[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
PROTECTING AMERICA'S CRITICAL INFRASTRUCTURE: HOW SECURE ARE GOVERNMENT
COMPUTER SYSTEMS?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
OVERSIGHT AND INVESTIGATIONS
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
APRIL 5, 2001
__________
Serial No. 107-13
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
73-508 WASHINGTON : 2001
_______________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia BILL LUTHER, Minnesota
ED BRYANT, Tennessee LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Oversight and Investigations
JAMES C. GREENWOOD, Pennsylvania, Chairman
MICHAEL BILIRAKIS, Florida PETER DEUTSCH, Florida
CLIFF STEARNS, Florida BART STUPAK, Michigan
PAUL E. GILLMOR, Ohio TED STRICKLAND, Ohio
STEVE LARGENT, Oklahoma DIANA DeGETTE, Colorado
RICHARD BURR, North Carolina CHRISTOPHER JOHN, Louisiana
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
Vice Chairman JOHN D. DINGELL, Michigan,
CHARLES F. BASS, New Hampshire (Ex Officio)
W.J. ``BILLY'' TAUZIN, Louisiana
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Dacey, Robert F., Director, Information Security Issues, U.S.
General Accounting Office.................................. 53
Dick, Ronald L., Director, National Infrastructure Protection
Center..................................................... 30
McDonald, Sallie, Assistant Commissioner, Office of
Information Assurance and Critical Infrastructure, U.S.
General Services Administration............................ 26
Noonan, Tom, President and CEO, Internet Security Systems,
Inc........................................................ 39
Podonsky, Glenn S., Director, Office of Independent Oversight
and Performance Assurance, accompanied by Jason Bellone,
former member of the Computer Analysis Response Team,
Federal Bureau of Investigation; Karen Matthews, formerly
with Computer Forensics Laboratory, U.S. Department of
Defense; Brent Huston, author of book on hackproofing; and
Brad Peterson, Director, Office of Cyber Security and
Special Reviews, U.S. Department of Energy................. 13
Tritak, John S., Director, Critical Infrastructure Assurance
Office, U.S. Department of Commerce........................ 65
Material submitted for the record by:
Kemper, Jason, III, Vice President, Government Affairs,
Cryptek, letter dated April 5, 2001, enclosing testimony
for the record............................................. 76
(iii)
PROTECTING AMERICA'S CRITICAL INFRASTRUCTURE: HOW SECURE ARE GOVERNMENT
COMPUTER SYSTEMS?
----------
THURSDAY, APRIL 5, 2001
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Oversight and Investigations,
Washington, DC.
The subcommittee met, pursuant to notice, at 9:40 a.m., in
room 2322, Rayburn House Office Building, Hon. James C.
Greenwood (chairman) presiding.
Members present: Representatives Greenwood, Tauzin, (ex
officio), Strickland, and DeGette.
Also present: Representatives Norwood and Davis.
Staff present: Tom DiLenge, majority counsel; Amit Sachdev,
majority counsel; Peter Kielty, legislative clerk; and Edith
Holleman, minority counsel.
Mr. Greenwood. This hearing of the Oversight and
Investigations Subcommittee will come to order. The Chair
recognizes himself for 5 minutes for the purpose of an opening
statement.
Today, the subcommittee holds a hearing to assess the
security of government computer systems. In particular, we will
assess how well or how poorly they are protecting our most
critical cyberinfrastructures and operations from the threat of
disgruntled insiders, hackers, criminals, terrorists, and rogue
nation-states. Over the past 2 years this committee has
conducted extensive oversight of computer security at
particular government agencies, most notably EPA, the
Department of Energy, and to a lesser extent, FDA and the
Department of Commerce. Our reviews consistently have found
poor computer security planning and management and a general
lack of compliance with existing requirements of law and
policy.
We also found that, with few exceptions, the agencies were
not testing their own systems to determine whether their
security plans and policies were as effective in practice as
they looked on paper. And we found that whenever real testing
of agency systems was conducted numerous significant and easily
exploitable vulnerabilities were almost always discovered.
In response, Congress passed a law last October that
reiterated computer security requirements contained in prior
Federal laws and OMB directives mandating that agencies develop
security plans for their systems and conduct periodic risk
assessments and tests of those systems. But it also imposed a
new requirement, that agency inspectors general conduct an
independent test of an appropriate subset of agency systems
each year.
One month ago, in order to set a benchmark for measuring
agency progress under this new law, I wrote to 15 Federal
departments, agencies, and commissions within this committee's
jurisdiction to inquire about their compliance with computer
security directives and their plans to implement the new law.
While a few of the agencies are still in the process of
producing documentation for us, it is fair to say that, at this
point, we are not surprised or pleased by what we are finding.
In particular, very few of the responding agencies have had
any true penetration tests of their computer systems conducted
and many of these were very limited in nature and scope,
conducted as part of financial system audits. A few other
agencies have conducted automated scans of their network to
search for vulnerabilities in their configurations or operating
systems which, while worthwhile, do not reveal the real degree
of potential exploits of their systems. And several other
agencies reported no scans or penetration tests whatsoever.
Also, not surprising, the tests and scans that have been
done continue to reveal real computer security problems at
these agencies:
A recent internal scan conducted by a Commerce Department
bureau found more than 5,000 security ``holes,'' or known
vulnerabilities, in its networks and systems; and that of 1,200
hosts or workstations scanned, fully 30 percent suffered from
category ``red'' vulnerabilities, which is the most severe
rating because of the potential to compromise an entire
account.
An internal test of a Medicare contractor 2 years ago
found, unbelievably, that the network system administrator's
account--let me repeat that, the network system administrator's
account--could be easily compromised because his password was
the same as his user name.
A recent internal test of a critical HHS operating
division, using freely available password cracking software,
resulted in 60 percent of passwords being cracked in under 10
minutes.
Unfortunately, these findings are not the exception. They
are just some of the many examples of poor computer security we
are finding during the course of our review. Consistent with
the broad swath of GAO and inspector general computer security
audits across the Federal Government over the past 4 or 5
years.
I point these out not to embarrass particular agencies--
actually, they should be commended for testing their systems to
find these problems in the first place--but rather to emphasize
the need for the Federal Government to begin taking
cybersecurity much more seriously than we have been. They also
clearly demonstrate the need to increase our level of testing
so that problems can like these can be found and corrected
before real damage is done.
Why is this so important? Because as we will see and hear
today, the threats and attacks on government systems are
increasing and the technology used to perpetrate such attack is
becoming both more sophisticated and more generally available.
An expert team from the Department of Energy will demonstrate
this morning how such attacks are conducted, using freely
available software tools found on the Internet, and they will
show us the results from some recent real-world testing the
team conducted at several DOE sites.
For its part, GSA, which tracks overall security incidents
at Federal civilian agencies, will testify today that in the
year 2000 alone 32 agencies reported 155 known ``root''
compromises of their computer systems, the most serious type of
incident tracked because the unauthorized user was able to gain
complete control of the server or system compromised.
GSA also will testify that there were hundreds of incidents
of network reconnaissance reported by 18 different civilian
agencies last year, mostly from foreign sources and targeting
our scientific facilities. And these are only the incidents we
know about. GSA estimates that only 20 percent of all known
incidents are reported by the agencies and there likely are
thousands more that go undetected by the agencies themselves.
GSA and other experts in this field also estimate that
nearly all of the incidents reported on both government and
private systems could have been prevented had the system
administrators fixed well-known vulnerabilities with existing
patches or configuration changes.
While no network can ever be 100 percent secure from the
most sophisticated and novel attacks, it should not be an
unreasonable expectation that our sensitive systems would be
secure from commonly known vulnerabilities.
Finally, as the title of this hearing suggests, we also
will focus today on the related issue of critical
cyberinfrastructure protection, that is, the protection of
those Federal cybersystems that are truly critical to the
Nation's security for the public's health and welfare. Not all
computer systems are created equal, nor do they deserve the
same level of security attention.
The Clinton administration realized the need to focus the
attention on threats posed to our most critical cybersystems by
terrorists or others intent on doing the Nation harm.
Accordingly, in May 1998, the President issued a directive
mandating the Federal agencies identify their critical assets,
assess the vulnerabilities of those assets, and then implement
plans to fix the vulnerabilities by May 2003. However, several
recent reports confirm what the committee's own review has
found that, 3 years later, most agencies are still in the
process of identifying their critical assets and virtually none
have made significant progress in assessing and mitigating
vulnerabilities in those systems or the private sector
resources on which these Federal systems so often rely. Given
this state of affairs, it appears that we will not meet this
deadline unless we dramatically increase our focus on this
problem in the very near term.
Clearly, we need to do better both with respect to critical
cybersystems and to overall computer security throughout the
Federal Government. I hope that today's hearing will be the
first in a series on these important and related topics, that
we can work together on both sides of the aisle and with this
new administration to improve the security of our Nation and
the sensitive data held by our Federal Government.
The Chair recognizes Mr. Strickland for an opening
statement.
Mr. Strickland. Mr. Chairman, thank you for holding this
hearing on this very important question.
As one of our witnesses will testify today, the existence
of the Internet ties together a vast array of computer systems
and networks. For communications, commerce, and the democratic
exchange of ideas, there are enormous benefits from this full
and open access; but like any technology that is new, or
relatively new, it has a serious downside. By tying these
networks together, the Internet makes them all vulnerable to
hacking by creative teenagers and others with more nefarious
purposes such as fraud, identity theft, extortion, disruptions
of commercial service, and terrorist attacks.
One system can be used as a platform to attack other
systems. Without appropriate safeguards, any system can be hit,
whether it is essential to our defense and economy or it is a
site that sells goods in an electronic auction; and it appears
that the attempts to penetrate both government and private
systems are increasing. We must recognize that no system will
ever be completely secure, but the question is whether the
Federal response to safeguard their critical assets is adequate
and whether it has the resources to respond fully.
A great deal was done by the previous administration to
begin to address this enormous task. President Clinton
established a Commission on Critical Infrastructure Protection
in July 1996 to look at the scope and the nature of
vulnerabilities and threats to the Nation's critical
infrastructures and to recommend a comprehensive national
policy and implementation plan for protecting them, whether
public or private.
The result was the commission's 1997 report, which found no
immediate crisis threatening the infrastructure, but did find
that threat to and the vulnerability of the critical
infrastructure existed. President Clinton responded by issuing
Presidential Decision Directive 63 in May 1998, which ordered
the Federal agencies to identify their critical
infrastructures, take steps to protect them and work
cooperatively with private companies which control most of the
infrastructure, to secure those systems also. The target date
for completion was May of 2003.
Presidential Directive 63 listed the areas in which the
infrastructure should be protected, and established the
position of National Coordinator for Security and for
Structural Protection and Counterterrorism in the National
Security Council. It set up the critical Infrastructure
Assurance Office at the Commerce Department to support the
national coordinator and the agencies and gave the Federal
Bureau of Investigation the explicit authority to expand its
existing cybercrimes unit into the National Infrastructure
Protection Center.
Prior to this Presidential directive, President Clinton had
already established a Federal computer intrusion response
capability, which is housed at the General Services
Administration. A national plan for information systems
protection, the first in the world by a national government,
was issued in January of 2000. And just before he left office,
President Clinton nominated 18 members of the National
Infrastructure Assurance Council, which is to report on the
actions of private and public bodies to protect their critical
infrastructures.
Three industry sectors also have established information
sharing and analysis centers.
How far along are the agencies in implementing the
Presidential directive? Certainly they are ahead of where they
were 5 years ago when cybersecurity was given little, if any,
attention, but they are not far enough along and they remain
vulnerable. As we will hear from the Commerce Department
witnesses, most agencies still have to finish identifying their
critical infrastructure assets. They will not meet the 2003
deadline without significant additional resources.
Furthermore, no one know if the structure established by
the previous administration to enforce Presidential Directive
63 will be continued by the new administration. The old
structure was not perfect, and there are numerous overlapping
and conflicting responsibilities resulting from the differing
directives in PDD-63 and various other laws. But we must
request that the Bush administration tread lightly and consider
whether a completely new structure will delay even longer this
very important task.
A question for the Congress to address is whether the
agencies are getting the money they need to get the job done.
This body has not been particularly responsive to
appropriations for computer security, as evidenced by its
rejection of most of the requests last year for beefing up the
Energy Department security, its rejection of the $50 million
request for an Institute for Information Infrastructure
Protection, and an almost 50 percent reduction in GSA's request
for funding for their needs.
One other concern I must mention, however, is privacy. GSA
has published a very disturbing newsletter that tells agencies
to get around Congress' and the public's concerns about being
tracked by Federal agencies by contracting out the service and
calling it something else. I have attached that document to my
testimony and would like it placed in the record.
Mr. Chairman, these are all issues that I hope this
subcommittee will address in the next several months. I may
have additional documents to place in the record and would
request that the record be held open for that purpose.
Thank you, Mr. Chairman.
Mr. Greenwood. The Chair thanks the gentleman. Without
objection his attachment will be entered into the record.
[The prepared statement of Hon. Ted Strickland follows:]
Prepared Statement of Hon. Ted Strickland, a Representative in Congress
from the State of Ohio
Mr. Chairman, thank you for holding this hearing on this very
important question. The existence of the Internet ties together a vast
array of computer systems and networks. For communications, commerce
and the democratic exchange of ideas, there are enormous benefits from
full and open access to these systems. But, like any technological
advance, it also has a serious downside. By tying these networks
together, the Internet makes them all vulnerable to hacking by creative
teen-agers and others with more nefarious purposes such as: fraud;
identity theft; extortion; disruptions of commercial service; and
terrorist attacks. One system can be used as a platform to attack other
systems. Without appropriate safeguards, any system can be hit, whether
it is essential to our defense and economy, or it is a site that sells
goods in an electronic auction. And it appears that the attempts to
penetrate both government and private systems are increasing.
We must recognize that no system will ever be completely secure,
but the question is whether the federal government's response to
safeguard its critical assets is adequate, and whether it has the
resources to fully respond. A great deal was done by the previous
administration to begin to address this enormous task. President
Clinton established a Commission on Critical Infrastructure Protection
in July of 1996 to look at the scope and nature of vulnerabilities and
threats to the nation's critical infrastructures and recommend a
comprehensive national policy and implementation plan for protecting
them, whether public and private. The Commission's 1997 report found no
immediate crisis threatening the infrastructure, but did find that the
threat to and vulnerability of the critical infrastructure existed.
President Clinton responded by issuing Presidential Decision Directive
63 in May of 1998. It ordered federal agencies to identify their
critical infrastructures, take steps to protect them and work
cooperatively with private companies--which control most of the
infrastructure--to secure those systems also. The target date for
completion was May of 2003.
PDD 63 listed the areas in which the infrastructures should be
protected, and established the position of national coordinator for
security, infrastructure protection and counter-terrorism in the
National Security Council. It set up the Critical Infrastructure
Assurance Office at the Commerce Department to support the national
coordinator and the agencies and gave the Federal Bureau of
Investigation the explicit authority to expand its existing cyber
crimes unit into the National Infrastructure Protection Center (NIPC).
Prior to PDD 63, President Clinton had already established a Federal
Computer Intrusion Response Capability, or ``Fed CIRC'', which is
housed at the General Services Administration. A national plan for
information systems protection--the first in the world by a national
government--was issued in January of 2000. And just before he left
office, President Clinton nominated 18 members of the National
Infrastructure Assurance Council, which is to report on the actions of
private and public bodies to protect their critical infrastructures.
Three industry sectors also have established Information Sharing and
Analysis Centers or ISACs.
How far along are the agencies in implementing PDD 63? Certainly,
they are ahead of where they were five years ago when cyber security
was given little, if any, attention. But they are not far enough along,
and they remain vulnerable. As we will hear from the Commerce
Department witnesses, most agencies still have to finish identifying
their critical infrastructure assets. They will not meet the 2003
deadline without significant additional resources.
Furthermore, no one knows if the structure established by the
previous administration to enforce PDD-63 will be continued in the new
administration. The old structure was not perfect, and there are
numerous overlapping and conflicting responsibilities resulting from
the differing directives in PDD-63 and various laws. But the Bush
Administration should tread lightly and consider whether a completely
new structure will delay even longer this very important task.
A question for the Congress to address is whether the agencies are
getting the money they need to get the job done. This body has not been
particularly responsive to appropriations for computer security as
evidenced by its rejection of most of the request last year for beefing
up the Energy Department's security; its rejection of NIST's $50
million request for an Institute for Information Infrastructure
Protection; and an almost 50 percent reduction of GSA's request for
funding for Fed CIRC.
One other concern that I must mention, however, is privacy. GSA has
published a very disturbing newsletter that tells agencies to get
around Congress' and the public's concerns about being tracked on the
Internet by federal agencies by contracting out the surveillance to
private contractors and calling it ``Management Security Services.'' I
have attached that document to my testimony and would like it placed
into the record.
Mr. Chairman, these are all issues that I hope this Subcommittee
will address in the next several months. I may have additional
documents to place in the record and would like to request that the
record to be held open for that purpose.
Mr. Norwood. Mr. Chairman, I ask unanimous consent that I
may make a brief opening statement.
Mr. Greenwood. Mr. Norwood, while an esteemed member of the
Energy and Commerce Committee, does not have the honor of
serving on this subcommittee. But we have the honor of his
presence, and without objection, we will ask that he be offered
time for an opening statement.
Mr. Norwood. Thank you very much, Mr. Chairman.
I am here for two or three reasons this morning, one of
which is to thank you and to congratulate you and to tell you
how pleased I am that you are taking the Commerce Committee in
this direction in terms of the security for our Nation. I thank
you for that, and I hope, too, you will have many other
hearings.
To give you some indication of how important I think this
subject is, about right now we are teeing off the first tee in
the Augusta National this morning, my home district, and I
promise you I would have loved to have been there, but I view
this as a little more important.
The other reason I wanted to come this morning is because I
am very pleased with the witnesses and especially that you have
the President and CEO of Internet Security Systems here as a
big player in all of this. ISS has been recognized as the
worldwide leader, Mr. Chairman, in the intrusion detection and
vulnerability assessment market. In addition, ISS has become
the world's largest provider of managed security service, and
they deliver a 24-7 security monitoring and management, just
sort of something we might be interested in. And I guess I am
just real tickled that a Georgia company has played such a
leading role in this extremely important area.
We have indications that this area of computer security is
growing very, very rapidly. For example, ISS has been named the
fifth fastest growing technology company in North America and,
listen to this, this is based on a 5-year revenue growth of
45,000 percent. There is some indication in that number that
tells us all how important this is and must be.
This achievement demonstrates to me that this is a large
emerging area that will impact today's Internet economy.
Now, the government has taken strides--I don't know whether
to say great or good--but at least strides in the past few
years. However, as you know, much more is needed. Funding must
be increased by a substantial amount if we take this seriously.
As industry has considered resources and expertise, a continued
partnership with industry on this subject is going to be very
critical; and it is my understanding that ISS has played a
leadership role in working and partnering with the government
on security issue s. And with any private company you do that
with some risk, but I think and hope this relationship will
continue, not just because it is good for a Georgia company,
but because it is so very needed for the national security of
this Nation. And with that, Mr. Chairman, I will submit the
rest for the record and thank you for your courtesy and
kindness this morning.
Mr. Greenwood. The Chair thanks the gentleman. Without
objection, the rest of his testimony, as well as the testimony
of all other members who may submit them, will be entered into
the record. Also a member of the committee, but not a member of
the Oversight and Investigation Subcommittee, is Mr. Davis of
Virginia, and we are happy to have him here as well.
Mr. Davis. Thank you very much. Let me--Mr. Chairman, I ask
unanimous consent that I be able to make some comments.
Mr. Greenwood. Without objection.
Mr. Davis. Thanks for allowing me to participate in this
hearing today. I want to compliment you and your staff on the
diligent work on this pressing issue. It is vitally important
that we in Congress recognize and understand the complexities
we face in pursuing our Nation's critical infrastructure, the
systematic activities that are essential to the minimum
operation of our economy and government.
Although 95 percent of our critical infrastructure is owned
and operated by the private sector as your Nation's front line,
the Federal Government plays an essential role in sharing
information about cyberthreats against our assets. But the
evidence demonstrates that the Federal Government is
dangerously behind the curve in getting its own house in order.
Simply put, we are losing time. Since 1997, GAO has listed
information security as a governmentwide high-risk area and has
conducted numerous reviews which have continuously sounded the
alarm about widespread weakness and vulnerabilities in the
Federal Government's information systems.
During March of last year, as part of a review requested by
the Subcommittee on Government Management Information and
Technology, of which I was a member, GAO has found that 22 of
the largest Federal agencies were providing inadequate
protection to critical Federal operations and assets from
computer-based attacks. They were able to identify systemic
weaknesses in the information security practice of the
Department of Defense, the National Aeronautics and Space
Administration, the Department of State, and the Department of
Veterans Affairs; and then, as many of you know, in September
of 2000, the subcommittee gave the Federal Government an
overall D-minus on its computer security practices report card.
Just as the Romans built the greatest network of roads at
the height of the Roman Empire and the barbarians used these
same networks to destroy the Romans, so we may face the same
vulnerabilities with the advances we have made in technology
and the interconnectivity of our networks. There is no doubt
that nations are in the process of developing tools to
penetrate and cripple these networks.
At the same time, the outside world is but one source of
the threat to government information systems. Much of the
threat comes from within the government. A key challenge to
making the Federal Government more secure lies in the mindSet
of many Federal agencies vis-a-vis the importance of
information security to their operations and assets.
For many, implementing best practices for controlling and
protecting information resources is just a low priority. The
question before us then is, what do we do about it? What steps
should Congress take to change the direction and reduce the
vulnerability of Federal operations and assets?
As one who has studied the issue for over a year, I come to
the conclusion there are two necessary components to achieving
the goal. First, I strongly believe there is a dire need for a
strong central leader who can coordinate implementation of
information security best practices across government.
Currently, these responsibilities are shared by several Federal
agencies, some of whom are before us today, which make the
coordination and uniformity of information security practices a
formidable obstacle.
The government information security community needs an
advocate who can ensure that information security becomes an
integrated component of information systems. Let me say I agree
with those who assert that funding for implementing information
security measures is inadequate. I submit that having a Federal
CIO with this responsibility, as I put forth in legislation,
who can champion the agency's security needs, would be an
effective voice in this respect.
Second, we need to encourage information sharing between
the private sector and government. As many of our witnesses
would likely agree, the ownership dynamic of our Nation's
critical assets makes crucial the development of thriving
public-private partnerships for this purpose, but with the
current Federal computer systems it is, in my mind, entirely
reasonable that many in the private sector are wary of entering
into these partnerships. At the same time, current law is
retarding the implementation of the National Infrastructure
Assurance Plan. It is for this reason we introduced legislation
last year that gives critical infrastructure industries the
assurances they need to confidently share information with the
Federal Government.
Our measure would provide a limited FOIA exemption, civil
litigation protection for shared information, and an antitrust
exemption for information shared within an information sharing
and analysis. These three protections were cited by the past
administration as necessary legislative remedies. This
legislation would enable the ISACs to move forward without fear
from industry, so that government and industry could enjoy the
mutually cooperative partnership called for in the PDD-63.
I ask unanimous consent the rest of my statement be put in
the record, and I appreciate the opportunity to be here today.
Mr. Greenwood. Without objection, the gentleman's statement
in its entirety will be placed in the record.
[The prepared statement of Hon. Tom Davis follows:]
Prepared Statement of Hon. Tom Davis, a Representative in Congress from
the State of Virginia
Mr. Chairman, thank you very much for allowing me to participate
today in this hearing. I want to compliment you and your staff for your
diligent work on this pressing issue.
It is vitally important that we in Congress recognize and
understand the complexities we face in pursuing the protection of our
nation's critical infrastructure--those systemic activities that are
essential to the minimum operations of our economy and government.
Although 95% of our critical infrastructure is owned and operated by
the private sector, as our nation's front line, the Federal Government
plays an essential role in sharing information about cyber threats
against our assets.
But the evidence demonstrates that the Federal Government is
dangerously behind the curve in getting its house in order. Simply put,
we are losing time. Since 1997, GAO has listed information security as
a governmentwide high risk area and has conducted numerous reviews
which have continuously sounded the alarm about widespread weaknesses
and vulnerabilities in the Federal Government's information systems.
During March of last year, as part of a review requested by the
Subcommittee on Government Management, Information, and Technology, of
which I was a Member, GAO found that 22 of the largest federal agencies
were providing inadequate protection for critical federal operations
and assets from computer-based attacks. They were able to identify
systemic weaknesses in the information security practices of the
Department of Defense, the National Aeronautics and Space
Administration, the Department of State, and the Department of Veterans
Affairs. And then as many of you know, in September 2000, the
Subcommittee gave the Federal Government an overall D- on its computer
security practices report card.
Just as the Romans built the greatest network of roads at the
height of the Roman Empire and the Barbarians later used this same
network to destroy the Romans, so may we face the same vulnerabilities
with the advances we have made in technology and the interconnectivity
of our networks. There is no doubt that nations are in the process of
developing tools to penetrate and cripple these networks.
At the same time, the outside world is but one source of the threat
to government information systems. Much of the threat comes from within
the government. A key challenge to making the Federal Government more
secure lies in the mind set of many federal agencies vis-a-vis the
importance of information security to their operations and assets. For
many, implementing best practices for controlling and protecting
information resources is a low priority.
The question before us then is what do we do about it? What steps
should Congress take to change the direction and reduce the
vulnerability of federal operations and assets?
As one who has studied these issues for over a year now, I have
come to the conclusion that there are two necessary components to
achieving this goal. First, I strongly believe that there is dire need
for a strong central leader who can coordinate the implementation of
information security best practices across government. Currently, these
responsibilities are shared by several federal agencies (some of whom
are before us today), which makes the coordination and uniformity of
information security practices a formidable obstacle. The government
information security community needs an advocate who can ensure that
information security becomes an integrated component of information
systems. Let me also say that I agree with those who assert that
funding for implementing information security measures is inadequate,
and I submit that having a Federal CIO with this responsibility as I
have put forth in legislation, who can champion the agencies' security
needs, would be an effective voice in this respect.
Second, we need to encourage information sharing between the
private sector and government. As many of our witnesses would likely
agree, the ownership dynamic of our nation's critical assets makes
crucial the development of thriving public/private partnerships for
this purpose. Yet with the current state of Federal computer systems,
it is in my mind entirely reasonable that many in the private sector
are wary of entering into those partnerships. At the same time, current
law is retarding the implementation of the National Infrastructure
Assurance Plan. It is for this reason that I introduced legislation
last year that gives critical infrastructure industries the assurances
they need in order to confidently share information with the Federal
Government. My measure would provide a limited FOIA exemption, civil
litigation protection for shared information, and an antitrust
exemption for information shared within an Information Sharing and
Analysis (ISAC). These three protections were cited by the past
Administration as necessary legislative remedies in Version 1.0 of the
National Plan for Information Systems Protection and PDD-63. This
legislation would enable the ISACs to move forward without fear from
industry so that government and industry may enjoy the mutually
cooperative partnership called for in PDD-63.
As Chairman of the House Government Reform Subcommittee on
Technology and Procurement Policy, I will be continuing to explore this
matter, along with Chairman Steve Horn of the Government Efficiency,
Financial Management, and Intergovernmental Affairs Subcommittee. I am
grateful that you, Mr. Chairman, have also taken an active approach to
addressing this problem today, and I look forward to working with you
to make the Federal Government a model for risk management and the
protection of information systems. As well, I am pleased to have the
opportunity to hear the testimony of our distinguished panelists and
appreciate their being here. I want to particularly welcome here today,
Mr. Tom Noonan, the President and CEO of Internet Security Systems,
which is headquartered in Atlanta but has an important presence in my
district. I look forward to hearing from all of you.
Mr. Greenwood. The Chair recognizes the chairman of the
full committee, the gentleman from Louisiana, Mr. Tauzin, for
an opening statement.
Chairman Tauzin. Thank you, Mr. Chairman, for holding this
important hearing on the inadequacy of the Federal efforts to
protect our Nation's critical cyberinfrastructure and the vast
amount of sensitive data that is stored on Federal computer
systems.
I really don't think that many people realize the extent to
which the Federal civilian agencies collect and store so much
sensitive information, whether it is medical, financial or
other personal information on American citizens, confidential,
proprietary data from America's corporations, cutting-edge
scientific research, or whether it is export controlled
information or even sensitive law enforcement information.
There are tons of it that is subject to hacking and to
compromise.
We learned, for example, in the GAO report that even the
IRS had allowed a cookie on its Web site. Nor do most people
realize the extent to which we as a Nation have become so
independent on these computer systems to assure our national
economic security, and I think it would come as quite a
surprise for most Americans to learn which these Federal
agencies are the target of attacks by foreign and domestic
sources bent upon espionage and other very malicious actions.
Faced with this kind of serious challenge, the Federal
Government has not performed well. This committee's oversight
continues to reveal troubling computer security deficiencies
across the Federal Government, deficiencies that place critical
services and sensitive data at significant risk of compromise.
Here, the connection between the security and the privacy of
American citizens cannot be ignored.
A recent inspector general's audit of the Health Care
Financing Administration and several of its Medicare
contractors, which the committee is releasing publicly today,
found numerous system control weaknesses that permitted
unauthorized access to sensitive beneficiary information. This
is sensitive health care information about Americans that we
discovered could be easily compromised in the Federal HCFA
systems; and while we don't know today whether the information
was in fact compromised, we intend to find out whether that has
in fact happened. And I can assure you, in a private
conversation I had with Secretary Thompson yesterday, he
intends to see what is going on at HCFA in this critical area
and he intends to get it fixed before this is an issue of
enormous importance to Americans and one that this committee, I
hope, Mr. Chairman, will continue to take a very close and
diligent look at.
The Clinton administration talked a great deal about
cybersecurity and critical infrastructure protection over the
past several years, holding Presidential summits and issuing
Presidential directives. The administration, for example, said
the Federal Government would serve as a model for good security
practice for the private sector, which controls much of the
Nation's infrastructure, that it might follow and emulate.
Despite all the rhetoric and the photo ops and the paper
exercises, the bad news continues to roll in with every GAO
report, every inspector general's audit, with every
congressional oversight hearing, with each day's newspaper
accounts which each real-world test of government's computer
systems security, no matter how recent, we continue to learn
how bad the situation is.
For example, two reports released this year show little
progress that Federal agencies have made in protecting critical
cyberassets in the 3 years since the President issued his PDD-
63. Essentially, we are still in the process of identifying the
critical assets and their interdependencies, which raises the
question, how can we adequately protect our most critical
cybersystems when we haven't yet identified them all.
This is not to say that there have not been improvements in
the area, and certainly there have been some, particularly at
those agencies that have felt the sting of public
embarrassment, but overall we are barely treading water; and
unless we get serious about the effort, we will never keep up
with the rapid advances of technology in this area which
continue to reveal new ways to attack cybersystems.
The technology to get into our systems is advancing much
more rapidly than the deployment of security to protect them,
and in this increasingly interconnected world, we are either
going to prioritize our resources better to meet this
challenge, something that today Congress has not yet forced the
agencies to do, or we are going to find ourselves in deep, deep
trouble, and Americans are going to wake up angrier than you
can possibly imagine to learn that in many cases their
personal, sensitive data, which they shared not voluntarily,
but involuntarily with the Federal Government, has been
compromised and perhaps will be used in ways that they find
very offensive.
This committee has both the responsibility and the
authority to conduct oversight as to whether a nation's
critical and computer systems are being adequately protected,
and we intend to do that. And I want to thank you, Mr.
Chairman, for taking this job and this assignment so seriously.
This is an extremely important hearing. If Americans are
concerned about privacy and security on the Internet as they do
commerce voluntarily, let me assure you their concern, as they
share sensitive information with government agencies
involuntarily, is even deeper, and our obligations here are
much stronger.
Thank you for taking this seriously, and I yield back the
balance of my time.
Mr. Greenwood. Thanks to the chairman for his statement.
[Additional statement submitted for the record follows:]
Prepared Statement of Diana DeGette, a Representative in Congress from
the State of Colorado
I want to thank the Chair for holding this important hearing, and I
want to thank our witnesses for being here today.
The positive aspects of advanced technology in communications go
without saying. Enhanced inter-connectivity brings a whole new level of
efficiency and speed to our systems.
The downside is that this same inter-connectivity can create
vulnerability. I think a good analogy is when the gene pool of a
certain species loses its diversity, a certain strain of virus can come
in and wipe out the whole population because they all share the same
vulnerabilities.
It is certainly eye opening to learn, as I did when preparing for
this hearing, that the number of serious security breaches of federal
systems is on the rise. Most unnerving of all is the knowledge that
there were over 150 incidents of the utmost severity last year alone
when an unauthorized user was able to gain complete control of a system
within 32 federal civilian agencies.
The Government Information Security Reform Act, passed last year,
appears to be a step in the right direction to evaluate government
computer system weaknesses and then address the problems that exist. I
expect that this subcommittee will be among the first to gain the
results of the independent tests that are due to be completed by
October of this year and again in 2002.
It is reassuring to learn that action has already been taken to
evaluate the government's system weaknesses. I think the Clinton
Administration deserves great credit for recognizing the growing
threats to our nations security within this area, and taking steps to
address the risk that poor federal computer security poses to our
country. The Executive Order in 1996 that established the President's
Commission on Critical Infrastructure Protection (PCCIP) was a
tremendous step in officially recognizing this growing problem and
bringing the public and private sector together to address it.
In 1998, a Presidential Directive was issued to have federal
officials to create and implement a strategy for protecting the
nations' critical infrastructures, which was another crucial step for
the security of our country.
I am glad to learn that the new Administration is taking this issue
seriously and am anxious to learn more about its plans to continue this
important work and who will be in charge of coordinating this effort
within each agency.
Thanks again to the witnesses for coming, and I look forward to
hearing the testimony.
Mr. Greenwood. If there are no more opening statements by
members, I would like to turn to our cybersecurity penetration
demonstration and welcome Mr. Glenn Podonsky, Director of the
Department of Energy's Office of Independent Oversight and
Performance Assurance, and his excellent team of cyberexperts
to this hearing. And I thank you for putting together this
demonstration for the committee.
Mr. Podonsky, although you and your team technically are
not witnesses today and are not testifying before the
subcommittee, it is our general practice to swear in all
persons who appear before the subcommittee; and if you and your
team have no objection, I would like to do that now. I ask that
you rise and raise your right hand.
Do any of you have any objections to testifying under oath?
Seeing none, the Chair then advises you that under the
rules of the House and the rules of the committee, you are
entitled to be advised by counsel. Do you desire to be advised
by counsel during your testimony?
Mr. Podonsky. No.
Ms. Matthews. No.
Mr. Bellone. No.
Mr. Huston. No.
Mr. Peterson. No.
Mr. Greenwood. In that case, would you please rise and
raise your right hand, as you already have.
[Witnesses sworn.]
Mr. Greenwood. You may be seated and we recognize you, Mr.
Podonsky, and look forward to your demonstration.
TESTIMONY OF GLENN S. PODONSKY, DIRECTOR, OFFICE OF INDEPENDENT
OVERSIGHT AND PERFORMANCE ASSURANCE, ACCOMPANIED BY, JASON
BELLONE, FORMER MEMBER OF THE COMPUTER ANALYSIS RESPONSE TEAM,
FEDERAL BUREAU OF INVESTIGATION; KAREN MATTHEWS, FORMERLY WITH
COMPUTER FORENSICS LABORATORY, U.S. DEPARTMENT OF DEFENSE;
BRENT HUSTON, AUTHOR OF BOOK ON HACKPROOFING; AND BRAD
PETERSON, DIRECTOR, OFFICE OF CYBER SECURITY AND SPECIAL
REVIEWS, U.S. DEPARTMENT OF ENERGY
Mr. Podonsky. Thank you, Mr. Chairman. We appreciate the
opportunity to appear before this subcommittee for the sole
purpose of demonstrating the cyberpenetration techniques
employed by my office. As you are aware, my office provides the
Secretary of Energy with an independent view of the
effectiveness of Department policies, programs and procedures
in the areas of cybersecurity, safeguard security and emergency
management.
Today, my staff will provide a brief demonstration of our
cybersecurity penetration capabilities. With me for the
demonstration today are Mr. Jason Bellone, formerly with the
FBI's computer analysis response team; Ms. Karen Matthews,
formerly with the Department of Defense computer forensics
laboratory; Mr. Brent Huston, author of a soon-to-be-published
book on hack-proofing your e-commerce Web site; and Mr. Brad
Peterson, my Director of the Office of Cybersecurity.
Our cybersecurity office maintains a continuous program for
assessing Internet security to identify vulnerabilities that
hackers and others could exploit. As part of the program, we
continuously attempt to penetrate the DOE cybercommunity. We
use this--we do this by using off-the-shelf software of hacking
programs that are available to virtually anybody. Using these
tools, we have been successful in identifying numerous
vulnerabilities on DOE cybersecurity programs, and I am pleased
to report, at the same time, those have been largely corrected
by the Department.
We will take a few minutes to demonstrate the results of
some actual inspections that have taken place over the last 6
months in order to show you the hacking techniques that we use
and others employ. After the demonstration, we would be happy
to respond to questions about the demonstration.
Let me now introduce Mr. Jason Bellone to lead the
demonstration.
Mr. Bellone. Thank you, Mr. Podonsky.
Mr. Greenwood. Why doesn't it surprise me that it is the
youngest member of the team?
Mr. Bellone. We are very proud to present our cybersecurity
laboratory to you today. Although it is small in presence here,
this laboratory is a comprehensive suite of headquarters,
regional and mobile assets that we use, in effect, to attack
and subsequently performance-assess the Department's
information systems. It is our goal here to provide as much
realism as possible to illustrate our cybersecurity penetration
capabilities. The demonstration should give you an inside look
at our process, and at the same time, I think you will see that
the demonstrations will demystify the attacker process.
Let me highlight two points before I begin. First, each
demonstration you will see derives from a real penetration test
conducted against government sites within the past 6 months.
Sites, however, will not be mentioned by name.
Second, all tools demonstrated are real, meaning employed
as utilities by the attacker community. Some of these products
are commercial. All are available downloads from the Internet
and most are free. Nor will they be mentioned by name.
When we assess, we don't use rubber bullets and paint
pellets. To the greatest extent possible, we use the same
process, tactics and tools as an attacker. This process I refer
to here is the attacker's modus operandi; hence, it is our
modus operandi. We will follow this process throughout the
demo, about one level of detail away from teaching you how to
attack a system. So don't try this at home.
Without further delay, let's begin the demonstration.
We will start with footprinting. Footprinting is a 50,000-
foot view, a snapshot, a bird's-eye view of your targets. It is
anonymous. It is unintrusive. It is generally undetected. It is
basically reconnaissance to gather a lay of the land. The
ultimate goal is the who, the what and the where of the target.
I will turn your attention to the demonstration screen. The
following demo will illustrate a utility, again freely
available on the Internet, that will graphically depict the
who, the what, the where of the target. Although this operation
was conducted from Maryland, the source of our efforts appear
to come from Tampa, Florida. I will refer you to line one of
the table.
The table represents the path that our data flowed from,
the launch point which was redirected from Florida to Maryland.
In this case and only this case, I will tell you that we are
looking at the Department of Energy's Web site for the purpose
of illustration. The analysis section indicates the type of
system of the target. This is the basic idea of what we are
looking at, so what we have here is the who, the what, the
where data collected. We are ready to move on to the second
step of the process, which is scanning.
The scanning process enables us to generate our target, our
target list, and develop an attack plan. The scanning operation
employs hundreds to thousands of agents acting as virtual
detectives checking the target systems for specific
vulnerabilities. Each virtual detective reports its findings
back to the attacker. The probing process emulates hostile
operations and searches for known vulnerabilities.
The data base of vulnerabilities and exploit change daily.
At the present time we test for over 900 vulnerabilities.
Importantly, the scanning operation can be conducted with what
we call ``low and slow,'' which means covertly without
detection. The end result is a vulnerability profile, or intact
plan ultimately.
The next demonstration will show you exactly what the
digital detectives delivered to us from an assessment we
conducted a few months ago. I will again turn your attention to
the demonstration screen.
These results represent the output of a very robust
scanning effort directed at one of our sites. This was a source
of our attack plan.
The significance of what you are looking at is this: The
red icon represents the presence of a high-risk vulnerability,
meaning it is probable for the vulnerability to result in
system compromise. The yellow represents a medium-risk
vulnerability that equates to a medium probability of system
compromise. Let me drill down one level of detail to help you
understand what you look at.
If I click the red icon, the high vulnerability icon, I can
drill down to understand the exact nature of the finding. The
detail supports a focused attack and later a corrective action.
The attack name is clear. It reads NBTDIC. More
importantly, the description reads as follows, a share that
requires only a password may be compromised using a dictionary
file. Put simply, it details exactly what we need to do to
focus our attack.
Our third example is a separate product that may serve in a
similar capacity. In contrast to the commercial product we
demoed, this is a free utility. You will notice the
presentation is similar, red equals high risk, yellow equals
medium risk.
Something interesting to note here: In the upper left-hand
corner is a summary of the findings. It is quantitative, tells
us how many targets, how many vulnerabilities, how many
warnings. Let me point out, there have been instances where the
scan results did not yield significant vulnerabilities and,
hence, the process can stop there. So each step is requisite
for the next step, and with that we are on to enumeration.
As the scan results identify specific vulnerabilities for
specific targets, we use this data to concentrate our efforts
for more intrusive probing. The goal is to refine the attack
plan with information about user accounts, file-sharing and
system characteristics.
The next demo will show you how to use the scan data to
concentrate efforts and probe for more valuable information. I
will again turn your attention to the demonstration screen.
This utility enables us to probe for specific information
relating to the scan results. The list has several possible
targets. You can see that they are over 20 targets at the
moment. So, next, although over 20 exist, we are going to focus
on one. We have a game plan for attack then, to gain access to
a user C drive. So--to remotely gain connectivity to a user's C
drive over the Internet.
So with footprinting, scanning, and enumeration data in
hand, we are ready to gain access to the system. The demo you
are about to see is a playback of the exact same exploit that
we used in the course of our assessment; the process, the tools
and the data to include the password are directly from the
assessment. The demo is technical, so I am going to narrate as
we go through it, so you will understand what you are about to
see. Keep in mind, our goal here is to run an attack on target
X to gain access to the user's C drive. We will begin the demo.
This is Step 1. This is collecting basic configuration
data. We use this data to enter into our utility, basically an
attack utility, that will be used to crack the password. You
will see that it is iterating through special characters,
through letters, through numbers and so forth. It goes one
character at a time; and for the purpose of this demo, we did
select out of our set a four-character password. Again, it is
original password from the site.
We have I, and we have A--still moving through, lasts only
a few seconds--I-A-E, and you can see it is almost there.
We now have password in hand, so we move on to step three.
Step three is to use that password to connect across the
Internet to the user's drive. We enter the password and, voila,
across the Internet, we have total access to this person's hard
drive.
At this point, we can load anything we want or we can
download anything we want. In particular, here, we are going to
load something called a key stroker logger, and we are going to
download a sniffer. We could equally upload the person's
password file at this point. So for step five we will move on
to escalating privileges.
As you could see from the demo, we gained unrestricted
access to a user's hard drive, but an attacker would never stop
here, nor do we. The idea now is to discover how far can we go,
can we propagate throughout the network?
What you will see next is, we will crack a password. So
with this foothold, we have downloaded the password file. The
password cracking demonstration uses a password file captured
from exploits similar to the ones we have demonstrated. The
demo will highlight the fact that cracking passwords is simply
a matter of time.
The tool you are about to see is designed to serve as a
password auditing tool; that is, it is to check a department's
password policy, eight characters, nine characters and so
forth. It is publicly available and widely used in the
information security community. Needless to say, it can have
alternative uses to a malicious user.
Before we begin the demo, let me explain what you will be
looking at. In the first column, that is the user name. When
you log in, generally you enter a user name and a password. So
that would be the user name, and the columns that are empty,
those will be where passwords appear. It is empty at this
point. At the blink of an eye you will start to see passwords
appear. In the far column, that's the encrypted representation
of the password. Let's start to crack.
We saw, at the blink of an eye, 25,000 words in the English
dictionary and about 5 million tries occurred in a second. Less
than a minute will pass for us to have the super-user password.
We talk about root, super-user, administrator; bottom line,
complete and utter control over the system. We will let it go
for a moment. It is very far along. You see administrator, and
you see it says MOTOROL. We are about two characters away from
its completing. We find that we get to this point in under a
minute most of the time.
You also notice that it is telling us that they are not
under eight characters. However, this is still not compliant
with policy. So you can use this to support policy programs
that may exist for a department.
So it is completed. We now have super-user privileges. We
will move on to the next demonstration.
You recall that we were able to upload both a key stroke
logger and a sniffer to the target's hard drive. Commonly, we
install the logger to capture the user's monitoring log in
session. When you come in in the morning most likely you check
your e-mail and so forth. The idea for what we do is, we load
it that night so that we can catch what you do in the morning.
I refer you to the demo screen for a large picture, fairly
hard to decipher, and that is because every key--escape,
control, delete--is captured. It also runs in stealth mode,
unknowing to the user, very hard to detect, and all of the
results go to a text file which the attacker can bring to their
system. Embedded between all of those escape keys and tab keys
actually are passwords.
Of course, an attacker doesn't stop here either, nor should
we, so we will go on to pilfering.
A sniffer is a stealth utility that will act as a wiretap,
a wiretap that will listen to traffic traversing throughout the
network. The idea of pilfering is to turn a compromised target
into a listening device to capture not only what you are
typing, but also what your peers are doing. Clear text
passwords, e-mail correspondence, documents are all routed to
the original recipient and, at the same time, rerouted to the
attacker. In many cases, we have used this to propagate our
control to other areas of the network. This courtesy, with
small footholds, escalating privileges and pilfering, enables
us or an attacker to gain more and more control in the network.
The next short demonstration will demonstrate how a freely
available tool can turn your machine into a secret listening
device. Let me set up what you're looking at here.
I mentioned wiretap as an example. This is one snippet, 1
second from a wiretap, so to speak; and the purpose of this is
to highlight that we indeed have user name and password. So we
have gone from an exploit on a local machine to finding a way
further on the network to other machines now. That is the point
of pilfering.
We move on to covering tracks. Covering tracks is hacker
101. Hackers don't want to get caught. We do not employ this
tactic as part of our process so that we can work with the
sites to engage in what we call ``post-incident analysis.''
Simply put, we leave our traces to enable the site and us to
collaborate to understand the nature of the attack.
The following demo will demonstrate yet another freely
available tool, erasing the traces of an attack with a few
button clicks. What will be important to recognize here is that
you will notice that it is only the traces of the attacking
activity that are deleted. So a systems administrator would
never be aware of what happened because all of the other logs,
those that are from a normal conduct of a computer, would still
be there. A button click, the traces are gone. Let's move on to
back doors.
For the following demo I will submit this machine. Karen
will do the heavy lifting here. Although this machine is
separated by 20 feet of cable, we have executed the exact same
exploitation with hundreds to thousands of miles of separation
between our lab and the site. The message is clear that
ownership and control of a resource is, to the fullest extent
possible, in many cases more than the user. The goal is to make
a key that only you can use to enter, create accounts, plant
remote control services and to install Trojans. I will now
start the demo.
Let me set the scene again here. Imagine yourself working
in front of this screen, doing normal business work wherever--
anywhere in the world, for that matter, okay? We have exploited
this system unknowing to you, and we are now going to take over
control by doing things like change colors. So you are sitting
there and this is happening to you, okay?
The other thing we are going to do is, we are going to
eject the CD on you--again, from 3,000, 2,000, 1,000 miles
away--and the other thing we might do, just to harass you a
little more, is to hide icons. There we go. The point being--
these are visual examples; ultimately, it is complete control.
A popular news organization reported about this tool, and
let me quote: ``he or she can access your files, monitor your
key strokes, move your mouse around the screen. If you have a
Web cam, they can watch what you are doing. If you have a
microphone, they can listen to you. It is complete power.''
This concludes the demonstration portion of our testimony.
In closing, I will highlight the end product of this
capability.
The essence of our capability is our final product. Our
product encapsulates every element of what you have just seen--
process, tactics, tools, every vulnerability and exploit. Along
with meticulous note-taking and recordkeeping, we deliver all
of this information to the site in a user friendly, Web-based
CD-ROM. So anything and everything that is collected, yellow
sticky and so forth, is given to the site for corrective
action. I know you are also familiar with our paper product,
which combines the technical elements with the policy, program
and procedural analysis.
Thank you.
I will now offer our technical team for technical
questions, as well as Mr. Podonsky and Mr. Peterson, who can
entertain questions about our program.
Mr. Greenwood. Thank you. Now, I know why I can't open my
e-mail in the morning.
I don't know if you are able to answer this in anything
like a brief response, but what are the fundamental things that
agencies and Federal entities ought to do to protect themselves
from this kind of assault?
Mr. Bellone. It is due diligence. This--what you are seeing
here is such a dynamic process that it is a snapshot in time
when we do an assessment. The fundamental core of doing this is
to have program, policy, procedure and technology working
together. That is why the scope of our assessments is what is
important, that we do the technical elements, but at the same
time, we have a team who looks at policy, looks at programs,
looks at procedures. We put it together so that we can
understand the health of a program and how they are able to
sustain the program. It is the sustainability that is most
significant.
Mr. Greenwood. So what I hear you saying is that you are
never finished with your security precautions. You can't build
a firewall or create air space and stay permanently fixed. You
always need to be----
Mr. Bellone. The quote that I think about is, ``as
technology evolves, sneakiness finds new ways of expression;''
and that's exactly where we are. We can assume technology will
evolve, especially in this growing field of information
technology. Hence, the task is always ahead of us.
Mr. Greenwood. That is a fascinating, fascinating
demonstration.
Are there questions from the members for the technical
panel here?
The Chair recognizes the chairman, Mr. Tauzin.
Chairman Tauzin. Thank you very much.
I simply want to put what you have told us in layman's
terms a little bit. Am I correct in that, with this
demonstration, you have shown us how a hacker cannot only
compromise the system but take it over and actually control the
information on that system? Is that correct?
Mr. Bellone. Yes.
Chairman Tauzin. You have shown us how someone who could
compromise, let's say, a third-party payment system at HCFA to
get into that system--how they might not only gather the
information that's in that system about patient's health care
and problems, but that they might even alter the information on
that system?
Mr. Bellone. Absolutely.
Chairman Tauzin. So that I take it your answer is, yes,
right?
Mr. Bellone. My answer is yes.
Chairman Tauzin. So the person who is using the systems you
have demonstrated can actually change the medical condition or
the treatment profile or the payment requirements of that
system; is that correct?
Mr. Bellone. That is exactly correct.
Chairman Tauzin. And, therefore, compromise the integrity
of the payment system?
Mr. Bellone. Absolutely.
Chairman Tauzin. I can envision incredible fraud
opportunities with that scenario, is that right, as well as
privacy problems?
Mr. Bellone. You can assume that with what we have shown,
an attacker can gain more privileges than the user has.
Chairman Tauzin. Say that again, ``An attacker can gain
more privileges than the user.'' What do you mean by that?
Mr. Bellone. What I mean is that once you exploit it, you
can deny them service to that resource.
Chairman Tauzin. So you can not only take charge of their
operation, you can make it more difficult for them to actually
use it themselves?
Mr. Bellone. Absolutely.
Chairman Tauzin. You can deny them total use, if you want,
of these systems?
Mr. Bellone. Absolutely.
Chairman Tauzin. You also indicated--obviously, I am just
using health care systems as an example for us to understand
this technology, but this, in the case of an energy lab, might
explain how someone might get in and compromise, with espionage
intent, not only the information in that lab, but you might do
it from across the world.
You don't need necessarily someone working in the lab; is
that right?
Mr. Bellone. To a certain extent. The one thing that I
think the Department of Energy recognizes is, given that risk,
there are certain assets that they are not willing to subject
to that risk.
Chairman Tauzin. Well, let's hope so.
Mr. Bellone. Yes.
Chairman Tauzin. But we have some confidence problem with
that.
Yes, sir.
Mr. Podonsky. Also the fact that we exist as an
organization to continue doing these penetrations is a
compliment to the current Secretary and the Department because
we are allowed, without legislation, to go anywhere that we
need to and report on anything that we find.
Chairman Tauzin. On the technical side again, the last
thing you said was quite disturbing as well, that if you had a
camera, once this system is compromised, that you take over
that camera, that you can actually watch activities in that
room in front of that screen; is that correct?
Mr. Bellone. Absolutely.
Chairman Tauzin. And if you have a microphone, which most
computers do, you can, with this technology, install your
sniffer and actually listen in on all conversation inside that
room; is that correct?
Mr. Bellone. Absolutely. If the machine has a microphone,
that is the case.
Chairman Tauzin. And unless all the Federal sites in which
sensitive information is being discussed are protected against
this technology, anyone from around the world using it could
enter any room where sensitive conversations are being held and
eavesdrop on those conversations without a court order covering
their tracks, without anybody ever knowing they have done it;
is that correct?
Mr. Bellone. To a certain extent, it is correct.
What I could say is that in some environments they look
harder at things like hardware, the presence of microphones and
so forth, and so that is looked very carefully upon. In other
environments where there is less, where there is not the
presence of sensitive information, it is more likely that that
may be the case.
Chairman Tauzin. But it is a problem. Unless the Federal
official who is operating in front of that computer screen
which has camera and microphone capabilities is aware of what
you have just shown us, if he has no awareness of it, if it is
not a priority item in his thinking or her thinking that day,
that conceivably those systems can be compromised in the way
you have demonstrated and the conversations, the actions even
in that room can be in someone else's domain, unknown to the
Federal officials involved.
Mr. Huston. That is correct, sir, but you have to realize
that it should never get that far. There should be defensive
measures installed in these systems to prevent that from
occurring long before that ever becomes a risk.
Chairman Tauzin. That is, of course, the next question.
You know, I have raised in the opening statement the
concern that enough of our Federal agencies are not keenly
aware, we have not yet made them keenly aware nor instructed
them nor appropriated funds for them to install these defensive
systems. Is that generally correct as well? Who can answer?
Mr. Podonsky. Well, we are better off to keep focus on what
we do know about the Department of Energy. On the technical
side, we don't know what all the other agencies are doing, but
we do know that because of some very good reasons, the
Department was very motivated in the last 2 years to really
focus on cybersecurity.
Chairman Tauzin. Something called public embarrassment, I
think.
Mr. Podonsky. That often helps.
So to answer your question, from our standpoint, as we
pointed out here, not only do we continue to probe, but the
people who are responsible for filling the vulnerabilities that
we find are actively doing that as we speak on a regular basis.
Chairman Tauzin. And I guess, as a final question, these
technologies are also available for private snooping and
private compromising of homes and businesses across America; is
that correct? Unless Americans are aware, keenly, of the
capabilities of these systems and take as much concern about
installing defensive systems, their private homes, their most
private conferences, in many cases their most private spaces
and activities can be easily compromised by someone invading
their home through these devices and literally listening in and
watching the most private of circumstances of Americans in
their personal and business lives; is that correct?
Mr. Huston. That is correct. However, awareness is the
primary means of defense against any security threat, and much
like a physical security threat, where you have started to see
the evolution of homeowners installing alarm systems and other
threat and risk mitigation strategies, I think you will see a
growth in that marketplace, as well, for cybersystems.
Chairman Tauzin. Thank you, Mr. Chairman.
Mr. Greenwood. Let me just ask a question about motivation.
Obviously, we know that there are some hackers who do this
for the sport of it, just to see what they can do, and they may
or may not have nefarious intentions other than to sneak in and
see what they can do. But what nefarious opportunities are
there once you get in?
In other words, I assume a lot of people wouldn't get all
the way there just to hide your icons or change the colors on
your screen; that they would be there to--is there a market for
the information? Can you get information and then sell it? Is
it a question of compromising and destroying internal systems
for strategic purposes?
Talk, if you would, briefly about some of the motivations
for doing this.
Ms. Matthews. I think the answer to your question is all of
the above and then some.
There are over 100 countries that have some sort of
information operations capabilities, and you saw what we could
do with publicly available software and hardware. If you could
imagine them turning their expertise and resources to debunking
those information and operations, you can imagine what damage
that could do. So the motivations are various, depending on
whether it is a teenager or whether it is a nation-state or a
terrorist organization that has motivation behind them.
Mr. Greenwood. And given the ability to cover tracks, it is
safe to say that this has probably happened to Federal systems,
and we don't know what was done, have no way of knowing what
was done? They could have covered the tracks and left no trail
whatsoever?
Mr. Bellone. Part of strength and defense is having an
effective intrusion detection system--and I emphasize the word
``system,'' because what we showed you is covering tracks at a
very micro level. When we assess a site, one of our topical
areas is intrusion detection systems, meaning their ability to
respond to an event and provide that for an investigation, if
you will. That is a critical component of detecting that level
of activity. Sure, there are point-and-click tools available to
vanish yourself from one machine, but with a very comprehensive
system of alarms, you can still detect the activity.
So there are defense elements that are available.
Mr. Greenwood. Mr. Strickland, do you have questions for
the panel?
Mr. Strickland. No, sir, but I want to thank the panel.
They have been very stimulating, and I am sitting here
wondering what their IQs must be.
Mr. Greenwood. We can assume it is higher than ours.
Mr. Davis.
Mr. Davis. Thank you. You can never have 100 percent
protection in an information system; do you agree with that?
Mr. Bellone. That is correct.
Mr. Davis. Information security best practices really means
using effective risk management in their implementation. How do
you collaborate with your clients to assist them in meeting
those objectives?
Mr. Peterson. We have--as part of our process, we do the
technical performance testing, what Mr. Bellone has shown you
today. We then go in with our programmatic team and we take a
look at their processes, and one of the key ones would be the
risk management process, you know, does the site understand the
threat. Then you do a risk assessment, understanding your
critical systems and your critical information need protection.
You then devise risk mitigation strategies and a protection
strategy as well.
You implement those, and then there is going to be some
residual risk left over. What we do then is, we go in to see,
do you understand your residual risk, has there been an
appropriately designated official--has that person accepted
that risk. That is what we look for.
Mr. Davis. Thanks.
Mr. Greenwood. Ms. DeGette.
Ms. DeGette. Thank you, Mr. Chairman.
I want to follow up on the full committee chairman's
questions about, if you had microphones and video capability in
computers. I would assume that for someone to be able to
intercept that, the computer would have to be on at that time.
And is that a yes?
Mr. Bellone. That is correct.
Ms. DeGette. And I would also assume that many meetings
that take place where secret information is discussed are not
in people's cubicles or offices where their PC is on, but
rather in a conference room or some other venue. Would that be
correct?
Mr. Bellone. Absolutely.
Ms. DeGette. And in those venues, in your experience in
your agency, are there computers running in those rooms at the
time those meetings are taking place? I am trying to figure out
how real a threat this really is.
Mr. Bellone. In the sensitive realm, there is a very clear
accreditation process that looks at the room--the nature of the
room, the hardware, the software and so forth. So it is very
much a controlled environment, and because there are so many
checks and balances and procedures and signatures and so forth,
generally the process resolves or reconciles those kinds of
concerns.
Ms. DeGette. And that is happening under current DOE
protocols?
Mr. Bellone. Accreditation process.
Mr. Podonsky. Yes.
Ms. DeGette. And what about the training of personnel, are
personnel currently, under current protocols, trained about the
risks of interception of verbal communications?
Mr. Peterson. It is part of what we look at in our
programmatic review, we look for annual training of users--
obviously more detailed training down to the systems
administrator level, managers--making sure that they understand
their roles and responsibilities, making sure that the site has
good procedures that actually push policy down from the broad
national perspective down to the working level.
Ms. DeGette. Well, these particular concerns that Mr.
Tauzin was expressing are--is that part of your current
training for personnel about the risks of hackers coming in and
actually being able to intercept visual or verbal discussions?
Is that a policy right now?
Mr. Peterson. Again, that is part of the risk assessment
process that is evaluated at the site level for each individual
network. You know, depending on what information they have,
again it is going to drive the level of concern. Again, that is
a process at the site level.
Then that feeds into the training based on, we know we have
these risks, we need to inform our users and our systems
administrators.
Ms. DeGette. I understand what your general protocols are,
but specifically, are people advised of these risks?
Mr. Bellone. One thing that comes to mind, we run through
computer-based training in yearly training sessions that go
over counterintelligence and cybersecurity, and the
cybersecurity awareness training covers these elements. They
talk about the exploit or attacker threat. That is required
yearly.
Ms. DeGette. Now, let us talk for a minute about classified
systems. By the way, I apologize, I missed your demonstration.
I was caught in the cherry blossom traffic, I think.
But apparently, according to Mr. Strickland, we are never
turning on our computers again because of the risk of people
getting our information, and I want to know how very real the
risk is with your Agency? Are the classified systems at your
Agency connected to the Internet?
Mr. Peterson. We take a very close look at that. With
classified systems, there is either an air gap between the
Internet and the classified system or NSA-approved encryption.
Ms. DeGette. So some are connected to the Internet, but
there are protections that you believe would be effective in
place?
Mr. Peterson. Yes.
Ms. DeGette. How many of the classified systems, what
percentage of your classified systems are connected to the
Internet?
Mr. Peterson. I am not sure if we can provide a good number
for that.
Ms. DeGette. If you can supplement your answer in writing,
I would appreciate it. Mr. Chairman, thank you.
[The following was received for the record:]
The Department has one classified system connected to the
Internet. However, all classified information that is
transmitted over the Internet is protected using an encryption
device approved by the National Security Agency.
Mr. Greenwood. We thank you for that mind-bending
demonstration. You are excused, and we will bring up the next
panel. Thank you again.
The Chair calls the witnesses, Ms. Sallie McDonald,
Assistant Commissioner, Office of Information Assurance and
Critical Infrastructure of the U.S. General Services
Administration; Mr. Ron Dick, Director, National Infrastructure
Protection Center of the FBI; and Mr. Tom Noonan, President and
CEO of Internet Security Systems.
The Chair would ask unanimous consent that the gentleman
from Georgia, Mr. Isakson, be given permission to sit at the
table and introduce his constituent, Mr. Noonan.
I am going to have Mr. Isakson introduce Mr. Noonan first,
and then we will turn to Ms. McDonald for her opening
statement.
Mr. Isakson. I commend the chairman and members of the
committee for looking into an issue of major importance to the
U.S. Government. It is also an issue of major importance as
well to the private sector throughout this country.
I am particularly pleased to have the honor to introduce a
citizen of Atlanta, Georgia, Mr. Tom Noonan, Chairman and CEO
of Internet Security Systems, whose software development,
remote management of security systems, education and consulting
is sought worldwide. ISS is a company that has offices in Asia,
Latin America, Middle East, Europe and throughout North
America. They have over 6,000 customers in the United States of
America in the management and security of their network
systems.
To talk about the importance of the software that they
developed and the remote management that they have, today 21 of
the top 25 banks in the United States of America are clients of
ISS. The top 10 telecommunications companies in the United
States of America are clients of ISS, and 35 government
agencies in this country, or possibly worldwide, are clients of
ISS.
But probably the best compliment that I can pay to Mr.
Noonan is that 2 years or 3 years ago, following my election to
Congress, I sought the opportunity, because of my business
experience and knowing the importance of technology, to develop
an advisory board of individuals to help me deal with the
myriad of privacy and safety and security issues that deal with
the Internet and technology. Tom Noonan's name was consistently
mentioned as the paramount authority on security systems in
Atlanta, and, in fact, in the United States. It is an honor and
privilege for me to introduce him. I am going to apologize that
I have to leave this table, but I have the intellectual
capacity to be a Congressman; I am not sure that I have the
capacity to sit at this table with these individuals, and I do
not want to confuse anyone here. I thank the chairman.
Mr. Greenwood. I thank the gentleman. The Chair recognizes
Mr. Davis.
Mr. Davis. Mr. Isakson, you missed one item in that
introduction. That is, his company has a strong presence in
Herndon, Virginia. Welcome.
Mr. Greenwood. The Chair recognizes Ms. Sallie McDonald for
her testimony.
TESTIMONY OF SALLIE McDONALD, ASSISTANT COMMISSIONER, OFFICE OF
INFORMATION ASSURANCE AND CRITICAL INFRASTRUCTURE, U.S. GENERAL
SERVICES ADMINISTRATION; RONALD L. DICK, DIRECTOR, NATIONAL
INFRASTRUCTURE PROTECTION CENTER; AND TOM NOONAN, PRESIDENT AND
CEO, INTERNET SECURITY SYSTEMS, INC.
Ms. McDonald. Good morning, Mr. Chairman and members of the
committee. I am the Assistant Commissioner for the Office of
Information Assurance and Critical Infrastructure Protection.
My office is a component of GSA's Federal Technology Service
under which the Federal Computer Incident Response Center
operates.
We wish to thank you for the opportunity to offer testimony
pertinent to the state of security for government information
technology resources. The Federal Computer Incident Response
Center, or FedCIRC, is a central coordination activity for
dealing with computer security-related incidents affecting
computer systems within the Federal civilian agencies and
departments of the U.S. Government.
As government industry system interconnectivity increases,
the boundary between the two becomes more difficult to define
and in some cases they simply do not exist. Any security
weakness across the Internet has a potential of being exploited
to gain unauthorized access to one or more of the connected
systems, including those of government. Reports indicate that
numerous countries have or are developing information warfare
capabilities that could be used to target critical components
of the national infrastructure, including government systems.
The National Security Agency has determined that potential
adversaries are collecting significant knowledge on U.S.
information systems and also collecting information and
techniques to attack these systems.
Since October 1998, FedCIRC incident records have shown an
alarming trend in the number of attacks targeting government
systems. Overall, 376 incidents were reported in 1998,
affecting 2,732 Federal Government systems.
In 1999, the figure had risen to 580 reported incidents
affecting 1.3 million systems. By 2000, reported incidents
numbered 586; and those incidents impacted over 576,000
government systems.
Although these numbers are alarming, it should be noted
that they reflect only those reported incidents and do not
include statistics on the estimated 80 percent that go
unreported. Studies indicate that the lack of reporting is not
due to an organization overlooking its obligation to report,
but rather a sign of the organization's inability to recognize
that its systems have been penetrated. The increase in the
number of route compromises, denial of service attacks, network
reconnaissance activities, destructive viruses and malicious
code, coupled with advances in attack sophistication, pose
immeasurable threats to government systems and the critical
missions and services they support.
With the rapid transition to a paperless government and
increasing dependence on e-government solutions, the focus on
secure technology approaches must be a priority. We in
government cannot afford to overlook our inherent
responsibility to protect sensitive information from
unauthorized disclosure. The unprecedented growth in technology
is driving government to implement capabilities and services so
rapidly that security concerns are often overlooked.
Mr. Chairman, my brief summary today only begins to touch
on the most significant information security challenges we have
before us. The complete text of my testimony describes in
greater deal the current and growing threat to the Federal
information infrastructure. I trust that you will derive from
my remarks an understanding of the cybersecurity issues, and
also an appreciation for the commitment that those in the
FedCIRC and participating organizations share for the
protection of components of our critical infrastructure. We
appreciate your leadership and that of the committee for
helping us achieve our goals and allowing us to share
information that we feel is crucial to the defenses of the
Federal information technology resources. Thank you.
[The prepared statement of Sallie McDonald follows:]
Prepared Statement of Sallie McDonald, Assistant Commissioner, Office
of Information Assurance and Critical Infrastructure Protection,
Federal Technology Service, General Services Administration
Good morning, Mr. Chairman and Members of the Committee. On behalf
of the Federal Technology Service of the General Services
Administration let me thank you for this opportunity to appear before
you to discuss our perspective on the state of security for government
information technology resources.
As you know we operate an entity known as FedCIRC. FedCIRC stands
for the Federal Computer Incident Response Center, and is a component
of GSA's Federal Technology Service. FedCIRC is the central
coordinating activity associated with security related incidents
affecting computer systems within the Civilian Agencies and Departments
of the United States Government. FedCIRC provides security incident
identification, containment and recovery services and works within the
Federal community to educate agencies on effective security practices
and procedures. FedCIRC's prevention and awareness program includes
security bulletins and advisories, hardware and software vulnerability
notifications, and vulnerability fixes.
With the recent enactment by Congress of the Government Information
Security Reform Act, federal agencies and departments must report
computer security incidents to FedCIRC. FedCIRC's role is to assist
those federal agencies and departments with the containment of security
incidents and to provide information and tools to aid them with the
recovery process. In January, the Office of Management and Budget (OMB)
issued implementing guidance on the new security act. In that guidance,
OMB instructed agencies to implement both technical and procedural
means to detect security incidents, report them to FedCIRC, and to use
FedCIRC to share information on common vulnerabilities. Agencies were
advised to work with their security officials and Inspectors General to
remove all internal obstacles to timely reporting and sharing.
Additionally, in October of last year, the Federal CIO Council worked
with FedCIRC and developed procedural advice to agencies for efficient
interaction with FedCIRC.
When an incident is reported to FedCIRC, we work with those
involved to collect pertinent information, analyze it for severity and
potential impact, and offer guidance to minimize or eliminate further
proliferation or damage. Additionally, FedCIRC assists in identifying
system vulnerabilities associated with the incident and provides
recommendations to prevent recurrence. Moreover, FedCIRC works closely
with the FBI's NIPC and the national security community to ensure that
incidents with potential law enforcement or national security impact
are quickly reported to the appropriate authorities.
As government and industry systems and network interconnectivity
increase, the boundaries between the two begin to blur. This huge
network of networks, known of course as the Internet, includes both
government and private systems. In some fashion, through the Internet,
all of these systems are interconnected. Thus, an inescapable fact of
life in this Internet Age is that any risk associated with any part of
the Internet environment is ultimately assumed by all systems connected
to it. Any security weakness across the Internet has the potential of
being exploited to gain unauthorized access to one or more of the
connected systems.
Reports from the Department of Defense and other sources tell us
that over 100 countries have or are developing information warfare
capabilities that could be used to target critical components of the
national infrastructure including government systems. The National
Security Agency has determined that potential adversaries are
collecting significant knowledge on U.S. information systems and also
collecting information and techniques to attack these systems. These
techniques give an adversary the capability of launching attacks from
anywhere in the world that are potentially impossible to trace.
Since October 1998, FedCIRC incident records have shown an
increasing trend in the number of attacks targeting government systems.
Overall, there were 376 incidents reported in 1998 that affected 2,732
Federal civilian systems and 86 military systems. In 1999, the figure
had risen to 580 reported incidents affecting 1,306,271 Federal
civilian systems and 614 military systems. By 2000, reported incidents
numbered 586, which impacted 575,568 Federal civilian systems and 148
of their military counterparts. Though these numbers are in themselves
ample cause for concern, these numbers reflect only those reported
incidents and do not include incidents that were not reported. Studies
conducted by the Department of Defense as well as data collected from
the broad Internet community by Carnegie Mellon University's CERT
Coordination Center indicate that as many as 80% of actual security
incidents go unreported. More importantly, perhaps is the reason
incidents appear to remain unreported. In most cases incidents are not
reported because the organization was unable to recognize that its
systems had been penetrated or because there were no indications of
penetration or attack.
Of course computer security incidents vary in degree of severity
and significance. Many incidents, such as web page defacements, are
seemingly insignificant and generally categorized as ``cyber-
graffiti.'' Typically, systems that are victims of defacement have one
thing in common, an overabundance of commonly known weaknesses in their
respective operating system and server software. Though the damage from
such incidents may be small, the rising number of occurrences suggests
a clear pattern of inattentiveness to security problems, especially
those that might be easily resolved with publicly available software
patches.
While these relatively minor incidents may amount to mostly
nuisances, the more significant incidents are those associated with the
development of sophisticated attack methodologies. Such attack
methodologies involve the organized distribution of intrusion
techniques across the Internet. So called ``hackers'', ``crackers,''
mischievous individuals, rogue nations and even state sponsored attacks
are all threats to systems in government and the private sector.
In particular, unauthorized intrusions into government systems
containing sensitive information are also on the rise. In 2000, as I
reported earlier, FedCIRC documented 586 incidents affecting government
systems. 155 of those were reported from 32 agencies and resulted in
what is known as ``root compromise.'' A root compromise means the
intruder has gained full administrative or ``root'' privileges over the
targeted system. This means that any information or capability of the
system is totally owned by and controllable by the intruder. With
``root'' privileges, the intruder can cover his or her tracks because
the privileges allow them to alter system logs and thereby erase any
evidence of intrusion activities. In at least 5 of the incidents
involving a root compromise, access to sensitive government information
was verified. For the remaining 150 incidents, compromise of any and
all information must be assumed. Root compromises were also employed in
17 separate instances where the compromised systems were used to host
and then launch attacks. Attacks of this nature are particularly
egregious since they work to erode the public trust in government
systems integrity while serving to openly demonstrate security
vulnerabilities within government systems.
More recently, as a byproduct of the Y2K problem, a new type of
attack has been gaining attention. This type of attack is known as the
``Distributed Denial of Service'' attack and is considered one of the
most potentially damaging attack methods yet to be developed. The
Distributed Denial of Service or DDoS attack simply overwhelms a
targeted system with so much information that the targeted system
cannot grant access to legitimate users. This attack can be
particularly damaging when components of the critical infrastructure
such as power grid controls, traffic controls, emergency and medical
services are subject to a DDoS attack, since these attacks render their
targets effectively inoperative. And if that is not enough, the DDoS
attack, after first identifying and compromising vulnerable systems
anywhere across the Internet, next deposits on those compromised
systems hostile software capable of launching further attacks. Once in
place, the exploited systems can then be orchestrated to simultaneously
launch attacks on a predetermined target, flooding the target with more
information than it is capable of processing. Ninety three government
systems were targets of DDoS attacks, many of which resulted in the
disruption of critical government services.
Perpetrators continually scan the Internet to identify systems with
weak security profiles or vulnerabilities. These reconnaissance
activities focus on identifying the active services, operating systems,
software versions and any protective mechanism that may be in place.
Armed with this information, a would-be intruder can consult publicly
available information repositories and references for vulnerabilities
particular to their selected target. Then they can devise attack
strategies with the highest probabilities for successful compromise.
Port scans, probes, network mapping applications and commonly used
network administration tools are typical resources used by an intruder
to identify weaknesses in the chosen organization's infrastructure and
to simplify the intrusion effort. Incidents reported by Federal
agencies to FedCIRC during 1998 indicated a mere 157 occurrences.
However in 1999 there was a significant jump in network reconnaissance
activity to 1,686 occurrences. Although 2000 showed a slight decrease,
the number of reported reconnaissance incidents still was 1,207.
The sophistication of computer viruses also poses a significant
threat. While yesterday's viruses were destructive to files residing on
a system, today's viruses come in many forms and self propagate by
exploiting the advanced capabilities of modern-day software
applications. Computer viruses may harbor capabilities to destroy both
hardware and software. They may arrive in the form of so-called
``trojan horse'' code capable of capturing and transmitting sensitive
information, user account data or administrator passwords. As
legitimate software programs incorporate more advanced capabilities,
those same capabilities are being harnessed to very destructive
purposes. As we observed during the ``Melissa'' and ``I Love You''
viruses, a single email on the other side of the globe began saturating
mail servers within a few short hours. The number of virus incidents
reported by Federal agencies in 1998, 1999 and 2000 totaled 55, 35, and
36 respectively. Since anti-virus defenses are developed in response to
a virus, there is a relatively significant period of time between the
capturing of the virus code and the development of a defense.
Considering the near-real-time communications capabilities available to
a large percentage of the world population, microseconds can mean the
difference between normal operations and system disruption.
Statistics compiled by Carnegie Mellon University's CERT
Coordination Center show a definite correlation between the growth of
software vulnerabilities and the number of reported incidents. From
1988 to present day, the number of vulnerabilities identified annually
has increased from only single digits to well over 800. The number of
reported incidents across industry and government closely track that of
the vulnerabilities, from a meager few in 1988 to almost 25,000 as of
the beginning of this year. These trends indicate that Internet
connected systems are becoming increasingly vulnerable to attack and
that defensive measures are not yet adequate to protect against
exploitation of the vulnerabilities.
With the rapid transition to a paperless government and increasing
dependence on e-government solutions, the focus on secure technology
approaches must be a high priority. The unprecedented growth in
technology is driving government to implement capabilities and services
so rapidly that security concerns are often overlooked. The adoption of
e-commerce solutions, e-government solutions and countless forms of
electronic information exchange is in danger of moving forward without
adequate consideration of the protection of the systems and the
information they store, process or transmit. We in government cannot
afford to overlook our inherent responsibility to protect sensitive
information from unauthorized disclosure. The implementation of
strategic defenses for the Federal Information Infrastructure can only
be realized if we act promptly to establish the proper foundation for
already overdue initiatives to combat these issues. Information sharing
and collaboration on the part of all concerned is key to the creation
of effective defenses. FedCIRC, in cooperation with every Civilian
Federal Agency, Industry, Law Enforcement, the Department of Defense
and Academia, has begun building a virtual network of partners to
facilitate the sharing of security relevant information and ideas. Each
week, the list of partners increases as more and more realize that this
battle cannot be fought in isolation. Every contributing piece of
information from a participating partner has the potential of unlocking
a critical cyber-defense problem.
SUMMARY
Mr. Chairman, in my remarks here this morning, I have merely
touched on the most significant information security challenges we face
in this Internet Age dawning before us. My goal was to inform you and
this committee about the nature of the cyber-security issues we face
collectively as a nation. I also want to help you appreciate the degree
and level of commitment that those in FedCIRC and participating
organizations share regarding the protection of the components of our
Critical Infrastructure. We appreciate your leadership and that of the
Committee in helping us achieve our goals and allowing us to share
information that is crucial to the effective defense of Federal
Information Technology resources.
Mr. Greenwood. Thank you.
Mr. Dick.
TESTIMONY OF RONALD L. DICK
Mr. Dick. Mr. Chairman, I am the Director of the National
Infrastructure Protection Center which is located at the FBI. I
want to thank you today for inviting me to discuss cyber-
intrusion issues into government systems. Because of the impact
that cyber-intrusions have on our national security, as well as
the economic well-being of government and industries to provide
vital goods and services to Americans, this is a very important
topic.
I would ask that my full statement be entered into the
record, and I will focus on a few brief comments.
Computer intrusions into government systems are a serious
problem. In my statement, I cite that we have currently 102
pending investigations of government systems out of a total of
approximately 1,219. But each case can represent multiple
intrusions and multiple victims. Thus the caseload denotes a
large number of incidents. That is the bad news.
The good news is that National Security Advisor Rice's
recent statement at the Partnership for Critical Infrastructure
for Security meeting indicated the administration's view that
this is a high priority.
Let me briefly outline some threats we face and discuss a
few examples that highlight the vulnerability.
Insiders have always been a major threat. Their motive is
usually against a current or former employer. In many instances
they do not need to be sophisticated because they do know the
passwords, or controls are such that passwords are not changed
routinely. Further, they have the greatest knowledge of how to
defeat the system's internal controls.
In one case, a dismissed employee of the National Library
of Medicine created a back door in the system through which he
could alter and destroy data on the system. These intrusions
were a threat to public safety, as doctors from around the
world depended on the integrity of this information for
diagnosis and drug prescriptions.
Computer virus writers have become a dangerous problem in
the last few years. They write their programs, often just to
cause mayhem in the networks. The result is that important
systems are made or forced to come off-line for repairs. This
is at a cost of billions of dollars; last year, as we all
remember, the well known love letter virus which began in the
Philippines but soon spread globally. The FBI and Philippine
authorities were able to trace the virus back to its source,
but because the Philippines lacked a cybercrime statute at the
time, he could not be prosecuted.
Along with viruses, hacking cases are the best known. In
February 1998, just as the Center was being established, we had
one of the largest hacks ever of U.S. Government systems.
Intruders had compromised hundreds of Department of Defense
computers. We initially thought it could be an attack from a
foreign power. It turned out to be teenagers from California
and Israel. Those teens have since been prosecuted by the U.S.
Government; but it was a wake-up call regarding cybersecurity.
While the motive was less malicious in this case than
others we had seen, it highlighted the potential for use of
cyberspace to prepare the battlefield.
Let me touch further on national security threats. There
are thousands of intrusions or attempts into government systems
every year. Many of them emanate from abroad. We know many
nations are developing information warfare capabilities, as
well as adapting cybertools as information-gathering trade
craft. That is about as far as I can go today, but this is an
evolving area for us.
Let me talk about the response to these threats. In the
middle of the 1990's, the Federal Government, as has been
recognized already, recognized the potential dangerous problem
regarding cyber-vulnerabilities.
In February 1998, the Attorney General authorized the
creation of the National Infrastructure Protection Center. In
May 1998, President Clinton authorized the expansion of Justice
Department efforts to a full-scale National Protection Center.
The Center's mission is for detecting, assessing, warning of,
and investigating significant threats and incidents concerning
our critical infrastructures. The NIPC is an interagency
center. Of the 101 persons currently working in the Center, we
currently have 18 detailees from outside the FBI, and two
foreign detailees. The leadership of the Center comes from
several agencies. The NIPC's Deputy Director is Rear Admiral
James Playhall from the Navy, who is with us today. Over the
last 3 years the Center has issued 82 warning products. Many of
these products, such as the one issued last week on the ``Lion
Internet Worm'' are issued before any attacks occur.
These warning products are sent to our Federal partners, as
well as State and Federal law enforcement, international
partners with whom we have connectivity, the information
sharing and analysis centers, and others in the private sector
so as to enhance security worldwide.
What makes the NIPC unique is that we have access to
information from law enforcement sources and investigations,
the intelligence community, international sources, private
sector contacts and open sources. No other entity has access to
such a complete range of information.
In cyberspace, we all look the same as has been pointed out
here today in the demonstration. Thus, investigations is an
important component of what the center does. Finding out the
origin of an intrusion and who is sitting behind that keyboard
is a huge challenge. What makes the NIPC unique is that through
the FBI, we have access to both criminal and national security
authorities to conduct such investigations. As an interagency
center, we can coordinate our investigative efforts more
efficiently. If the intruder is overseas, we can use our
partners regarding investigations and prosecutions through our
legal attaches in over 40 countries around the world. Once we
have determined the facts regarding the attack and the identity
of the attacker, we can confer with the Department of Justice,
and just as importantly, policymakers, to fashion the
appropriate response.
That response may be criminal prosecution or it might be
diplomatic, intelligence, or military action, or a combination
of all three of those things.
In summary, I must stress that cooperation lies at the
heart of everything that we do within the Center. We are
actively engaged with our Federal partners, domestic law
enforcement, international agencies, the private sector, and
our international counterparts across the globe. Without
cooperation and information sharing, we cannot hope to come to
grips with this problem. We have made a lot of progress, but
much work remains to be done. Thank you.
[The prepared statement of Ronald L. Dick follows:]
Prepared Statement of Ronald L. Dick, Director, National Infrastructure
Protection Center, Federal Bureau of Investigation
Representative Greenwood, Members of the subcommittee, thank you
for inviting me here today to speak to the important issue of
intrusions into government computer networks. The problem is serious.
The Department of Defense reports thousands of potential cyber attacks
launched against DoD systems. GAO reports that ``in 1999 and 2000, the
Air Force, Army, and Navy recorded a combined total of 600 and 715
[serious] cyber attacks, respectively.'' This does not even consider
attacks on civilian agencies. Two weeks ago National Security Advisor
Condoleezza Rice stated that ``The President himself is on record as
stating that infrastructure protection is important to our economy and
to our national security and therefore it will be a priority for this
administration.''
Dr. Rice also stated during that same speech that, ``We have to
maximize our resources and energies by making sure that they are
focused, instead of allowing them to be dissipated through dispersal.''
The need for a coordinated interagency approach to address intrusions
into government networks was one of the principal reasons for having
established the National Infrastructure Protection Center (NIPC). When
the NIPC was founded three years ago, it was during one of the largest
intrusions ever into U.S. government systems. The lessons learned from
that intrusion and from the response to it have helped shape the NIPC.
Let me provide you with a snapshot of our caseload on government
intrusions. Currently we have 102 cases (of a current total of 1,219
pending cases) involving computer intrusions into government systems.
This includes intrusions into federal, state and local systems, as well
as the military. It should be noted that a single case can consist of
hundreds of compromised systems that have experienced thousands of
intrusions. In addition, many agencies conduct investigations
concerning intrusions into their systems that are not reported to the
FBI. In short, this case load represents a large number of incidents.
Several critical elements are required to deal with intrusions into
government computer systems. There must be an interagency structure to
deal with this problem. No agency should or should have to address
these issues alone. Information must be shared with law enforcement and
the NIPC. We must work to ensure that any intrusions are stemmed and
the vulnerability that allowed the intrusion is patched.
Interagency cooperation is essential in dealing with intrusions
into government systems. As I said at the outset, that is why the NIPC
was created. Currently the NIPC has representatives from the following
agencies at the Center: FBI, Army, Navy, Air Force Office of Special
Investigations, Defense Criminal Investigative Service, National
Security Agency, United States Postal Service, Department of
Transportation/Federal Aviation Administration, Central Intelligence
Agency, Department of Commerce/Critical Infrastructure Assurance
Office, and the Department of Energy. This representation has given us
the unprecedented ability to reach back into the parent organizations
of our interagency detailees on intrusions and infrastructure
protection matters. In addition, we have formed an interagency
coordination cell at the Center which holds monthly meetings with U.S.
Secret Service, U.S. Customs Service, representatives from DoD
investigative agencies, the Offices of Inspector General of NASA,
Social security administration, Departments of Energy, State, and
Education, and the U.S. Postal Service, to discuss topics of mutual
concern.
This representation is not enough, however. The PDD states that,--
The NIPC will include FBI, USSS, and other investigators experienced in
computer crimes and infrastructure protection, as well as
representatives detailed from the Department of Defense, the
Intelligence Community and Lead Agencies.'' The NIPC would like to see
all lead agencies represented in the Center. The more broadly
representative the NIPC is, the better job it can do in responding to
intrusions into government systems.
The NIPC is pursuing three sets of activities that address computer
intrusions into government systems: prevention, detection, and
response.
PREVENTION:
Our role in preventing cyber intrusions into government systems is
not to provide advice on what hardware or software to use or to act as
a federal systems administrator. Rather our role is to provide
information about threats, ongoing incidents, and exploited
vulnerabilities so that government and private sector system
administrators can take the appropriate protective measures. The NIPC
has a variety of products to inform the private sector and other
domestic and international government agencies of the threat,
including: alerts, advisories, and assessments; biweekly CyberNotes;
monthly Highlights; and topical electronic reports. These products are
designed for tiered distribution to both government and private sector
entities consistent with applicable law and the need to protect
intelligence sources and methods, and law enforcement investigations.
For example, Highlights is a monthly publication for sharing analysis
and information on critical infrastructure issues. It provides
analytical insights into major trends and events affecting the nation's
critical infrastructures. It is usually published in an unclassified
format and reaches national security and civilian government agency
officials as well as infrastructure owners. CyberNotes is another NIPC
publication designed to provide security and information system
professionals with timely information on cyber vulnerabilities, hacker
exploit scripts, hacker trends, virus information, and other critical
infrastructure-related best practices. It is published twice a month on
our website and disseminated in hardcopy to government and private
sector audiences.
The NIPC has elements responsible for both analysis and warning.
What makes the NIPC unique is that it has access to all-source
intelligence from law enforcement, the intelligence community, private
sector, international arena, and open sources. No other entity has this
range of information. Complete and timely reporting of incidents from
private industry and government agencies allows NIPC analysts to make
the linkages between government intrusions and private sector activity.
We are currently working on an integrated database to allow us to more
quickly make the linkages among seemingly disparate intrusions. This
database will leverage both the unique information available to the
NIPC through FBI investigations and information available from the
intelligence community and open sources. Having these analytic
functions at the NIPC is a central element of its ability to carry out
its preventive mission.
This initiative expands direct contacts with the private sector
infrastructure owners and operators and shares information about cyber
intrusions and exploited vulnerabilities through the formation of local
InfraGard chapters within the jurisdiction of each of the 56 FBI Field
Offices. This is critical to infrastructure protection, since private
industry owns most of the infrastructures. Further, InfraGard's success
belies the notion that private industry will not share information with
NIPC or law enforcement. All 56 FBI field offices have InfraGard
chapters. There are currently over 900 InfraGard members. The national
InfraGard rollout was held on January 5, 2001.
The NIPC is also working with the Information Sharing and Analysis
Centers established under the auspices of PDD-63. For example, the
North American Electric Reliability Council (NERC) serves as the
electric power ISAC. We have developed a program with the NERC to
develop an Indications and Warning System for physical and cyber
attacks. Under the program, electric utility companies and other power
entities transmit incident reports to the NIPC. These reports are
analyzed and assessed to determine whether an NIPC alert, advisory, or
assessment is warranted to the electric utility community. Electric
power participants in the pilot program have stated that the
information and analysis provided by the NIPC back to the power
companies make this program especially worthwhile. NERC has recently
decided to expand this initiative nationwide. This initiative will
serve as a good example of government and industry working together to
share information and the Electrical Power Indications and Warning
System will provide a model for the other critical infrastructures.
Eventually the NIPC will need to be able to have a comprehensive
nation-wide system for all the infrastructures.
The NIPC is the Sector Lead Agency for the Emergency Law
Enforcement Services sector. As part of this mission, the Center has
also been asked to by ELES Sector the to have the NIPC Watch and
Warning Unit act as the ISAC for the sector. The NIPC is working to
implement this request.
DETECTION:
Given the ubiquitous vulnerabilities in existing Commercial Off-
the-Shelf (COTS) software, intrusions into critical systems are
inevitable for the foreseeable future. Thus detection of these
intrusions is critical if the U.S. Government and critical
infrastructure owners and operators are going to be able to respond. To
improve our detection capabilities, we first need to ensure that we are
fully collecting, sharing, and analyzing all extant information from
all relevant sources. It is often the case that intrusions can be
discerned simply by collecting bits of information from various
sources; conversely, if we don't collate these pieces of information
for analysis, we might not detect the intrusions at all. Thus the
NIPC's role in collecting information from all sources and performing
analysis in itself serves the role of detection.
Agency system administrators need to work with FedCIRC and the
NIPC. PDD-63 makes clear the importance of such reporting. It states,
``All executive departments and agencies shall cooperate with the NIPC
and provide such assistance, information and advice that the NIPC may
request, to the extent permitted by law. All executive departments
shall also share with the NIPC information about threats and warning of
attacks and about actual attacks on critical government and private
sector infrastructures, to the extent permitted by law.'' Currently OMB
has instructed the agencies that they must report their intrusions to
FedCIRC, but reporting to the NIPC is not mentioned. We are working
with FedCIRC to define criteria for reporting of incidents to the NIPC
for analytical as well as investigative purposes.
In some cases, in response to victims' reports, the NIPC has
sponsored the development of tools to detect malicious software code.
For example, in December 1999, in anticipation of possible Y2K related
malicious conduct, the NIPC posted a detection tool on its web site
that allowed systems administrators to detect the presence of certain
Distributed Denial of Service (DDoS) tools on their networks. In these
cases, hackers plant tools such as Trinoo, Tribal Flood Net (TFN),
TFN2K, or Stacheldraht (German for barbed wire) on a number of
unwitting victim systems. Then when the hacker sends the command, the
victim systems in turn begin sending messages against a target system.
The target system is overwhelmed with the traffic and is unable to
function. Users trying to access that system are denied its services.
The NIPC's detection tools were downloaded thousands of times and have
no doubt prevented many DDoS attacks.
The NIPC also led the FBI's multiagency Y2K command center. NIPC
personnel were on alert during the rollover period watching for
possible malicious activity under the guise of Y2K. NIPC coordinated a
nationwide watch effort and distributed reports every four hours round
the clock on the situation.
Regarding warning, if we determine that an intrusion is imminent or
underway, the NIPC Watch is responsible for formulating assessments,
advisories, and alerts, and quickly disseminating them. The substance
of those products will come from analytical work done by NIPC analysts.
If we determine an attack is underway, we can notify both private
sector and government entities using an array of mechanisms so they can
take protective steps. In some cases these warning products can prevent
a wider attack; in other cases warnings can mitigate an attack already
underway. Finally, these notices can prevent attacks from ever
happening in the first place. For example, the NIPC released an
advisory on March 30, 2001 regarding the ``Lion Internet Worm,'' which
is a DDoS tool targeting Unix-based systems. Based on all-source
information and analysis, the NIPC alerted systems administrators how
to look for this compromise of their system and what specific steps to
take to remove the tools if they are found. This alert was issued after
consultation with FedCIRC, JTF-CND, a private sector ISAC, and other
infrastructure partners.
RESPONSE:
Despite our efforts, we know that government systems will continue
to be attacked. Thus we need to determine the origin of these attacks
in order to get to the person behind the keyboard for our government to
formulate the appropriate response. In the cyber world, determining
what is happening is difficult at the early stages. An event could be a
system probe to find vulnerabilities or entry points, an intrusion to
steal data or plant sniffers or malicious code, an act of teenage
vandalism, an attack to disrupt or deny service, or even an act of war.
The crime scene itself is totally different from the physical world in
that it is dynamic--it grows, contracts, and can change shape. Further,
the tools used to perpetrate a major infrastructure attack can be the
same ones used for other cyber intrusions (simple hacking, foreign
intelligence gathering, organized crime activity to steal property,
data, etc. . . .), making identification more difficult. Determining
that an event is even occurring thus can often be difficult in the
cyber world, and usually a determination cannot be made without a
thorough investigation. In the physical world one can see instantly if
a building has been bombed or an airliner brought down. In the cyber
world, an intrusion may go undetected for some time.
Identification of the perpetrators and their objectives during an
event is critical especially in the initial stages. The perpetrators
could be criminal hackers, teenagers, electronic protestors,
terrorists, or foreign intelligence services. In order to attribute an
attack, the NIPC coordinates an investigation that gathers information
from within the United Sates using either criminal investigative or
foreign counter-intelligence authorities, depending on the
circumstances. We also rely on the assistance of other nations when
appropriate. Obtaining reliable information is necessary not only to
identify the perpetrator but also to determine the size and nature of
the intrusion: how many systems are affected, what techniques are being
used, and what is the purpose of the intrusions--disruption, economic
espionage, theft of money, etc. . . .
Relevant information could come from existing criminal
investigations or other contacts at the FBI Field Office level. It
could come from the U.S. Intelligence Community, other U.S. Government
agency information, through private sector contacts, the media, other
open sources, or foreign law enforcement contacts. The NIPC's role is
to coordinate, collect, analyze, and disseminate this information.
Indeed this is one of the principal reasons the NIPC was created.
Because the Internet by its nature embodies a degree of anonymity,
our government's proper response to an attack first requires
significant investigative steps. Investigators typically need a full
range of criminal and/or national security authorities to determine who
launched the attack. Under our system the legal authorities for
conducting investigations within the United States include: the
Computer Fraud and Abuse Act, the Economic Espionage Statute, the
Electronic Communications Privacy Act, the Foreign Intelligence
Surveillance Act, as well as the relevant executive orders delineating
the responsibilities of the intelligence community. Thus the FBI can
apply for court orders to get subscriber information from Internet
Service Providers, and monitor communications under the Electronic
Communications Privacy Act or under the Foreign Intelligence
Surveillance Act, depending on the facts of the case as they are known
at the time the order is requested. The FBI has designated the NIPC to
act as the program manager for all of its computer intrusion
investigations, and the NIPC has made enormous strides in developing
this critical nationwide program. In that connection, the NIPC works
closely with the Criminal Division's Section on Computer Crime and
Intellectual Property, the Department's Office of Intelligence Policy
and Review, and the U.S. Attorney's Offices in coordinating legal
responses.
In the event of a national-level set of intrusions into significant
systems, the NIPC will form a Cyber Crisis Action Team (C-CAT) to
coordinate response activities and use the facilities of the FBI's
Strategic Information and Operations Center (SIOC). The team will have
expert investigators, computer scientists, analysts, watch standers,
and other U.S. government agency representatives. Part of the U.S.
government team might be physically located at FBI Headquarters and
part of the team may be just electronically connected. The C-CAT will
immediately contact field offices responsible for the jurisdictions
where the attacks are occurring and where the attacks may be
originating. The C-CAT will continually assess the situation and
support/coordinate investigative activities, issue updated warnings, as
necessary, to all those affected by or responding to the crisis. The C-
CAT will then coordinate the investigative effort to discern the scope
of the attack, the technology being used, and the possible source and
purpose of the attack.
While we have not seen an example of cyber terrorism directed
against U.S. government systems, the NIPC's placement in the FBI's
counterterrorism division will allow for a seamless FBI response in the
event of a terrorist action that encompasses both cyber and physical
attacks. The NIPC and the other elements of the FBI's Counterterrorism
Division have conducted joint operations and readiness exercises in the
FBI's SIOC. We are prepared to respond if called upon.
Case Examples
Over the past several years we have seen a wide range of cyber
threats ranging from defacement of websites by juveniles to
sophisticated intrusions sponsored by foreign powers, and everything in
between. Some of these are obviously more significant than others. The
theft of national security information from a government agency or the
interruption of electrical power to a major metropolitan area would
have greater consequences for national security, public safety, and the
economy than the defacement of a web-site. But even the less serious
categories have real consequences and, ultimately, can undermine
confidence in e-commerce and violate privacy or property rights. A web
site hack that shuts down an e-commerce site can have disastrous
consequences for a business. An intrusion that results in the theft of
credit card numbers from an online vendor can result in significant
financial loss and, more broadly, reduce consumers' willingness to
engage in e-commerce. Because of these implications, it is critical
that we have in place the programs and resources to investigate and,
ultimately, to deter these sorts of crimes.
In addition, because it is often difficult to determine whether an
intrusion or denial of service attack, for instance, is the work of an
individual with criminal motives or foreign nation state, we must treat
each case as potentially serious until we gather sufficient information
to determine the nature, purpose, scope, and perpetrator of the attack.
While we cannot discuss ongoing investigations, we can discuss closed
cases that involve FBI and other agency investigations in which the
intruder's methods and motivation were similar to what we are currently
seeing. A few illustrative are described below:
In hacker cases, the attacker's motivation is just to see how far
he can intrude into a system. This seems to be the motivation for the
California teens in the well-known Solar Sunrise case. In this case the
intruders exploited a well known vulnerability in computers that run on
the Sun Solaris operating system. By exploiting this vulnerability, the
intruder can gain root access (total control) of the system. As in the
Solar Sunrise case, the intruders can then install their own accounts
on the system and create backdoors into the system from which they can
then install additional programs to find passwords. They also had the
ability to alter, remove, or destroy data on those systems. This case
demonstrated to the interagency community how difficult it is to
identify an intruder until all of the facts are gathered through an
investigation, and why assumptions cannot be made until sufficient
facts are available. The incident also vividly demonstrated the
vulnerabilities that exist in our networks; if these individuals were
able to assume ``root access'' to certain unclassified DoD systems, it
is not difficult to imagine what hostile adversaries with greater
skills and resources would be able to do. Finally, Solar Sunrise
demonstrated the need for interagency coordination to deal with such
attacks. The perpetrators in this case were two 16 and an 18 years old.
We have also seen cases of hacking and mischief for what might be
termed personal reasons. For example, Eric Burns, a.k.a Zyklon, hacked
into the White House web site as well as other sites. This case was
worked jointly by the U.S. Secret Service and the FBI. He was caught
and pled guilty to one count of 18 U.S.C.1030. In November 1999 he was
sentenced to 15 months in prison, 3 years supervised release, and
ordered to pay $36,240 in restitution and a $100 fine.
In another example, the Melissa Macro Virus was reportedly named
after an exotic dancer from Florida; this virus wreaked havoc on
government and private sector networks in March 1999. He pled guilty to
one federal count of violating 18 U.S.C. 1030 and four state counts. He
admitted to causing $80 million in damage as well. David Smith, the
author of the virus, faces a maximum sentence of five years and
$250,000 on the federal charge. He is currently awaiting sentencing.
This is a good example of how federal and state governments are
increasingly coordinating investigations and prosecutions in combating
computer crime.
In another case, system penetration coupled with theft can be the
motivation. A Florida youth admitted to breaking into 13 computers at
the Marshall Space Flight Center in Huntsville, Alabama in June 1999
and downloading $1.7 million in NASA proprietary software that supports
the International Space Station's environmental systems. NASA has
estimated the cost to repair the damage at $41,000. The subject has
also admitted to entering Defense Department systems of the Defense
Threat Reduction Agency, intercepting 3,300 e-mail messages, and
stealing passwords from Pentagon computers. This case was investigated
by NASA. He was sentenced to six months in a juvenile detention center
for hacking into NASA computers which support the International Space
Station.
Virus writers have become a more prevalent threat in recent years.
We have seen virus writers unleash havoc on the Internet for a variety
of motivations. In May 2000 companies and individuals around the world
were stricken by the ``Love Bug,'' a virus (or, technically, a
``worm'') that traveled as an attachment to an e-mail message and
propagated itself extremely rapidly through the address books of
Microsoft Outlook users. The virus/worm also reportedly penetrated at
least 14 federal agenciesCincluding the Department of Defense (DOD),
the Social Security Administration, the Central Intelligence Agency,
the Immigration and Naturalization Service, the Department of Energy,
the Department of Agriculture, the Department of Education, the
National Aeronautics and Space Administration (NASA), along with the
House and Senate.
Investigative work by the FBI's New York Field Office, with
assistance from the NIPC, traced the source of the virus to the
Philippines within 24 hours. The FBI then worked, through the FBI Legal
Attache in Manila, with the Philippines' National Bureau of
Investigation, to identify the perpetrator. The speed with which the
virus was traced back to its source is unprecedented. The prosecution
in the Philippines was hampered by the lack of a specific computer
crime statute. Nevertheless, Onel de Guzman was charged on June 29,
2000 with fraud, theft, malicious mischief, and violation of the
Devices Regulation Act. However, those charges were dropped in August
by Philippine judicial authorities. As a postscript, it is important to
note that the Philippines' government on June 14, 2000 reacted quickly
and approved the E-Commerce Act, which now specifically criminalizes
computer hacking and virus propagation. The Philippine government will
not be hindered by insufficient charging authorities should an incident
like this one ever occur again. Also, the NIPC continues to work with
other nations to provide guidance on the need to update criminal law
statutes.
In some cases, we have been able to prevent the release of
disastrous viruses against public systems. On March 29, 2000, FBI
Houston initiated an investigation when it was discovered that certain
small businesses in the Houston area had been targeted by someone who
was using their Internet accounts in an unauthorized manner and causing
their hard drives to be erased. On March 30, 2000, FBI Houston
conducted a search warrant on a residence of an individual who
allegedly created a computer ``worm'' that seeks out computers on the
Internet. This ``worm'' looks for computer networks that have certain
sharing capabilities enabled, and uses them for the mass replication of
the worm. The worm causes the hard drives of randomly selected
computers to be erased. The computers whose hard drives are not erased
actively scan the Internet for other computers to infect and force the
infected computers to use their modems to dial 911. Because each
infected computer can scan approximately 2,550 computers at a time,
this worm could have the potential to create a denial of service attack
against the E911 system. The NIPC issued a warning to the public
through the NIPC webpage, SANS, NLETS, InfraGard, and teletypes to
government agencies. On May 15, 2000 Franklin Wayne Adams of Houston
was charged by a federal grand jury with knowingly causing the
transmission of a program onto the Internet which caused damage to a
protected computer system by threatening public health and safety and
by causing loss aggregated to at least $5000. Adams was also charged
with unauthorized access to electronic or wire communications while
those communications were in electronic storage. He faces 5 years in
prison and a $250,000 fine.
Revenge by disgruntled employees seems to be another strong
motivation for attacks. Insiders do not need a great deal of knowledge
about computer intrusions, because their knowledge of victim systems
often allows them to gain unrestricted access to cause damage to the
system or to steal system data. For example, in July 1997 Shakuntla
Devi Singla used her insider knowledge and another employee's password
and logon identification to delete data from a U.S. Coast Guard
personnel database system. It took 115 agency employees over 1800 hours
to recover and reenter the lost data. Ms. Singla was convicted and
sentenced to five months in prison, five months home detention, and
ordered to pay $35,000 in restitution.
Another case involved a National Library of Medicine (NLM)
employee. In January and February 1999 the National Library of Medicine
computer system, relied on by hundreds of thousands of doctors and
medical professionals from around the world for the latest information
on diseases, treatments, drugs, and dosage units, suffered a series of
intrusions where system administrator passwords were obtained and
hundreds of files downloaded, including sensitive medical ``alert''
files and programming files that kept the system running properly. The
intrusions were a significant threat to public safety and resulted in a
monetary loss in excess of $25,000. FBI investigation identified the
intruder as Montgomery Johns Gray, III, a former computer programmer
for NLM, whose access to the computer system had been revoked. Gray was
able to access the system through a ``backdoor'' he had created in the
programming code. Due to the threat to public safety, a search warrant
was executed for Gray's computers and Gray was arrested by the FBI
within a few days of the intrusions. Subsequent examination of the
seized computers disclosed evidence of the intrusion as well as images
of child pornography. Gray was convicted by a jury in December 1999 on
three counts for violation of 18 U.S.C. 1030. Subsequently, Gray
pleaded guilty to receiving obscene images through the Internet, in
violation of 47 U.S.C. 223. Montgomery Johns Gray III was sentenced to
5 months prison, 5 months halfway house, 3 years probation and ordered
to pay $10,000 in restitution and assessments.
We are also seeing the increased use of cyber intrusions by
criminal groups who attack systems for purposes of monetary gain. In
September, 1999, two members of a group dubbed the ``Phonemasters''
were sentenced after their conviction for theft and possession of
unauthorized access devices (18 USC Sec. 1029) and unauthorized access
to a federal interest computer (18 USC Sec. 1030). The ``Phonemasters''
were an international group of criminals who penetrated the computer
systems of MCI, Sprint, AT&T, Equifax, and even the National Crime
Information Center. The Phonemasters' methods included ``dumpster
diving'' to gather old phone books and technical manuals for systems.
They used this information to trick employees into giving up their
logon and password information. The group then used this information to
break into victim systems. One member of this group, Mr. Calvin
Cantrell, downloaded thousands of Sprint calling card numbers, which he
sold to a Canadian individual, who passed them on to someone in Ohio.
These numbers made their way to an individual in Switzerland and
eventually ended up in the hands of organized crime groups in Italy.
Cantrell was sentenced to two years as a result of his guilty plea,
while one of his associates, Cory Lindsay, was sentenced to 41 months.
Terrorists groups are increasingly using new information technology
and the Internet to formulate plans, raise funds, spread propaganda,
and to communicate securely. In his statement on the worldwide threat
in 2000, Director of Central Intelligence George Tenet testified that
terrorists groups, ``including Hizbollah, HAMAS, the Abu Nidal
organization, and Bin Laden's al Qa'ida organization are using
computerized files, e-mail, and encryption to support their
operations.'' In one example, convicted terrorist Ramzi Yousef, the
mastermind of the World Trade Center bombing, stored detailed plans to
destroy United States airliners on encrypted files on his laptop
computer. While we have not yet seen these groups employ cyber tools as
a weapon to use against critical infrastructures, their reliance on
information technology and acquisition of computer expertise are clear
warning signs. Moreover, we have seen other terrorist groups, such as
the Internet Black Tigers (who are reportedly affiliated with the Tamil
Tigers), engage in attacks on foreign government web-sites and email
servers. During the riots on the West Bank in the fall of 2000, Israeli
government sites were subjected to e-mail flooding and ``ping''
attacks. The attacks allegedly originated with Islamic elements trying
to inundate the systems with email messages. As one can see from these
examples overseas, ``cyber terrorism''--meaning the use of cyber tools
to shut down critical national infrastructures (such as energy,
transportation, or government operations) for the purpose of coercing
or intimidating a government or civilian population--is thus a very
real threat.
We have worked closely with our international partners on computer
intrusion cases, including cases in which hackers have illegally
accessed U.S. government systems. In 1999 the FBI cooperated with New
Scotland Yard in the United Kingdom on a case in which a UK citizen
confessed to breaking into U.S. Navy systems. He was further suspected
of intruding into other systems, including that of the U.S. Senate. He
was sentenced to a term of 3 years on a probation-like status.
We believe that foreign intelligence services have adapted to using
cyber tools as part of their information gathering tradecraft. While I
cannot go into specific cases, there are overseas probes against U.S.
government systems every day. It would be naive to ignore the
possibilty or even probability that foreign powers were behind some or
all of these probes. The motivation of such intelligence gathering is
obvious. By combining law enforcement and intelligence community assets
and authorities under one Center, the NIPC can work with other agencies
of the U.S. government to detect these foreign intrusion attempts.
The prospect of ``information warfare'' by foreign militaries
against our critical infrastructures is perhaps the greatest potential
cyber threat to our national security. We know that many foreign
nations are developing information warfare doctrine, programs, and
capabilities for use against the United States or other nations.
Knowing that they cannot match our military might with conventional or
``kinetic'' weapons, nations see cyber attacks on our critical
infrastructures or military operations as a way to hit what they
perceive as America's Achilles heel B our growing dependence on
information technology in government and commercial operations. For
example, two Chinese military officers recently published a book that
called for the use of unconventional measures, including the
propagation of computer viruses, to counterbalance the military power
of the United States.
CONCLUSION
While the NIPC has accomplished much over the last three years in
building the first nationallevel operational capability to respond to
cyber intrusions, much work remains. We have learned from cases that
successful network investigation is highly dependent on expert
investigators and analysts, with state-of-the-art equipment and
training. We have built that capability both in the FBI Field Offices
and at NIPC Headquarters, but we have much work ahead if we are to
build our resources and capability to keep pace with the changing
technology and growing threat environment, while at the same time being
able to respond to several major incidents at once.
We are building the international, agency to agency, government to
private sector, and law enforcement partnerships that are vital to this
effort. The NIPC is well suited to foster these partnerships since it
has analysis, information sharing, outreach, and investigative
missions. We are working with the executives in the infrastructure
protection community with the goal of fostering the development of safe
and secure networks for our critical infrastructures. While this is a
daunting task, we are making progress.
Within the federal sector, we have seen how much can be
accomplished when agencies work together, share information, and
coordinate their activities as much as legally permissible. But on this
score, too, more can be done to achieve the interagency and
publicprivate partnerships called for by PDD63. We need to ensure that
all relevant agencies are sharing information about threats and
incidents with the NIPC and devoting personnel and other resources to
the Center so that we can continue to build a truly interagency,
``national'' center. Finally, we must work with Congress to make sure
that policy makers understand the threats we face in the Information
Age and what measures are necessary to secure our Nation against them.
I look forward to working with the Members and Staff of this Committee
to address these vitally important issues.
Thank you.
Mr. Greenwood. We thank you for your testimony.
Mr. Noonan.
TESTIMONY OF TOM NOONAN
Mr. Noonan. Mr. Chairman, thank you for having me today,
and other members of the committee. I am very pleased to be
here to talk about an issue that we are both passionate about,
and an issue of, I believe, very critical national security.
Although the folks from the DOE are not here, I thank them
because I recognize some of the technology that we pioneered
about 8 years ago, and they are using it today effectively to
protect the DOE, as are other government agencies, and I am
always pleased to see our technology in use.
I am here today to provide you with some background
information on threat assessment, on the vulnerabilities and
threats that we see in the commercial sector, on the
vulnerabilities and threats that we see in working with some 26
foreign governments outside of the United States as well as
some 9,000 commercial customers around the globe.
Every day we get involved in one side or the other of
hacking, either protecting networks from hackers, cyber thieves
and others; or addressing vulnerabilities, fixing the
weaknesses necessary to protect those systems. These
individuals typically use the Internet to address their own
pursuits, including international cyberterrorism, causing havoc
and mayhem. I am far less concerned about teenage hackers,
although they seem to make the press more often, and become far
more concerned with the sophisticated attacks against not just
our government but our industry.
As a company, we monitor and manage the security of
companies around the world through security operations centers
we have located in Sweden, the U.S., Japan, the Philippines,
Italy, Rio de Janeiro, and Atlanta, Georgia. So we have an
interconnected network of security operation centers monitoring
companies and detecting and tracking threats around the world.
Over the years, I have watched computer vulnerabilities
increase dramatically. The Internet is so useful for the
reasons that it is so vulnerable. I would like to share two
analogies. The first analogy I would like to use is to compare
a computer to that of a house. Most of you are familiar with
your house. You typically have a front door, a back door, and
some windows that periodically you lock or monitor through your
system. Every single computer connected to the Internet has the
equivalent of 65,536 doors and windows, and many of them cannot
be locked. They cannot be locked because you are using those
doors and windows for legitimate access. So the real challenge
becomes, with all of these doors and windows, how do we
ultimately determine which need to be locked and which need to
be left open, and those that are left open, how are they
monitored to assure proper use and access of the system?
If you multiply 65,000 times all of the computers on the
Internet, that is how many potential ways to access computers
there are. It is simply not a problem that we can address
manually. We have to use technology and automation as part of
that solution.
So just as physical security companies like ADT or
Honeywell or Brinks monitor physical locations, security
companies, ours being one of them, have not only pioneered the
technology to provide this monitoring--some of the tools you
saw from the DOE, for instance--but also to deliver that as a
service. I think that is an area that government ought to
responsibly look at as we move forward: the area of managed
security systems.
My second analogy compares computer security to a chess
game. In a chess game, the goal is to protect the king. In
information security, the goal is to protect information but
otherwise provide legitimate access to it for nonmalicious
purposes. But a knowledgeable chess player is required to
maneuver and play the chess game, just like a knowledgeable
security person is required to help coordinate and manage the
overall security posture of a system.
I think we are fooling ourselves if we think that every
single user of every computer is going to be aware enough to
check their own systems for back doors, to deal with the
problems that are so deeply routed in the technology underneath
this. Just as a chess game environment is constantly changing,
so is the network. New applications, new users, new trading
partners, new introductions of sensitive data, et cetera. Over
the years, as the Internet has become more used in business and
more acceptable to the masses, it has been attacked at an
increasing rate.
Incidents occur when hackers maneuver through a system,
take advantage of the vulnerabilities and cause a system
breach.
So as to your question, Mr. Chairman, there is a whole new
currency on the Internet, it is called the back door. Today I
could easily trade two DOTs for one GM or a Procter & Gamble
for another back door in some other case. So on the Internet,
back doors or accounts are being used as a new currency, and
they are being traded frequently.
Vulnerabilities are holes or weaknesses and problems that
exist in the computer systems, as we saw from the DOE
demonstration, and these incidents include everything from
credit card theft, which seems to be where the consumers' fear
is, to the compromise of very sensitive systems. And it comes
down to three things:
One, confidentiality. Is and can the information be
protected?
Two, integrity. Can it be changed to questions that came
from the Chair?
And, last, is it available? Denial of service, which you
have heard, the ability to completely shut down or destroy data
is possible here.
So what I would like to do is introduce three slides to
demonstrate what is happening in industry. The first slide
demonstrates top security breaches. As you can see, 4 percent
of the breaches are actually physical security breaches such as
breaking into a window or getting through a locked door.
Let us look beyond that into where the real computer
security problems are. Twenty percent are system unavailability
breaches or denial of service breaches. We learned about those
in February of last year when some of the most important
commerce sites on the Internet were taken off line by malicious
activity.
Also, as Mr. Dick has commented on, the ``ILUVYOU'' e-mail
virus cost industry billions of dollars. Electronic exploits
represent about 20 percent of the breaches. An example of an
electronic exploit is finding a hole and installing a back
door. The gentleman from the DOE showed you how easy that is.
Last, 25 percent of the breaches are loss of privacy or
confidentiality breaches such as when someone compromises a
record or data base and removes information. Twenty-six percent
are malicious code breaches, things like when a hacker sends an
attachment with a malicious payload and, when opened, it
deletes files automatically.
To give you an idea how fast incidents are occurring, the
second slide examines the increase in one type of breach: the
virus. If you look at the threat spectrum, on one side you have
the traditional virus all of the way up through denial of
service attacks, trojans, worms, electronic compromise of data
bases and operating systems.
But if you look at this slide, you can see that viruses in
October 1999 alone, there were more than 2,000 new known
viruses. In November 1999, there were over 2,400. In December
1999, over 2,500 more were added. In October 2000, there were
30,678 new viruses being tracked; and in November of 2000,
there were some 23,962 new viruses. What we are seeing here is
exponential growth of an issue that is getting out of hand and
causing significant damage and problems to the global computing
infrastructure.
I would like to give you a better idea of how incidents
generally occur and how computer security companies protect
against these incidents.
The third slide is an example of a Website where crackers
can get information to help them break into a system. This is a
Website that I have deattributed. Being in the protection
business, I don't like to pass along where people can go get
these weapons. This actually came from an African hacking site,
and in this hacking site it is basically the equivalent of
being able to anonymously walk down to your corner store, pick
up an anthrax bomb and a couple of grenades, and be able to
launch them from your own computer anonymously and without any
visibility as to who you are. These happen to be computer
exploits.
You can take back doors that monitor and take advantage of
microphones, denial of service attacks, you have a whole
smorgasbord up here to fill your palate.
This site lists new vulnerabilities that have been
discovered and programs that allow anyone to use these exploits
to damage a system. There are literally thousands of these
sites on the Internet, so you do not have to be very
sophisticated or have a high IQ to cause a lot of damage to our
infrastructure.
We monitor the Websites that discover the latest trends. In
addition, thousands of private chat rooms exist where more
sophisticated crackers trade hacking tools over the Internet.
We are pleased that the government is interested in taking
computer security seriously. The United States spends billions
of dollars buying weapons and gaining intelligence to protect
our country. Our computer systems must be adequately protected
or our entire infrastructure could be compromised by one single
person with one single computer.
Even though the task is complicated, computer systems can
be protected. I think today we focused on how easy they are to
break in. I think it might be helpful someday to have a session
on how effectively we can protect the computer systems today
because this is where we are going to take action. I think the
government has taken great strides in the past few years, but
much more is needed. I think we are moving from the topical to
the awareness to let us start taking some action here.
As industry has considerable resources and expertise, a
continued partnership with industry is crucial. In addition,
computer systems should be a priority, and leadership and
coordination are necessary in the government. The government
has done well with the resources it has been given. However,
computer security specialists we believe are required to
implement and coordinate many different security products and
services to adequately secure a system.
In my company alone, the average salary of one of my 2,000
employees is around $80,000. I don't know of an industry where
the average employee from the mailman to the CEO is $80,000.
Computer security experts are scarce. They are in short supply
and they are expensive. To help address the cost of computer
security, I think we ought to focus not just on what do we do
to protect our infrastructure, but we ought to extend these
efforts to educational efforts that we can undertake to train
the personnel coming out of our schools, not just our
engineering schools, but our colleges and universities.
Computer programmers should be trained in computer security.
Today they are not. Today they are trained in how do you make
the best feature. What they do not focus on is the
vulnerability that they leave behind.
Specialized programs in computer security should be
encouraged, and we are strongly supportive of the universities
that are implementing them today. I look forward to a
continuing dialog on computer security issues. Working
together, we are confident we can adequately secure our
country's assets and information. Thank you.
[The prepared statement of Tom Noonan follows:]
Prepared Statement of Tom Noonan, President and CEO, Internet Security
SystemsGood Morning, Mr. Chairman and Members of the Committee. I am
pleased to appear before you today to discuss an issue of great
importance to our country.
BACKGROUND
In 1991, the founder and Chief Technology Officer of Internet
Security Systems, Chris Klaus, became interested in government security
while interning at the Department of Energy. Chris then began working
on a groundbreaking technology that actively identified and fixed
computer security weaknesses. The next year, while attending Georgia
Institute of Technology (``Georgia Tech''), Chris released his product
for free on the Internet. He received thousands of requests for his
invention, and decided that he should sell it. In 1994, I met Chris
over the Internet and teamed with him to form Internet Security
Systems. I was then working for a computer company, having attended GA
Tech and Harvard Business School. Chris and I then launched the
company's first product, Internet Scanner, and went public in March
1998. And yes, we're a profitable company, even in today's market.
Today, Internet Security Systems is the worldwide leader in security
management software. For nearly 10 years, which is several lifetimes in
Internet time, we have been involved in computer security, watching the
area grow from the outset. Chris Klaus (who is now 26) is one of a
handful of premiere experts in the world on computer security, and
Internet Security Systems is a widely recognized pioneer in computer
security. Computer security is all we do. We have nearly 2,000
employees in 18 countries focused exclusively on computer security.
Altogether, we now have more than 8,000 customers, including 68 percent
of the Fortune 500, and 21 of the 25 largest U.S. commercial banks. We
also serve the ten largest telecommunication companies, numerous U.S.
government agencies, and other non-U.S. governments.
VULNERABILITIES
I'm here today to provide you with some background information on
threat assessment. Every day, Internet Security Systems stops criminal
hackers and cyber-thieves by addressing vulnerabilities in computers.
The individuals who use the Internet for business to business warfare,
for international cyber-terrorism, or to cause havoc and mayhem in our
technology infrastructure. Internet Security Systems is involved in
every aspect of computer security, whether in making the security
products or in managing them. We also monitor networks and systems
around the clock (24 x 7 x 365) from the US, Japan, South America, and
Europe in our Security Operations Centers (``SOCs''). We search for
attacks and misuse, identify and prioritize security risks, and
generate reports explaining the security risks and what can be done to
fix them. At the heart of our solution is our team of world-class
security experts focused on uncovering and protecting against the
latest threats. This team of 200 global specialists, dubbed the X-
Force, understands exactly how to transform the complex technical
challenges into an effective, practical, and affordable strategy.
Because of all of these capabilities, companies and governments turn to
us as their trusted computer security advisor.
Over the years, I have watched computer vulnerabilities increase
dramatically. The Internet is so useful for the very reasons that it is
so vulnerable. To give you an idea of what we are dealing with, I'd
like to share two analogies. First, I'll compare a computer to a house.
Every computer connected to the Internet has the equivalent of 65,536
doors and windows which need to be locked and monitored to make sure no
one breaks in. Multiply 65,536 by every computer in every company and
you begin to see the extent of the problem. Just as physical security
companies like ADT monitor your physical doors and windows, computer
security companies must lock and monitor the doors and windows of
computers.
My second analogy compares this complicated area of computer
security to a Chess game. In a Chess game, the goal is to protect the
king--or mission critical information. The other Chess pieces protect
the king. But a knowledgeable Chess player is required to maneuver the
Chess pieces. With computer security, the goal is to protect the
information. A variety of computer security products, including
Intrusion Detection Systems (IDS) and vulnerability assessment,
function as Chess pieces, and protect and watch the information. These
products are absolutely essential. However, you also need to have a
computer security expert to manage these products, just as you have to
have a knowledgeable Chess player maneuver the Chess pieces. Just as a
Chess game environment is constantly changing, the computer security
environment is also constantly changing. Computer security companies,
such as Internet Security Systems, produce the products and perform the
services that protect the information and manage the products so that
they function in the proper way.
Over the years, as the Internet has become more used in business
and more accessible to the masses, it has been attacked at an
increasing rate. Incidents occur when hackers maneuver through a
system, take advantage of the vulnerabilities, and cause a system
breach. Vulnerabilities are holes, weaknesses, and problems that exist
in computer systems. Incidents include credit card theft or other
information theft. The first slide documents the top security breaches.
4% of these breaches are actual physical security breaches, such as
breaking a window or getting in through a locked door. 20% are system
unavailability breaches or denial-of-service breaches, such as the
``ILUVYOU'' email virus. Electronic exploits represent 20% of the
breaches. An example of an electronic exploit is finding a hole where
you can install a backdoor to get into a computer system. 25% of the
breaches are loss of privacy or confidentiality breaches, such as when
a cracker breaks into a database server and gains access to credit card
information. 26% are malicious code breaches, such as when a hacker
sends an email with an attachment that when opened, deletes files on
the computer system. 5% of the breaches are other breaches.
To give you an idea of how fast incidents are occurring, the second
slide examines the increase in just one type of breach, the virus.
Viruses, such as the ``ILUVYOU'' virus are mini computer programs that
flood a computer system with email so that the system slows down or
crashes. Viruses can also destroy information on a computer system. In
October 1999 alone there were more than 2000 new known viruses. In
November 1999, there were 2,427 new viruses. In December 1999, 2,586
were added. Look at how these numbers have dramatically increased in
2000. In October 2000, there were 30,678 new viruses. In November 2000,
there were 23,962 new viruses. In December 2000, there were 16,762 new
viruses. Keep in mind that the vast impact caused by the ``ILUVYOU''
virus was caused by only one of these viruses.
To give you a better idea of how incidents generally occur, and how
computer security companies protect against these incidents, the third
slide is an example of a Web site where crackers can get information
that will help them break into a system. Because we are in the
protection business, we have modified this site and removed the
identifying information. This site lists new vulnerabilities that have
been discovered, and includes programs that allow anyone to use these
to exploit vulnerabilities to damage a system. There are thousands of
similar Web sites. Our X-Force monitors the most important Web sites to
discover the latest trends. In addition, thousands of private chat
rooms exist where more sophisticated crackers trade hacking tools over
the Internet. Our X-Force gains access to important chat rooms and
monitors them as well.
RECOMMENDATIONS
We are pleased that the Government is interested in taking computer
security seriously. The United States spends billions of dollars buying
weapons and gaining intelligence to protect our country from more
conventional types of attack. Our computer systems must also be
adequately protected, or our entire infrastructure could be compromised
by one person with one computer. Even though the task is complicated,
computer systems can be protected.
The Government has taken great strides in the past few years.
However, much, much more is needed. As industry has considerable
resources and expertise, a continued partnership with industry is
crucial. In addition, computer security must be a priority, and
leadership and coordination are necessary in the Government.
International leadership is also required. Perhaps most importantly,
funding for secure Government systems must be increased by a
substantial amount, and outsourcing should be considered as an option.
The Government often does well with the resources it has been given.
However, computer security specialists are required to implement and
coordinate many different security products and services to adequately
secure a system. As computer security expertise is extremely rare, the
cost of computer security specialists is astronomical. In my company
alone, the average salary of my 2000 employees is around $80,000. To
help address the cost of computer security, educational efforts must be
undertaken to train the personnel required. Computer programmers in
universities should be trained in computer security. Currently, they
are not. In addition, specialized programs in computer security should
be encouraged.
Thank you for inviting me here today. I look forward to a
continuing dialog on the computer security issue, and hope that,
working together, we can adequately secure our country's assets and
information.
Mr. Greenwood. Thank you very much for your extraordinary
testimony.
The Chair recognizes himself for 5 minutes for questions.
Ms. McDonald, on your chart, the route compromises, 155
last year, are those the kind of compromises that we saw in the
demonstration where you can essentially take over an entire
system?
Ms. McDonald. Yes.
Mr. Greenwood. Question for Mr. Dick. You referred to the
issue of who is sitting behind the keyboard. Can you elaborate
on what the FBI has discovered as to who these perpetrators
are? We know that there are teenagers who will hack into
systems for the fun of it. But in terms of identified
perpetrators, can you share with us what their motivations have
been?
Mr. Dick. In the physical world, the range and motives
associated with who are perpetrating these kinds of acts runs
the full gamut. As Tom was referring to, we have the teenage
hackers that are doing it for sport and notoriety on the
Internet, to the other range where we have state-sponsored
activities associated with trying to discern how to conduct
information warfare.
What we see in the range of what we refer to as southern
vulnerabilities, you have a high volume of, let us say, the
hackers that are going into systems for the honor or
recognition of it--which is relatively low impact as far as our
national security and economic well-being--which is going down
the virus writers, which does have an economic impact on us, to
criminal organizations. We are now seeing both U.S. and foreign
criminal organizations attacking systems for credit card
information, and then going back and extorting the businesses
out of funds for not recognizing or exposing that they have
been vulnerable to espionage and so forth.
Mr. Greenwood. What are the kind of penalties that have
been exacted against these perpetrators, and do you believe the
penalties are adequate under the current Federal statutes?
Mr. Dick. For violations of Title 18, section 1030, the
penalties are 10 years in jail for each violation. The maximum
penalties associated probably are adequate.
Now, have the courts, based upon the sentencing guidelines,
levied those kinds of penalties to subjects which have been
convicted? Not at this point. It is very similar to white
collar crime investigations where the penalties are perceived
by some to be less than adequate. But I think with time, that
will change also.
Mr. Greenwood. What about international cooperation? You
referenced the case in the Philippines where they were not--
their laws did not permit us to prosecute that perpetrator. Are
there in process efforts to create international agreements or
treaties with regard to these hackers?
Mr. Dick. Yes. There are a number of things ongoing right
now through the G-8 and the Council of Europe to implement laws
that will more standardize not only our ability to prosecute,
but our ability to access information.
One of the difficulties in investigating these cases is
almost 99 percent of the time, we are going to end up overseas
in some faction of the case because of particular hot point or
place that they intruded into overseas to get into the U.S.
system exists. So we have to go to a foreign entity just to get
the information as to what occurred over there. There are
efforts going on and more could be done. There is a lot of
emphasis on that at this point in time.
Mr. Greenwood. Thank you.
Mr. Noonan, I think you made some reference in your
testimony to Federal customers that you have, U.S. Government
customers.
Mr. Noonan. Yes.
Mr. Greenwood. Do they tend to be the inspectors general
buying your services and software so they can check on the
departments, or do they tend to be the managers of those
departments buying your software so as to provide the
protections necessary?
Mr. Noonan. Historically they have been more the watchdog
or audit, inspector general type function, meaning using the
technology to determine where the systems are vulnerable.
Today we are beginning, and just beginning to see the
beginnings of more widespread use in intrusion detection.
Vulnerability detection and intrusion detection are kind of the
yin and yang. One finds the holes, and the other watches to
make sure that the other does not exploit the holes.
Operationally, you want to see the units, using both
vulnerability detection to fortify the environment and
intrusion detection to monitor it to ensure that it is being
used judiciously.
Historically it has been mainly the watchdog part. That is
just now beginning to turn to more operational use.
Mr. Greenwood. Do you and your competitors aggressively
market your services to the systems managers within the Federal
Government? Do you have conferences and exhibits and so forth
where these Federal managers can come and survey this
technology?
Mr. Noonan. Yes, we do, as do many in the industry. One
thing that is of particular note is movement in this area has
really just begun in the last 6 to 9 months in terms of active
technologies that can be deployed to protect the
infrastructure. If I had to take a guess, I would probably say
that 5 percent, maybe, of the government actually is protected
with these types of technologies operationally. And I could be
off by as much as 5 percent. Regardless, I think we have a long
way to go.
Ms. McDonald. Mr. Chairman, one of the things that we are
doing in FedCIRC this fiscal year is evolving into an intrusion
detection system that is called Managed Security Services, much
like what Mr. Noonan's company offers.
We are encouraging Federal agencies to deploy managed
security services; and hopefully we are responsible for maybe
some of that 5 percent, if 5 percent exists. It is our
intention in the FedCIRC organization to, after we have
encouraged agencies to implement managed security services and
intrusion detection systems, that we will develop an analysis
capability within FedCIRC so that these intrusion detection
systems will feed up into the FedCIRC program office and we
will be able to get a picture, a much better picture across
government as to what is actually occurring.
With this step we feel that we can move from the 20 percent
of the incidents that are being discovered to closer to the 100
percent.
Mr. Greenwood. Mr. Noonan, since the bad guys can use your
services or at least your software, do you have any process of
screening out the bad guys?
Mr. Noonan. Mr. Chairman, it would be very difficult for
the bad guys to use our technology. Each is encrypted with a
special key. Each user that licenses the software is required
to provide information and sign a license agreement. So our
systems are not freely available, and they do not operate
unless you have a key generated by us, and each key is specific
to that user.
So if the DOE licensed our vulnerability system, they could
not use it on the Department of Transportation computers
because it would not match up with their IP addresses.
Mr. Greenwood. The Chair recognizes the gentleman, Mr.
Strickland.
Mr. Strickland. Ms. McDonald, I have a copy here of a March
2001 newsletter from FedCIRC about the demise of the FedNet,
which has been described as a conceptualized weapon to defend
the Federal information infrastructure by tracking anomalous
behavior. According to this newsletter, FedNet was buried
because of concerns of the public, media, and Congress because
it was a threat to privacy rights. Are you familiar with this?
Ms. McDonald. I am familiar with that, sir. If I could
explain----
Mr. Strickland. If you could explain to me what you do not
agree with.
Ms. McDonald. We did not bury FedNet. FedNet first came to
the public's attention in a New York Times article in 1998.
That article said that FedNet was a system that was going to be
run by the FBI, and that it was going to monitor all citizens'
e-mails, including the content of those e-mails, in the United
States. FedNet was actually a program the GSA was sponsoring,
not the FBI, and the idea was to develop an intrusion detection
network with all of the Federal civilian agencies.
Because of the bad publicity that it got, we revamped the
program. We now call it the managed security services, which is
what I alluded to. And what we have done, so that agencies have
confidence in what we are doing in the FedCIRC program, is we
are encouraging agencies to establish intrusion detection
systems within their own organizations and then work with
FedCIRC on a voluntary basis.
One of the important facts of this entire area is trust. We
lost a lot of trust with the FedNet program, which is why we
chose to rename it managed security services. And as the
industry has matured, and as Mr. Noonan has testified, these
services are commercially available and we are encouraging
agencies to procure these services themselves and then work
with FedCIRC.
Mr. Strickland. Ms. McDonald, this is your publication?
Ms. McDonald. That's correct.
Mr. Strickland. It indicates that Federal civilian agencies
for questionable activities, to provide those same agencies a
vehicle to obtain those services from private industry. I think
we are talking about the services that were envisioned in
FedNet. FedCIRC is preparing a new offering that would employ
private industry and will consist of a variety of information
security services under the caveat managed security services.
Now, is this an attempt by the GSA to go--to sneak around
behind the back of Congress and set up, if not the same system,
certainly a similar system, as a way of avoiding the kind of
criticism that was directed toward the previous effort?
Ms. McDonald. Absolutely not. The idea was to make it much
more palatable to the Federal civilian agencies, to put them in
control of the systems because they would be the ones that
would be procuring what is now a commercially available
service. FedNet as it was designed or thought of in 1998 didn't
really exist. But that shows the maturity in this entire field.
Now these services are available commercially, and it is
important for agencies to trust the FedCIRC operation. So we
are encouraging them to deploy these services and then share
the results of those systems with us.
Mr. Strickland. Yes. If you can just speak to this
question. Under the services available from the managed
security services program, will the public be able to have
confidence that all of their communications will not be tracked
or trackable?
Ms. McDonald. Absolutely.
Mr. Strickland. That is still a concern?
Ms. McDonald. That was a misunderstanding from the New York
Times article. These systems are going to be deployed only at
Federal agencies looking at Federal agency systems, and they
will not be looking at the content of those systems.
Mr. Strickland. So you are saying to me, if a private
citizen attempts or does gather information from some Federal
source, some Federal agency, that it will not be possible to
track that communication to identify it?
Ms. McDonald. That's correct. Unless that private citizen
does something like the Department of Energy demonstrated this
morning, it won't show up on an intrusion detection system if
it is a normal, approved-type activity.
Mr. Strickland. Reference is made to anomalous behavior. Do
you have a definition of what that would be?
Ms. McDonald. Behavior that is beyond the normal. For
instance, most of us work 9-to-5 jobs. Profiles are developed
on a user. If all of a sudden somebody was working at their job
at 2 a.m., that would fall into that type of behavior, and that
would kick out on the intrusion detection system.
Mr. Strickland. I suspect that a lot of committee and staff
members of the House of Representatives would be identified as
engaging in anomalous behavior because many of them work at
strange hours.
Ms. McDonald. That is true. I am sure that if you looked at
Mr. Noonan's company's hours, his hours would be quite
different than perhaps a Federal agency's hours. But with an
intrusion detection system, you profile the culture that occurs
in your organization. So perhaps maybe the staffers are not
working at 2 o'clock in the afternoon.
Mr. Strickland. It seems to me that the result of this
could be, the profiling, a very innocent behavior on the part
of American citizens that seem to have work habits that were
perceived by someone as anomalous. Is that not something that
the American public should have some reasonable concern about?
Ms. McDonald. Let me say that this whole area of
technology, as you very well know, opens up a tremendous amount
of privacy concerns, and people's activities can be tracked. It
is something that we need to balance with the need to protect.
Mr. Strickland. I appreciate the difficulty of the issue
that we are discussing today. I think it is important to be
open and have full disclosure. I think it is important that the
concerns that resulted in the initial action to not proceed be
fully explored.
Mr. Chairman, I do think this is a matter that we should
continue to follow and to explore as we look more deeply into
this.
Ms. McDonald. We would be glad to work with you on that.
Thank you.
Mr. Strickland. Thank you.
Mr. Greenwood. The Chair thanks the gentleman and
recognizes the gentlelady from Colorado.
Ms. DeGette. Thank you, Mr. Chairman.
We have been hearing a lot of pretty chilling testimony
this morning about the risks of this cyberterrorism and other
kinds of compromises of our systems.
I am just sitting here wondering--for example, this slide
that Mr. Noonan put up with this Website from--not the Website,
but this slide from Africa. And I think you said that we wonder
if people from places like Africa couldn't hack into our
systems and even launch nuclear weapons or biological warfare.
Mr. Dick, in your written testimony you say we have not
seen an example of cyberterrorism. With all of this activity
going on, I guess I am wondering why we have not seen an
example of cyberterrorism yet.
Mr. Dick. In the continuum of incidents and times, over
time as people get familiar with the technology, the tools,
even get greater availability out on the Internet, you are
going to see the volume of activity go up. Eventually we are
going to see it.
Ms. DeGette. Why do you think that we have not seen it yet?
Mr. Noonan. I was just going to comment on that. I think we
have seen it. We see it in industry. It is just a microcosm. It
is not the same necessarily as in the physical world. I have
seen entire customer records destroyed. That is terrorism to a
business.
Ms. DeGette. And that is certainly serious to us. What is
your definition of cyberterrorism?
Mr. Noonan. I think that is a very good question. The tools
that I represented--and that is actually a Website which has
been copied now and made into a slide. You can click on any one
of those and download those weapons, if you will.
My definition of cyberterrorism for a commercial industry
is anything that causes significant problems with the
availability, the confidentiality, or the integrity of those
systems. We can now have very small incidences of
cyberterrorism, or very coordinated, large-scale attacks.
Mr. Dick. My definition is different. What he described
there, those would be criminal acts that we would investigate
under criminal authorities.
When we talk about terrorism in the Department of Justice
and from an investigation standpoint, we have governed by
certain laws and by who are defined as foreign powers. So my
definition is much more restrictive.
Ms. DeGette. What is your definition?
Mr. Dick. Basically those foreign powers that are attacking
the United States and its assets for political motives as
opposed to some sort of economic reason.
Ms. DeGette. Why do you think that we have not had any
incidence of cyberterrorism on the scale of what Mr. Noonan
describes?
Mr. Dick. My statement says we have not had any that we can
attribute to any foreign powers, organizations, and acts at
this point in time. I am not saying that there never has been.
Ms. DeGette. So you think that we might have had
cyberterrorism, but we do not know?
Mr. Dick. I have no empirical data that says specifically.
Ms. DeGette. First of all, I think we should figure out
what our definition of cyberterrorism is. That might be helpful
in this analysis. It might be helpful to the public when we
think about the safety of our government and Internet systems.
I agree with Mr. Strickland that we need a lot more research
and hearings on this. But the reason that I am concerned about
this issue is because we are here today talking about
compromise of government computer systems, and I am trying to
figure out what the very real risk is of, say, someone hacking
into our military intelligence systems or our defense systems
and actually launching these biological weapons or nuclear
weapons or obtaining top secret information.
I understand that there are a lot of incidents, but what is
the real risk here?
Mr. Dick. When we say, ``terrorism,'' we are looking at
things that are politically motivated in an attempt to
intimidate our society or policies, or change policies, as
opposed to affect a business's way of doing business.
Ms. DeGette. Why do you think that we have not had this
happen? Do we have pretty good integrity of those critical
systems and what we need to do is work on other systems? Ms.
McDonald, do you have an opinion on this?
Ms. McDonald. I think we are lucky that we have not had it
happen.
Ms. DeGette. Mr. Noonan, do you have any comments?
Mr. Noonan. I think we have a lot of problems. I think in
terms of the infrastructure, I think that it is very, very
widespread; and whether I would comment on whether we have had
cyberterrorism or not, I know we have had compromises. I have
tracked them and watched them in and out of our own government
and agencies.
What networks the Pentagon actually uses to launch nuclear
weapons, I don't know. I hope that those are not easily
accessible from the Internet. But I know that we have had
compromises. Whether we want to call that terrorism or not is
up to us.
Ms. DeGette. Shifting direction a little bit, Mr. Noonan,
these 65,000 doors that you talk about, and computers that
allow unauthorized entries, those are part of the operating
systems that come with computers when people obtain them?
Mr. Noonan. That's correct. That is a world standard.
Ms. DeGette. Right. I would think that a good portion of
the blame for the vulnerabilities in operating systems would
lie on the developers of those products; wouldn't you agree?
Mr. Noonan. Not entirely, but partially, yes; because the
Internet standard, PCPIP, which we use all over the world, is
open by design, and this is the fundamental challenge.
Ms. DeGette. In fact, Microsoft says customers want
openness, not closed doors, correct?
Mr. Noonan. Absolutely. So the conundrum is how do you
secure the integrity of the system when it is based on an open
design.
Ms. DeGette. Do you have any ideas how to do that?
Mr. Noonan. Absolutely. I absolutely do.
Ms. DeGette. Would you share one?
Mr. Noonan. I believe we are entering an age where
everything is going to be microprocessor driven, not just our
computers, but the Internet will be the base foundation for
command and control systems for distribution tracking systems,
for satellite tracking systems, for everything that we do that
needs information. The only way that we are going to secure
these systems out into the future is if each individual system
on the network has its own capability to intelligently monitor
itself and discern between good and bad behavior.
Ms. DeGette. Thank you. I have one last question, and that
is to Ms. McDonald. I assume that is your chart behind you?
Ms. McDonald. Yes. It is based upon our data.
Ms. DeGette. My question to you is of the route compromises
on that chart which are in red, it says a route compromise
means that the intruder has gained full administrative or route
privileges over the targeted system, meaning that any
information or capability of the system is totally owned and is
controllable by the intruder.
Ms. McDonald. That's correct.
Ms. DeGette. How many of those route compromises have been
to confidential or secret data?
Ms. McDonald. To my knowledge, none.
Ms. DeGette. Thank you.
Mr. Chairman, I can see that we have a lot more work to do.
I want to thank this excellent panel and the previous one.
Mr. Greenwood. The Chair is going to recognize himself for
a second round of questions, and I turn to you first, Ms.
McDonald.
Of the 586 incidents reported in 2000, is it true that at
least several of those are known to have resulted in the
compromise of sensitive agency information; and if so, can you
give us some sense of the type of information that was
compromised?
Ms. McDonald. Every Federal civilian agency, as we have
heard this morning, maintains very sensitive information on
American citizens. I can tell you that most of the increases
that we have seen, and most of the incidents in the year 2000
had to do with scientific research and environmentally involved
agencies. Again, because this is an area that FedCIRC needs to
develop the trust of the agencies that we work with, I could
not go into identifying which particular agencies and what
systems.
But generally the scientific area is--as Mr. Noonan alluded
to, the whole Internet is very open. And it was developed by
the scientific area and they, as part of their research, are a
very open community.
Mr. Greenwood. Your testimony notes there has been a rise
in reconnaissance activities, scans of government computers by
foreign sources over the past year, up from 60 percent in 1999
to 75 percent in 2000. Are we talking about terrorism
activities, teenage hackers from abroad, espionage, or a
combination of these; and how does FedCIRC determine if a scan
is by a foreign source, and what information are these foreign
sources trying to gain access to?
Ms. McDonald. Well, we can determine whether it's a foreign
address where these scans are coming from. If with working with
the agency we feel that it is a nation-state then we work with
Mr. Dick's area or the NSA and transfer that information over
to them. We do not investigate incidents. Our job is to report
incidents, assist agencies to recover from incidents, and to
give agencies the tools that they need in order to protect
themselves.
Mr. Greenwood. Mr. Dick, according to a Washington Post
article dated March 21 of this year, your current assessment of
computer security at Federal facilities is that they are
extremely vulnerable to potentially crippling cyberattacks. Is
that an accurate assessment of your view; and if so, what is
that view based on?
Mr. Dick. It is an accurate assessment of my view of not
only government systems but private sector systems as has been
demonstrated in this committee today. There are numerous tools
out there for which to exploit the vulnerabilities in those
systems; and unless there is due diligence on the part of
systems administrators, CEOs and executive managements of
government agencies, as well as the private sector as a whole,
you're going to have vulnerabilities and that includes due
diligence not only in the implementation of firewalls and
intrusion detection software, but as has been pointed out
earlier, continually updating and correcting your systems.
For example, we are conducting an investigation currently,
or several investigations, regarding known vulnerabilities to
certain operating systems. These intruders are going in, as I
alluded to earlier, and taking credit card numbers and then
extorting the businesses. In December of this year we issued a
warning based upon our investigative efforts to the public
saying that these are the known vulnerabilities in this
operating system which need to be repaired because of this. We
got very little play.
In March we became much more public after coordinating with
the information sharing and analysis centers and our other
partners and came out with a very--a much more public
announcement and beat the drum louder, if you will, to try and
get these vulnerabilities fixed because there are known patches
that can prevent this. Because of that, one of the information
sharing and analysis centers indicated that we were able to
prevent over 1,600 attempts.
So the point is that it is continual vigilance and
implementation in security; and unless you do that, you are
vulnerable.
Mr. Greenwood. GSA told this committee--told our staff that
in excess of 95 percent of the intrusions into Federal
computers could have been prevented had well-known
vulnerabilities been patched with existing remedies. What does
that say about the state of our computer security and
vigilance, Ms. McDonald?
Ms. McDonald. It doesn't say a lot.
Mr. Greenwood. Actually, it does say a lot.
Ms. McDonald. Well, yes it does; but not what I would like
to say about it. One of the things that we're doing in the Fed
service area, recognizing this being an issue, is working with
a number of companies to see what capabilities they have to
offer the Federal Government for a patch distribution system so
that we can profile the agency systems to determine where--what
type systems they have, where they stand on their patches, and
then, as patches come out, feed them down to the agencies in a
hope that that will encourage them to apply the patches and
therefore allow them to recover from----
Mr. Greenwood. Well, you're hoping that it will encourage
them, but are they required? If you do an advisory indicating a
vulnerability in a known patch and you distribute that to the
Federal agency, is the Federal agency required----
Ms. McDonald. No.
Mr. Greenwood. [continuing] under any----
Ms. McDonald. No. This would only allow us the knowledge
that the patch was delivered to them, and we can establish the
system so that we can see if they actually took the patch; but
they're under no requirement to apply the patch.
Mr. Greenwood. Do you keep records of to what extent your
encouragement works in the patches?
Ms. McDonald. We will, once we implement the system.
Mr. Greenwood. Okay. The Chair thanks all three of our
witnesses for their superb testimony and you are excused. And I
would call the second panel, consisting of Mr. Robert Dacey,
director of information security systems at the U.S. General
Accounting Office, and Mr. John S. Tritak, director of Critical
Infrastructure Assurance Office of the U.S. Department of
Commerce.
I'm going to do what I failed to do in the last panel and
that is remind you this committee is holding an investigative
hearing and when doing so it has had the practice of taking
testimony under oath. Do either of you have any objection to
testify under oath?
Mr. Dacey. No.
Mr. Tritak. Not at all.
Mr. Greenwood. You're also then advised that under the
rules of the House and under the rules of the committee you're
entitled to be advised by counsel. Do you desire to be advised
by counsel during your testimony?
Mr. Dacey. I do not.
Mr. Tritak. I do not.
Mr. Greenwood. In that case, will you rise and raise your
right hand and I will swear you in.
[Witnesses sworn.]
Thank you. Please be seated.
We will recognize Mr. Dacey for his testimony for 5
minutes.
TESTIMONY OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY
ISSUES, U.S. GENERAL ACCOUNTING OFFICE; AND JOHN S. TRITAK,
DIRECTOR, CRITICAL INFRASTRUCTURE ASSURANCE OFFICE, U.S.
DEPARTMENT OF COMMERCE
Mr. Dacey. Mr. Chairman, I am pleased to be here this
afternoon to discuss information security in the Federal
Government. Evaluations by GAO and the Inspectors General
continue to show that computer security over the government's
unclassified systems are fraught with serious and widespread
weaknesses. The risk associated with these weaknesses as has
been discussed earlier are heightened by the increasing
interconnectivity of our systems, as well as the use of the
Internet. While the government cannot estimate the actual
damage and loss, principally because many incidents are either
not identified or not reported, I'd like to provide several
examples that illustrate the effect that can happen to Federal
agencies.
First, there can be theft or misuse of Federal Government
resources. For example, one individual embezzled over $435,000
at the Department of Defense. At EPA, a hacker chat room was
surreptitiously installed on an agency server. An EPA system
was used by hackers to launch attacks against others, and
numerous Federal Web sites have been reportedly defaced.
Ineffective security can also result in inappropriate
disclosure or misuse of sensitive personal and proprietary
business information. For example, sensitive information was
reported stolen by the Department of Defense. IRS employees
have browsed taxpayer records and used information obtained to
commit financial and other crimes. Social security information
has been sold to facilitate identity theft.
Another effect is potential disruption of business
operations. For example, operations at several agencies were
disrupted by the ``I love you'' virus. Also, users were locked
out of EPA systems using some of the techniques we saw
demonstrated earlier today.
And third, DOE stood down its Internet connections on
several occasions. The last can result in modification or
destruction of programs or data. For example, sensitive
information was corrupted and malicious software installed at
the Department of Defense.
While agencies' operations and risks vary, the types of
weaknesses reported are strikingly similar. In general, systems
did not have adequate controls to prevent and detect
unauthorized changes to systems software, to prevent or detect
unauthorized access to facilities, systems, programs and data,
and to ensure the continuity of business operations.
We and the Inspectors General made scores of
recommendations to improve security, and in 2001 we again
reported information security as a high-risk area, as we have
in 1997 and 1999.
I would like to point out that GAO employs similar tests to
those that were demonstrated this morning and would like to add
that even though those generally result in our ability to gain
root access or other access to systems, we sometimes are just
as successful in guessing passwords and using social
engineering to gain access to those systems.
Even if agencies do implement the corrective actions that
have been identified, all too often subsequent reviews have
uncovered the same types of vulnerabilities. As we've reported
in the past, these weaknesses continue to exist principally
because agencies have not established effective computer
security management programs. Effective programs would allow
for processes and procedures to assess risks, to ensure that
controls are adequately put in place to address those risks, to
have a regular process of raising awareness by the employees,
and last, to have a process to monitor the effectiveness of
security on an ongoing basis.
While we have seen that some agencies have implemented
policies and procedures and have established risk awareness
programs, little has been done by most agencies to actively
monitor the effectiveness of the controls, unlike what was
demonstrated today by the Department of Energy.
The Congress has expressed concern about the serious and
pervasive nature of computer security and recently passed
legislation that would require some additional reporting and
work to be done. Specifically, the legislation requires that
agencies establish computer security management programs over
all operations and assets of the agency.
Second, the legislation requires both agency and Inspector
General annual reviews to be performed, and the information
from those reviews could be very helpful in oversight and
monitoring of agencies' progress.
Other actions have been initiated across government,
including several agencies that have taken important steps to
improve computer security. The Federal Chief Information
Officers Council has issued a guide for measuring agency
progress, which we assisted in developing; and the prior
administration has issued a national plan for information
systems protection as well as the current administration
issuing the first annual update on the status of critical
infrastructure.
It is important to maintain the momentum of these efforts
and ensure that the activities currently underway are
coordinated under a comprehensive strategy and that the roles
and responsibilities of the numerous organizations with central
responsibilities for computer security are clearly defined.
Mr. Chairman, that concludes our statement. I would be
pleased to answer any questions that you or the members of the
subcommittee may have.
[The prepared statement of Robert F. Dacey follows:]
Prepared Statement of Robert F. Dacey, Director, Information Security
Issues, General Accounting Office
Mr. Chairman and Members of the Subcommittee: I am pleased to be
here today to discuss our analysis of information security audits at
federal agencies. As with other large organizations, federal agencies
rely extensively on computerized systems and electronic data to support
their missions. Accordingly, the security of these systems and data is
essential to avoiding disruptions in critical operations, data
tampering, fraud, and inappropriate disclosure of sensitive
information.
Today, I will summarize the results of our analysis of information
security audits performed by us and by agency inspectors general since
July 1999 at 24 major federal departments and agencies. In summarizing
these results, I will discuss the types of pervasive weaknesses that we
and agency inspectors general have identified. I will then describe the
serious risks that these weaknesses pose at selected individual
agencies of particular interest to this subcommittee, and the major
common weaknesses that agencies need to address. Finally, I will
describe the management improvements that are needed to resolve these
weaknesses and the significant challenges that remain.
BACKGROUND
Dramatic increases in computer interconnectivity, especially in the
use of the Internet, are revolutionizing the way our government, our
nation, and much of the world communicate and conduct business. The
benefits have been enormous. Vast amounts of information are now
literally at our fingertips, facilitating research on virtually every
topic imaginable; financial and other business transactions can be
executed almost instantaneously, often on a 24-hour-a-day basis; and
electronic mail, Internet web sites, and computer bulletin boards allow
us to communicate quickly and easily with a virtually unlimited number
of individuals and groups.
In addition to such benefits, however, this widespread
interconnectivity poses significant risks to our computer systems and,
more important, to the critical operations and infrastructures they
support. For example, telecommunications, power distribution, water
supply, public health services, and national defense--including the
military's warfighting capability--law enforcement, government
services, and emergency services all depend on the security of their
computer operations. The speed and accessibility that create the
enormous benefits of the computer age likewise, if not properly
controlled, allow individuals and organizations to inexpensively
eavesdrop on or interfere with these operations from remote locations
for mischievous or malicious purposes, including fraud or sabotage.
Reports of attacks and disruptions abound. The March 2001 report of
the ``Computer Crime and Security Survey,'' conducted by the Computer
Security Institute and the Federal Bureau of Investigation's San
Francisco Computer Intrusion Squad, showed that 85 percent of
respondents (primarily large corporations and government agencies) had
detected computer security breaches within the last 12 months.
Disruptions caused by virus attacks, such as the ILOVEYOU virus in May
2000 and 1999's Melissa virus, have illustrated the potential for
damage that such attacks hold.\1\ A sampling of reports summarized in
Daily Reports by the FBI's National Infrastructure Protection Center
\2\ during two recent weeks in March illustrates the problem further:
---------------------------------------------------------------------------
\1\ Critical Infrastructure Protection: ``ILOVEYOU'' Computer Virus
Highlights Need for Improved Alert and Coordination Capabilities (GAO/
T-AIMD-00-181, May 18, 2000); Information Security: ``ILOVEYOU''
Computer Virus Emphasizes Critical Need for Agency and Governmentwide
Improvements (GAO/T-AIMD-00-171, May 10, 2000); Information Security:
The Melissa Computer Virus Demonstrates Urgent Need for Stronger
Protection Over Systems and Sensitive Data (GAO/T-AIMD-99-146, April
15, 1999).
\2\ In its Daily Reports, the National Infrastructure Protection
Center states that these summaries are for information purposes only
and do not constitute any verification of the information contained in
the reports or endorsement by the FBI.
Hackers suspected of having links to a foreign government
successfully broke into the Sandia National Laboratory's
computer system and were able to access sensitive classified
information. (Source: Washington Times, March 16, 2001.)
A hacker group by the name of ``PoizonB0x'' defaced numerous
government web sites, including those of the Department of
Transportation, the Administrative Office of the U.S. Courts,
the National Science Foundation, the National Oceanic and
Atmospheric Administration, the Princeton Plasma Physics
Laboratory, the General Services Administration, the U.S.
Geological Survey, the Bureau of Land Management, and the
Office of Science & Technology Policy. (Source: Attrition.org.,
March 19, 2001.)
The ``Russian Hacker Association'' is offering over the
Internet an e-mail bombing system that will destroy a persons
``web enemy'' for a fee. (Source: UK Ministry of Defense Joint
Security Coordination Center)
Two San Diego men allegedly crashed a company's computer
system by rerouting tens of thousands of unsolicited e-mails
through its servers. (Source: ZDNet News, March 18, 2001.)
Government officials are increasingly concerned about attacks from
individuals and groups with malicious intent, such as crime, terrorism,
foreign intelligence gathering, and acts of war. According to the FBI,
terrorists, transnational criminals, and intelligence services are
quickly becoming aware of and using information exploitation tools such
as computer viruses, Trojan horses, worms, logic bombs, and
eavesdropping sniffers that can destroy, intercept, or degrade the
integrity of and deny access to data. As greater amounts of money are
transferred through computer systems, as more sensitive economic and
commercial information is exchanged electronically, and as the nation's
defense and intelligence communities increasingly rely on commercially
available information technology, the likelihood that information
attacks will threaten vital national interests increases. In addition,
the disgruntled organization insider is a significant threat, since
such individuals often have knowledge that allows them to gain
unrestricted access and inflict damage or steal assets without a great
deal of knowledge about computer intrusions.
Since 1996, our analyses of information security at major federal
agencies have shown that federal systems were not being adequately
protected from these threats, even though these systems process, store,
and transmit enormous amounts of sensitive data and are indispensable
to many federal agency operations. In September 1996, we reported that
serious weaknesses had been found at 10 of the 15 largest federal
agencies, and we concluded that poor information security was a
widespread federal problem with potentially devastating
consequences.\3\ In 1998 and in 2000, we analyzed audit results for 24
of the largest federal agencies: both analyses found that all 24
agencies had significant information security weaknesses.\4\ As a
result of these analyses, we have identified information security as a
high-risk issue in reports to the Congress since 1997-most recently in
January 2001.\5\
---------------------------------------------------------------------------
\3\ Information Security: Opportunities for Improved OMB Oversight
of Agency Practices (GAO/AIMD-96-110, September 24, 1996).
\4\ Information Security: Serious Weaknesses Place Critical Fedearl
Operations and Assets at Risk (GAO/AIMD-98-92, September 23, 1998);
Information Security: Serious and Widespread Weaknesses Persist at
Federal Agencies (GAO/AIMD-00-295, September 6, 2000).
\5\ High-Risk Series: Information Management and Technology (GAO/
HR-97-9, February 1, 1997); High-Risk Series: An Update (GAO/HR-99-1,
January 1999); High Risk Series: An Update (GAO-01-263, January 2001).
---------------------------------------------------------------------------
WEAKNESSES REMAIN PERVASIVE
Evaluations published since July 1999 show that federal computer
systems are riddled with weaknesses that continue to put critical
operations and assets at risk. Significant weaknesses have been
identified in each of the 24 agencies covered by our review. These
weaknesses covered all six major areas of general controls--the
policies, procedures, and technical controls that apply to all or a
large segment of an entity's information systems and help ensure their
proper operation. These six areas are (1) security program management,
which provides the framework for ensuring that risks are understood and
that effective controls are selected and implemented, (2) access
controls, which ensure that only authorized individuals can read,
alter, or delete data, (3) software development and change controls,
which ensure that only authorized software programs are implemented,
(4) segregation of duties, which reduces the risk that one individual
can independently perform inappropriate actions without detection, (5)
operating systems controls, which protect sensitive programs that
support multiple applications from tampering and misuse, and (6)
service continuity, which ensures that computer-dependent operations
experience no significant disruptions.
Weaknesses in these areas placed a broad range of critical
operations and assets at risk for fraud, misuse, and disruption. In
addition, they placed an enormous amount of highly sensitive data--much
of it pertaining to individual taxpayers and beneficiaries--at risk of
inappropriate disclosure.
The scope of audit work performed has continued to expand to more
fully cover all six major areas of general controls at each agency. Not
surprisingly, this has led to the identification of additional areas of
weakness at some agencies. While these increases in reported weaknesses
are disturbing, they do not necessarily mean that information security
at federal agencies is getting worse. They more likely indicate that
information security weaknesses are becoming more fully understood-an
important step toward addressing the overall problem. Nevertheless, our
analysis leaves no doubt that serious, pervasive weaknesses persist. As
auditors increase their proficiency and the body of audit evidence
expands, it is probable that additional significant deficiencies will
be identified.
Most of the audits covered in our analysis were performed as part
of financial statement audits. At some agencies with primarily
financial missions, such as the Department of the Treasury and the
Social Security Administration, these audits covered the bulk of
mission-related operations. However, at agencies whose missions are
primarily nonfinancial, such as the Departments of Defense and Justice,
the audits may provide a less complete picture of the agency's overall
security posture because the audit objectives focused on the financial
statements and did not include evaluations of systems supporting
nonfinancial operations.
In response to congressional interest, during fiscal years 1999 and
2000, we expanded our audit focus to cover a wider range of
nonfinancial operations. We expect this trend to continue.
RISKS TO FEDERAL OPERATIONS, ASSETS, AND CONFIDENTIALITY ARE
SUBSTANTIAL
To fully understand the significance of the weaknesses we
identified, it is necessary to link them to the risks they present to
federal operations and assets. Virtually all federal operations are
supported by automated systems and electronic data, and agencies would
find it difficult, if not impossible, to carry out their missions and
account for their resources without these information assets. Hence,
the degree of risk caused by security weaknesses is extremely high.
The weaknesses identified place a broad array of federal operations
and assets at risk of fraud, misuse, and disruption. For example,
weaknesses at the Department of the Treasury increase the risk of fraud
associated with billions of dollars of federal payments and
collections, and weaknesses at the Department of Defense increase the
vulnerability of various military operations. Further, information
security weaknesses place enormous amounts of confidential data,
ranging from personal and tax data to proprietary business information,
at risk of inappropriate disclosure. For example, in 1999, a Social
Security Administration employee pled guilty to unauthorized access to
the administration's systems. The related investigation determined that
the employee had made many unauthorized queries, including obtaining
earnings information for members of the local business community.
Such risks, if inadequately addressed, may limit government's
ability to take advantage of new technology and improve federal
services through electronic means. For example, this past February, we
reported on serious control weaknesses in the Internal Revenue
Service's (IRS) electronic filing system, noting that failure to
maintain adequate security could erode public confidence in electronic
filing, jeopardize the Service's ability to meet its goal of 80 percent
of returns being filed electronically by 2007, and deprive it of
financial and other anticipated benefits. Specifically, we found that,
during the 2000 tax filing season, IRS did not adequately secure access
to its electronic filing systems or to the electronically transmitted
tax return data those systems contained. We demonstrated that
unauthorized individuals, both internal and external to IRS, could have
gained access to these systems and viewed, copied, modified, or deleted
taxpayer data. In addition, the weaknesses we identified jeopardized
the security of the sensitive business, financial, and taxpayer data on
other critical IRS systems that were connected to the electonic filing
systems. The IRS Commissioner has stated that, in response to
recommendations we made, IRS has completed corrective action for all of
the critical access control vulnerabilities we identified and that, as
a result, the electronic filing systems now satisfactorily meet
critical federal security requirements to protect the taxpayer.\6\ As
part of our audit follow up activities, we plan to evaluate the
effectiveness of IRS's corrective actions.
---------------------------------------------------------------------------
\6\ Information Security: IRS Electronic Filing Systems (GAO-01-
306, February 16, 2001).
---------------------------------------------------------------------------
I would now like to describe the risks associated with specific
recent audit findings at agencies of particular interest to this
subcommittee.
Information technology is essential to the Department of
Energy's (DOE) scientific research mission, which is supported by a
large and diverse set of computing systems, including very powerful
supercomputers located at DOE laboratories across the nation. In June
2000, we reported that computer systems at DOE laboratories supporting
civilian research had become a popular target of the hacker community,
with the result that the threat of attacks had grown dramatically in
recent years.\7\ Further, because of security breaches, several
laboratories had been forced to temporarily disconnect their networks
from the Internet, disrupting the laboratories' ability to do
scientific research for up to a full week on at least two occasions. In
February 2001, the DOE's Inspector General reported network
vulnerabilities and access control weaknesses in unclassified systems
that increased the risk that malicious destruction or alteration of
data or the processing of unauthorized operations could occur.\8\
---------------------------------------------------------------------------
\7\ Information Security: Vulnerabilities in DOE's Systems for
Unclassified Civilian Research (GAO/AIMD-00-140, June 9, 2000).
\8\ Report on the Department of Energy's Consolidated Financial
Statements, DOE/IG-FS-01-01, February 16, 2001.
---------------------------------------------------------------------------
In February, the Department of Health and Human Services'
Inspector General again reported serious control weaknesses affecting
the integrity, confidentiality, and availability of data maintained by
the department.\9\ Most significant were weaknesses associated with the
department's Health Care Financing Administration, which was
responsible, during fiscal year 2000, for processing more than $200
billion in medicare expenditures. HCFA relies on extensive data
processing operations at its central office to maintain administrative
data, such as Medicare enrollment, eligibility, and paid claims data,
and to process all payments for managed care. HCFA also relies on
Medicare contractors, who use multiple shared systems to collect and
process personal health, financial, and medical data associated with
Medicare claims. Significant weaknesses were also reported for the Food
and Drug Administration and the department's Division of Financial
Operations.
---------------------------------------------------------------------------
\9\ Report on the Financial Statement Audit of the Department of
Health and Human Services for Fiscal Year 2000, A-17-00-00014, February
26, 2001.
---------------------------------------------------------------------------
The Environmental Protection Agency (EPA) relies on its
computer systems to collect and maintain a wealth of environmental data
under various statutory and regulatory requirements. EPA makes much of
its information available to the public through Internet access in
order to encourage public awareness of and participation in managing
human health and environmental risks and to meet statutory
requirements. EPA also maintains confidential data from private
businesses, data of varying sensitivity on human health and
environmental risks, financial and contract data, and personal
information on its employees. Consequently, EPA's information security
program must accommodate the often competing goals of making much of
its environmental information widely accessible while maintaining data
integrity, availability, and appropriate confidentiality. In July 2000,
we reported serious and pervasive problems that essentially rendered
EPA's agencywide information security program ineffective.\10\ Our
tests of computer-based controls concluded that the computer operating
systems and agencywide computer network that support most of EPA's
mission-related and financial operations were riddled with security
weaknesses.
---------------------------------------------------------------------------
\10\ Information Security: Fundamental Weaknesses Place EPA Data
and Operations at Risk (GAO/AIMD-00-215 July 6, 2000).
---------------------------------------------------------------------------
In addition, EPA's records showed that its vulnerabilities had been
exploited by both external and internal sources, as illustrated by the
following examples.
--In June 1998, EPA was notified that one of its computers was used by
a remote intruder as a means of gaining unauthorized access to
a state university's computers. The problem report stated that
vendor-supplied software updates were available to correct the
vulnerability, but EPA had not installed them.
--In July 1999, a chat room was set up on a network server at one of
EPA's regional financial management centers for hackers to post
notes and, in effect, conduct on-line electronic conversations.
--In February 1999, a sophisticated penetration affected three of EPA's
computers. EPA was unaware of this penetration until notified
by the FBI.
--In June 1999, an intruder penetrated an Internet web server at EPA's
National Computer Center by exploiting a control weakness
specifically identified by EPA about 3 years earlier during a
previous penetration of a different system. The vulnerability
continued to exist because EPA had not implemented vendor
software updates (patches), some of which had been available
since 1996.
--On two occasions during 1998, extraordinarily large volumes of
network traffic--synonymous with a commonly used denial-of-
service hacker technique--affected computers at one of EPA's
field offices. In one case, an Internet user significantly
slowed EPA's network activity and interrupted network service
for over 450 EPA computer users. In a second case, an intruder
used EPA computers to successfully launch a denial-of-service
attack against an Internet service provider.
--In September 1999, an individual gained access to an EPA computer and
altered the computer's access controls, thereby blocking
authorized EPA employees from accessing files. This individual
was no longer officially affiliated with EPA at the time of the
intrusion, indicating a serious weakness in EPA's process for
applying changes in personnel status to computer accounts.
Of particular concern was that many of the most serious weaknesses
we identified-those related to inadequate protection from intrusions
through the Internet and poor security planning-had been previously
reported to EPA management in 1997 by EPA's inspector general.\11\ The
negative effects of such weaknesses are illustrated by EPA's own
records, which show several serious computer security incidents since
early 1998 that have resulted in damage and disruption to agency
operations. As a result of these weaknesses, EPA's computer systems and
the operations that rely on them were highly vulnerable to tampering,
disruption, and misuse from both internal and external sources.
---------------------------------------------------------------------------
\11\ EPA's Internet Connectivity Controls, Office of Inspector
General Report Audit (Redacted Version), September 5, 1997.
---------------------------------------------------------------------------
EPA management has developed and begun to implement a detailed
action plan to address reported weaknesses. However, the agency does
not expect to complete these corrective actions until 2002 and
continued to report a material weakness in this area in its fiscal year
2000 report on internal controls under the Federal Managers' Financial
Integrity Act of 1982.\12\
---------------------------------------------------------------------------
\12\ Audit Rewport on EPA's Fiscal 2000 Financial Statements,
Office of the Inspector General Audit Report 2001-1-00107, February 28,
2001.
---------------------------------------------------------------------------
The Department of Commerce is responsible for systems that
the department has designated as critical for national security,
national economic security, and public health and safety. Its member
bureaus include the National Oceanic and Atmospheric Administration,
the Patent and Trademark Office, the Bureau of the Census, and the
International Trade Administration. During December 2000 and January
2001, Commerce 's inspector general reported significant computer
security weaknesses in several of the department's bureaus and, last
month, reported multiple material information security weaknesses
affecting the department's ability to produce accurate data for
financial statements. These included a lack of formal, current security
plans and weaknesses in controls over access to systems and over
software development and changes.\13\ At the request of the full
committee, we are currently evaluating information security controls at
selected other Commerce bureaus.
---------------------------------------------------------------------------
\13\ Department of Commerce's Fiscal year 2000 Consolidated
Financial Statements, Inspector General Audit Report No. FSD-12849-1-
0001.
---------------------------------------------------------------------------
WHILE NATURE OF RISK VARIES, CONTROL WEAKNESSES ACROSS AGENCIES ARE
STRIKINGLY SIMILAR
The nature of agency operations and their related risks vary.
However, striking similarities remain in the specific types of general
control weaknesses reported and in their serious negative impact on an
agency's ability to ensure the integrity, availability, and appropriate
confidentiality of its computerized operations--and therefore on what
corrective actions they must take. The sections that follow describe
the six areas of general controls and the specific weaknesses that were
most widespread at the agencies covered by our analysis.
Security Program Management
Each organization needs a set of management procedures and an
organizational framework for identifying and assessing risks, deciding
what policies and controls are needed, periodically evaluating the
effectiveness of these policies and controls, and acting to address any
identified weaknesses. These are the fundamental activities that allow
an organization to manage its information security risks cost
effectively, rather than react to individual problems in an ad-hoc
manner only after a violation has been detected or an audit finding
reported.
Despite the importance of this aspect of an information security
program, poor security program management continues to be a widespread
problem. Virtually all of the agencies for which this aspect of
security was reviewed had deficiencies. Specifically, many had not
developed security plans for major systems based on risk, had not
documented security policies, and had not implemented a program for
testing and evaluating the effectiveness of the controls they relied
on. As a result, agencies
were not fully aware of the information security risks to
their operations,
had accepted an unknown level of risk by default rather than
consciously deciding what level of risk was tolerable,
had a false sense of security because they were relying on
controls that were not effective, and
could not make informed judgments as to whether they were
spending too little or too much of their resources on security.
With the October 2000 enactment of the government information
security reform provisions of the fiscal year 2001 National Defense
Authorization Act, agencies are now required by law to adopt the
practices described above, including annual management evaluations of
agency security.
Access Controls
Access controls limit or detect inappropriate access to computer
resources (data, equipment, and facilities), thereby protecting these
resources against unauthorized modification, loss, and disclosure.
Access controls include physical protections--such as gates and
guards--as well as logical controls, which are controls built into
software that require users to authenticate themselves through the use
of secret passwords or other identifiers and limit the files and other
resources that an authenticated user can access and the actions that he
or she can execute. Without adequate access controls, unauthorized
individuals, including outside intruders and terminated employees, can
surreptitiously read and copy sensitive data and make undetected
changes or deletions for malicious purposes or personal gain. Even
authorized users can unintentionally modify or delete data or execute
changes that are outside their span of authority.
For access controls to be effective, they must be properly
implemented and maintained. First, an organization must analyze the
responsibilities of individual computer users to determine what type of
access (e.g., read, modify, delete) they need to fulfill their
responsibilities. Then, specific control techniques, such as
specialized access control software, must be implemented to restrict
access to these authorized functions. Such software can be used to
limit a user's activities associated with specific systems or files and
to keep records of individual users' actions on the computer. Finally,
access authorizations and related controls must be maintained and
adjusted on an ongoing basis to accommodate new and terminated
employees, and changes in users' responsibilities and related access
needs.
Significant access control weaknesses were reported for all of the
agencies covered by our analysis, as evidenced by the following
examples:
Accounts and passwords for individuals no longer associated
with the agency were not deleted or disabled; neither were they
adjusted for those whose responsibilities, and thus need to
access certain files, changed. At one agency, as a result,
former employees and contractors could and in many cases did
still read, modify, copy, or delete data. At this same agency,
even after 160 days of inactivity, 7,500 out of 30,000 users'
accounts had not been deactivated.
Users were not required to periodically change their
passwords.
Managers did not precisely identify and document access needs
for individual users or groups of users. Instead, they provided
overly broad access privileges to very large groups of users.
As a result, far more individuals than necessary had the
ability to browse and, sometimes, modify or delete sensitive or
critical information. At one agency, all 1,100 users were
granted access to sensitive system directories and settings. At
another agency, 20,000 users had been provided access to one
system without written authorization.
Use of default, easily guessed, and unencrypted passwords
significantly increased the risk of unauthorized access. During
testing at one agency, we were able to guess many passwords
based on our knowledge of commonly used passwords and were able
to observe computer users' keying in passwords and then use
those passwords to obtain ``high level'' system administration
privileges.
Software access controls were improperly implemented,
resulting in unintended access or gaps in access-control
coverage. At one agency data center, all users, including
programmers and computer operators, had the capability to read
sensitive production data, increasing the risk that such
sensitive information could be disclosed to unauthorized
individuals. Also at this agency, certain users had the
unrestricted ability to transfer system files across the
network, increasing the risk that unauthorized individuals
could gain access to the sensitive data or programs.
To illustrate the risks associated with poor authentication and
access controls, in recent years we have begun to incorporate network
vulnerability testing into our audits of information security. Such
tests involve attempting--with agency cooperation--to gain unauthorized
access to sensitive files and data by searching for ways to circumvent
existing controls, often from remote locations. Our auditors have been
successful, in almost every test, in readily gaining unauthorized
access that would allow intruders to read, modify, or delete data for
whatever purpose they had in mind. Further, user activity was
inadequately monitored. At one agency, much of the activity associated
with our intrusion testing was not recognized and recorded, and the
problem reports that were recorded did not recognize the magnitude of
our activity or the severity of the security breaches we initiated.
Application Software Development and Change Controls
Application software development and change controls prevent
unauthorized software programs or modifications to programs from being
implemented. Key aspects of such controls are ensuring that (1)
software changes are properly authorized by the managers responsible
for the agency program or operations that the application supports, (2)
new and modified software programs are tested and approved prior to
their implementation, and (3) approved software programs are maintained
in carefully controlled libraries to protect them from unauthorized
changes and to ensure that different versions are not misidentified.
Such controls can prevent both errors in software programming as
well as malicious efforts to insert unauthorized computer program code.
Without adequate controls, incompletely tested or unapproved software
can result in erroneous data processing that, depending on the
application, could lead to losses or faulty outcomes. In addition,
individuals could surreptitiously modify software programs to include
processing steps or features that could later be exploited for personal
gain or sabotage.
Weaknesses in software program change controls were identified for
almost all of the agencies where such controls were evaluated. Examples
of weaknesses in this area included the following:
Testing procedures were undisciplined and did not ensure that
implemented software operated as intended. For example, at one
agency, senior officials authorized some systems for processing
without testing access controls to ensure that they had been
implemented and were operating effectively. At another,
documentation was not retained to demonstrate user testing and
acceptance.
Implementation procedures did not ensure that only authorized
software was used. In particular, procedures did not ensure
that emergency changes were subsequently tested and formally
approved for continued use and that implementation of ``locally
developed'' (unauthorized) software programs was prevented or
detected.
Agencies' policies and procedures frequently did not address
the maintenance and protection of program libraries.
Segregation of Duties
Segregation of duties refers to the policies, procedures, and
organizational structure that help ensure that one individual cannot
independently control all key aspects of a process or computer-related
operation and thereby conduct unauthorized actions or gain unauthorized
access to assets or records without detection. For example, one
computer programmer should not be allowed to independently write, test,
and approve program changes.
Although segregation of duties alone will not ensure that only
authorized activities occur, inadequate segregation of duties increases
the risk that erroneous or fraudulent transactions could be processed,
improper program changes implemented, and computer resources damaged or
destroyed. For example,
an individual who was independently responsible for
authorizing, processing, and reviewing payroll transactions
could inappropriately increase payments to selected individuals
without detection; or
a computer programmer responsible for authorizing, writing,
testing, and distributing program modifications could either
inadvertently or deliberately implement computer programs that
did not process transactions in accordance with management's
policies or that included malicious code.
Controls to ensure appropriate segregation of duties consist mainly
of documenting, communicating, and enforcing policies on group and
individual responsibilities. Enforcement can be accomplished by a
combination of physical and logical access controls and by effective
supervisory review.
Segregation of duties weaknesses were identified at most of the
agencies covered by our analysis. Common problems involved computer
programmers and operators who were authorized to perform a variety of
duties, thus providing them the ability to independently modify,
circumvent, and disable system security features. For example, at one
data center, a single individual could independently develop, test,
review, and approve software changes for implementation.
Segregation of duties problems were also identified related to
transaction processing. For example, at one agency, 11 staff members
involved with procurement had system access privileges that allowed
them to individually request, approve, and record the receipt of
purchased items. In addition, 9 of the 11 had system access privileges
that allowed them to edit the vendor file, which could result in
fictitious vendors being added to the file for fraudulent purposes. For
fiscal year 1999, we identified 60 purchases, totaling about $300,000,
that were requested, approved, and receipt-recorded by the same
individual.
Operating System Controls
Operating system software controls limit and monitor access to the
powerful programs and sensitive files associated with the computer
systems operation. Generally, one set of system software is used to
support and control a variety of applications that may run on the same
computer hardware. System software helps control and coordinate the
input, processing, output, and data storage associated with all of the
applications that run on the system. Some system software can change
data and program code on files without leaving an audit trail or can be
used to modify or delete audit trails. Examples of system software
include the operating system, system utilities, program library
systems, file maintenance software, security software, data
communications systems, and database management systems.
Controls over access to and modification of system software are
essential in providing reasonable assurance that operating system-based
security controls are not compromised and that the system will not be
impaired. If controls in this area are inadequate, unauthorized
individuals might use system software to circumvent security controls
to read, modify, or delete critical or sensitive information and
programs. Also, authorized users of the system may gain unauthorized
privileges to conduct unauthorized actions or to circumvent edits and
other controls built into application programs. Such weaknesses
seriously diminish the reliability of information produced by all of
the applications supported by the computer system and increase the risk
of fraud, sabotage, and inappropriate disclosure. Further, system
software programmers are often more technically proficient than other
data processing personnel and, thus, have a greater ability to perform
unauthorized actions if controls in this area are weak.
The control concerns for system software are similar to the access
control issues and software program change control issues discussed
earlier. However, because of the high level of risk associated with
system software activities, most entities have a separate set of
control procedures that apply to them.
Weaknesses were identified at each of the agencies for which
operating system controls were reviewed. A common type of problem
reported was insufficiently restricted access that made it possible for
knowledgeable individuals to disable or circumvent controls in a
variety of ways. For example, at one agency, system support personnel
had the ability to change data in the system audit log. As a result,
they could have engaged in a wide array of inappropriate and
unauthorized activity and could have subsequently deleted related
segments of the audit log, thus diminishing the likelihood that their
actions would be detected.
Further, pervasive vulnerabilities in network configuration exposed
agency systems to attack. These vulnerabilities stemmed from agencies'
failure to (1) install and maintain effective perimeter security, such
as firewalls and screening routers, (2) implement current software
patches, and (3) protect against commonly known methods of attack.
Service Continuity
Finally, service continuity controls ensure that when unexpected
events occur, critical operations will continue without undue
interruption and that crucial, sensitive data are protected. For this
reason, an agency should have (1) procedures in place to protect
information resources and minimize the risk of unplanned interruptions
and (2) a plan to recover critical operations, should interruptions
occur. These plans should consider the activities performed at general
support facilities, such as data processing centers, as well as the
activities performed by users of specific applications. To determine
whether recovery plans will work as intended, they should be tested
periodically in disaster simulation exercises.
Losing the capability to process, retrieve, and protect information
maintained electronically can significantly affect an agency's ability
to accomplish its mission. If controls are inadequate, even relatively
minor interruptions can result in lost or incorrectly processed data,
which can cause financial losses, expensive recovery efforts, and
inaccurate or incomplete financial or management information. Controls
to ensure service continuity should address the entire range of
potential disruptions. These may include relatively minor
interruptions, such as temporary power failures or accidental loss or
erasure of files, as well as major disasters, such as fires or natural
disasters that would require reestablishing operations at a remote
location.
Service continuity controls include (1) taking steps, such as
routinely making backup copies of files, to prevent and minimize
potential damage and interruption, (2) developing and documenting a
comprehensive contingency plan, and (3) periodically testing the
contingency plan and adjusting it as appropriate.
Service continuity control weaknesses were reported for most of the
agencies covered by our analysis. Examples of weaknesses included the
following:
Plans were incomplete because operations and supporting
resources had not been fully analyzed to determine which were
the most critical and would need to be resumed as soon as
possible should a disruption occur.
Disaster recovery plans were not fully tested to identify
their weaknesses. At one agency, periodic walkthroughs or
unannounced tests of the disaster recovery plan had not been
performed. Conducting these types of tests provides a scenario
more likely to be encountered in the event of an actual
disaster.
IMPROVED SECURITY PROGRAM MANAGEMENT IS ESSENTIAL
The audit reports cited in this statement and in our prior
information security reports include many recommendations to individual
agencies that address specific weaknesses in the areas I have just
described. It is each individual agency's responsibility to ensure that
these recommendations are implemented. Agencies have taken steps to
address problems and many have good remedial efforts underway. However,
these efforts will not be fully effective and lasting unless they are
supported by a strong agencywide security management framework.
Establishing such a management framework requires that agencies
take a comprehensive approach that involves both (1) senior agency
program managers who understand which aspects of their missions are the
most critical and sensitive and (2) technical experts who know the
agencies' systems and can suggest appropriate technical security
control techniques. We studied the practices of organizations with
superior security programs and summarized our findings in a May 1998
executive guide entitled Information Security Management: Learning From
Leading Organizations (GAO/AIMD-98-68). Our study found that these
organizations managed their information security risks through a cycle
of risk management activities that included
assessing risks and determining protection needs,
selecting and implementing cost-effective policies and
controls to meet these needs,
promoting awareness of policies and controls and of the risks
that prompted their adoption among those responsible for
complying with them, and
implementing a program of routine tests and examinations for
evaluating the effectiveness of policies and related controls
and reporting the resulting conclusions to those who can take
appropriate corrective action.
In addition, a strong, centralized focal point can help ensure that
the major elements of the risk management cycle are carried out and
serve as a communications link among organizational units. Such
coordination is especially important in today's highly networked
computing environments. This cycle of risk management activities is
depicted below.
This cycle of activity, as described in our May 1998 executive
guide, is consistent with guidance on information security program
management provided to agencies by the Office of Management and Budget
(OMB) and by NIST. In addition, the guide has been endorsed by the
federal Chief Information Officers (CIO) Council as a useful resource
for agency managers. We believe that implementing such a cycle of
activity is the key to ensuring that information security risks are
adequately considered and addressed on an ongoing basis.
While instituting this framework is essential, there are several
steps that agencies can take immediately. Specifically, they can (1)
increase awareness, (2) ensure that existing controls are operating
effectively, (3) ensure that software patches are up-to-date, (4) use
automated scanning and testing tools to quickly identify problems, (5)
propagate their best practices, and (6) ensure that their most common
vulnerabilities are addressed. None of these actions alone will ensure
good security. However, they take advantage of readily available
information and tools and, thus, do not involve significant new
resources. As a result, they are steps that can be made without delay.
NEW LEGAL REQUIREMENTS PROVIDE BASIS FOR IMPROVED MANAGEMENT AND
OVERSIGHT
Due to concerns about the repeated reports of computer security
weaknesses at federal agencies, in 2000, the Congress passed government
information security reform provisions require agencies to implement
the activities I have just described. These provisions were enacted in
late 2000 as part of the fiscal year 2001 NationalDefense Authorization
Act. In addition to requiring these management improvements, the new
provisions require annual evaluations of agency information security
programs by both management and agency inspectors general. The results
of these reviews, which are initially scheduled to become available in
late 2001, will provide a more complete picture of the status of
federal information security than currently exists, thereby providing
the Congress and OMB an improved means of overseeing agency progress
and identifying areas needing improvement.
IMPROVEMENT EFFORTS ARE UNDERWAY, BUT MANY CHALLENGES REMAIN
During the last two years, a number of improvement efforts have
been initiated. Several agencies have taken significant steps to
redesign and strengthen their information security programs; the
Federal Chief Information Officers Council has issued a guide for
measuring agency progress, which we assisted in developing; and the
President issued a National Plan for Information Systems Protection and
designated the related goals of computer security and critical
infrastructure protection as a priority management objective in his
fiscal year 2001 budget. These actions are laudable. However, recent
reports and events indicate that they are not keeping pace with the
growing threats and that critical operations and assets continue to be
highly vulnerable to computer-based attacks.
While OMB, the Chief Information Officers Council, and the various
federal entities involved in critical infrastructure protection have
expanded their efforts, it will be important to maintain the momentum.
As we have noted in previous reports and testimonies, there are actions
that can be taken on a governmentwide basis to enhance agencies'
abilities to implement effective information security.
First, it is important that the federal strategy delineate the
roles and responsibilities of the numerous entities involved in federal
information security and related aspects of critical infrastructure
protection. Under current law, OMB is responsible for overseeing and
coordinating federal agency security; and NIST, with assistance from
the National Security Agency (NSA), is responsible for establishing
related standards. In addition, interagency bodies, such as the CIO
Council and the entities created under Presidential Decision Directive
63 on critical infrastructure protection are attempting to coordinate
agency initiatives. While these organizations have developed
fundamentally sound policies and guidance and have undertaken
potentially useful initiatives, effective improvements are not taking
place, and it is unclear how the activities of these many organizations
interrelate, who should be held accountable for their success or
failure, and whether they will effectively and efficiently support
national goals.
Second, more specific guidance to agencies on the controls that
they need to implement could help ensure adequate protection. Currently
agencies have wide discretion in deciding what computer security
controls to implement and the level of rigor with which they enforce
these controls. In theory, this is appropriate since, as OMB and NIST
guidance states, the level of protection that agencies provide should
be commensurate with the risk to agency operations and assets. In
essence, one set of specific controls will not be appropriate for all
types of systems and data.
However, our studies of best practices at leading organizations
have shown that more specific guidance is important. In particular,
specific mandatory standards for varying risk levels can clarify
expectations for information protection, including audit criteria;
provide a standard framework for assessing information security risk;
and help ensure that shared data are appropriately protected.
Implementing such standards for federal agencies would require
developing a single set of information classification categories for
use by all agencies to define the criticality and sensitivity of the
various types of information they maintain. It would also necessitate
establishing minimum mandatory requirements for protecting information
in each classification category.
Third, routine periodic audits, such as those required in the
government information security reforms recently enacted, would allow
for more meaningful performance measurement. Ensuring effective
implementation of agency information security and critical
infrastructure protection plans will require monitoring to determine if
milestones are being met and testing to determine if policies and
controls are operating as intended.
Fourth, the Congress and the executive branch can use of audit
results to monitor agency performance and take whatever action is
deemed advisable to remedy identified problems. Such oversight is
essential to holding agencies accountable for their performance as was
demonstrated by the OMB and congressional efforts to oversee the year
2000 computer challenge.
Fifth, it is important for agencies to have the technical expertise
they need to select, implement, and maintain controls that protect
their computer systems. Similarly, the federal government must maximize
the value of its technical staff by sharing expertise and information.
As the year 2000 challenge showed, the availability of adequate
technical expertise has been a continuing concern to agencies.
Sixth, agencies can allocate resources sufficient to support their
computer security and infrastructure protection activities. Funding for
security is already embedded to some extent in agency budgets for
computer system development efforts and routine network and system
management and maintenance. However, some additional amounts are likely
to be needed to address specific weaknesses and new tasks. OMB and
congressional oversight of future spending on computer security will be
important to ensuring that agencies are not using the funds they
receive to continue ad hoc, piecemeal security fixes not supported by a
strong agency risk management framework.
Mr. Chairman, this concludes my statement. I would be pleased to
answer any questions that you or other members of the Subcommittee may
have at this time.
Mr. Greenwood. Thank you, Mr. Dacey.
Mr. Tritak.
TESTIMONY OF JOHN S. TRITAK
Mr. Tritak. Thank you, Mr. Chairman. I welcome the
opportunity to appear before this subcommittee to discuss
internal Federal Government efforts in securing its critical
infrastructures. I ask that my written statement be introduced
into the record at this time.
Mr. Greenwood. It will be.
Mr. Tritak. My opening remarks will focus primarily on
those efforts through the end of the Clinton administration. A
detailed discussion of those efforts are provided in the
President's report to the Congress which was published in
January and was prepared both by the National Security Council
and my office, the Critical Infrastructure Assurance Office, in
coordination with Federal Governments and agencies that
actually reported on their activities.
Mr. Chairman, as you know, the administration is currently
conducting a thorough review of its critical infrastructure
protection policy. While the results of that review are still
several weeks away, several things we already know, which I
think should be discussed here.
First, President Bush himself has indicated that critical
infrastructure protection is important to U.S. Economic and
national security and will be a priority of his administration.
Second, and the point goes to remarks made by Congressman
Tauzin, National Security Adviser Rice has recently stated with
regard to government agency organizations that on the one hand
no single government agency can handle all of the critical
infrastructure assurance problems for the Federal Government.
All agencies are stakeholders and have a role in the solution.
That said, however, coordination among governments naturally
occurring stovepipes must take place and must take place better
than it has in the past. Moreover there must be a common point
of contact that is accessible both to private industry and the
government, Federal Government, the Congress, and the American
people in addressing this issue.
A third point was also made by Dr. Rice. She stated that
the Federal Government bears a direct responsibility to ensure
that it can deliver essential services and perform critical
functions necessary for the Nation's defense, the health and
welfare and safety of its citizens. I think this statement
deserves a little explanation because it makes a very important
point about critical infrastructure policy.
In the first instance, critical infrastructure protection
is about assured delivery of vital services that are provided
by key sectors of government and the economy, including
electric power, oil and gas, telecommunications, banking and
finance, transportation, water, health and emergency services.
To the extent these infrastructures depend on computer systems
and networks to deliver those vital services, and increasingly
they do, to that extent critical infrastructure policy must be
concerned with computer security and information assurance.
Now, under Presidential directive 63 the previous
administration established as one of its goals the achievement
of the ability to protect the Nation's critical infrastructures
from deliberate attacks. That could significantly diminish the
government's ability to perform national security missions and
ensure the public health and safety of the American people.
When I first took office, this office, I often asked how
are we going to know when we've achieved this goal and what
does it take to achieve it. I had more than a passing interest
in the question because one of the mandates under PDD-63 for my
office is to assist Federal agencies in assessing their
dependence on critical infrastructures.
Ultimately, our response was to develop what we call
``project matrix.'' That decision came out of a sense of
frustration both within our own office as well as some
government agencies asking the question how do we go about
doing this, managing this very large problem.
Now project matrix basically takes a systems-analysis
approach to the critical infrastructure problem. It starts by
asking each participating department and agency what services
do you provide that are necessary to the Nation's defense, the
orderly functioning of the economy, or the health, welfare and
safety of Americans. More importantly, of those services, which
if disrupted even for short periods of time could have a
significant and immediate impact on the public.
You will note, Mr. Chairman, that there's a time-
sensitivity element that is important to our analysis. I have
to explain why. We believe that those types of services, those
types of critical and time-sensitive services, and the systems
that are necessary for their delivery, are at the greatest risk
if attacked and therefore deserve priority attention in terms
of security. Let me give you an example.
Timely hurricane warnings would be deemed under our
approach as a critical service; and, therefore, NOAA's national
hurricane warning center would be deemed a critical asset. This
is because disruption of timely warnings of hurricanes during a
hurricane season could have absolutely catastrophic effects on
the public.
The matrix approach requires agencies also to think
functionally rather than bureaucratically. It is not enough in
the case of the national hurricane warning center to determine
whether it alone is secure. So, too, must all the other
government and private sector entities necessary to the
performance of the center's warning operations be secure as
well. In many instances, vital functions performed by one
agency depend on services provided by another. Assured delivery
of critical services are only as good as the weakest link in
the delivery chain.
Having essentially mapped a critical government service
across government agencies and between government and the
private sector, we are now--agencies are better able then to
direct their efforts toward determining whether or not that
service is vulnerable to disruption and immediate disruption.
Among other things, this sort of approach also helps
rationalize the budgetary process and prioritizing your
security activities within an agency.
Let me say in conclusion, Mr. Chairman, a number of things.
First, critical infrastructure policy is inherently a risk-
management problem. A number of people here today have all
indicated there's no such thing as perfect security. We need to
know what is at risk however; and we need to decide how to
manage those risks, balancing costs and consequences.
Also, critical infrastructure protection is concerned with
computer security, but it is not synonymous with it. There are
very good reasons for having good computer security besides
those in support of critical infrastructure policy. We've heard
about many. Privacy of data bases that have information about
citizens is critical, whether or not it would meet the standard
of creating an immediate impact and harm on the public in some
broader sense. Protecting classified systems is important
regardless of what is contained in them.
Now, how we decide to allocate resources for all computer
security demands within the Federal Government is essentially a
public-policy choice, a choice the administration is currently
weighing in its review. That said, if securing critical
government services are to be a priority, particularly time-
sensitive ones, then going through a process along the lines
I've just described is required. In addition, having identified
government--critical government assets essential to delivery of
critical services, priority must also be given to assessing
their vulnerabilities and developing and implementing
remediation plans in those instances where vulnerabilities
exist. And I can't overemphasize that last point. Just because
a government asset is critical doesn't necessarily mean it's
vulnerable to cyberattacks. If it is not connected to the
Internet, if it is not connected to any part of the world, it
by definition would not be vulnerable to outside attack,
putting aside the internal problems you may have with
disgruntled employees, which we all acknowledge is a problem.
For example, I use the hurricane warning center as an
example of how we go through the analytic process. I didn't by
any means want to imply it is necessarily vulnerable to attack.
In fact, from what I know, it's quite secure. What is the
point, however, and what I wish to leave you with is that
unless you know how the government's crown jewels function and
how having identified those elements all other relevant
government assets and private assets that are essential to the
functioning of those crown jewels you don't know whether you're
vulnerable or not; and, therefore, you don't know whether
you're secure or not against cyber-based attacks.
That concludes my remarks, Mr. Chairman; and I welcome any
questions you may have.
[The prepared statement of John S. Tritak follows:]
Prepared Statement of John S. Tritak, Director, Critical Infrastructure
Assurance Office
Mr. Chairman, members of the Subcommittee, it is an honor to appear
before you today to discuss the status, as of the time that the Bush
Administration took office, of Federal government efforts to secure
internal critical systems and infrastructure within Departments and
Agencies. These efforts are described in some detail in the Report of
the President of the United States on the Status of Federal Critical
Infrastructure Protection Activities, January 2001.
This Subcommittee has shown exceptional leadership on a broad range
of national and economic security issues and I am grateful for the
opportunity to work closely with you and the Congress to find ways to
advance infrastructure assurance for all Americans. As you know, the
Bush Administration currently is conducting a thorough review of our
critical infrastructure protection policy. We expect the results of
that review over the next couple of months. President Bush has
indicated already, however, that securing our nation's critical
infrastructures will be a priority of his Administration. Your decision
to hold this hearing could not be more timely. We all recognize that no
viable solutions will be developed or implemented without the executive
and legislative branches working together.
I believe the work of your subcommittee, along with that of others,
will make an important contribution to establishing a new consensus on
safeguarding critical government services against cyber attacks.
BACKGROUND
America has long depended on a complex of systems--or critical
infrastructures--to assure the delivery of services vital to its
national defense, economic prosperity, and social well-being. These
infrastructures include telecommunications, water supplies, electric
power, oil and gas delivery and storage, banking and finance,
transportation, and vital human and government services.
The Information Age has fundamentally altered the nature and extent
of our dependency on these infrastructures. Increasingly, our
government, economy, and society are being connected together into an
ever expanding and interdependent digital nervous system of computers
and information systems. With this interdependence come new
vulnerabilities. One person with a computer, a modem, and a telephone
line anywhere in the world potentially can break into sensitive
government files, shut down an airport's air traffic control system, or
cause a power outage in an entire region.
Events such as the 1995 bombing of the Murrah Federal Building in
Oklahoma City demonstrated that the Federal government needed to
address new types of threats and vulnerabilities, many of which the
nation was unprepared to defend against. In response to the Murrah
Building tragedy and other events, an inter-agency working group was
formed to examine the nature of the threat, our vulnerabilities, and
possible long-term solutions for this aspect of our national security.
The National Security Council's Critical Infrastructure Working Group
(CIWG) included representatives from the defense, intelligence, law
enforcement and national security communities. The working group
identified both physical and cyber threats and recommended formation of
a Presidential Commission to address more thoroughly many of these
growing concerns.
In July 1996 the President's Commission on Critical Infrastructure
Protection (PCCIP) was established by Executive Order 13010. The
bipartisan PCCIP included senior representatives from private industry,
government, and academia; its Advisory Committee consisted of industry
leaders who provided counsel to the Commission.
After examining infrastructure issues for over a year, the
Commission issued its report, Critical Foundations: Protecting
America's Infrastructures. The Report reached four significant
conclusions:
First, critical infrastructure protection is central to our
national defense, including national security and national
economic power;
Second, growing complexity and interdependence between
critical infrastructures may create the increased risk that
rather minor and routine disturbances can cascade into national
security emergencies;
Third, vulnerabilities are increasing steadily and the means
to exploit weaknesses are readily available; practical measures
and mechanisms, the Commission argued, must be urgently
undertaken before we are confronted with a national crisis; and
Fourth, laying a foundation for security will depend on new
forms of cooperation with the private sector, which owns and
operates a majority of these critical infrastructure
facilities.
PDD-63
On May 22, 1998, Presidential Decision Directive 63 (PDD-63) was
issued to achieve and maintain the capability to protect our nation's
critical infrastructures from acts that would significantly diminish
the abilities of:
The Federal government to perform essential national security
missions and to ensure the general public health and safety;
State and local governments to maintain order and to deliver
minimum essential public services; and
The private sector to ensure the orderly functioning of the
economy and the delivery of essential telecommunications,
energy, financial, and transportation services.
To achieve these ends, PDD-63 articulates a strategy of:
Creating a public-private partnership to address the problem
of information technology security;
Raising awareness of the importance of cyber security in the
government and in the private sector;
Stimulating market forces to increase the demand for cyber
security and to create standards or best practices;
funding or facilitating research into new information
technology systems with improved security inherent in their
design;
Working with educational facilities to increase the number of
students specializing in cyber security; and
Helping to prevent, mitigate, or respond to major cyber
attacks by building an information sharing system among
government agencies, among corporations, and between government
and industry.
The Federal government's basic approach to critical infrastructure
protection, as reflected in PDD-63, has been built around a strong
policy preference for consensus-building and voluntary cooperation
rather than regulatory actions. In an economy as complex as ours, and
with technology changing as quickly as it is, cooperation offers the
best and surest way to achieve our shared goals in this emerging area.
However, the government's approach also recognizes the need for
coordinated actions to improve its internal defenses and the nation's
overall posture against these new threats.
PDD-63 called for the Federal government to produce a detailed plan
to protect and defend the nation against cyber disruptions. Version 1
of this effort, entitled The National Plan for Information Systems
Protection, was released in January 2000, and represents the first
attempt by a national government to design a comprehensive approach to
protect its critical infrastructures. This initial version of the plan
focused mainly on domestic efforts being undertaken by the Federal
government to protect the nation's critical cyber-based
infrastructures. The next version of the plan, due out this summer,
will focus on the efforts of the infrastructure owners and operators,
as well as the risk management and broader business community.
Under PDD-63, Federal Agencies have a number of distinct
responsibilities:
All agencies are required to protect their own internal
critical infrastructures, especially their cyber systems.
Some agencies with special expertise or functional
responsibilities are tasked with providing services to the
government as a whole.
A number of agencies also are charged with developing
partnerships with private industry in their sectors of the
economy.
I will focus the remainder of my remarks on the first
responsibility--securing internal critical systems. Specifically, I
will discuss the work of my office, the Critical Infrastructure
Assurance Office, in assisting agencies to identify and prioritize
these systems. I also will discuss briefly Federal Government efforts
to formulate security and best practices standards that apply to
information, security, and critical infrastructure assets.
Time constraints prevent me from fully describing the internal
efforts of each federal agency to secure their critical systems. I urge
the subcommittee to review the status reports of each Department and
Agency provided in Section III of the President's January Report.
Likewise, I strongly recommend that the subcommittee study the
agencies' sector partnership efforts described in Section II of the
Report. These efforts are as important to overall national critical
infrastructure assurance as the internal activities that have been
undertaken within the Federal government. I would welcome the
opportunity to brief the sub-committee on another occasion on the work
of the CIAO and the federal lead agencies (Commerce, Energy, Treasury,
Transportation, Justice, Health and Human Services, EPA and Defense) in
promoting meaningful public-private partnerships.
IDENTIFYING CRITICAL FEDERAL INFRASTRUCTURES AND SYSTEMS: PROJECT
MATRIX
In response to PDD 63, my office established Project Matrix last
year to ``coordinate analyses of the U.S. Government's own dependencies
on critical infrastructures.''
This is a government-wide issue. Federal Departments and Agencies
do not operate independently of one another. Due to significant
advances in information technology, the public and private sectors have
become inextricably intertwined. As a result, there is limited utility
in each Federal Department and Agency viewing physical and cyber
security only in the context of its own organization. Project Matrix
provides each Federal Department and Agency an expanded, more
comprehensive, realistic, and useful view of the world within which it
actually functions. The Administration, Congress, and private sector
providers of the nation's critical infrastructures will require such
information to implement cost efficient and effective physical and
cyber security enhancement measures in the future. Project Matrix
provides a common methodology and approach and allows the government to
develop a clearer picture of cross-agency interdependencies.
Participating in Project Matrix helps each Federal Department and
Agency identify the assets, nodes and networks, and associated
infrastructure dependencies and interdependencies that are required for
it to fulfill its national security, economic stability, and critical
public health and safety responsibilities to the American people. A
number of Departments and Agencies refer to Project Matrix in their
reports.
Project Matrix also helps each participating Federal Department and
Agency:
Identify the nodes and networks that should receive robust
cyber and physical vulnerability assessments;
Conduct near-term risk management assessments;
Justify funding requests for high-priority security
enhancement measures in the areas of physical security,
information system security, industrial security, emergency
preparedness, counter-intelligence, counter-terrorism; and
Review actual business processes to better understand and
improve the efficiencies of its organization's functions and
information technology architectures.
Project Matrix involves a three-step process. In Step 1, the
Project Matrix team identifies and prioritizes each Federal
Department's and Agency's PDD 63 relevant assets. In Step 2, the team
provides a business process topology on, and identifies significant
points of failure associated with, each Department's or Agency's most
critical assets. In Step 3, the team identifies the infrastructure
dependencies associated with select assets identified in Step 1 and
analyzed in-depth in Step 2.
In FY 2001, the Project Matrix team will complete the documentation
of its entire analytical process for use throughout the public and
private sectors, improve its Step One automated data collection tool,
and develop compatible automated Step Two and Three tools.
integrating security into the capital planning and budget processes
In February 2000, OMB issued important new guidance to the agencies
on incorporating and funding security in information technology
investments. In brief, this policy states that funding will not be
provided for agency requests that fail to demonstrate how security is
built into and funded as part of each system.
This policy carries through on the requirements of the Clinger-
Cohen Act of 1996 and emphasizes that security must be incorporated in
and practiced throughout the life cycle of each agency's system and
program. To accomplish this, beginning with the FY 2002 budget, each
agency budget request to OMB for information technology funding must,
among other things:
Demonstrate life cycle security costs for each system;
Include a security plan that complies with applicable policy;
Show specific methods used to ensure that risks are
understood, continually assessed, and effectively controlled;
and
Demonstrate that security is an integral part of the agency's
enterprise architecture including interdependencies and
interrelationships.
THE GOVERNMENT INFORMATION SECURITY REFORM ACT
On October 30, 2000 the President signed into law the FY 2001
Defense Authorization Act (P.L. 106398) including Title X, subtitle G,
``Government Information Security Reform (Security Act).'' The security
provision amends the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter
35) and primarily addresses the program management and program
evaluation aspects of security.
In concert with OMB policy, the Security Act requires agencies to
incorporate and practice risk-based and cost-effective security
throughout the life cycle of each agency system and thus firmly ties
security to the agencies' capital planning and budget processes.
The Security Act also requires on an annual basis:
Agency program reviews;
Inspector General evaluations of agency security programs;
Agency reports to OMB; and
An OMB report to Congress.
The annual review and reporting requirements will promote
consistent, ongoing assessments of government security performance.
Recently a uniform method for agency program reviews has been
developed.
THE CIO AND CFO COUNCILS: STANDARDS AND BEST PRACTICES
Standardizing the security controls for government systems has a
conceptual appeal because it can reduce the complexity and expense of
developing, implementing, and monitoring security on a system-by-system
basis. This is increasingly important given the government's shortage
of expert information security personnel. Government computer security
almost certainly would improve if specific standards were prescribed
and implemented for each government information system.
However, specific standards for all systems--a ``one-size-fits-
all'' security approach--may not accommodate the vastly different
operational requirements of each information system and could
unnecessarily impede business operations. Executive branch agencies
operate more than 26,000 major information systems, many of which
directly interact with the public, industry, or State and local
governments. Just as each system has its own unique operational
requirements, so too are its security requirements unique.
The CIO Council and the CFO Council recognize both the benefits and
potential problems with standardized security approaches. They have
undertaken the following important initiatives:
Securing Electronic Government Transactions to the Public--Resource
Guide: The CIO Council, the CFO Council, and the Information Technology
Association of America are working together to develop a benchmark for
risk-based, cost-effective security for three types of electronic
government services:
Web-based information services;
Government procurement; and
Financial transactions with the public.
A resource guide for securing electronic transactions with the
public will be released in 2001 to assist agency CIOs in promoting
electronic government initiatives within their agencies. Together with
the CFO Council initiative for agency financial systems, this effort
may prove to be an effective pilot for establishing similar benchmarks
for other discrete classes of programs and information systems.
Best Security Practices: The CIO Council, led by the U.S. Agency
for International Development and NIST, has developed a web-based
repository of sound Federal agency security practices that have worked
in the real world. The CIO Council's Best Security Practices initiative
collects, documents, and disseminates these practices to help agencies
reduce the cost of developing and testing new security controls,
improve the speed of implementation, and increase the quality of their
security programs.
The goal is to populate the repository with more than 100 practices
by mid 2001 and continually expand offerings from then on. In their
guidance to the agencies on implementing the Government Information
Security Reform Act, OMB has instructed agencies to use the CIO
Council's best practices initiative to fulfill the new act's
requirement to share best practices.
Measuring Performance--Federal Information Technology Security
Assessment Framework: Over the past year, the CIO Council, working with
NIST, OMB, and the GAO, developed the Federal Information Technology
Security Assessment Framework. The framework, issued in December 2000,
provides agencies with a self-assessment methodology to determine the
current status of their security programs and, where necessary,
establish a target for improvement. In developing the framework, the
CIO Council recognizes that the security needs for the tens of
thousands of Federal information systems differ and must be addressed
in different ways.
The framework comprises five levels to guide agency self
assessments and to assist them in prioritizing efforts for improvement:
Level 1 reflects a documented security policy;
Level 2 shows documented procedures and controls to implement
the policy;
Level 3 indicates that the procedures and controls have in
fact been implemented;
Level 4 shows that the procedures and controls are continually
tested and reviewed; and
Level 5 demonstrates that procedures and controls are fully
integrated into a comprehensive program.
Each level represents a more complete and effective security
program. Agencies should bring all systems and programs to level 4 and
ultimately level 5. OMB and the CIO Council have alerted agencies that
when individual systems do not meet the framework's level 4
requirements, the system may not meet OMB's security funding criteria.
As mentioned earlier, the new Government Information Security
Reform Act emphasizes the importance of assessing security
effectiveness and requires annual agency reporting to OMB of the
results of the agency security reviews. OMB has instructed agencies to
use the framework to fulfill their assessment and reporting obligations
under the Security Act.
CONCLUSION
While much has been accomplished in recent years, much more needs
to be done to ensure our critical government systems are adequately
protected from cyber attack. I look forward to working with members of
this subcommittee, and the entire Congress, as we address the
challenges ahead. I look forward to your questions.
Mr. Greenwood. Thank you. Appreciate your testimony.
I will direct some questions to Mr. Dacey, if I may.
Overall, if you had to give the Federal agencies the GAO has
reviewed a collective grade A through F, i.e., passing or
failing, how would you rate them as a group?
Mr. Dacey. I think overall the types of weaknesses we've
seen, again, are pervasive. In terms of a grade, I'll leave
that to Chairman Horn. He's given grades last year, and I am
not sure they've changed a whole lot since then.
Mr. Greenwood. Would this grade be different for defense
versus military agencies than civilian agencies? How would you
compare them?
Mr. Dacey. I just wanted to clarify, the main part of the
work that's been done has been on unclassified systems. So with
respect to those, we're finding similar types of
vulnerabilities in both.
Mr. Greenwood. The committee's reviews of computer security
at various Federal agencies has largely found that security has
been mostly a paperwork exercise up to now. Do you agree with
that?
Mr. Dacey. There are certain areas, I guess, in terms of a
paperwork exercise, that there are documented policies in many
cases that aren't carried through in terms of execution. Also,
there are many places where the policies aren't even
documented. One of the areas that we look at is, again, whether
the agencies have a process such as Energy to really determine
what the effectiveness of their controls are. We've many times
identified vulnerabilities for the first time to agencies; and
although they have been generally very responsive, it's a
process that we think ought to take place in the management
role, not as an audit function. So that is, I guess, how I'd
answer that question.
Mr. Greenwood. It's safe to say that every agency ought to
be constantly testing its own security systems; isn't that a
fair statement?
Mr. Dacey. I think there needs to be a regular process for
that type of testing. Part of that is called for in the new
legislation. The reports on that new legislation will be due
out in the fall to Congress, and those should illustrate some
of the issues and also indicate whether, in fact, that testing
is being done. I believe in your opening statement you referred
to the fact, based on evidence you obtained, that that wasn't
being done. That is consistent with our--what we have seen
actually. We've seen very little done by most agencies to
assess the effectiveness of their security.
Mr. Greenwood. You mentioned in your testimony some
examples of unauthorized access, security breaches, compromised
networks and data from GAO's body of work across Federal
agencies. These are not just hypothetical, are they?
Mr. Dacey. No. We have seen incidents where that has
actually occurred, which I gave in my oral statement. The
question really too is some of these vulnerabilities are, or
were, sensitive when we found them, at least could have led to
all kinds of other things that weren't detected. I would agree
based upon the comments earlier that a large number of
incidents that are occurring are probably not detected and
reported. That is an area where we really need to get better
systems because you can't protect the systems a hundred
percent, as was discussed earlier; but you need to do the best
you can to really implement known patches and address known
vulnerabilities. Many of the tools and Web sites that were
referred to earlier that provide evidence of ways in which
systems can be hacked can also be used by agencies to identify
those same types of weaknesses in their system and fix them. So
I think that is an important area that needs to be addressed.
Mr. Greenwood. It seems to me, as I think Ms. McDonald
said, they encourage the use of patches; but there's no
requirement that the patches be used, and perhaps we ought to
consider a mechanism to make them mandatory.
Mr. Tritak, could you describe for the committee a worst-
case scenario for a cyberattack or information-warfare attack
on one of our Nation's critical infrastructures, just to make
us all feel good?
Mr. Tritak. Yeah, make me feel real good. If I may a little
bit, sir, sort of qualify my remarks by saying the following:
I've heard conversations earlier talk about cyberterrorism,
information warfare; and that is a shorthand that we all use in
describing certain types of threats. I think I prefer when I
address these things is to turn around a little bit and not
using cyberadjectives to modify traditional nouns but to say in
a sense, for example, instead of cyberterrorism, I refer to it
as terrorist activities that attempt to exploit cyberspace to
achieve certain terrorist goals and objectives. Okay. And in an
information warfare context, I think if we're using the term
properly, we're in a state of war in which a country is
utilizing or exploiting the cyberspace and vulnerabilities in
the cyberspace to achieve certain goals and certain objectives.
Now let me give you an idea of the kinds of things I think
would be played out in that context. Let's pretend we go back,
and we have to, God forbid, have to deal with Iraq again in a
way that we had to deal with Iraq before. I think Iraq and the
leadership of Iraq probably would prefer not to have to go toe
to toe with the Americans the way it had to go toe to toe the
first time around. One of the things it probably would attempt
to do if it could--and I'm not saying any of this they can
actually achieve, because I think it is very difficult to do
this, but let's just suppose the intent would be to disrupt the
deployment--mobilization and deployment of U.S. Forces in the
United States and project them overseas and then also the
logistics efforts going from Europe points of demarcation in
Europe finally to the Middle East. To the extent they could
achieve something like that, it could have strategic
implications. So I think we need to look at it in that sense.
Now if you're talking about in the case of a war where in a
sense they would attempt to achieve through cyberattacks what
bombers used to achieve, for example, then you would think of
things that could cause mass problems, disruptions of 911,
introduction of biological chemical weapons at the same time,
the possibility of trying to hack into dams and potentially
open floodgates, anything that would cause the kind of hysteria
and potential loss of life that we tried to do in World War II
or whatever.
That is the kind of thing I think we all have to be
concerned about because I think that is the sort of thing
people would be thinking about if they were going to war with
us and they wanted to exploit the cyberspace in order to
achieve their military and political objectives. I want to also
emphasize it's not clear that they could achieve that; and in
fact, this the beauty of now as well as the curse of today is
the fact that we haven't seen the worst because the worst that
can be done over cyberspace is a function of interconnectivity
and being hooked in. And we're still in the fairly early stages
of doing this. Our society, our government, our economy are
being transformed by information technologies; and increasingly
we're going to be depending on wireless technologies in
addition to the online versions.
So I think that over time the potential for serious
problems conducted over cyberspace will go up. That is why I
applaud the efforts that you're trying to do now. Let's not
wait for that eventuality. Let's take aggressive action now and
perhaps preempt the problem altogether.
Mr. Greenwood. Well, while these worst-case scenarios are
theoretical, the fact of the matter is would you agree with us
that the only thing that stands between us and the worst-case
scenario is the extent to which the Federal agencies involved
utilize the billions of dollars that we've appropriated to them
and the tools, the technological tools that are available to
protect against those scenarios?
Mr. Tritak. Yes. I think that to the extent that Federal
agencies are increasingly relying on information technology to
do key services in national defense and to the extent that
those services are linked into the ever-expanding digital
nervous system that is spanning the country and the globe, you
are exposing yourself to a risk that you have never had before;
and if you are not safeguarding yourself against that, the
potential for the kinds of concerns that you have, I think,
can't be ignored.
Mr. Greenwood. The means will always be there; the
motivation will always be there. The only protection is the
security systems, and the only long-range protection against
those scenarios is constant vigilance, constant testing of our
systems to protect us.
Mr. Tritak. Yes.
Mr. Greenwood. Okay. A recent report by a committee of
Inspectors General issued just last week found PDD-63
implementation to be progressing very slowly at most Federal
agencies. They surveyed 15 Federal agencies including some key
ones for PDD-63 purposes and found that quote ``many agency
infrastructure plans were incomplete,'' that quote ``most
agencies had not identified their critical assets yet and that
almost none of the agencies had completed vulnerability
assessments of those assets or developed remediation plans.''
Do you concur, Mr. Tritak, with this assessment, and why are we
so far in the hole on this?
Mr. Tritak. Well, a couple things. I think that there's
some truth to what you have said. I can't articulate for you in
full to what extent that is the case in each agency situation.
What I can tell you is in the case of the work that we're doing
with agencies under the project matrix all efforts that have
been done so far are in the area of identifying the assets.
I just want to qualify one piece about that because some of
these assets may have been assessed for vulnerabilities during
Y2K, for example, and for other reasons--and we can't
necessarily assume that nothing has been done--but I think one
of the points I am trying to get across to this committee is
unless you understand the full--the way the systems operate in
critical services and you have addressed every single aspect of
that service for vulnerabilities, you don't know whether that
service is assured or not. I think in that regard we have a
long way to go, a real long way to go.
Mr. Greenwood. Okay. We thank you both for your testimony.
The Chair seeks unanimous consent that documents that have been
agreed to by the staff majority and minority be admitted into
the record and that the record remain open for 30 days for
additional statements and materials. With that, this committee
thanks all of its witnesses and adjourns.
[Whereupon, at 12:15 p.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
CRYPTEK
Secure Communications, LLC
April 5, 2001
The Honorable W.J. ``Billy'' Tauzin
Chairman
House Energy and Commerce Committee
2125 Rayburn House Office Building
Washington, DC 20515-6115
Dear Mr. Chairman, I am submitting the following testimony and
presentation for the record at the suggestion of Mr. Gary A. Dionne, a
member of your Committee's professional staff. My firm is the developer
and manufacturer of a network security product known as DiamondTEK.
TM DiamondTEK is the only network security component to ever
successfully complete the National Security Agency's (NSA) B2 level
evaluation. What this means is that DiamondTEK is approved by the NSA
to handle data of multiple levels of classification on a single
workstation over a single network connection. This can translate in
significant cost savings for government users who must worry about
keeping data of various classification levels separate and secure.
This technology is also invaluable to users of sensitive, valuable
data in the commercial marketplace. An example that comes immediately
to mind is ensuring the confidentiality of patient medical records.
Another industry that could benefit from such technology is the
financial services industries and any organization involved with funds
transfer. One misplaced ``byte'' could mean the loss of billions of
dollars.
Cryptek developed DiamondTEK with internal R&D funds to meet
stringent NSA requirements. The company has continued to invest in the
technology, resulting in the worlds most ``trusted'' and secure network
security product. This leading edge capability is available today for
government and commercial users worldwide (Cryptek recently received a
blanket export license from the Department of Commerce to export to any
commercial or government entity in the world with the exception of the
seven terrorist-sponsoring nations).
I wanted to ensure that the Committee was aware that this
technology was available as you consider various encryption and privacy
issues during this Congress. Cryptek stands prepared to brief you,
other Committee Members or staff on our unique products and
capabilities and answer questions you may have.
Thank you for your consideration of this information.
Sincerely,
Jackson Kemper, III
Vice President, Government Affairs6602
[GRAPHIC] [TIFF OMITTED] T2834.001
[GRAPHIC] [TIFF OMITTED] T2834.002
[GRAPHIC] [TIFF OMITTED] T2834.003
[GRAPHIC] [TIFF OMITTED] T2834.003
[GRAPHIC] [TIFF OMITTED] T2834.005
[GRAPHIC] [TIFF OMITTED] T2834.006
[GRAPHIC] [TIFF OMITTED] T2834.007
[GRAPHIC] [TIFF OMITTED] T2834.008
[GRAPHIC] [TIFF OMITTED] T2834.009
[GRAPHIC] [TIFF OMITTED] T2834.010
[GRAPHIC] [TIFF OMITTED] T2834.011
[GRAPHIC] [TIFF OMITTED] T2834.012
[GRAPHIC] [TIFF OMITTED] T2834.013
[GRAPHIC] [TIFF OMITTED] T2834.014
[GRAPHIC] [TIFF OMITTED] T2834.015
[GRAPHIC] [TIFF OMITTED] T2834.016
[GRAPHIC] [TIFF OMITTED] T2834.017
[GRAPHIC] [TIFF OMITTED] T2834.018
[GRAPHIC] [TIFF OMITTED] T2834.019
[GRAPHIC] [TIFF OMITTED] T2834.020
[GRAPHIC] [TIFF OMITTED] T2834.021
[GRAPHIC] [TIFF OMITTED] T2834.022
[GRAPHIC] [TIFF OMITTED] T2834.023
[GRAPHIC] [TIFF OMITTED] T2834.024
[GRAPHIC] [TIFF OMITTED] T2834.025
[GRAPHIC] [TIFF OMITTED] T2834.026
[GRAPHIC] [TIFF OMITTED] T2834.027
[GRAPHIC] [TIFF OMITTED] T2834.028
[GRAPHIC] [TIFF OMITTED] T2834.029
[GRAPHIC] [TIFF OMITTED] T2834.030
[GRAPHIC] [TIFF OMITTED] T2834.031
[GRAPHIC] [TIFF OMITTED] T2834.032
[GRAPHIC] [TIFF OMITTED] T2834.033
[GRAPHIC] [TIFF OMITTED] T2834.034
[GRAPHIC] [TIFF OMITTED] T2834.035
[GRAPHIC] [TIFF OMITTED] T2834.036
[GRAPHIC] [TIFF OMITTED] T2834.037
[GRAPHIC] [TIFF OMITTED] T2834.038
[GRAPHIC] [TIFF OMITTED] T2834.039
[GRAPHIC] [TIFF OMITTED] T2834.040
[GRAPHIC] [TIFF OMITTED] T2834.041
[GRAPHIC] [TIFF OMITTED] T2834.042
[GRAPHIC] [TIFF OMITTED] T2834.043
[GRAPHIC] [TIFF OMITTED] T2834.044
[GRAPHIC] [TIFF OMITTED] T2834.045
[GRAPHIC] [TIFF OMITTED] T2834.046
[GRAPHIC] [TIFF OMITTED] T2834.047
[GRAPHIC] [TIFF OMITTED] T2834.048
[GRAPHIC] [TIFF OMITTED] T2834.049
[GRAPHIC] [TIFF OMITTED] T2834.050
[GRAPHIC] [TIFF OMITTED] T2834.051
[GRAPHIC] [TIFF OMITTED] T2834.052
[GRAPHIC] [TIFF OMITTED] T2834.053
[GRAPHIC] [TIFF OMITTED] T2834.054
[GRAPHIC] [TIFF OMITTED] T2834.055
[GRAPHIC] [TIFF OMITTED] T2834.056
[GRAPHIC] [TIFF OMITTED] T2834.057
[GRAPHIC] [TIFF OMITTED] T2834.058
[GRAPHIC] [TIFF OMITTED] T2834.059
[GRAPHIC] [TIFF OMITTED] T2834.060
[GRAPHIC] [TIFF OMITTED] T2834.061
[GRAPHIC] [TIFF OMITTED] T2834.062
[GRAPHIC] [TIFF OMITTED] T2834.063
[GRAPHIC] [TIFF OMITTED] T2834.064
[GRAPHIC] [TIFF OMITTED] T2834.065
[GRAPHIC] [TIFF OMITTED] T2834.066
[GRAPHIC] [TIFF OMITTED] T2834.067
[GRAPHIC] [TIFF OMITTED] T2834.068
[GRAPHIC] [TIFF OMITTED] T2834.069
[GRAPHIC] [TIFF OMITTED] T2834.070
[GRAPHIC] [TIFF OMITTED] T2834.071
[GRAPHIC] [TIFF OMITTED] T2834.072
[GRAPHIC] [TIFF OMITTED] T2834.073
[GRAPHIC] [TIFF OMITTED] T2834.074
[GRAPHIC] [TIFF OMITTED] T2834.075
[GRAPHIC] [TIFF OMITTED] T2834.076
[GRAPHIC] [TIFF OMITTED] T2834.077
[GRAPHIC] [TIFF OMITTED] T2834.078
[GRAPHIC] [TIFF OMITTED] T2834.079
[GRAPHIC] [TIFF OMITTED] T2834.080
[GRAPHIC] [TIFF OMITTED] T2834.081
[GRAPHIC] [TIFF OMITTED] T2834.082
[GRAPHIC] [TIFF OMITTED] T2834.083
[GRAPHIC] [TIFF OMITTED] T2834.084
[GRAPHIC] [TIFF OMITTED] T2834.085
[GRAPHIC] [TIFF OMITTED] T2834.086
[GRAPHIC] [TIFF OMITTED] T2834.087
[GRAPHIC] [TIFF OMITTED] T2834.088
[GRAPHIC] [TIFF OMITTED] T2834.089
[GRAPHIC] [TIFF OMITTED] T2834.090
[GRAPHIC] [TIFF OMITTED] T2834.091
[GRAPHIC] [TIFF OMITTED] T2834.092
[GRAPHIC] [TIFF OMITTED] T2834.093
[GRAPHIC] [TIFF OMITTED] T2834.094
[GRAPHIC] [TIFF OMITTED] T2834.095
[GRAPHIC] [TIFF OMITTED] T2834.096
[GRAPHIC] [TIFF OMITTED] T2834.097
[GRAPHIC] [TIFF OMITTED] T2834.098
[GRAPHIC] [TIFF OMITTED] T2834.099
[GRAPHIC] [TIFF OMITTED] T2834.100
[GRAPHIC] [TIFF OMITTED] T2834.101
[GRAPHIC] [TIFF OMITTED] T2834.102
[GRAPHIC] [TIFF OMITTED] T2834.103
[GRAPHIC] [TIFF OMITTED] T2834.104
[GRAPHIC] [TIFF OMITTED] T2834.105
[GRAPHIC] [TIFF OMITTED] T2834.106
[GRAPHIC] [TIFF OMITTED] T2834.107
[GRAPHIC] [TIFF OMITTED] T2834.108
[GRAPHIC] [TIFF OMITTED] T2834.109
[GRAPHIC] [TIFF OMITTED] T2834.110
[GRAPHIC] [TIFF OMITTED] T2834.111
[GRAPHIC] [TIFF OMITTED] T2834.112
[GRAPHIC] [TIFF OMITTED] T2834.113
[GRAPHIC] [TIFF OMITTED] T2834.114
[GRAPHIC] [TIFF OMITTED] T2834.115
[GRAPHIC] [TIFF OMITTED] T2834.116
[GRAPHIC] [TIFF OMITTED] T2834.117
[GRAPHIC] [TIFF OMITTED] T2834.118
[GRAPHIC] [TIFF OMITTED] T2834.119
[GRAPHIC] [TIFF OMITTED] T2834.120
[GRAPHIC] [TIFF OMITTED] T2834.121
[GRAPHIC] [TIFF OMITTED] T2834.122
[GRAPHIC] [TIFF OMITTED] T2834.123
[GRAPHIC] [TIFF OMITTED] T2834.124
[GRAPHIC] [TIFF OMITTED] T2834.125
[GRAPHIC] [TIFF OMITTED] T2834.126
[GRAPHIC] [TIFF OMITTED] T2834.127
[GRAPHIC] [TIFF OMITTED] T2834.128
[GRAPHIC] [TIFF OMITTED] T2834.129
[GRAPHIC] [TIFF OMITTED] T2834.130
[GRAPHIC] [TIFF OMITTED] T2834.131
[GRAPHIC] [TIFF OMITTED] T2834.132
[GRAPHIC] [TIFF OMITTED] T2834.133
[GRAPHIC] [TIFF OMITTED] T2834.134
[GRAPHIC] [TIFF OMITTED] T2834.135
[GRAPHIC] [TIFF OMITTED] T2834.136
[GRAPHIC] [TIFF OMITTED] T2834.137
[GRAPHIC] [TIFF OMITTED] T2834.138
[GRAPHIC] [TIFF OMITTED] T2834.139
[GRAPHIC] [TIFF OMITTED] T2834.140
[GRAPHIC] [TIFF OMITTED] T2834.141
[GRAPHIC] [TIFF OMITTED] T2834.142
[GRAPHIC] [TIFF OMITTED] T2834.143
[GRAPHIC] [TIFF OMITTED] T2834.144
[GRAPHIC] [TIFF OMITTED] T2834.145
[GRAPHIC] [TIFF OMITTED] T2834.146
[GRAPHIC] [TIFF OMITTED] T2834.147
[GRAPHIC] [TIFF OMITTED] T2834.148
[GRAPHIC] [TIFF OMITTED] T2834.149
[GRAPHIC] [TIFF OMITTED] T2834.150
[GRAPHIC] [TIFF OMITTED] T2834.151
[GRAPHIC] [TIFF OMITTED] T2834.152
[GRAPHIC] [TIFF OMITTED] T2834.153
[GRAPHIC] [TIFF OMITTED] T2834.154
�