
of financial statement audits. At some agencies with primarily 
financial missions, such as the Department of the Treasury and the 
Social Security Administration, these audits covered the bulk of 
mission-related operations. However, at agencies whose missions are 
primarily nonfinancial, such as the Departments of Defense and Justice, 
the audits may provide a less complete picture of the agency's overall 
security posture because the audit objectives focused on the financial 
statements and did not include evaluations of systems supporting 
nonfinancial operations.
    In response to congressional interest, during fiscal years 1999 and 
2000, we expanded our audit focus to cover a wider range of 
nonfinancial operations. We expect this trend to continue.

     RISKS TO FEDERAL OPERATIONS, ASSETS, AND CONFIDENTIALITY ARE 
                              SUBSTANTIAL

    To fully understand the significance of the weaknesses we 
identified, it is necessary to link them to the risks they present to 
federal operations and assets. Virtually all federal operations are 
supported by automated systems and electronic data, and agencies would 
find it difficult, if not impossible, to carry out their missions and 
account for their resources without these information assets. Hence, 
the degree of risk caused by security weaknesses is extremely high.
    The weaknesses identified place a broad array of federal operations 
and assets at risk of fraud, misuse, and disruption. For example, 
weaknesses at the Department of the Treasury increase the risk of fraud 
associated with billions of dollars of federal payments and 
collections, and weaknesses at the Department of Defense increase the 
vulnerability of various military operations. Further, information 
security weaknesses place enormous amounts of confidential data, 
ranging from personal and tax data to proprietary business information, 
at risk of inappropriate disclosure. For example, in 1999, a Social 
Security Administration employee pled guilty to unauthorized access to 
the administration's systems. The related investigation determined that 
the employee had made many unauthorized queries, including obtaining 
earnings information for members of the local business community.
    Such risks, if inadequately addressed, may limit government's 
ability to take advantage of new technology and improve federal 
services through electronic means. For example, this past February, we 
reported on serious control weaknesses in the Internal Revenue 
Service's (IRS) electronic filing system, noting that failure to 
maintain adequate security could erode public confidence in electronic 
filing, jeopardize the Service's ability to meet its goal of 80 percent 
of returns being filed electronically by 2007, and deprive it of 
financial and other anticipated benefits. Specifically, we found that, 
during the 2000 tax filing season, IRS did not adequately secure access 
to its electronic filing systems or to the electronically transmitted 
tax return data those systems contained. We demonstrated that 
unauthorized individuals, both internal and external to IRS, could have 
gained access to these systems and viewed, copied, modified, or deleted 
taxpayer data. In addition, the weaknesses we identified jeopardized 
the security of the sensitive business, financial, and taxpayer data on 
other critical IRS systems that were connected to the electonic filing 
systems. The IRS Commissioner has stated that, in response to 
recommendations we made, IRS has completed corrective action for all of 
the critical access control vulnerabilities we identified and that, as 
a result, the electronic filing systems now satisfactorily meet 
critical federal security requirements to protect the taxpayer.\6\ As 
part of our audit follow up activities, we plan to evaluate the 
effectiveness of IRS's corrective actions.
---------------------------------------------------------------------------
    \6\ Information Security: IRS Electronic Filing Systems (GAO-01-
306, February 16, 2001).
---------------------------------------------------------------------------
    I would now like to describe the risks associated with specific 
recent audit findings at agencies of particular interest to this 
subcommittee.
     Information technology is essential to the Department of 
Energy's (DOE) scientific research mission, which is supported by a 
large and diverse set of computing systems, including very powerful 
supercomputers located at DOE laboratories across the nation. In June 
2000, we reported that computer systems at DOE laboratories supporting 
civilian research had become a popular target of the hacker community, 
with the result that the threat of attacks had grown dramatically in 
recent years.\7\ Further, because of security breaches, several 
laboratories had been forced to temporarily disconnect their networks 
from the Internet, disrupting the laboratories' ability to do 
scientific research for up to a full week on at least two occasions. In 
February 2001, the DOE's Inspector General reported network 
vulnerabilities and access control weaknesses in unclassified systems 
that increased the risk that malicious destruction or alteration of 
data or the processing of unauthorized operations could occur.\8\
---------------------------------------------------------------------------
    \7\ Information Security: Vulnerabilities in DOE's Systems for 
Unclassified Civilian Research (GAO/AIMD-00-140, June 9, 2000).
    \8\ Report on the Department of Energy's Consolidated Financial 
Statements, DOE/IG-FS-01-01, February 16, 2001.
---------------------------------------------------------------------------
     In February, the Department of Health and Human Services' 
Inspector General again reported serious control weaknesses affecting 
the integrity, confidentiality, and availability of data maintained by 
the department.\9\ Most significant were weaknesses associated with the 
department's Health Care Financing Administration, which was 
responsible, during fiscal year 2000, for processing more than $200 
billion in medicare expenditures. HCFA relies on extensive data 
processing operations at its central office to maintain administrative 
data, such as Medicare enrollment, eligibility, and paid claims data, 
and to process all payments for managed care. HCFA also relies on 
Medicare contractors, who use multiple shared systems to collect and 
process personal health, financial, and medical data associated with 
Medicare claims. Significant weaknesses were also reported for the Food 
and Drug Administration and the department's Division of Financial 
Operations.
---------------------------------------------------------------------------
    \9\ Report on the Financial Statement Audit of the Department of 
Health and Human Services for Fiscal Year 2000, A-17-00-00014, February 
26, 2001.
---------------------------------------------------------------------------
     The Environmental Protection Agency (EPA) relies on its 
computer systems to collect and maintain a wealth of environmental data 
under various statutory and regulatory requirements. EPA makes much of 
its information available to the public through Internet access in 
order to encourage public awareness of and participation in managing 
human health and environmental risks and to meet statutory 
requirements. EPA also maintains confidential data from private 
businesses, data of varying sensitivity on human health and 
environmental risks, financial and contract data, and personal 
information on its employees. Consequently, EPA's information security 
program must accommodate the often competing goals of making much of 
its environmental information widely accessible while maintaining data 
integrity, availability, and appropriate confidentiality. In July 2000, 
we reported serious and pervasive problems that essentially rendered 
EPA's agencywide information security program ineffective.\10\ Our 
tests of computer-based controls concluded that the computer operating 
systems and agencywide computer network that support most of EPA's 
mission-related and financial operations were riddled with security 
weaknesses.
---------------------------------------------------------------------------
    \10\ Information Security: Fundamental Weaknesses Place EPA Data 
and Operations at Risk (GAO/AIMD-00-215 July 6, 2000).
---------------------------------------------------------------------------
    In addition, EPA's records showed that its vulnerabilities had been 
exploited by both external and internal sources, as illustrated by the 
following examples.
--In June 1998, EPA was notified that one of its computers was used by 
        a remote intruder as a means of gaining unauthorized access to 
        a state university's computers. The problem report stated that 
        vendor-supplied software updates were available to correct the 
        vulnerability, but EPA had not installed them.
--In July 1999, a chat room was set up on a network server at one of 
        EPA's regional financial management centers for hackers to post 
        notes and, in effect, conduct on-line electronic conversations.
--In February 1999, a sophisticated penetration affected three of EPA's 
        computers. EPA was unaware of this penetration until notified 
        by the FBI.
--In June 1999, an intruder penetrated an Internet web server at EPA's 
        National Computer Center by exploiting a control weakness 
        specifically identified by EPA about 3 years earlier during a 
        previous penetration of a different system. The vulnerability 
        continued to exist because EPA had not implemented vendor 
        software updates (patches), some of which had been available 
        since 1996.
--On two occasions during 1998, extraordinarily large volumes of 
        network traffic--synonymous with a commonly used denial-of-
        service hacker technique--affected computers at one of EPA's 
        field offices. In one case, an Internet user significantly 
        slowed EPA's network activity and interrupted network service 
        for over 450 EPA computer users. In a second case, an intruder 
        used EPA computers to successfully launch a denial-of-service 
        attack against an Internet service provider.
--In September 1999, an individual gained access to an EPA computer and 
        altered the computer's access controls, thereby blocking 
        authorized EPA employees from accessing files. This individual 
        was no longer officially affiliated with EPA at the time of the 
        intrusion, indicating a serious weakness in EPA's process for 
        applying changes in personnel status to computer accounts.
    Of particular concern was that many of the most serious weaknesses 
we identified-those related to inadequate protection from intrusions 
through the Internet and poor security planning-had been previously 
reported to EPA management in 1997 by EPA's inspector general.\11\ The 
negative effects of such weaknesses are illustrated by EPA's own 
records, which show several serious computer security incidents since 
early 1998 that have resulted in damage and disruption to agency 
operations. As a result of these weaknesses, EPA's computer systems and 
the operations that rely on them were highly vulnerable to tampering, 
disruption, and misuse from both internal and external sources.
---------------------------------------------------------------------------
    \11\ EPA's Internet Connectivity Controls, Office of Inspector 
General Report Audit (Redacted Version), September 5, 1997.
---------------------------------------------------------------------------
    EPA management has developed and begun to implement a detailed 
action plan to address reported weaknesses. However, the agency does 
not expect to complete these corrective actions until 2002 and 
continued to report a material weakness in this area in its fiscal year 
2000 report on internal controls under the Federal Managers' Financial 
Integrity Act of 1982.\12\
---------------------------------------------------------------------------
    \12\ Audit Rewport on EPA's Fiscal 2000 Financial Statements, 
Office of the Inspector General Audit Report 2001-1-00107, February 28, 
2001.
---------------------------------------------------------------------------
     The Department of Commerce is responsible for systems that 
the department has designated as critical for national security, 
national economic security, and public health and safety. Its member 
bureaus include the National Oceanic and Atmospheric Administration, 
the Patent and Trademark Office, the Bureau of the Census, and the 
International Trade Administration. During December 2000 and January 
2001, Commerce 's inspector general reported significant computer 
security weaknesses in several of the department's bureaus and, last 
month, reported multiple material information security weaknesses 
affecting the department's ability to produce accurate data for 
financial statements. These included a lack of formal, current security 
plans and weaknesses in controls over access to systems and over 
software development and changes.\13\ At the request of the full 
committee, we are currently evaluating information security controls at 
selected other Commerce bureaus.
---------------------------------------------------------------------------
    \13\ Department of Commerce's Fiscal year 2000 Consolidated 
Financial Statements, Inspector General Audit Report No. FSD-12849-1-
0001.
---------------------------------------------------------------------------
  WHILE NATURE OF RISK VARIES, CONTROL WEAKNESSES ACROSS AGENCIES ARE 
                           STRIKINGLY SIMILAR

    The nature of agency operations and their related risks vary. 
However, striking similarities remain in the specific types of general 
control weaknesses reported and in their serious negative impact on an 
agency's ability to ensure the integrity, availability, and appropriate 
confidentiality of its computerized operations--and therefore on what 
corrective actions they must take. The sections that follow describe 
the six areas of general controls and the specific weaknesses that were 
most widespread at the agencies covered by our analysis.

Security Program Management
    Each organization needs a set of management procedures and an 
organizational framework for identifying and assessing risks, deciding 
what policies and controls are needed, periodically evaluating the 
effectiveness of these policies and controls, and acting to address any 
identified weaknesses. These are the fundamental activities that allow 
an organization to manage its information security risks cost 
effectively, rather than react to individual problems in an ad-hoc 
manner only after a violation has been detected or an audit finding 
reported.
    Despite the importance of this aspect of an information security 
program, poor security program management continues to be a widespread 
problem. Virtually all of the agencies for which this aspect of 
security was reviewed had deficiencies. Specifically, many had not 
developed security plans for major systems based on risk, had not 
documented security policies, and had not implemented a program for 
testing and evaluating the effectiveness of the controls they relied 
on. As a result, agencies

 were not fully aware of the information security risks to 
        their operations,
 had accepted an unknown level of risk by default rather than 
        consciously deciding what level of risk was tolerable,
 had a false sense of security because they were relying on 
        controls that were not effective, and
 could not make informed judgments as to whether they were 
        spending too little or too much of their resources on security.
    With the October 2000 enactment of the government information 
security reform provisions of the fiscal year 2001 National Defense 
Authorization Act, agencies are now required by law to adopt the 
practices described above, including annual management evaluations of 
agency security.

Access Controls
    Access controls limit or detect inappropriate access to computer 
resources (data, equipment, and facilities), thereby protecting these 
resources against unauthorized modification, loss, and disclosure. 
Access controls include physical protections--such as gates and 
guards--as well as logical controls, which are controls built into 
software that require users to authenticate themselves through the use 
of secret passwords or other identifiers and limit the files and other 
resources that an authenticated user can access and the actions that he 
or she can execute. Without adequate access controls, unauthorized 
individuals, including outside intruders and terminated employees, can 
surreptitiously read and copy sensitive data and make undetected 
changes or deletions for malicious purposes or personal gain. Even 
authorized users can unintentionally modify or delete data or execute 
changes that are outside their span of authority.
    For access controls to be effective, they must be properly 
implemented and maintained. First, an organization must analyze the 
responsibilities of individual computer users to determine what type of 
access (e.g., read, modify, delete) they need to fulfill their 
responsibilities. Then, specific control techniques, such as 
specialized access control software, must be implemented to restrict 
access to these authorized functions. Such software can be used to 
limit a user's activities associated with specific systems or files and 
to keep records of individual users' actions on the computer. Finally, 
access authorizations and related controls must be maintained and 
adjusted on an ongoing basis to accommodate new and terminated 
employees, and changes in users' responsibilities and related access 
needs.
    Significant access control weaknesses were reported for all of the 
agencies covered by our analysis, as evidenced by the following 
examples:

 Accounts and passwords for individuals no longer associated 
        with the agency were not deleted or disabled; neither were they 
        adjusted for those whose responsibilities, and thus need to 
        access certain files, changed. At one agency, as a result, 
        former employees and contractors could and in many cases did 
        still read, modify, copy, or delete data. At this same agency, 
        even after 160 days of inactivity, 7,500 out of 30,000 users' 
        accounts had not been deactivated.
 Users were not required to periodically change their 
        passwords.
 Managers did not precisely identify and document access needs 
        for individual users or groups of users. Instead, they provided 
        overly broad access privileges to very large groups of users. 
        As a result, far more individuals than necessary had the 
        ability to browse and, sometimes, modify or delete sensitive or 
        critical information. At one agency, all 1,100 users were 
        granted access to sensitive system directories and settings. At 
        another agency, 20,000 users had been provided access to one 
        system without written authorization.
 Use of default, easily guessed, and unencrypted passwords 
        significantly increased the risk of unauthorized access. During 
        testing at one agency, we were able to guess many passwords 
        based on our knowledge of commonly used passwords and were able 
        to observe computer users' keying in passwords and then use 
        those passwords to obtain ``high level'' system administration 
        privileges.
 Software access controls were improperly implemented, 
        resulting in unintended access or gaps in access-control 
        coverage. At one agency data center, all users, including 
        programmers and computer operators, had the capability to read 
        sensitive production data, increasing the risk that such 
        sensitive information could be disclosed to unauthorized 
        individuals. Also at this agency, certain users had the 
        unrestricted ability to transfer system files across the 
        network, increasing the risk that unauthorized individuals 
        could gain access to the sensitive data or programs.
    To illustrate the risks associated with poor authentication and 
access controls, in recent years we have begun to incorporate network 
vulnerability testing into our audits of information security. Such 
tests involve attempting--with agency cooperation--to gain unauthorized 
access to sensitive files and data by searching for ways to circumvent 
existing controls, often from remote locations. Our auditors have been 
successful, in almost every test, in readily gaining unauthorized 
access that would allow intruders to read, modify, or delete data for 
whatever purpose they had in mind. Further, user activity was 
inadequately monitored. At one agency, much of the activity associated 
with our intrusion testing was not recognized and recorded, and the 
problem reports that were recorded did not recognize the magnitude of 
our activity or the severity of the security breaches we initiated.

Application Software Development and Change Controls
    Application software development and change controls prevent 
unauthorized software programs or modifications to programs from being 
implemented. Key aspects of such controls are ensuring that (1) 
software changes are properly authorized by the managers responsible 
for the agency program or operations that the application supports, (2) 
new and modified software programs are tested and approved prior to 
their implementation, and (3) approved software programs are maintained 
in carefully controlled libraries to protect them from unauthorized 
changes and to ensure that different versions are not misidentified.
    Such controls can prevent both errors in software programming as 
well as malicious efforts to insert unauthorized computer program code. 
Without adequate controls, incompletely tested or unapproved software 
can result in erroneous data processing that, depending on the 
application, could lead to losses or faulty outcomes. In addition, 
individuals could surreptitiously modify software programs to include 
processing steps or features that could later be exploited for personal 
gain or sabotage.
    Weaknesses in software program change controls were identified for 
almost all of the agencies where such controls were evaluated. Examples 
of weaknesses in this area included the following:

 Testing procedures were undisciplined and did not ensure that 
        implemented software operated as intended. For example, at one 
        agency, senior officials authorized some systems for processing 
        without testing access controls to ensure that they had been 
        implemented and were operating effectively. At another, 
        documentation was not retained to demonstrate user testing and 
        acceptance.
 Implementation procedures did not ensure that only authorized 
        software was used. In particular, procedures did not ensure 
        that emergency changes were subsequently tested and formally 
        approved for continued use and that implementation of ``locally 
        developed'' (unauthorized) software programs was prevented or 
        detected.
 Agencies' policies and procedures frequently did not address 
        the maintenance and protection of program libraries.

Segregation of Duties
    Segregation of duties refers to the policies, procedures, and 
organizational structure that help ensure that one individual cannot 
independently control all key aspects of a process or computer-related 
operation and thereby conduct unauthorized actions or gain unauthorized 
access to assets or records without detection. For example, one 
computer programmer should not be allowed to independently write, test, 
and approve program changes.
    Although segregation of duties alone will not ensure that only 
authorized activities occur, inadequate segregation of duties increases 
the risk that erroneous or fraudulent transactions could be processed, 
improper program changes implemented, and computer resources damaged or 
destroyed. For example,

 an individual who was independently responsible for 
        authorizing, processing, and reviewing payroll transactions 
        could inappropriately increase payments to selected individuals 
        without detection; or
 a computer programmer responsible for authorizing, writing, 
        testing, and distributing program modifications could either 
        inadvertently or deliberately implement computer programs that 
        did not process transactions in accordance with management's 
        policies or that included malicious code.
    Controls to ensure appropriate segregation of duties consist mainly 
of documenting, communicating, and enforcing policies on group and 
individual responsibilities. Enforcement can be accomplished by a 
combination of physical and logical access controls and by effective 
supervisory review.
    Segregation of duties weaknesses were identified at most of the 
agencies covered by our analysis. Common problems involved computer 
programmers and operators who were authorized to perform a variety of 
duties, thus providing them the ability to independently modify, 
circumvent, and disable system security features. For example, at one 
data center, a single individual could independently develop, test, 
review, and approve software changes for implementation.
    Segregation of duties problems were also identified related to 
transaction processing. For example, at one agency, 11 staff members 
involved with procurement had system access privileges that allowed 
them to individually request, approve, and record the receipt of 
purchased items. In addition, 9 of the 11 had system access privileges 
that allowed them to edit the vendor file, which could result in 
fictitious vendors being added to the file for fraudulent purposes. For 
fiscal year 1999, we identified 60 purchases, totaling about $300,000, 
that were requested, approved, and receipt-recorded by the same 
individual.

Operating System Controls
    Operating system software controls limit and monitor access to the 
powerful programs and sensitive files associated with the computer 
systems operation. Generally, one set of system software is used to 
support and control a variety of applications that may run on the same 
computer hardware. System software helps control and coordinate the 
input, processing, output, and data storage associated with all of the 
applications that run on the system. Some system software can change 
data and program code on files without leaving an audit trail or can be 
used to modify or delete audit trails. Examples of system software 
include the operating system, system utilities, program library 
systems, file maintenance software, security software, data 
communications systems, and database management systems.
    Controls over access to and modification of system software are 
essential in providing reasonable assurance that operating system-based 
security controls are not compromised and that the system will not be 
impaired. If controls in this area are inadequate, unauthorized 
individuals might use system software to circumvent security controls 
to read, modify, or delete critical or sensitive information and 
programs. Also, authorized users of the system may gain unauthorized 
privileges to conduct unauthorized actions or to circumvent edits and 
other controls built into application programs. Such weaknesses 
seriously diminish the reliability of information produced by all of 
the applications supported by the computer system and increase the risk 
of fraud, sabotage, and inappropriate disclosure. Further, system 
software programmers are often more technically proficient than other 
data processing personnel and, thus, have a greater ability to perform 
unauthorized actions if controls in this area are weak.
    The control concerns for system software are similar to the access 
control issues and software program change control issues discussed 
earlier. However, because of the high level of risk associated with 
system software activities, most entities have a separate set of 
control procedures that apply to them.
    Weaknesses were identified at each of the agencies for which 
operating system controls were reviewed. A common type of problem 
reported was insufficiently restricted access that made it possible for 
knowledgeable individuals to disable or circumvent controls in a 
variety of ways. For example, at one agency, system support personnel 
had the ability to change data in the system audit log. As a result, 
they could have engaged in a wide array of inappropriate and 
unauthorized activity and could have subsequently deleted related 
segments of the audit log, thus diminishing the likelihood that their 
actions would be detected.
    Further, pervasive vulnerabilities in network configuration exposed 
agency systems to attack. These vulnerabilities stemmed from agencies' 
failure to (1) install and maintain effective perimeter security, such 
as firewalls and screening routers, (2) implement current software 
patches, and (3) protect against commonly known methods of attack.

Service Continuity
    Finally, service continuity controls ensure that when unexpected 
events occur, critical operations will continue without undue 
interruption and that crucial, sensitive data are protected. For this 
reason, an agency should have (1) procedures in place to protect 
information resources and minimize the risk of unplanned interruptions 
and (2) a plan to recover critical operations, should interruptions 
occur. These plans should consider the activities performed at general 
support facilities, such as data processing centers, as well as the 
activities performed by users of specific applications. To determine 
whether recovery plans will work as intended, they should be tested 
periodically in disaster simulation exercises.
    Losing the capability to process, retrieve, and protect information 
maintained electronically can significantly affect an agency's ability 
to accomplish its mission. If controls are inadequate, even relatively 
minor interruptions can result in lost or incorrectly processed data, 
which can cause financial losses, expensive recovery efforts, and 
inaccurate or incomplete financial or management information. Controls 
to ensure service continuity should address the entire range of 
potential disruptions. These may include relatively minor 
interruptions, such as temporary power failures or accidental loss or 
erasure of files, as well as major disasters, such as fires or natural 
disasters that would require reestablishing operations at a remote 
location.
    Service continuity controls include (1) taking steps, such as 
routinely making backup copies of files, to prevent and minimize 
potential damage and interruption, (2) developing and documenting a 
comprehensive contingency plan, and (3) periodically testing the 
contingency plan and adjusting it as appropriate.
    Service continuity control weaknesses were reported for most of the 
agencies covered by our analysis. Examples of weaknesses included the 
following:

 Plans were incomplete because operations and supporting 
        resources had not been fully analyzed to determine which were 
        the most critical and would need to be resumed as soon as 
        possible should a disruption occur.
 Disaster recovery plans were not fully tested to identify 
        their weaknesses. At one agency, periodic walkthroughs or 
        unannounced tests of the disaster recovery plan had not been 
        performed. Conducting these types of tests provides a scenario 
        more likely to be encountered in the event of an actual 
        disaster.

           IMPROVED SECURITY PROGRAM MANAGEMENT IS ESSENTIAL

    The audit reports cited in this statement and in our prior 
information security reports include many recommendations to individual 
agencies that address specific weaknesses in the areas I have just 
described. It is each individual agency's responsibility to ensure that 
these recommendations are implemented. Agencies have taken steps to 
address problems and many have good remedial efforts underway. However, 
these efforts will not be fully effective and lasting unless they are 
supported by a strong agencywide security management framework.
    Establishing such a management framework requires that agencies 
take a comprehensive approach that involves both (1) senior agency 
program managers who understand which aspects of their missions are the 
most critical and sensitive and (2) technical experts who know the 
agencies' systems and can suggest appropriate technical security 
control techniques. We studied the practices of organizations with 
superior security programs and summarized our findings in a May 1998 
executive guide entitled Information Security Management: Learning From 
Leading Organizations (GAO/AIMD-98-68). Our study found that these 
organizations managed their information security risks through a cycle 
of risk management activities that included

 assessing risks and determining protection needs,
 selecting and implementing cost-effective policies and 
        controls to meet these needs,
 promoting awareness of policies and controls and of the risks 
        that prompted their adoption among those responsible for 
        complying with them, and
 implementing a program of routine tests and examinations for 
        evaluating the effectiveness of policies and related controls 
        and reporting the resulting conclusions to those who can take 
        appropriate corrective action.
    In addition, a strong, centralized focal point can help ensure that 
the major elements of the risk management cycle are carried out and 
serve as a communications link among organizational units. Such 
coordination is especially important in today's highly networked 
computing environments. This cycle of risk management activities is 
depicted below.
    This cycle of activity, as described in our May 1998 executive 
guide, is consistent with guidance on information security program 
management provided to agencies by the Office of Management and Budget 
(OMB) and by NIST. In addition, the guide has been endorsed by the 
federal Chief Information Officers (CIO) Council as a useful resource 
for agency managers. We believe that implementing such a cycle of 
activity is the key to ensuring that information security risks are 
adequately considered and addressed on an ongoing basis.
    While instituting this framework is essential, there are several 
steps that agencies can take immediately. Specifically, they can (1) 
increase awareness, (2) ensure that existing controls are operating 
effectively, (3) ensure that software patches are up-to-date, (4) use 
automated scanning and testing tools to quickly identify problems, (5) 
propagate their best practices, and (6) ensure that their most common 
vulnerabilities are addressed. None of these actions alone will ensure 
good security. However, they take advantage of readily available 
information and tools and, thus, do not involve significant new 
resources. As a result, they are steps that can be made without delay.

   NEW LEGAL REQUIREMENTS PROVIDE BASIS FOR IMPROVED MANAGEMENT AND 
                               OVERSIGHT

    Due to concerns about the repeated reports of computer security 
weaknesses at federal agencies, in 2000, the Congress passed government 
information security reform provisions require agencies to implement 
the activities I have just described. These provisions were enacted in 
late 2000 as part of the fiscal year 2001 NationalDefense Authorization 
Act. In addition to requiring these management improvements, the new 
provisions require annual evaluations of agency information security 
programs by both management and agency inspectors general. The results 
of these reviews, which are initially scheduled to become available in 
late 2001, will provide a more complete picture of the status of 
federal information security than currently exists, thereby providing 
the Congress and OMB an improved means of overseeing agency progress 
and identifying areas needing improvement.

      IMPROVEMENT EFFORTS ARE UNDERWAY, BUT MANY CHALLENGES REMAIN

    During the last two years, a number of improvement efforts have 
been initiated. Several agencies have taken significant steps to 
redesign and strengthen their information security programs; the 
Federal Chief Information Officers Council has issued a guide for 
measuring agency progress, which we assisted in developing; and the 
President issued a National Plan for Information Systems Protection and 
designated the related goals of computer security and critical 
infrastructure protection as a priority management objective in his 
fiscal year 2001 budget. These actions are laudable. However, recent 
reports and events indicate that they are not keeping pace with the 
growing threats and that critical operations and assets continue to be 
highly vulnerable to computer-based attacks.
    While OMB, the Chief Information Officers Council, and the various 
federal entities involved in critical infrastructure protection have 
expanded their efforts, it will be important to maintain the momentum. 
As we have noted in previous reports and testimonies, there are actions 
that can be taken on a governmentwide basis to enhance agencies' 
abilities to implement effective information security.
    First, it is important that the federal strategy delineate the 
roles and responsibilities of the numerous entities involved in federal 
information security and related aspects of critical infrastructure 
protection. Under current law, OMB is responsible for overseeing and 
coordinating federal agency security; and NIST, with assistance from 
the National Security Agency (NSA), is responsible for establishing 
related standards. In addition, interagency bodies, such as the CIO 
Council and the entities created under Presidential Decision Directive 
63 on critical infrastructure protection are attempting to coordinate 
agency initiatives. While these organizations have developed 
fundamentally sound policies and guidance and have undertaken 
potentially useful initiatives, effective improvements are not taking 
place, and it is unclear how the activities of these many organizations 
interrelate, who should be held accountable for their success or 
failure, and whether they will effectively and efficiently support 
national goals.
    Second, more specific guidance to agencies on the controls that 
they need to implement could help ensure adequate protection. Currently 
agencies have wide discretion in deciding what computer security 
controls to implement and the level of rigor with which they enforce 
these controls. In theory, this is appropriate since, as OMB and NIST 
guidance states, the level of protection that agencies provide should 
be commensurate with the risk to agency operations and assets. In 
essence, one set of specific controls will not be appropriate for all 
types of systems and data.
    However, our studies of best practices at leading organizations 
have shown that more specific guidance is important. In particular, 
specific mandatory standards for varying risk levels can clarify 
expectations for information protection, including audit criteria; 
provide a standard framework for assessing information security risk; 
and help ensure that shared data are appropriately protected. 
Implementing such standards for federal agencies would require 
developing a single set of information classification categories for 
use by all agencies to define the criticality and sensitivity of the 
various types of information they maintain. It would also necessitate 
establishing minimum mandatory requirements for protecting information 
in each classification category.
    Third, routine periodic audits, such as those required in the 
government information security reforms recently enacted, would allow 
for more meaningful performance measurement. Ensuring effective 
implementation of agency information security and critical 
infrastructure protection plans will require monitoring to determine if 
milestones are being met and testing to determine if policies and 
controls are operating as intended.
    Fourth, the Congress and the executive branch can use of audit 
results to monitor agency performance and take whatever action is 
deemed advisable to remedy identified problems. Such oversight is 
essential to holding agencies accountable for their performance as was 
demonstrated by the OMB and congressional efforts to oversee the year 
2000 computer challenge.
    Fifth, it is important for agencies to have the technical expertise 
they need to select, implement, and maintain controls that protect 
their computer systems. Similarly, the federal government must maximize 
the value of its technical staff by sharing expertise and information. 
As the year 2000 challenge showed, the availability of adequate 
technical expertise has been a continuing concern to agencies.
    Sixth, agencies can allocate resources sufficient to support their 
computer security and infrastructure protection activities. Funding for 
security is already embedded to some extent in agency budgets for 
computer system development efforts and routine network and system 
management and maintenance. However, some additional amounts are likely 
to be needed to address specific weaknesses and new tasks. OMB and 
congressional oversight of future spending on computer security will be 
important to ensuring that agencies are not using the funds they 
receive to continue ad hoc, piecemeal security fixes not supported by a 
strong agency risk management framework.
    Mr. Chairman, this concludes my statement. I would be pleased to 
answer any questions that you or other members of the Subcommittee may 
have at this time.

    Mr. Greenwood. Thank you, Mr. Dacey.
    Mr. Tritak.

                  TESTIMONY OF JOHN S. TRITAK

    Mr. Tritak. Thank you, Mr. Chairman. I welcome the 
opportunity to appear before this subcommittee to discuss 
internal Federal Government efforts in securing its critical 
infrastructures. I ask that my written statement be introduced 
into the record at this time.
    Mr. Greenwood. It will be.
    Mr. Tritak. My opening remarks will focus primarily on 
those efforts through the end of the Clinton administration. A 
detailed discussion of those efforts are provided in the 
President's report to the Congress which was published in 
January and was prepared both by the National Security Council 
and my office, the Critical Infrastructure Assurance Office, in 
coordination with Federal Governments and agencies that 
actually reported on their activities.
    Mr. Chairman, as you know, the administration is currently 
conducting a thorough review of its critical infrastructure 
protection policy. While the results of that review are still 
several weeks away, several things we already know, which I 
think should be discussed here.
    First, President Bush himself has indicated that critical 
infrastructure protection is important to U.S. Economic and 
national security and will be a priority of his administration.
    Second, and the point goes to remarks made by Congressman 
Tauzin, National Security Adviser Rice has recently stated with 
regard to government agency organizations that on the one hand 
no single government agency can handle all of the critical 
infrastructure assurance problems for the Federal Government. 
All agencies are stakeholders and have a role in the solution. 
That said, however, coordination among governments naturally 
occurring stovepipes must take place and must take place better 
than it has in the past. Moreover there must be a common point 
of contact that is accessible both to private industry and the 
government, Federal Government, the Congress, and the American 
people in addressing this issue.
    A third point was also made by Dr. Rice. She stated that 
the Federal Government bears a direct responsibility to ensure 
that it can deliver essential services and perform critical 
functions necessary for the Nation's defense, the health and 
welfare and safety of its citizens. I think this statement 
deserves a little explanation because it makes a very important 
point about critical infrastructure policy.
    In the first instance, critical infrastructure protection 
is about assured delivery of vital services that are provided 
by key sectors of government and the economy, including 
electric power, oil and gas, telecommunications, banking and 
finance, transportation, water, health and emergency services. 
To the extent these infrastructures depend on computer systems 
and networks to deliver those vital services, and increasingly 
they do, to that extent critical infrastructure policy must be 
concerned with computer security and information assurance.
    Now, under Presidential directive 63 the previous 
administration established as one of its goals the achievement 
of the ability to protect the Nation's critical infrastructures 
from deliberate attacks. That could significantly diminish the 
government's ability to perform national security missions and 
ensure the public health and safety of the American people.
    When I first took office, this office, I often asked how 
are we going to know when we've achieved this goal and what 
does it take to achieve it. I had more than a passing interest 
in the question because one of the mandates under PDD-63 for my 
office is to assist Federal agencies in assessing their 
dependence on critical infrastructures.
    Ultimately, our response was to develop what we call 
``project matrix.'' That decision came out of a sense of 
frustration both within our own office as well as some 
government agencies asking the question how do we go about 
doing this, managing this very large problem.
    Now project matrix basically takes a systems-analysis 
approach to the critical infrastructure problem. It starts by 
asking each participating department and agency what services 
do you provide that are necessary to the Nation's defense, the 
orderly functioning of the economy, or the health, welfare and 
safety of Americans. More importantly, of those services, which 
if disrupted even for short periods of time could have a 
significant and immediate impact on the public.
    You will note, Mr. Chairman, that there's a time-
sensitivity element that is important to our analysis. I have 
to explain why. We believe that those types of services, those 
types of critical and time-sensitive services, and the systems 
that are necessary for their delivery, are at the greatest risk 
if attacked and therefore deserve priority attention in terms 
of security. Let me give you an example.
    Timely hurricane warnings would be deemed under our 
approach as a critical service; and, therefore, NOAA's national 
hurricane warning center would be deemed a critical asset. This 
is because disruption of timely warnings of hurricanes during a 
hurricane season could have absolutely catastrophic effects on 
the public.
    The matrix approach requires agencies also to think 
functionally rather than bureaucratically. It is not enough in 
the case of the national hurricane warning center to determine 
whether it alone is secure. So, too, must all the other 
government and private sector entities necessary to the 
performance of the center's warning operations be secure as 
well. In many instances, vital functions performed by one 
agency depend on services provided by another. Assured delivery 
of critical services are only as good as the weakest link in 
the delivery chain.
    Having essentially mapped a critical government service 
across government agencies and between government and the 
private sector, we are now--agencies are better able then to 
direct their efforts toward determining whether or not that 
service is vulnerable to disruption and immediate disruption. 
Among other things, this sort of approach also helps 
rationalize the budgetary process and prioritizing your 
security activities within an agency.
    Let me say in conclusion, Mr. Chairman, a number of things. 
First, critical infrastructure policy is inherently a risk-
management problem. A number of people here today have all 
indicated there's no such thing as perfect security. We need to 
know what is at risk however; and we need to decide how to 
manage those risks, balancing costs and consequences.
    Also, critical infrastructure protection is concerned with 
computer security, but it is not synonymous with it. There are 
very good reasons for having good computer security besides 
those in support of critical infrastructure policy. We've heard 
about many. Privacy of data bases that have information about 
citizens is critical, whether or not it would meet the standard 
of creating an immediate impact and harm on the public in some 
broader sense. Protecting classified systems is important 
regardless of what is contained in them.
    Now, how we decide to allocate resources for all computer 
security demands within the Federal Government is essentially a 
public-policy choice, a choice the administration is currently 
weighing in its review. That said, if securing critical 
government services are to be a priority, particularly time-
sensitive ones, then going through a process along the lines 
I've just described is required. In addition, having identified 
government--critical government assets essential to delivery of 
critical services, priority must also be given to assessing 
their vulnerabilities and developing and implementing 
remediation plans in those instances where vulnerabilities 
exist. And I can't overemphasize that last point. Just because 
a government asset is critical doesn't necessarily mean it's 
vulnerable to cyberattacks. If it is not connected to the 
Internet, if it is not connected to any part of the world, it 
by definition would not be vulnerable to outside attack, 
putting aside the internal problems you may have with 
disgruntled employees, which we all acknowledge is a problem.
    For example, I use the hurricane warning center as an 
example of how we go through the analytic process. I didn't by 
any means want to imply it is necessarily vulnerable to attack. 
In fact, from what I know, it's quite secure. What is the 
point, however, and what I wish to leave you with is that 
unless you know how the government's crown jewels function and 
how having identified those elements all other relevant 
government assets and private assets that are essential to the 
functioning of those crown jewels you don't know whether you're 
vulnerable or not; and, therefore, you don't know whether 
you're secure or not against cyber-based attacks.
    That concludes my remarks, Mr. Chairman; and I welcome any 
questions you may have.
    [The prepared statement of John S. Tritak follows:]

Prepared Statement of John S. Tritak, Director, Critical Infrastructure 
                            Assurance Office

    Mr. Chairman, members of the Subcommittee, it is an honor to appear 
before you today to discuss the status, as of the time that the Bush 
Administration took office, of Federal government efforts to secure 
internal critical systems and infrastructure within Departments and 
Agencies. These efforts are described in some detail in the Report of 
the President of the United States on the Status of Federal Critical 
Infrastructure Protection Activities, January 2001.
    This Subcommittee has shown exceptional leadership on a broad range 
of national and economic security issues and I am grateful for the 
opportunity to work closely with you and the Congress to find ways to 
advance infrastructure assurance for all Americans. As you know, the 
Bush Administration currently is conducting a thorough review of our 
critical infrastructure protection policy. We expect the results of 
that review over the next couple of months. President Bush has 
indicated already, however, that securing our nation's critical 
infrastructures will be a priority of his Administration. Your decision 
to hold this hearing could not be more timely. We all recognize that no 
viable solutions will be developed or implemented without the executive 
and legislative branches working together.
    I believe the work of your subcommittee, along with that of others, 
will make an important contribution to establishing a new consensus on 
safeguarding critical government services against cyber attacks.

                               BACKGROUND

    America has long depended on a complex of systems--or critical 
infrastructures--to assure the delivery of services vital to its 
national defense, economic prosperity, and social well-being. These 
infrastructures include telecommunications, water supplies, electric 
power, oil and gas delivery and storage, banking and finance, 
transportation, and vital human and government services.
    The Information Age has fundamentally altered the nature and extent 
of our dependency on these infrastructures. Increasingly, our 
government, economy, and society are being connected together into an 
ever expanding and interdependent digital nervous system of computers 
and information systems. With this interdependence come new 
vulnerabilities. One person with a computer, a modem, and a telephone 
line anywhere in the world potentially can break into sensitive 
government files, shut down an airport's air traffic control system, or 
cause a power outage in an entire region.
    Events such as the 1995 bombing of the Murrah Federal Building in 
Oklahoma City demonstrated that the Federal government needed to 
address new types of threats and vulnerabilities, many of which the 
nation was unprepared to defend against. In response to the Murrah 
Building tragedy and other events, an inter-agency working group was 
formed to examine the nature of the threat, our vulnerabilities, and 
possible long-term solutions for this aspect of our national security. 
The National Security Council's Critical Infrastructure Working Group 
(CIWG) included representatives from the defense, intelligence, law 
enforcement and national security communities. The working group 
identified both physical and cyber threats and recommended formation of 
a Presidential Commission to address more thoroughly many of these 
growing concerns.
    In July 1996 the President's Commission on Critical Infrastructure 
Protection (PCCIP) was established by Executive Order 13010. The 
bipartisan PCCIP included senior representatives from private industry, 
government, and academia; its Advisory Committee consisted of industry 
leaders who provided counsel to the Commission.
    After examining infrastructure issues for over a year, the 
Commission issued its report, Critical Foundations: Protecting 
America's Infrastructures. The Report reached four significant 
conclusions:

 First, critical infrastructure protection is central to our 
        national defense, including national security and national 
        economic power;
 Second, growing complexity and interdependence between 
        critical infrastructures may create the increased risk that 
        rather minor and routine disturbances can cascade into national 
        security emergencies;
 Third, vulnerabilities are increasing steadily and the means 
        to exploit weaknesses are readily available; practical measures 
        and mechanisms, the Commission argued, must be urgently 
        undertaken before we are confronted with a national crisis; and
 Fourth, laying a foundation for security will depend on new 
        forms of cooperation with the private sector, which owns and 
        operates a majority of these critical infrastructure 
        facilities.

                                 PDD-63

    On May 22, 1998, Presidential Decision Directive 63 (PDD-63) was 
issued to achieve and maintain the capability to protect our nation's 
critical infrastructures from acts that would significantly diminish 
the abilities of:

 The Federal government to perform essential national security 
        missions and to ensure the general public health and safety;
 State and local governments to maintain order and to deliver 
        minimum essential public services; and
 The private sector to ensure the orderly functioning of the 
        economy and the delivery of essential telecommunications, 
        energy, financial, and transportation services.
    To achieve these ends, PDD-63 articulates a strategy of:

 Creating a public-private partnership to address the problem 
        of information technology security;
 Raising awareness of the importance of cyber security in the 
        government and in the private sector;
 Stimulating market forces to increase the demand for cyber 
        security and to create standards or best practices;
 funding or facilitating research into new information 
        technology systems with improved security inherent in their 
        design;
 Working with educational facilities to increase the number of 
        students specializing in cyber security; and
 Helping to prevent, mitigate, or respond to major cyber 
        attacks by building an information sharing system among 
        government agencies, among corporations, and between government 
        and industry.
    The Federal government's basic approach to critical infrastructure 
protection, as reflected in PDD-63, has been built around a strong 
policy preference for consensus-building and voluntary cooperation 
rather than regulatory actions. In an economy as complex as ours, and 
with technology changing as quickly as it is, cooperation offers the 
best and surest way to achieve our shared goals in this emerging area. 
However, the government's approach also recognizes the need for 
coordinated actions to improve its internal defenses and the nation's 
overall posture against these new threats.
    PDD-63 called for the Federal government to produce a detailed plan 
to protect and defend the nation against cyber disruptions. Version 1 
of this effort, entitled The National Plan for Information Systems 
Protection, was released in January 2000, and represents the first 
attempt by a national government to design a comprehensive approach to 
protect its critical infrastructures. This initial version of the plan 
focused mainly on domestic efforts being undertaken by the Federal 
government to protect the nation's critical cyber-based 
infrastructures. The next version of the plan, due out this summer, 
will focus on the efforts of the infrastructure owners and operators, 
as well as the risk management and broader business community.
    Under PDD-63, Federal Agencies have a number of distinct 
responsibilities:

 All agencies are required to protect their own internal 
        critical infrastructures, especially their cyber systems.
 Some agencies with special expertise or functional 
        responsibilities are tasked with providing services to the 
        government as a whole.
 A number of agencies also are charged with developing 
        partnerships with private industry in their sectors of the 
        economy.
    I will focus the remainder of my remarks on the first 
responsibility--securing internal critical systems. Specifically, I 
will discuss the work of my office, the Critical Infrastructure 
Assurance Office, in assisting agencies to identify and prioritize 
these systems. I also will discuss briefly Federal Government efforts 
to formulate security and best practices standards that apply to 
information, security, and critical infrastructure assets.
    Time constraints prevent me from fully describing the internal 
efforts of each federal agency to secure their critical systems. I urge 
the subcommittee to review the status reports of each Department and 
Agency provided in Section III of the President's January Report. 
Likewise, I strongly recommend that the subcommittee study the 
agencies' sector partnership efforts described in Section II of the 
Report. These efforts are as important to overall national critical 
infrastructure assurance as the internal activities that have been 
undertaken within the Federal government. I would welcome the 
opportunity to brief the sub-committee on another occasion on the work 
of the CIAO and the federal lead agencies (Commerce, Energy, Treasury, 
Transportation, Justice, Health and Human Services, EPA and Defense) in 
promoting meaningful public-private partnerships.

   IDENTIFYING CRITICAL FEDERAL INFRASTRUCTURES AND SYSTEMS: PROJECT 
                                 MATRIX

    In response to PDD 63, my office established Project Matrix last 
year to ``coordinate analyses of the U.S. Government's own dependencies 
on critical infrastructures.''
    This is a government-wide issue. Federal Departments and Agencies 
do not operate independently of one another. Due to significant 
advances in information technology, the public and private sectors have 
become inextricably intertwined. As a result, there is limited utility 
in each Federal Department and Agency viewing physical and cyber 
security only in the context of its own organization. Project Matrix 
provides each Federal Department and Agency an expanded, more 
comprehensive, realistic, and useful view of the world within which it 
actually functions. The Administration, Congress, and private sector 
providers of the nation's critical infrastructures will require such 
information to implement cost efficient and effective physical and 
cyber security enhancement measures in the future. Project Matrix 
provides a common methodology and approach and allows the government to 
develop a clearer picture of cross-agency interdependencies.
    Participating in Project Matrix helps each Federal Department and 
Agency identify the assets, nodes and networks, and associated 
infrastructure dependencies and interdependencies that are required for 
it to fulfill its national security, economic stability, and critical 
public health and safety responsibilities to the American people. A 
number of Departments and Agencies refer to Project Matrix in their 
reports.
    Project Matrix also helps each participating Federal Department and 
Agency:

 Identify the nodes and networks that should receive robust 
        cyber and physical vulnerability assessments;
 Conduct near-term risk management assessments;
 Justify funding requests for high-priority security 
        enhancement measures in the areas of physical security, 
        information system security, industrial security, emergency 
        preparedness, counter-intelligence, counter-terrorism; and
 Review actual business processes to better understand and 
        improve the efficiencies of its organization's functions and 
        information technology architectures.
    Project Matrix involves a three-step process. In Step 1, the 
Project Matrix team identifies and prioritizes each Federal 
Department's and Agency's PDD 63 relevant assets. In Step 2, the team 
provides a business process topology on, and identifies significant 
points of failure associated with, each Department's or Agency's most 
critical assets. In Step 3, the team identifies the infrastructure 
dependencies associated with select assets identified in Step 1 and 
analyzed in-depth in Step 2.
    In FY 2001, the Project Matrix team will complete the documentation 
of its entire analytical process for use throughout the public and 
private sectors, improve its Step One automated data collection tool, 
and develop compatible automated Step Two and Three tools.
  integrating security into the capital planning and budget processes
    In February 2000, OMB issued important new guidance to the agencies 
on incorporating and funding security in information technology 
investments. In brief, this policy states that funding will not be 
provided for agency requests that fail to demonstrate how security is 
built into and funded as part of each system.
    This policy carries through on the requirements of the Clinger-
Cohen Act of 1996 and emphasizes that security must be incorporated in 
and practiced throughout the life cycle of each agency's system and 
program. To accomplish this, beginning with the FY 2002 budget, each 
agency budget request to OMB for information technology funding must, 
among other things:

 Demonstrate life cycle security costs for each system;
 Include a security plan that complies with applicable policy;
 Show specific methods used to ensure that risks are 
        understood, continually assessed, and effectively controlled; 
        and
 Demonstrate that security is an integral part of the agency's 
        enterprise architecture including interdependencies and 
        interrelationships.

             THE GOVERNMENT INFORMATION SECURITY REFORM ACT

    On October 30, 2000 the President signed into law the FY 2001 
Defense Authorization Act (P.L. 106398) including Title X, subtitle G, 
``Government Information Security Reform (Security Act).'' The security 
provision amends the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 
35) and primarily addresses the program management and program 
evaluation aspects of security.
    In concert with OMB policy, the Security Act requires agencies to 
incorporate and practice risk-based and cost-effective security 
throughout the life cycle of each agency system and thus firmly ties 
security to the agencies' capital planning and budget processes.
    The Security Act also requires on an annual basis:

 Agency program reviews;
 Inspector General evaluations of agency security programs;
 Agency reports to OMB; and
 An OMB report to Congress.
    The annual review and reporting requirements will promote 
consistent, ongoing assessments of government security performance. 
Recently a uniform method for agency program reviews has been 
developed.

         THE CIO AND CFO COUNCILS: STANDARDS AND BEST PRACTICES

    Standardizing the security controls for government systems has a 
conceptual appeal because it can reduce the complexity and expense of 
developing, implementing, and monitoring security on a system-by-system 
basis. This is increasingly important given the government's shortage 
of expert information security personnel. Government computer security 
almost certainly would improve if specific standards were prescribed 
and implemented for each government information system.
    However, specific standards for all systems--a ``one-size-fits-
all'' security approach--may not accommodate the vastly different 
operational requirements of each information system and could 
unnecessarily impede business operations. Executive branch agencies 
operate more than 26,000 major information systems, many of which 
directly interact with the public, industry, or State and local 
governments. Just as each system has its own unique operational 
requirements, so too are its security requirements unique.
    The CIO Council and the CFO Council recognize both the benefits and 
potential problems with standardized security approaches. They have 
undertaken the following important initiatives:
    Securing Electronic Government Transactions to the Public--Resource 
Guide: The CIO Council, the CFO Council, and the Information Technology 
Association of America are working together to develop a benchmark for 
risk-based, cost-effective security for three types of electronic 
government services:

 Web-based information services;
 Government procurement; and
 Financial transactions with the public.
    A resource guide for securing electronic transactions with the 
public will be released in 2001 to assist agency CIOs in promoting 
electronic government initiatives within their agencies. Together with 
the CFO Council initiative for agency financial systems, this effort 
may prove to be an effective pilot for establishing similar benchmarks 
for other discrete classes of programs and information systems.
    Best Security Practices: The CIO Council, led by the U.S. Agency 
for International Development and NIST, has developed a web-based 
repository of sound Federal agency security practices that have worked 
in the real world. The CIO Council's Best Security Practices initiative 
collects, documents, and disseminates these practices to help agencies 
reduce the cost of developing and testing new security controls, 
improve the speed of implementation, and increase the quality of their 
security programs.
    The goal is to populate the repository with more than 100 practices 
by mid 2001 and continually expand offerings from then on. In their 
guidance to the agencies on implementing the Government Information 
Security Reform Act, OMB has instructed agencies to use the CIO 
Council's best practices initiative to fulfill the new act's 
requirement to share best practices.
    Measuring Performance--Federal Information Technology Security 
Assessment Framework: Over the past year, the CIO Council, working with 
NIST, OMB, and the GAO, developed the Federal Information Technology 
Security Assessment Framework. The framework, issued in December 2000, 
provides agencies with a self-assessment methodology to determine the 
current status of their security programs and, where necessary, 
establish a target for improvement. In developing the framework, the 
CIO Council recognizes that the security needs for the tens of 
thousands of Federal information systems differ and must be addressed 
in different ways.
    The framework comprises five levels to guide agency self 
assessments and to assist them in prioritizing efforts for improvement:

 Level 1 reflects a documented security policy;
 Level 2 shows documented procedures and controls to implement 
        the policy;
 Level 3 indicates that the procedures and controls have in 
        fact been implemented;
 Level 4 shows that the procedures and controls are continually 
        tested and reviewed; and
 Level 5 demonstrates that procedures and controls are fully 
        integrated into a comprehensive program.
    Each level represents a more complete and effective security 
program. Agencies should bring all systems and programs to level 4 and 
ultimately level 5. OMB and the CIO Council have alerted agencies that 
when individual systems do not meet the framework's level 4 
requirements, the system may not meet OMB's security funding criteria.
    As mentioned earlier, the new Government Information Security 
Reform Act emphasizes the importance of assessing security 
effectiveness and requires annual agency reporting to OMB of the 
results of the agency security reviews. OMB has instructed agencies to 
use the framework to fulfill their assessment and reporting obligations 
under the Security Act.

                               CONCLUSION

    While much has been accomplished in recent years, much more needs 
to be done to ensure our critical government systems are adequately 
protected from cyber attack. I look forward to working with members of 
this subcommittee, and the entire Congress, as we address the 
challenges ahead. I look forward to your questions.

    Mr. Greenwood. Thank you. Appreciate your testimony.
    I will direct some questions to Mr. Dacey, if I may. 
Overall, if you had to give the Federal agencies the GAO has 
reviewed a collective grade A through F, i.e., passing or 
failing, how would you rate them as a group?
    Mr. Dacey. I think overall the types of weaknesses we've 
seen, again, are pervasive. In terms of a grade, I'll leave 
that to Chairman Horn. He's given grades last year, and I am 
not sure they've changed a whole lot since then.
    Mr. Greenwood. Would this grade be different for defense 
versus military agencies than civilian agencies? How would you 
compare them?
    Mr. Dacey. I just wanted to clarify, the main part of the 
work that's been done has been on unclassified systems. So with 
respect to those, we're finding similar types of 
vulnerabilities in both.
    Mr. Greenwood. The committee's reviews of computer security 
at various Federal agencies has largely found that security has 
been mostly a paperwork exercise up to now. Do you agree with 
that?
    Mr. Dacey. There are certain areas, I guess, in terms of a 
paperwork exercise, that there are documented policies in many 
cases that aren't carried through in terms of execution. Also, 
there are many places where the policies aren't even 
documented. One of the areas that we look at is, again, whether 
the agencies have a process such as Energy to really determine 
what the effectiveness of their controls are. We've many times 
identified vulnerabilities for the first time to agencies; and 
although they have been generally very responsive, it's a 
process that we think ought to take place in the management 
role, not as an audit function. So that is, I guess, how I'd 
answer that question.
    Mr. Greenwood. It's safe to say that every agency ought to 
be constantly testing its own security systems; isn't that a 
fair statement?
    Mr. Dacey. I think there needs to be a regular process for 
that type of testing. Part of that is called for in the new 
legislation. The reports on that new legislation will be due 
out in the fall to Congress, and those should illustrate some 
of the issues and also indicate whether, in fact, that testing 
is being done. I believe in your opening statement you referred 
to the fact, based on evidence you obtained, that that wasn't 
being done. That is consistent with our--what we have seen 
actually. We've seen very little done by most agencies to 
assess the effectiveness of their security.
    Mr. Greenwood. You mentioned in your testimony some 
examples of unauthorized access, security breaches, compromised 
networks and data from GAO's body of work across Federal 
agencies. These are not just hypothetical, are they?
    Mr. Dacey. No. We have seen incidents where that has 
actually occurred, which I gave in my oral statement. The 
question really too is some of these vulnerabilities are, or 
were, sensitive when we found them, at least could have led to 
all kinds of other things that weren't detected. I would agree 
based upon the comments earlier that a large number of 
incidents that are occurring are probably not detected and 
reported. That is an area where we really need to get better 
systems because you can't protect the systems a hundred 
percent, as was discussed earlier; but you need to do the best 
you can to really implement known patches and address known 
vulnerabilities. Many of the tools and Web sites that were 
referred to earlier that provide evidence of ways in which 
systems can be hacked can also be used by agencies to identify 
those same types of weaknesses in their system and fix them. So 
I think that is an important area that needs to be addressed.
    Mr. Greenwood. It seems to me, as I think Ms. McDonald 
said, they encourage the use of patches; but there's no 
requirement that the patches be used, and perhaps we ought to 
consider a mechanism to make them mandatory.
    Mr. Tritak, could you describe for the committee a worst-
case scenario for a cyberattack or information-warfare attack 
on one of our Nation's critical infrastructures, just to make 
us all feel good?
    Mr. Tritak. Yeah, make me feel real good. If I may a little 
bit, sir, sort of qualify my remarks by saying the following: 
I've heard conversations earlier talk about cyberterrorism, 
information warfare; and that is a shorthand that we all use in 
describing certain types of threats. I think I prefer when I 
address these things is to turn around a little bit and not 
using cyberadjectives to modify traditional nouns but to say in 
a sense, for example, instead of cyberterrorism, I refer to it 
as terrorist activities that attempt to exploit cyberspace to 
achieve certain terrorist goals and objectives. Okay. And in an 
information warfare context, I think if we're using the term 
properly, we're in a state of war in which a country is 
utilizing or exploiting the cyberspace and vulnerabilities in 
the cyberspace to achieve certain goals and certain objectives.
    Now let me give you an idea of the kinds of things I think 
would be played out in that context. Let's pretend we go back, 
and we have to, God forbid, have to deal with Iraq again in a 
way that we had to deal with Iraq before. I think Iraq and the 
leadership of Iraq probably would prefer not to have to go toe 
to toe with the Americans the way it had to go toe to toe the 
first time around. One of the things it probably would attempt 
to do if it could--and I'm not saying any of this they can 
actually achieve, because I think it is very difficult to do 
this, but let's just suppose the intent would be to disrupt the 
deployment--mobilization and deployment of U.S. Forces in the 
United States and project them overseas and then also the 
logistics efforts going from Europe points of demarcation in 
Europe finally to the Middle East. To the extent they could 
achieve something like that, it could have strategic 
implications. So I think we need to look at it in that sense.
    Now if you're talking about in the case of a war where in a 
sense they would attempt to achieve through cyberattacks what 
bombers used to achieve, for example, then you would think of 
things that could cause mass problems, disruptions of 911, 
introduction of biological chemical weapons at the same time, 
the possibility of trying to hack into dams and potentially 
open floodgates, anything that would cause the kind of hysteria 
and potential loss of life that we tried to do in World War II 
or whatever.
    That is the kind of thing I think we all have to be 
concerned about because I think that is the sort of thing 
people would be thinking about if they were going to war with 
us and they wanted to exploit the cyberspace in order to 
achieve their military and political objectives. I want to also 
emphasize it's not clear that they could achieve that; and in 
fact, this the beauty of now as well as the curse of today is 
the fact that we haven't seen the worst because the worst that 
can be done over cyberspace is a function of interconnectivity 
and being hooked in. And we're still in the fairly early stages 
of doing this. Our society, our government, our economy are 
being transformed by information technologies; and increasingly 
we're going to be depending on wireless technologies in 
addition to the online versions.
    So I think that over time the potential for serious 
problems conducted over cyberspace will go up. That is why I 
applaud the efforts that you're trying to do now. Let's not 
wait for that eventuality. Let's take aggressive action now and 
perhaps preempt the problem altogether.
    Mr. Greenwood. Well, while these worst-case scenarios are 
theoretical, the fact of the matter is would you agree with us 
that the only thing that stands between us and the worst-case 
scenario is the extent to which the Federal agencies involved 
utilize the billions of dollars that we've appropriated to them 
and the tools, the technological tools that are available to 
protect against those scenarios?
    Mr. Tritak. Yes. I think that to the extent that Federal 
agencies are increasingly relying on information technology to 
do key services in national defense and to the extent that 
those services are linked into the ever-expanding digital 
nervous system that is spanning the country and the globe, you 
are exposing yourself to a risk that you have never had before; 
and if you are not safeguarding yourself against that, the 
potential for the kinds of concerns that you have, I think, 
can't be ignored.
    Mr. Greenwood. The means will always be there; the 
motivation will always be there. The only protection is the 
security systems, and the only long-range protection against 
those scenarios is constant vigilance, constant testing of our 
systems to protect us.
    Mr. Tritak. Yes.
    Mr. Greenwood. Okay. A recent report by a committee of 
Inspectors General issued just last week found PDD-63 
implementation to be progressing very slowly at most Federal 
agencies. They surveyed 15 Federal agencies including some key 
ones for PDD-63 purposes and found that quote ``many agency 
infrastructure plans were incomplete,'' that quote ``most 
agencies had not identified their critical assets yet and that 
almost none of the agencies had completed vulnerability 
assessments of those assets or developed remediation plans.'' 
Do you concur, Mr. Tritak, with this assessment, and why are we 
so far in the hole on this?
    Mr. Tritak. Well, a couple things. I think that there's 
some truth to what you have said. I can't articulate for you in 
full to what extent that is the case in each agency situation. 
What I can tell you is in the case of the work that we're doing 
with agencies under the project matrix all efforts that have 
been done so far are in the area of identifying the assets.
    I just want to qualify one piece about that because some of 
these assets may have been assessed for vulnerabilities during 
Y2K, for example, and for other reasons--and we can't 
necessarily assume that nothing has been done--but I think one 
of the points I am trying to get across to this committee is 
unless you understand the full--the way the systems operate in 
critical services and you have addressed every single aspect of 
that service for vulnerabilities, you don't know whether that 
service is assured or not. I think in that regard we have a 
long way to go, a real long way to go.
    Mr. Greenwood. Okay. We thank you both for your testimony. 
The Chair seeks unanimous consent that documents that have been 
agreed to by the staff majority and minority be admitted into 
the record and that the record remain open for 30 days for 
additional statements and materials. With that, this committee 
thanks all of its witnesses and adjourns.
    [Whereupon, at 12:15 p.m., the subcommittee was adjourned.]
    [Additional material submitted for the record follows:]

                                            CRYPTEK
                                 Secure Communications, LLC
                                                      April 5, 2001
The Honorable W.J. ``Billy'' Tauzin
Chairman
House Energy and Commerce Committee
2125 Rayburn House Office Building
Washington, DC 20515-6115
    Dear Mr. Chairman, I am submitting the following testimony and 
presentation for the record at the suggestion of Mr. Gary A. Dionne, a 
member of your Committee's professional staff. My firm is the developer 
and manufacturer of a network security product known as DiamondTEK. 
TM DiamondTEK is the only network security component to ever 
successfully complete the National Security Agency's (NSA) B2 level 
evaluation. What this means is that DiamondTEK is approved by the NSA 
to handle data of multiple levels of classification on a single 
workstation over a single network connection. This can translate in 
significant cost savings for government users who must worry about 
keeping data of various classification levels separate and secure.
    This technology is also invaluable to users of sensitive, valuable 
data in the commercial marketplace. An example that comes immediately 
to mind is ensuring the confidentiality of patient medical records. 
Another industry that could benefit from such technology is the 
financial services industries and any organization involved with funds 
transfer. One misplaced ``byte'' could mean the loss of billions of 
dollars.
    Cryptek developed DiamondTEK with internal R&D funds to meet 
stringent NSA requirements. The company has continued to invest in the 
technology, resulting in the worlds most ``trusted'' and secure network 
security product. This leading edge capability is available today for 
government and commercial users worldwide (Cryptek recently received a 
blanket export license from the Department of Commerce to export to any 
commercial or government entity in the world with the exception of the 
seven terrorist-sponsoring nations).
    I wanted to ensure that the Committee was aware that this 
technology was available as you consider various encryption and privacy 
issues during this Congress. Cryptek stands prepared to brief you, 
other Committee Members or staff on our unique products and 
capabilities and answer questions you may have.
    Thank you for your consideration of this information.
            Sincerely,
                                        Jackson Kemper, III
                             Vice President, Government Affairs6602
[GRAPHIC] [TIFF OMITTED] T2834.001

[GRAPHIC] [TIFF OMITTED] T2834.002

[GRAPHIC] [TIFF OMITTED] T2834.003

[GRAPHIC] [TIFF OMITTED] T2834.003

[GRAPHIC] [TIFF OMITTED] T2834.005

[GRAPHIC] [TIFF OMITTED] T2834.006

[GRAPHIC] [TIFF OMITTED] T2834.007

[GRAPHIC] [TIFF OMITTED] T2834.008

[GRAPHIC] [TIFF OMITTED] T2834.009

[GRAPHIC] [TIFF OMITTED] T2834.010

[GRAPHIC] [TIFF OMITTED] T2834.011

[GRAPHIC] [TIFF OMITTED] T2834.012

[GRAPHIC] [TIFF OMITTED] T2834.013

[GRAPHIC] [TIFF OMITTED] T2834.014

[GRAPHIC] [TIFF OMITTED] T2834.015

[GRAPHIC] [TIFF OMITTED] T2834.016

[GRAPHIC] [TIFF OMITTED] T2834.017

[GRAPHIC] [TIFF OMITTED] T2834.018

[GRAPHIC] [TIFF OMITTED] T2834.019

[GRAPHIC] [TIFF OMITTED] T2834.020

[GRAPHIC] [TIFF OMITTED] T2834.021

[GRAPHIC] [TIFF OMITTED] T2834.022

[GRAPHIC] [TIFF OMITTED] T2834.023

[GRAPHIC] [TIFF OMITTED] T2834.024

[GRAPHIC] [TIFF OMITTED] T2834.025

[GRAPHIC] [TIFF OMITTED] T2834.026

[GRAPHIC] [TIFF OMITTED] T2834.027

[GRAPHIC] [TIFF OMITTED] T2834.028

[GRAPHIC] [TIFF OMITTED] T2834.029

[GRAPHIC] [TIFF OMITTED] T2834.030

[GRAPHIC] [TIFF OMITTED] T2834.031

[GRAPHIC] [TIFF OMITTED] T2834.032

[GRAPHIC] [TIFF OMITTED] T2834.033

[GRAPHIC] [TIFF OMITTED] T2834.034

[GRAPHIC] [TIFF OMITTED] T2834.035

[GRAPHIC] [TIFF OMITTED] T2834.036

[GRAPHIC] [TIFF OMITTED] T2834.037

[GRAPHIC] [TIFF OMITTED] T2834.038

[GRAPHIC] [TIFF OMITTED] T2834.039

[GRAPHIC] [TIFF OMITTED] T2834.040

[GRAPHIC] [TIFF OMITTED] T2834.041

[GRAPHIC] [TIFF OMITTED] T2834.042

[GRAPHIC] [TIFF OMITTED] T2834.043

[GRAPHIC] [TIFF OMITTED] T2834.044

[GRAPHIC] [TIFF OMITTED] T2834.045

[GRAPHIC] [TIFF OMITTED] T2834.046

[GRAPHIC] [TIFF OMITTED] T2834.047

[GRAPHIC] [TIFF OMITTED] T2834.048

[GRAPHIC] [TIFF OMITTED] T2834.049

[GRAPHIC] [TIFF OMITTED] T2834.050

[GRAPHIC] [TIFF OMITTED] T2834.051

[GRAPHIC] [TIFF OMITTED] T2834.052

[GRAPHIC] [TIFF OMITTED] T2834.053

[GRAPHIC] [TIFF OMITTED] T2834.054

[GRAPHIC] [TIFF OMITTED] T2834.055

[GRAPHIC] [TIFF OMITTED] T2834.056

[GRAPHIC] [TIFF OMITTED] T2834.057

[GRAPHIC] [TIFF OMITTED] T2834.058

[GRAPHIC] [TIFF OMITTED] T2834.059

[GRAPHIC] [TIFF OMITTED] T2834.060

[GRAPHIC] [TIFF OMITTED] T2834.061

[GRAPHIC] [TIFF OMITTED] T2834.062

[GRAPHIC] [TIFF OMITTED] T2834.063

[GRAPHIC] [TIFF OMITTED] T2834.064

[GRAPHIC] [TIFF OMITTED] T2834.065

[GRAPHIC] [TIFF OMITTED] T2834.066

[GRAPHIC] [TIFF OMITTED] T2834.067

[GRAPHIC] [TIFF OMITTED] T2834.068

[GRAPHIC] [TIFF OMITTED] T2834.069

[GRAPHIC] [TIFF OMITTED] T2834.070

[GRAPHIC] [TIFF OMITTED] T2834.071

[GRAPHIC] [TIFF OMITTED] T2834.072

[GRAPHIC] [TIFF OMITTED] T2834.073

[GRAPHIC] [TIFF OMITTED] T2834.074

[GRAPHIC] [TIFF OMITTED] T2834.075

[GRAPHIC] [TIFF OMITTED] T2834.076

[GRAPHIC] [TIFF OMITTED] T2834.077

[GRAPHIC] [TIFF OMITTED] T2834.078

[GRAPHIC] [TIFF OMITTED] T2834.079

[GRAPHIC] [TIFF OMITTED] T2834.080

[GRAPHIC] [TIFF OMITTED] T2834.081

[GRAPHIC] [TIFF OMITTED] T2834.082

[GRAPHIC] [TIFF OMITTED] T2834.083

[GRAPHIC] [TIFF OMITTED] T2834.084

[GRAPHIC] [TIFF OMITTED] T2834.085

[GRAPHIC] [TIFF OMITTED] T2834.086

[GRAPHIC] [TIFF OMITTED] T2834.087

[GRAPHIC] [TIFF OMITTED] T2834.088

[GRAPHIC] [TIFF OMITTED] T2834.089

[GRAPHIC] [TIFF OMITTED] T2834.090

[GRAPHIC] [TIFF OMITTED] T2834.091

[GRAPHIC] [TIFF OMITTED] T2834.092

[GRAPHIC] [TIFF OMITTED] T2834.093

[GRAPHIC] [TIFF OMITTED] T2834.094

[GRAPHIC] [TIFF OMITTED] T2834.095

[GRAPHIC] [TIFF OMITTED] T2834.096

[GRAPHIC] [TIFF OMITTED] T2834.097

[GRAPHIC] [TIFF OMITTED] T2834.098

[GRAPHIC] [TIFF OMITTED] T2834.099

[GRAPHIC] [TIFF OMITTED] T2834.100

[GRAPHIC] [TIFF OMITTED] T2834.101

[GRAPHIC] [TIFF OMITTED] T2834.102

[GRAPHIC] [TIFF OMITTED] T2834.103

[GRAPHIC] [TIFF OMITTED] T2834.104

[GRAPHIC] [TIFF OMITTED] T2834.105

[GRAPHIC] [TIFF OMITTED] T2834.106

[GRAPHIC] [TIFF OMITTED] T2834.107

[GRAPHIC] [TIFF OMITTED] T2834.108

[GRAPHIC] [TIFF OMITTED] T2834.109

[GRAPHIC] [TIFF OMITTED] T2834.110

[GRAPHIC] [TIFF OMITTED] T2834.111

[GRAPHIC] [TIFF OMITTED] T2834.112

[GRAPHIC] [TIFF OMITTED] T2834.113

[GRAPHIC] [TIFF OMITTED] T2834.114

[GRAPHIC] [TIFF OMITTED] T2834.115

[GRAPHIC] [TIFF OMITTED] T2834.116

[GRAPHIC] [TIFF OMITTED] T2834.117

[GRAPHIC] [TIFF OMITTED] T2834.118

[GRAPHIC] [TIFF OMITTED] T2834.119

[GRAPHIC] [TIFF OMITTED] T2834.120

[GRAPHIC] [TIFF OMITTED] T2834.121

[GRAPHIC] [TIFF OMITTED] T2834.122

[GRAPHIC] [TIFF OMITTED] T2834.123

[GRAPHIC] [TIFF OMITTED] T2834.124

[GRAPHIC] [TIFF OMITTED] T2834.125

[GRAPHIC] [TIFF OMITTED] T2834.126

[GRAPHIC] [TIFF OMITTED] T2834.127

[GRAPHIC] [TIFF OMITTED] T2834.128

[GRAPHIC] [TIFF OMITTED] T2834.129

[GRAPHIC] [TIFF OMITTED] T2834.130

[GRAPHIC] [TIFF OMITTED] T2834.131

[GRAPHIC] [TIFF OMITTED] T2834.132

[GRAPHIC] [TIFF OMITTED] T2834.133

[GRAPHIC] [TIFF OMITTED] T2834.134

[GRAPHIC] [TIFF OMITTED] T2834.135

[GRAPHIC] [TIFF OMITTED] T2834.136

[GRAPHIC] [TIFF OMITTED] T2834.137

[GRAPHIC] [TIFF OMITTED] T2834.138

[GRAPHIC] [TIFF OMITTED] T2834.139

[GRAPHIC] [TIFF OMITTED] T2834.140

[GRAPHIC] [TIFF OMITTED] T2834.141

[GRAPHIC] [TIFF OMITTED] T2834.142

[GRAPHIC] [TIFF OMITTED] T2834.143

[GRAPHIC] [TIFF OMITTED] T2834.144

[GRAPHIC] [TIFF OMITTED] T2834.145

[GRAPHIC] [TIFF OMITTED] T2834.146

[GRAPHIC] [TIFF OMITTED] T2834.147

[GRAPHIC] [TIFF OMITTED] T2834.148

[GRAPHIC] [TIFF OMITTED] T2834.149

[GRAPHIC] [TIFF OMITTED] T2834.150

[GRAPHIC] [TIFF OMITTED] T2834.151

[GRAPHIC] [TIFF OMITTED] T2834.152

[GRAPHIC] [TIFF OMITTED] T2834.153

[GRAPHIC] [TIFF OMITTED] T2834.154

