[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]



 
 INFORMATION TECHNOLOGY--ESSENTIAL YET VULNERABLE: HOW PREPARED ARE WE 
                              FOR ATTACKS?
=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
                        FINANCIAL MANAGEMENT AND
                      INTERGOVERNMENTAL RELATIONS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 26, 2001
                               __________

                           Serial No. 107-78
                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform




                     U.S. GOVERNMENT PRINTING OFFICE
80-481                       WASHINGTON : 2002
________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001






                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                 DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia               JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho          ------ ------
EDWARD L. SCHROCK, Virginia                      ------
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont 
------ ------                            (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

    Subcommittee on Government Efficiency, Financial Management and 
                      Intergovernmental Relations

                   STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                  MAJOR R. OWENS, New York
DOUG OSE, California                 PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida              CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
               Robert Alloway, Professional Staff Member
                         Scott R. Fagan, Clerk
          Mark Stephenson, Minority Professional Staff Member









                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on September 26, 2001...............................     1
Statement of:
    Dick, Ronald, Director, National Infrastructure Protection 
      Center, Federal Bureau of Investigation....................   130
    Miller, Harris, president, Information Technology Association 
      of America.................................................   150
    Pethia, Richard D., director, Cert Centers, Software 
      Engineering Institute, Carnegie Mellon University..........    46
    Seetin, Mark, vice president, governmental affairs, New York 
      Mercantile Exchange........................................   137
    Vatis, Michael, director, Institute for Security Technology 
      Studies, Dartmouth College.................................    86
    Willemssen, Joel C., Managing Director, Information 
      Technology Issues, U.S. General Accounting Office..........     5
Letters, statements, etc., submitted for the record by:
    Dick, Ronald, Director, National Infrastructure Protection 
      Center, Federal Bureau of Investigation, prepared statement 
      of.........................................................   133
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of.................     3
    Miller, Harris, president, Information Technology Association 
      of America, prepared statement of..........................   154
    Pethia, Richard D., director, Cert Centers, Software 
      Engineering Institute, Carnegie Mellon University, prepared 
      statement of...............................................    49
    Seetin, Mark, vice president, governmental affairs, New York 
      Mercantile Exchange, prepared statement of.................   145
    Vatis, Michael, director, Institute for Security Technology 
      Studies, Dartmouth College, prepared statement of..........    89
    Willemssen, Joel C., Managing Director, Information 
      Technology Issues, U.S. General Accounting Office:
        Information concerning e-mail bombing....................   164
        Prepared statement of....................................     7













 INFORMATION TECHNOLOGY--ESSENTIAL YET VULNERABLE: HOW PREPARED ARE WE 
                              FOR ATTACKS?

                              ----------                              


                     WEDNESDAY, SEPTEMBER 26, 2001

                  House of Representatives,
  Subcommittee on Government Efficiency, Financial 
        Management and Intergovernmental Relations,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn and Maloney.
    Staff present: J. Russell George, staff director/chief 
counsel; Elizabeth Johnston, GAO detailee; Darin Chidsey and 
Matt Phillips, professional staff members; Mark Johnson, clerk; 
Jim Holmes, intern; David McMillen, minority professional staff 
member; and Jean Gosa, minority clerk.
    Mr. Horn. A quorum being present, the hearing of this 
Subcommittee on Government Efficiency, Financial Management and 
Intergovernmental Relations will come to order.
    The horrific events of September 11 were a wake-up call 
that all too clearly illustrates this Nation's vulnerability to 
attack. We have known for a long time that airport security was 
lax, and we did nothing to fix the problem. Intruders took 
advantage of that vulnerability in ways that for all of us were 
unimaginable.
    We must learn from this experience. But will we? We have 
known for several years that our government's critical computer 
systems are as vulnerable as airport security. In 1997, the 
General Accounting Office placed the security of the executive 
branch of the government's computers on its high-risk list. In 
1998, the Federal Bureau of Investigation formed its National 
Infrastructure Protection Center to gather information on 
computer threats and issue timely warnings about those threats. 
It is now 2001 and the executive branch has made little 
progress in addressing computer security issues. Are we going 
to wait until these vital systems are compromised--or worse?
    During the crisis in New York and Washington, we found that 
the Nation's communication systems were not as strong as they 
needed to be. Cellular telephones stopped working. City leaders 
were unable to communicate with other officials at all levels. 
In the immediate aftermath in New York, broadcast television 
services were interrupted. But imagine the repercussions if 
attacks on the Federal Government's critical computers were 
equally successful. National defense, communications, 
transportation, public health, and emergency response services 
across the Nation could be crippled instantly.
    In addition to the threat of physical assault, the Nation's 
information technology systems are already under cyber-assault. 
Following the terrorist attacks on New York and Washington, the 
``Nimda'' worm attacked computer systems around the world. 
Nimda shut down banks in Japan, multinational corporations, and 
some government systems in the United States, such as Fairfax 
County. On Monday, a new worm was unleashed on computer 
systems. This worm is capable of wiping out a computer's basic 
system files. These attacks are increasing in intensity, 
sophistication, and potential damage. Is the Nation ready for 
this type of terrorism? Will its basic communications and 
computer infrastructure withstand a major assault?
    Today, we want to examine these critical issues. We welcome 
our witnesses and particularly this panel. You had to come from 
a number of places, and we know at the last minute it is tough. 
We thank you very much and we will have a very good discussion 
of these computer threats and the measures that must be taken 
to protect this Nation--its economy, its States, its cities and 
institutions of higher learning and research--besides Federal 
departments States and counties--we will be getting into that 
later this year.
    [The prepared statement of Hon. Stephen Horn follows:]
    [GRAPHIC] [TIFF OMITTED] T0481.001
    
    [GRAPHIC] [TIFF OMITTED] T0481.002
    
    Mr. Horn. So we will now start with the witnesses. And as 
we've done many times before, we will start with the 
representative of the U.S. General Accounting Office, Joel C. 
Willemssen, Managing Director, Information Technology issues.
    We have all witnesses accept the oath and I will start with 
everybody at this point and we'll just go down the line. So if 
you'll raise your right hand--and also have your assistants 
which might give you paper and all that--let's do it all at one 
time. The oath states do you have the full truth of your 
testimony you're about to give for this and the questions, and 
if we ask you to do it 2 weeks from now in terms of a 
particular thing you want in the book, all of this is under 
oath.
    [Witnesses sworn.]
    Mr. Horn. Thank you very much. When we introduce you, your 
full written statement automatically goes in the record, so you 
don't have to ask us to do so. We would like you to, in 5 or 7 
minutes, to give a summary of your testimony. We give a 
little--let's see, we've got plenty of time here so we could 
make it 10 minutes. But we want to get into dialog among you as 
well as those members expected to be here.
    So Joel C. Willemssen, Managing Director, Information 
Technology Issues, U.S. General Accounting Office, which is 
presided over by the Comptroller General of the United States, 
and it's part of the legislative branch. Mr. Willemssen, it's 
always good to see you.

STATEMENT OF JOEL C. WILLEMSSEN, MANAGING DIRECTOR, INFORMATION 
       TECHNOLOGY ISSUES, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Willemssen. Thank you, Mr. Chairman. It's an honor to 
appear again before you today and, as requested, I'll briefly 
summarize our statement on the challenges involved in 
protecting government and privately controlled systems from 
computer-based attacks.
    Overall, our work continues to show that Federal agencies 
have serious and widespread computer security weaknesses. These 
weaknesses present substantial risks to Federal operations, 
assets, and confidentiality. Because virtually all Federal 
operations are supported by automated systems and electronic 
data, the risks are very high and the breadth of the potential 
impact is very wide. The risks cover areas as diverse as 
taxpayer records, law enforcement, national defense, and a wide 
range of benefit programs, and they cover all major areas of 
required controls such as access controls in ensuring service 
continuity in the face of disasters.
    The September 11 tragedies demonstrated just how essential 
it is for government and business to be able to continue 
critical operations and services during emergency situations. 
News reports indicate that business continuity and contingency 
planning has been a critical factor in restoring operations for 
New York's financial district with some specifically 
attributing companies' preparedness to the contingency planning 
efforts associated with the year 2000 challenge.
    At the same time, however, our reviews still reveal 
shortcomings in Federal agency business continuity planning. 
Examples of common weaknesses include incomplete plans and 
plans that have not been fully tested. While a number of 
factors have contributed to these weaknesses, and overall weak 
Federal information security, we believe the key underlying 
problem is ineffective security program management.
    Computer security legislation enacted last year can go a 
long way to addressing this underlying problem. The legislation 
requires that both agency management and inspector's general 
annually evaluate information security programs. This new 
annual evaluation and reporting process is an important 
mechanism previously missing for holding agencies accountable 
for the effectiveness of their security programs.
    Beyond the risks with Federal agency systems, the Federal 
Government has begun to address the threat of attacks on our 
Nation's computer-dependent critical infrastructures such as 
electric power. A prior Presidential Directive known as PDD63 
outlined a governmentwide strategy to address this. However, 
progress in implementing this directive has been limited. For 
example, while outreach by numerous Federal entities to 
establish cooperative relationships with private organizations 
in key infrastructure sectors has raised an awareness and 
prompted some information sharing, efforts to perform analyses 
of sector and cross-sector vulnerabilities have been limited. 
In addition, a key element of this strategy was establishing 
the FBI's National Infrastructure Protection Center [NIPC], as 
a focal point for gathering information on threats and 
facilitating the Federal Government's response to computer 
based incidents. As we reported earlier this year, the NIPC has 
initiated various efforts to carry out this responsibility.
    However, we also found that the analytical and information 
sharing capabilities that were intended had not yet been 
achieved. A major impediment to implementing the strategy 
outlined in PDD63 is the lack of a comprehensive national plan 
that clearly delineates the roles and responsibilities of 
Federal and non-Federal entities and defines interim 
objectives. We've therefore recommended that the assistant to 
the President for National Security Affairs ensure a more fully 
defined strategy for computer-based threats be developed that 
addresses this impediment. It will obviously be important that 
this strategy be coordinated with the counterterrorism efforts 
undertaken by the newly established Office of Homeland 
Security.
    Mr. Chairman, that concludes a summary of my statement, and 
after the panel is done I'd be pleased to address any questions 
you may have. Thank you.
    Mr. Horn. Well, thank you.
    [The prepared statement of Mr. Willemssen follows:]
    [GRAPHIC] [TIFF OMITTED] T0481.003
    
    [GRAPHIC] [TIFF OMITTED] T0481.004
    
    [GRAPHIC] [TIFF OMITTED] T0481.005
    
    [GRAPHIC] [TIFF OMITTED] T0481.006
    
    [GRAPHIC] [TIFF OMITTED] T0481.007
    
    [GRAPHIC] [TIFF OMITTED] T0481.008
    
    [GRAPHIC] [TIFF OMITTED] T0481.009
    
    [GRAPHIC] [TIFF OMITTED] T0481.010
    
    [GRAPHIC] [TIFF OMITTED] T0481.011
    
    [GRAPHIC] [TIFF OMITTED] T0481.012
    
    [GRAPHIC] [TIFF OMITTED] T0481.013
    
    [GRAPHIC] [TIFF OMITTED] T0481.014
    
    [GRAPHIC] [TIFF OMITTED] T0481.015
    
    [GRAPHIC] [TIFF OMITTED] T0481.016
    
    [GRAPHIC] [TIFF OMITTED] T0481.017
    
    [GRAPHIC] [TIFF OMITTED] T0481.018
    
    [GRAPHIC] [TIFF OMITTED] T0481.019
    
    [GRAPHIC] [TIFF OMITTED] T0481.020
    
    [GRAPHIC] [TIFF OMITTED] T0481.021
    
    [GRAPHIC] [TIFF OMITTED] T0481.022
    
    [GRAPHIC] [TIFF OMITTED] T0481.023
    
    [GRAPHIC] [TIFF OMITTED] T0481.024
    
    [GRAPHIC] [TIFF OMITTED] T0481.025
    
    [GRAPHIC] [TIFF OMITTED] T0481.026
    
    [GRAPHIC] [TIFF OMITTED] T0481.027
    
    [GRAPHIC] [TIFF OMITTED] T0481.028
    
    [GRAPHIC] [TIFF OMITTED] T0481.029
    
    [GRAPHIC] [TIFF OMITTED] T0481.030
    
    [GRAPHIC] [TIFF OMITTED] T0481.031
    
    [GRAPHIC] [TIFF OMITTED] T0481.032
    
    [GRAPHIC] [TIFF OMITTED] T0481.033
    
    [GRAPHIC] [TIFF OMITTED] T0481.034
    
    [GRAPHIC] [TIFF OMITTED] T0481.035
    
    [GRAPHIC] [TIFF OMITTED] T0481.036
    
    [GRAPHIC] [TIFF OMITTED] T0481.037
    
    [GRAPHIC] [TIFF OMITTED] T0481.038
    
    [GRAPHIC] [TIFF OMITTED] T0481.039
    
    [GRAPHIC] [TIFF OMITTED] T0481.040
    
    [GRAPHIC] [TIFF OMITTED] T0481.041
    
    Mr. Horn. And we will now move to Mr. Richard Pethia, the 
director of the CERT Centers, Software Engineering Institute at 
Carnegie Mellon University.

    STATEMENT OF RICHARD D. PETHIA, DIRECTOR, CERT CENTERS, 
  SOFTWARE ENGINEERING INSTITUTE, CARNEGIE MELLON UNIVERSITY .

    Mr. Pethia. Mr. Chairman, thank you for the opportunity to 
testify on information infrastructure security and our 
preparedness for attacks. My perspective comes from the work 
that we do at the CERT Coordination Center where we're 
chartered to deal with security emergencies on the Internet and 
to work with both technology producers and technology users to 
facilitate responses to security problems. Since 1988, we've 
handled over 63,000 separate incidents and have analyzed more 
than 3,700 computer vulnerabilities.
    I'll use a recent attack to illustrate what I think are 
some of the critical issues. On September 18, the Internet 
community at large was attacked with an automated attack that 
has been called the W32 Nimda worm or Nimda. This worm had the 
following characteristics: It used multiple means to spread 
from computer to computer, from desktop to desktop, via 
electronic mail; from desktop to desktop via shared files; from 
Web server to desktop by a browsing of compromised Web servers; 
from desktop to Web server via active scanning for various 
vulnerabilities; and from desktop to Web server via scanning 
for back doors left behind by earlier worms Code Red and S-
Admin. It modified Web documents and certain executable files 
on the infected machines, and it focused on infecting machines 
on local networks, thus clogging those networks with scanning 
traffic and disrupting operations.
    Nimda was the first worm or virus that we've seen that 
attacks computers that act as servers as well as desktop 
computers. As many reports indicated, Nimda spread like 
wildfire. The first reports of scanning activity came at about 
8:30, between 8:30 and 9 a.m. Within an hour, many 
organizations reported that they were paralyzed by the scanning 
activity, and by mid-afternoon over 100,000 machines were 
infected.
    The response community reacted immediately but were 
hampered by lack of a source code and by the complexity of the 
worm. Warnings were sent to the community in the morning with 
updates as analysis progressed through the day. Analysts 
quickly obtained the binary code and began the reverse 
engineering process but needed several hours to complete it. By 
mid-afternoon, antivirus vendors began making detection 
software available. Heavy worm activity was reported through 
the remainder of the day and all of the 19th. On the 20th the 
reports continued but at a much lower rate.
    We will continue to see periodic ongoing recurrences of 
this worm over the next several months, gradually tapering off 
in impact.
    What are the factors that allow attacks like this to be 
successful? Vulnerable software. Today's commercial off-the-
shelf technology is riddled with holes. In calendar year 2000 
we received reports of over 1,090 new vulnerabilities in our 
existing information technology. At the current reporting rate, 
this year we expect over 2,000 new reports by the end of the 
year.
    The software design practices in use do not yield software 
that is resistant to attack. Software implementation practices 
do not remove programming flaws that result in vulnerabilities. 
And default software configuration shipped to the customers 
leave security doors open and explicit user action must be 
taken to close them. Technology users are not able to keep up 
with the pace of vulnerability fixes. The sheer number of 
vulnerabilities is overwhelming organizations. The upgrade 
process is difficult and time-consuming and it often takes 
months or even years for users to patch their systems across 
the broad Internet community.
    Today we still receive reports of recurrences of the 
Melissa virus, a virus that exploited vulnerabilities that were 
discovered 2 years ago. At the same time, attack technology are 
growing increasingly sophisticated and automated. Exploit 
scripts are quickly written by the intruder community for newly 
found vulnerabilities. They are combined with other forms of 
software to form very powerful automated attack tools. 
Compromised systems are harnessed together to attack others, 
and automation allows these attacks to proceed at lightning 
speed. Our reactive solutions are reaching the limits of their 
effectiveness. Only the best resourced organizations can keep 
up with vulnerability fixes.
    With over 109 million computers, and growing, on the 
Internet there are always hundreds of thousands, if not 
millions, of computers that are vulnerable; and automated 
attacks can now cause major damage before they're even 
detected. The complexity of the attack is challenging software 
analysts who try to fix them, and we will continue to see major 
damage within even the best response cycle times that we can 
hope to achieve.
    What are the answers? First and foremost, higher quality 
software products. Known design techniques can dramatically 
reduce the virus problem. Viruses spread because systems allow 
the unconstrained execution of imported code. Yet we've known 
for decades how to build hardware and software that constrains 
this code execution. Using this technique would dramatically 
reduce the virus problem.
    In addition, implementation errors, bugs in the software, 
cause over 80 percent of the other problems that we see on the 
Internet. Known software engineering techniques can reduce 
these bugs by a factor of at least 10, and typically more than 
100.
    Also, it's important that we begin to ship high-security 
configurations as the default. It's no longer realistic, given 
this huge user population, to expect today's average computer-
user and system administrator to have the technical skills 
needed to securely configure their software systems. We must 
build and ship products that are safe for use by today's 
average administrator and user. That's the near-term solution.
    Longer term, we will continue to see more sophisticated 
attacks. Better design and implementations will solve much of 
what we see today, but as we get more sophisticated attacks, we 
must develop new software engineering techniques, integrated 
frameworks for information assurance and analysis design, and 
these frameworks must lead to engineering methods and 
technologies that yield systems that are resistant to attack 
but also able to survive those attacks even if they are 
partially penetrated.
    More research into survivable systems is needed for the 
future. Increased support for information assurance degree 
programs is also needed. Today there is a critical shortage of 
technical security specialists. The recent government programs 
on the security Centers of Excellence is a step in the right 
direction, but it's only a start. More is needed to meet the 
growing demand in both government and industry for these 
technical specialists.
    And finally, awareness and training for all users. This is 
not just a problem for technical specialists. It's a problem 
for executives, for middle managers, for commercial users as 
well as for home users. We need to support the development of 
programs that allow awareness and training for all of those 
individuals, and we also must provide programs for elementary 
and secondary school teachers to allow them to begin training 
their students on acceptable and unacceptable behavior and 
basic security practices.
    In conclusion, attacks like Nimda will occur again, and 
they will have great impact unless and until substantial 
changes are made. Most important now is higher-quality software 
that uses known design and implementation practices to reduce 
vulnerabilities. A 100fold improvement is needed. In the 
future, threats will be even more sophisticated; and so while 
we deal with today's problems, we also must expand our research 
and education activities to deal with the problems that we'll 
see within the next 5 years. Thank you.
    Mr. Horn. Thank you.
    [The prepared statement of Mr. Pethia follows:]
    [GRAPHIC] [TIFF OMITTED] T0481.042
    
    [GRAPHIC] [TIFF OMITTED] T0481.043
    
    [GRAPHIC] [TIFF OMITTED] T0481.044
    
    [GRAPHIC] [TIFF OMITTED] T0481.045
    
    [GRAPHIC] [TIFF OMITTED] T0481.046
    
    [GRAPHIC] [TIFF OMITTED] T0481.047
    
    [GRAPHIC] [TIFF OMITTED] T0481.048
    
    [GRAPHIC] [TIFF OMITTED] T0481.049
    
    [GRAPHIC] [TIFF OMITTED] T0481.050
    
    [GRAPHIC] [TIFF OMITTED] T0481.051
    
    [GRAPHIC] [TIFF OMITTED] T0481.052
    
    [GRAPHIC] [TIFF OMITTED] T0481.053
    
    [GRAPHIC] [TIFF OMITTED] T0481.054
    
    [GRAPHIC] [TIFF OMITTED] T0481.055
    
    [GRAPHIC] [TIFF OMITTED] T0481.056
    
    [GRAPHIC] [TIFF OMITTED] T0481.057
    
    [GRAPHIC] [TIFF OMITTED] T0481.058
    
    [GRAPHIC] [TIFF OMITTED] T0481.059
    
    [GRAPHIC] [TIFF OMITTED] T0481.060
    
    [GRAPHIC] [TIFF OMITTED] T0481.061
    
    [GRAPHIC] [TIFF OMITTED] T0481.062
    
    [GRAPHIC] [TIFF OMITTED] T0481.063
    
    [GRAPHIC] [TIFF OMITTED] T0481.064
    
    [GRAPHIC] [TIFF OMITTED] T0481.065
    
    [GRAPHIC] [TIFF OMITTED] T0481.066
    
    [GRAPHIC] [TIFF OMITTED] T0481.067
    
    [GRAPHIC] [TIFF OMITTED] T0481.068
    
    [GRAPHIC] [TIFF OMITTED] T0481.069
    
    [GRAPHIC] [TIFF OMITTED] T0481.070
    
    [GRAPHIC] [TIFF OMITTED] T0481.071
    
    [GRAPHIC] [TIFF OMITTED] T0481.072
    
    [GRAPHIC] [TIFF OMITTED] T0481.073
    
    [GRAPHIC] [TIFF OMITTED] T0481.074
    
    [GRAPHIC] [TIFF OMITTED] T0481.075
    
    [GRAPHIC] [TIFF OMITTED] T0481.076
    
    [GRAPHIC] [TIFF OMITTED] T0481.077
    
    [GRAPHIC] [TIFF OMITTED] T0481.078
    
    Mr. Horn. Our next presenter is Michael Vatis, the 
Director, institute for Security Technology Studies at 
Dartmouth College.

 STATEMENT OF MICHAEL VATIS, DIRECTOR, INSTITUTE FOR SECURITY 
             TECHNOLOGY STUDIES, DARTMOUTH COLLEGE

    Mr. Vatis. Thank you, Mr. Chairman. I would like to commend 
you for holding this hearing today, because in the wake of the 
horrible terrorist attacks that occurred on our country on 
September 11, it would be very easy for Members of Congress to 
focus all of their attention on the types of attacks that 
occurred on that day and to focus on what needs to be done to 
prevent their reoccurrence. But I think it is equally important 
at least that we pay attention to the other types of threats to 
our Nation's security that are just as significant today as 
they were before September 11. And among those threats are 
potential cyber attacks against our information infrastructure. 
Indeed, for the reasons that I've given in my prepared 
statement, I believe that this threat is even greater today 
than it was before September 11. And so, again, I'd like to 
commend the subcommittee for bringing attention to this 
critical issue when it would have been very easy to focus on 
other things.
    I would like to devote my discussion today to two things. 
One is to provide a summary of our threat assessment of the 
possible attacks that could take place on our information 
infrastructure during the war on terrorism; and second, to talk 
about the importance of research and development to the overall 
cause of securing our Nation's computer networks. It is my 
belief that what is needed today is essentially a ``Manhattan 
Project'' for counterterrorism technology, so that America's 
leading scientists in industry, academia, and government can 
work together to use one of this Nation's greatest strengths, 
our technical prowess, to design tools and technology to secure 
the information infrastructure that provides the foundation for 
our economy and our national security.
    Turning to our threat assessment, we started by examining 
several recent political conflicts over the last few years that 
have led to attacks on cyber-systems, including the recent 
clashes between India and Pakistan, between Israel and the 
Palestinians, between NATO and Serbia in Kosovo, and also the 
tensions between the United States and China after the 
collision between a Chinese fighter plane and an American 
surveillance plane. From these case studies we concluded that 
cyber attacks immediately follow physical attacks within the 
circumstances of these political conflicts.
    It is also the case that politically motivated cyber 
attacks are increasing in volume, sophistication, and 
coordination. For instance, after the collision between the 
Chinese fighter plane and the American surveillance plane, 
approximately 1,200 U.S. sites, including those belonging to 
the White House and other government agencies, were reportedly 
subject to distributed denial of service attacks or defaced 
with pro-Chinese images in just 1 week.
    And finally, cyber attackers are attracted to high-value 
targets. They have attacked the Web sites of financial 
institutions and also government communication infrastructures.
    As the next step in our analysis, we looked at general 
trends in cyber attacks, including those lacking any apparent 
political motivation. And there, as my colleague, Rich Pethia 
has talked about, it is clear that cyber attacks are growing in 
their destructiveness and in their sophistication. And 
attackers are increasingly taking advantage of the 
vulnerabilities that persist throughout our networks. In 
addition, the wide and rapid dissemination of automated scripts 
has made it possible even for the unsophisticated hacker to 
take advantage of these advanced techniques. And so in recent 
years, and again in recent weeks, we have seen a proliferation 
in destructive worms such as Code Red and Nimda. We've seen a 
proliferation of distributed denial of service techniques that 
can be used to carry out automated attacks on victim networks, 
and we've seen a growth in the sophistication of unauthorized 
intrusions which can allow an attacker to get into government 
networks or private sector networks for the purpose of 
absconding with sensitive information, with money, with credit 
cards, or carrying out a destructive attack on the network 
itself.
    So the question, then, is, during the war on terrorism, 
what types of groups or individuals might engage in cyber 
attacks against our information infrastructure? Well, clearly 
the terrorists themselves are a concern. While it is not clear 
whether Osama bin Laden's al Qaeda organization has developed 
cyber attack capabilities, it is clear that members of his 
network have utilized information technology to communicate 
securely, to raise funds, and to formulate their plans.
    For instance, Ramzi Yousef, who was the mastermind of the 
first attack on the World Trade Center in 1993, had details of 
future terrorist plots, including the planned bombing of 11 
U.S. airliners in the Pacific, stored on encrypted files on his 
laptop computer. At the same time, the September 11 attacks 
themselves show that terrorists are not merely focused on 
causing deaths, but also on causing damage to our critical 
infrastructures, with all of the attendant financial 
consequences and economic consequences that has.
    Another group to be concerned about is targeted nation 
states. Several nations could be targets in our military 
retaliation for the September 11 attacks, including not only 
Afghanistan, but possibly some states that have been designated 
as supporters of terrorism. And among those U.S. designated 
states are countries such as Iraq and Libya, which are reported 
to have developed information warfare capabilities.
    So as we engage in this war on terrorism, we need to be 
cognizant of the risk of possible counterattacks on our 
information infrastructure by countries such as that. The most 
likely source of attack, though, are the sympathizers of 
terrorists around the world or those with general anti-U.S. or 
anti-ally sentiments. These are the people who have engaged in 
attacks before, whether it's Web site defacements or denial of 
service attacks. And they include people who could perceive the 
war on terrorism as an anti-Muslim crusade. And it also could 
include other people such as those who are against 
globalization and capitalism in general and have engaged in 
these sorts of attacks before.
    And the last category is thrillseekers who might just use 
this situation as an opportunity to gain bragging rights for 
breaking into systems while the world's media are focused on 
the problem. And the types of targets that these attackers 
could go after include not only Web sites, but also more high-
value targets such as domain name servers, communication 
systems, routers, and critical infrastructures. There could 
also be the possibility of compound attacks on many of these 
infrastructures using many different techniques and possibly 
combined with physical attacks as well.
    Mr. Chairman, my prepared statement has a number of very 
specific recommendations that we offer for system 
administrators throughout the government and in the private 
sector to take to protect themselves against these sorts of 
attacks. And we believe that if those steps are taken, people 
can minimize the chance of being hit. But over the long-term, 
the importance of research and development is great. And we can 
never really get ahead of the problem through patches and 
through updating our antivirus software, unless we can design 
systems, from the ground up, that are secure, and unless we 
make the Internet a safe place to engage in commerce and to 
communicate securely. Thank you, Mr. Chairman.
    Mr. Horn. Thank you. That's a very helpful presentation and 
in the dialog there's a lot of things we can take advantage of.
    [The prepared statement of Mr. Vadis follows:]
    [GRAPHIC] [TIFF OMITTED] T0481.079
    
    [GRAPHIC] [TIFF OMITTED] T0481.080
    
    [GRAPHIC] [TIFF OMITTED] T0481.081
    
    [GRAPHIC] [TIFF OMITTED] T0481.082
    
    [GRAPHIC] [TIFF OMITTED] T0481.083
    
    [GRAPHIC] [TIFF OMITTED] T0481.084
    
    [GRAPHIC] [TIFF OMITTED] T0481.085
    
    [GRAPHIC] [TIFF OMITTED] T0481.086
    
    [GRAPHIC] [TIFF OMITTED] T0481.087
    
    [GRAPHIC] [TIFF OMITTED] T0481.088
    
    [GRAPHIC] [TIFF OMITTED] T0481.089
    
    [GRAPHIC] [TIFF OMITTED] T0481.090
    
    [GRAPHIC] [TIFF OMITTED] T0481.091
    
    [GRAPHIC] [TIFF OMITTED] T0481.092
    
    [GRAPHIC] [TIFF OMITTED] T0481.093
    
    [GRAPHIC] [TIFF OMITTED] T0481.094
    
    [GRAPHIC] [TIFF OMITTED] T0481.095
    
    [GRAPHIC] [TIFF OMITTED] T0481.096
    
    [GRAPHIC] [TIFF OMITTED] T0481.097
    
    [GRAPHIC] [TIFF OMITTED] T0481.098
    
    [GRAPHIC] [TIFF OMITTED] T0481.099
    
    [GRAPHIC] [TIFF OMITTED] T0481.100
    
    [GRAPHIC] [TIFF OMITTED] T0481.101
    
    [GRAPHIC] [TIFF OMITTED] T0481.102
    
    [GRAPHIC] [TIFF OMITTED] T0481.103
    
    [GRAPHIC] [TIFF OMITTED] T0481.104
    
    [GRAPHIC] [TIFF OMITTED] T0481.105
    
    [GRAPHIC] [TIFF OMITTED] T0481.106
    
    [GRAPHIC] [TIFF OMITTED] T0481.107
    
    [GRAPHIC] [TIFF OMITTED] T0481.108
    
    [GRAPHIC] [TIFF OMITTED] T0481.109
    
    [GRAPHIC] [TIFF OMITTED] T0481.110
    
    [GRAPHIC] [TIFF OMITTED] T0481.111
    
    [GRAPHIC] [TIFF OMITTED] T0481.112
    
    [GRAPHIC] [TIFF OMITTED] T0481.113
    
    [GRAPHIC] [TIFF OMITTED] T0481.114
    
    [GRAPHIC] [TIFF OMITTED] T0481.115
    
    [GRAPHIC] [TIFF OMITTED] T0481.116
    
    [GRAPHIC] [TIFF OMITTED] T0481.117
    
    [GRAPHIC] [TIFF OMITTED] T0481.118
    
    [GRAPHIC] [TIFF OMITTED] T0481.119
    
    Mr. Horn. And I'm delighted now to have the presentation of 
the Honorable Ronald Dick, the Director of the National 
Infrastructure Protection Center for the Federal Bureau of 
Investigations. I want to say great thanks on behalf of the 
subcommittee that the FBI has been this early in the game--they 
have worked very close with the committee. Thanks to their 
generosity; we've had a lot of individuals throughout the world 
that have been helpful with them bringing them here, and they 
can take advantage of those individuals and so can the 
subcommittee. So thank you very much for what you've been 
doing.

  STATEMENT OF RONALD DICK, DIRECTOR, NATIONAL INFRASTRUCTURE 
       PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION

    Mr. Dick. Thank you, Mr. Chairman. Particularly, thank you 
for the opportunity to discuss our government's important and 
continuing challenges with respect to information technology. 
As several of the panel members have said in the face of the 
tragedies 2 weeks ago, I come before you today to relay a 
strong sense of optimism. We, the men and women of the NIPC and 
our thousands of partners throughout the country and the world, 
including my colleagues on this panel, have heard the call and 
I believe have stepped forward.
    While the terrorists were building their network, so too 
were we. For the past 3 years, while others were thinking of 
ways to defeat us, the NIPC was working tirelessly to build the 
broad partnerships we have today, to mobilize great talent, to 
break down the old ways of doing business, and to forge ahead 
with the united sense of government and private sector purpose.
    There is more work to be done. There always will be. But 
there should be no doubt about our progress, about our 
persistence, about our pledge to the American people. Acting as 
one, the Federal, State and local governments, the private 
sector and the international partners eagerly accept President 
Bush's challenge which was referred to as the ``challenge of 
our time.''
    For the past 3 years, we have cultivated a number of 
initiatives, each focused on simultaneously developing the 
NIPC, the capacity to warn, to respond and to build 
partnerships. The NIPC built InfraGard into the largest 
government/private sector joint partnership for infrastructure 
protection in the world, with over 2,000 members nationwide. 
The NIPC Web site takes advantage of the Internet's long reach 
to provide significant cyber-alerts as well as the ability to 
report computer attacks and intrusions on line. The NIPC has 
built systems or has provided systems administrators and home 
users with roughly 100 warnings about cyber-threats and 
vulnerabilities.
    Just last week, we provided information systems security 
advice through our Web site, through InfraGard, and through our 
trusted partners to better protect the public from the Nimda 
worm. In fact, based on our prior responsiveness and 
coordination with the private sector concerning Code Red, we 
believe that the Nimda impact was significantly reduced. The 
NIPC's Watch Center operates around the clock and communicates 
daily with the Department of Defense. Major General Dave Bryan, 
Commander of the Joint Task Force for Computer Network 
Operations, recently remarked that the NIPC and JTF-CNO have 
established an outstanding working relationship. We have become 
interdependent, with each realizing that neither can totally 
achieve its mission without the other. And I couldn't agree 
more. The Center's ability to fulfill the expectations and 
needs of its Department of Defense components is achieved by 
the interagency nature of the NIPC, which includes the Center's 
Deputy Director, James Plehal, a two-star Navy Rear Admiral. 
This example of the Center staffing demonstrates our collective 
commitment to achieve meaningful ownership and coordination 
across the law enforcement, the intelligence, and military 
communities as well as other agencies.
    We are strongly partnered with FedCIRC, to enhance the 
security of our government technology systems and services. We 
team up regularly with the CIA and the NSA to work on matters 
of common interest. In fact, the head of our Analysis and 
Warning Section is a senior CIA officer and the head of the 
section's Analysis and Information Sharing unit is a senior 
manager from NSA. In total, the Center has full-time 
representatives from a dozen Federal and three foreign 
government agencies, led in number by the FBI and the 
Department of Defense.
    We're continuing to take advantage of the FBI's global 
presence through its legal attaches in 44 nations around the 
word. Our multiagency team works with information sharing and 
analysis centers throughout the country and provides threat 
briefings to the critical infrastructure sector, including 
financial services electrical power, telecommunications, water, 
oil and gas, aviation and railroad. We are connected with 
18,000 police departments and sheriffs departments which 
bravely serve our Nation daily and in times of crisis.
    Our strong ties with the private sector, State and local 
first responders places us at the Center in the unique position 
to answer the President's call for homeland security. In this 
regard, we're also leveraging our key asset initiative by 
leading the creation of a comprehensive data base to identify 
the Nation's critical infrastructure components.
    Equally significant, the NIPC manages the computer 
intrusion investigations nationwide for the FBI, both on the 
criminal and national security side. Our integration with the 
FBI continues to provide the NIPC with access to law 
enforcement, intelligence, counterintelligence and open source 
information that for privacy and civil rights reasons is 
unavailable in its aggregate to any other Federal agency.
    The Center has been providing critical technical assistance 
to the PENTTBOM investigation in aid of what is certain to be a 
joint and long-term law enforcement intelligence and military 
response. During the past 2 weeks the center has provided 
detailed information--or provided detailed information used to 
brief the National Command Authority about how the terrorist 
cells of September 11 used technology to further their 
murderous acts. We developed an interagency coordination cell 
to deconflict investigations and provide relevant information 
on those agencies--or to those agencies that have not been able 
to provide full-time support to the center.
    At the moment, the interagency coordination cell has taken 
a leadership role in the ongoing PENTTBOM efforts. It is 
staffed with 43 individuals from 15 agencies and every entity 
that needs information to conduct its part of this most 
critical mission gets it.
    In short, the Center is coordinating its incident 
deterrence prevention, warning and response mission with strong 
multiagency support. That, in brief, is a look at the NIPC. Our 
responsibilities, as you can see, are broad and we are rising 
to the challenge. We are united so that the benefits of 
technology flourish while the risk of the technology are 
reduced, provided resource issues identified in the GAO April 
2001 report are resolved. We will continue to witness the ever 
better results. We are eager to take on this important work 
that surely lies ahead, and on behalf of the Center I would 
like to thank you for your continuing support in our efforts in 
this significant issue.
    Mr. Horn. Thank you. That's very helpful and we'll be 
working with you on the next phase of what we're going to be 
going to; which will be pretty much throughout the United 
States.
    [The prepared statement of Mr. Dick follows:]
    [GRAPHIC] [TIFF OMITTED] T0481.120
    
    [GRAPHIC] [TIFF OMITTED] T0481.121
    
    [GRAPHIC] [TIFF OMITTED] T0481.122
    
    [GRAPHIC] [TIFF OMITTED] T0481.123
    
    Mr. Horn. We now have Mark Seetin, who's the vice 
president, governmental affairs, New York Mercantile Exchange.

STATEMENT OF MARK SEETIN, VICE PRESIDENT, GOVERNMENTAL AFFAIRS, 
                  NEW YORK MERCANTILE EXCHANGE

    Mr. Seetin. Thank you, Mr. Chairman. My name is Mark 
Seetin. I am vice president for government affairs for the New 
York Mercantile Exchange. I want to thank you and all the 
members of this subcommittee for inviting us here today to 
speak on this important issue.
    Before I begin, I would like to take just a brief moment to 
honor the memories of the 18 fallen comrades in our company and 
the thousands of innocent people who had their lives taken from 
them in that horrendous attacks. For the most part, their only 
political act was being a husband, a wife, mother, father, 
friend. Their only crime was to show up for work. We----
    Mr. Horn. Where was your location at the time?
    Mr. Seetin. Actually, it's up on the map. I can show you. 
Actually this is for context, basically. I want to give credit 
to USA Today. This is a graphic from there. Our location, you 
can see--I'm trying to get my pointer to work here. Four World 
Trade Center is right there. But you can see the two towers. 
That's the point where we were before, when the bomb attack in 
1993--which I'm going to be addressing. In 1997, we moved into 
this new building on One North End Avenue, which is located 
right there on the bank of the Hudson River. Critically, you 
will notice that right next to us is the Merrill Lynch 
building, and beyond that is the American Express building. 
You've heard those buildings mentioned.
    The shielding effect that they provided during the 
horrendous collapse kept us from having great structural damage 
to our building. We didn't lose windows. We had a lot of 
debris. The other critical part that's going to be evolving in 
my testimony is right up there, 22 Courtland Street, which was 
the back-up center for our computer systems. That was basically 
taken out in the collapse as well, and that was our back-up 
system as I said.
    With that, as I go through, just to put this all in 
perspective, you can see this is about 16 acres in size. These 
are all very, very confined and small areas. Also note here 
from the standpoint of what had to happen right after that 
attack. Right after the first plane hit the North Tower, our 
building was evacuated immediately. Our people were moved out 
into this plaza. This is the World Financial Center, right here 
where my marker is right now. They were moved into this plaza, 
and because the roads were cutoff, the only escape really was 
from the water. And for that, it was a little bit like a mini-
Dunkirk; because boats, police boats, everybody who had a boat, 
was coming in and picking up people and evacuating them. And 
they were in the process of doing that.
    We still had thousands of people on that plaza when the 
second plane hit. It virtually flew over our people en route to 
crashing into building No. 2. So that kind of lays the 
background for the horror at the beginning of this.
    First, a little bit of explanation of who we are. We are a 
global energy marketplace. We're the world's largest energy 
futures exchange. We on a daily basis entertain the trading of 
3 to 5 times world oil production, 5 to 7 times North American 
natural gas production. We are the window to the marketplace.
    The Exchange is a regulated entity, regulated by the 
Commodity Futures Trading Commission. Our job is to provide 
open, competitive, fair pricing for those vital energy 
commodities. We have been designated--in fact, one of the 
reasons we probably got so much assistance and, I will give 
great credit to those authorities that provided that, was 
because we were recognized as a critical asset, we're a little 
bit like if you lose the radio and television when a tornado is 
on the way, it doesn't do you much good not to hear about it 
because it's still going to happen.
    And that's why energy pricing is so critical. The September 
11 attack hit the World Financial Center. We had debris raining 
down on us. Our building was within yards of that. We were the 
first exchange in New York to reopen for trading. In 1993, the 
attack was on a Friday. We were in No. 4 World Trade Center, 
right next to building No. 2, which is now a pile of ash and 
rubble. We were able to start trading the Monday following 
that. Again, we lost utilities. We lost power. The lessons we 
learned from that did help us in this, but from our standpoint, 
I must say the scope of this attack was unbelievably greater 
than the bomb of 1993.
    Through work and through cooperation and through 
innovation, we were able to launch our electronic trading 
system which normally operates at night. We have trading in our 
trading ring. The trading pits where you see the people yelling 
and screaming at each other occurs from 9 to 3 p.m. At 4 p.m., 
we switch to our electronic trading system, known as eACCESS, 
which trades throughout the night and goes until 9 o'clock the 
next morning. So we virtually have nearly a 24-hour trading 
day. The energy markets are global and our customers are around 
the world, so they demand that.
    Were we prepared for this? Frankly, I don't know anybody 
who could possibly be prepared for an attack of this scope. You 
know, there's no one who could tell me they had prepared for 
something like this. Yes, we tried to be prepared, given our 
experience in the 1993 bombing, and we knew that there were 
some critical things that you had to have. You had to have an 
emergency plan. You had to have a back-up facility.
    Well, because our computers had been located in 22 
Courtland Street, which I showed you earlier, we had leasing on 
those. We thought, well, this would be an adequate back-up 
system. Obviously, our experience with the bomb was far more 
localized.
    Mr. Horn. How many floors were there at 22 Courtland 
Street? I'm looking at it and it sort of has two surrounding 
buildings.
    Mr. Seetin. I believe it's about 40 stories, if I'm not 
mistaken.
    Mr. Horn. Really?
    Mr. Seetin. Rough guess. I believe it's about 40 floors. 
And our systems were located in the 20th through the 25th on 
that building. The building itself structurally stands, but 
it's been so heavily damaged that it's basically unusable. 
Frankly, if we had to get in there, we probably could have. We 
could have rescued the hard-drives which would have held the 
data had we lost them in our primary trading facility, or a 
back-up site that we had offsite in New Jersey. Fortunately, we 
didn't have to do that.
    One of the other things that we learned when we built our 
new building in 1997, was that we put back-up generators on the 
16th floor for the eventuality of potentially losing power. In 
our business, of course, in information technology, as these 
gentlemen say, the loss of power for us is tragedy. I mean it 
is the end of the world from the trading standpoint, because 
you have to have that continuous flow.
    So we had generators installed. In fact, when we lost 
power, immediately after the building collapsed, our generators 
kicked in in spite of the fact that no human beings were around 
at that time. I was able, at that time, to communicate 
throughout the day with our e-mail systems. They were on the 
back-up system.
    Basic necessities. What do you have to have? Well, the 
first thing, the most valuable--and people fought over it in 
our crisis center--is this emergency contact list. You'll see 
it's dated as August 2001. Little did we know. We update it 
periodically. This list has all contact information for all of 
the board members; home, cell, everyplace they can be 
contacted. The same thing with critical staff, because we were 
dispersed. I mean, it was chaotic. People were just driven out 
of the building. We didn't know where anybody was. So we had to 
use this to begin.
    Within 3 hours after the attack, our chairman, Vincent 
Viola, began the first of a series of conference calls, 
emergency board meetings, because we had to figure out, first 
of all, how we were going to approach this. Obviously you have 
to do damage assessment and recovery. I mean, that's No. 1 
right on the list, is how do we get back into business?
    Mr. Horn. I take it the line to your computers in New 
Jersey did hold up?
    Mr. Seetin. Some did, some did not. We had--actually, we 
have two services--oh, in New Jersey. Of course.
    Mr. Horn. Right.
    Mr. Seetin. That was not a problem. But I must say that the 
communications problem in New York was great, and it wasn't 
limited to that area. We eventually relocated to 50th Street 
and Madison Avenue as our crisis center. We setup telephone 
systems there to provide support for our traders.
    We also used our Web site as really the contact point for 
the staff and for everybody else to contact us. But, 
fortunately, when we were running our trading system from 2:30 
to 6 on Friday night, we didn't have a problem. But by about 
7:30 Friday night, something went wrong in the switching 
system. Again, a lot of this is related to the attack area that 
we lost incoming traffic on our phone systems. All of a sudden 
the phones went dead, and we were sitting there saying this is 
not right. We could call out. But when people would call into 
us, they would either get a busy signal or their call would 
die.
    So we had to get the Verizon folks in very quickly. We 
virtually changed our exchange numbers right then, which, you 
know in the midst of a crisis, of course, what you're doing is 
exchanging information and telephone numbers with people to 
have to go back and replicate that and tell them now the number 
that they had before is--you know, is no longer useful. That 
takes an enormous amount of time that you really ought to be 
spending in getting to the things that you have to do.
    As I said earlier, our board decided, first of all, two 
stages of recovery. We did a quick assessment and we could 
migrate our computerized trading system, because we had offsite 
capabilities in New Jersey. We would migrate that to do an 
extraordinary daytime trading system, because in fact the 
energy markets, as you well know, within 2 hours after that 
attack, rose something in the order of $2 a barrel. Nobody was 
there. We weren't there to provide that window. It was 
critical. We really felt the pressure, and frankly we got 
pressure from the White House and everybody else to get back-
up. We didn't need that. We felt that ourselves. But in 
essence, we decided to convert to this daytime trading system.
    We had obstacles as we migrated. The telephones were one, 
because we were really managing it from a hotel, but the system 
itself was away offsite. The critical part was getting people 
back into our building. As you well know, that whole area was 
shut down. Nobody could get in there. The only way you could 
get in there was with a police escort. So we had to work very 
closely with the police and the Federal authorities to get our 
people in, first of all, to do the assessment as to what we 
needed. Really the critical computer functions in our building 
that we needed were for clearing, because we guarantee all of 
the trades. Those trades have to be processed after they're 
done. If you can't process them, it's a very, very difficult 
situation.
    So we used our Web site as a contact. We migrated to the 
electronic system. Simultaneous with that was our effort, 
really, to resume physical trading. For that, we had to go in 
and do an assessment both environmentally, structurally, fire, 
security, all of those issues; because sitting where we were, 
and obviously, from our experience before, we viewed ourselves 
as a potential target even in recovery. So the authorities were 
tremendous in providing us very, very intense and expansive 
security to allow our people into the building where we 
assessed what we needed.
    And then really the Herculean part of our effort began. 
Nobody was getting any sleep before, but we certainly didn't 
once we started the process of moving people in and out. We 
called, because some of the operations were done out of the 
White House, we had to call at 2 a.m. to arrange police boats 
to pick our people up at 7:30, because the only way to get into 
the building, again, was by water on the Hudson River. That's 
the only way. We were lucky in that we did have dock and pier 
facilities right adjacent to the building. We were able to do 
that. We got our people in and began the assessment of what we 
needed at that stage to begin physical trading.
    After that assessment, the board decided, again given just 
enormous pressure from around the world and our client base, 
that we would begin physical trading at 11 a.m. on Monday. Our 
normal starting time with our metals trading, the gold, silver 
and copper, starts at 8:30 traditionally. That was our regular 
starting time. Our energies begin in a staggered start about 
9:35, and they start in 5-minute increments after that, the 
reason being the energy products are related.
    Price of crude oil is related to heating oil and to 
gasoline, so you can't start one without the other. They have a 
relationship. That compounds the problem that I'll talk about 
in future recovery plans. Our chairman, Vincent Viola, our 
president, Phil Collins, basically had backbones of steel, and 
didn't get any sleep. We had to do a lot of things ourselves. 
We quickly gathered--my role--I started down here quickly, I 
got on a train, got to the crisis center, and because the 
communication--again, we learned this--has to be centralized. 
Well, we were trying to coordinate a lot of the governmental 
contacts down here. When you're not in that frenetic activity, 
when you're not in that centralized place, one does not know a 
lot of the context of what's going on. So I had to be there 
because I had to know when these guys were having trouble with 
FEMA or these guys were having trouble with OEM--the OEM is the 
Office of Emergency Management, which is the State and city 
setup. Which, by the way, itself was a complicating factor. 
Remember, they were in the World Trade Center. The OEM was 
wiped out, the very same blast that kicked us out of our 
building. And their responsibility, of course, is to help 
people like us and all of the people that were affected.
    And I must say, Mayor Giuliani did something that I don't 
even believe. A lot of people said we don't believe you guys 
got up yourself and traded by Friday, within 2 days. The first 
day they had a number for us to call. They had people to 
contact. I had my contact, Bill Gross, who was the mayor's 
assistant. I could call him anytime, and I did. He will say 
that. I will tell you that, you know, any time of the day or 
night; the guy did not get any sleep. But they were there. And 
they migrated their number. They told us what the new number 
was. It went through without a slip.
    How they did that, you know--and actually the performance 
of the OEM was just remarkable. The State and the city were 
almost seamless, with just a few exceptions.
    Mr. Horn. That's the city emergency management group.
    Mr. Seetin. Yes, the city office.
    Mr. Horn. Was the State also involved?
    Mr. Seetin. The State was also involved. The State was very 
tightly linked with the city. I mean, in fact, we could do a 
lot of the same calls. The same people were talking to each 
other who were State authorities and city authorities. I will 
say the only complication we had, and I guess in retrospect, 
you know, you can smile about it a little bit, but we had a 
group of telephone technicians. Now, remember, we had two 
different systems in our building. We found out we had AT&T and 
Verizon, because we have tenants who are trading tenants who 
basically operate their own businesses, and they all had the 
Verizon system which had its own series of problems. So we were 
trying to get these people in Thursday night, Friday night, 
Saturday night--in to get the phone lines up and running. We 
had ours fairly well up by late Friday night inside of the 
building.
    But one of the problems I had--we got a call back from the 
AT&T people that said we got three trucks with technicians that 
are stuck at the checkpoint on Canal Street, because that's 
where the stop point was for basically everybody. That was 
where you were held up. And these people had police escorts 
with them. And this was the night that the National Guard had 
been dispatched, so you know, it was a situation where the 
National Guard troops, even though we had a police escort, were 
not letting us in there. So it took me 3 hours to get through 
to the Governor's office to get down through the guards. You 
know, this is the way things operate.
    Once that got through, you know, again, that operated 
smoothly. But those are some of the glitches when you have 
Federal, State, and military authorities coming in. It is 
critical that they communicate with each other, because, you 
know, those of us that are trying to get up and running, we 
have enough complications without having to try to go and get 
these guys to talk with each other. That was a very minor 
problem. And I don't want to overemphasize it, because in fact 
it worked. It worked out very well. I will never criticize any 
one of those people for what they did.
    So we were getting all the support that we could. Several 
hurdles that we had to overcome were, of course, if we began 
trading with our thousands of people, and we have up to 5,000 
people in our building when we're up and running trading. There 
was no way for them to get to the building over land, by the 
surface. We are certainly not going to have NYPD bringing these 
guys in in police cars. It's not going to happen. So we had to 
find an alternative route.
    And while we were all doing this, another of our directors 
was tasked with the fact of working with the New York 
Waterways. New York Waterways did dedicate then, because we 
didn't really want to use the police boats. The police were 
great about ferrying us, but we also knew there were a lot of 
other people that needed this as well. So we met, got the ferry 
boat and we got authority then from the officials to basically 
use that to finalize it for Monday. We basically had a series 
of ferrys that we leased, that we rented. And we put together 
about 14 sites where our people could gather on the dock, load 
onto the ferry, and they would be transported to our facility 
on Monday morning. That's one of the reasons why we had an 11 
o'clock opening, because logistically it's a very very tough 
task. We were doing all of this.
    Of course, at the same time, we had to get our building 
cleaned, according to--and fit for EPA inspection. Obviously 
the asbestos--you saw the dust. You saw the horrendous 
materials there. And I must tell you, my own experience down 
there, if hell has a smell, that was it. The most horrendous, 
acrid smell of burning and death and everything else on top of 
everything else that you have to do. We were struggling with 
that. The authorities were working very hard with us, because 
we had to have fire inspection, we had to have the building 
cleaned. We had to have structural engineers, OK it. And we had 
to work with Con Edison as well because we were off.
    The electrical grid was down there, basically, and it was 
not such that they could flip a couple of switches and put us 
back on the system. The problem there was that the broader base 
to turn us on, to put us onto the grid, means that they would 
have a whole chunk of Tribeca, and it would be a tremendous 
drain on their resources given the fact that on the other side 
of the island the New York Stock Exchange was working just as 
hard as we were to get up and running and they were in just as 
much need.
    So we tried to work with Con Ed, and we needed back-ups to 
our back-up, because we were really now at the situation where 
our back-up generators were our sole source of power. So all of 
that going into play, we needed to have a certificate--in 
essence, a certificate of occupancy, a letter from the OEM 
Authorities, the city authorities, that our building was OK to 
occupy.
    We were going ahead with our plans. I finally got that 
letter at 4 o'clock Sunday afternoon. At that time then we 
really began to formalize the final plans for our opening. We 
locked in the ferries. We had already been on the Web site and 
we had an 800 number to call in our Web site, which really was 
the critical point of contact, the 800 number. And we----
    Mr. Horn. Hopefully, we are going to have staff sit down 
with you and other people that have had similar situations 
and--because we just can't do all of the things this morning. 
But I think we want to get them.
    First of all, I am fascinated by the telephone situation 
where you couldn't get communications in the one direction but 
you could get it in the other.
    Mr. Seetin. Yes. And cell phones were another issue. 
Because there were certain relay stations taken out, there was 
a period when cell phone communication was very, very 
difficult. In a crisis like this, that is a very, very 
important thing, as you know.
    It seems like when have you a crisis like this everything 
happens at once.
    After an exhausting week, Saturday night we were feeling 
pretty good about it. I was up in my hotel room finally after 
about 2 hours of sleep for the last 4 days. At 11:30, the phone 
rang as I came out of the shower; and our chairman was yelling 
at me to get down there because, of all things, one of our 
back-up generators had sprung a leak in the fuel-line and 
diesel fuel was spewing on the 16th floor of our building, the 
same building that we were trying to recover from.
    So I called Inspector Pat Bradley. Now this is the guy who 
is in charge of all of the police in lower Manhattan, another 
guy who has had less sleep than any of us. He darn near had an 
accident while I was talking to him, but within 20 minutes he 
had a police car to our building.
    Our chairman went down with two technicians to begin the 
rehab process; at the same time called the White House, who 
relayed to Con Edison the essential need to get back-up 
generators.
    Before dawn we had one back-up generator onsite. And these 
are not the little kind that you have in the back of your car. 
These are huge. They are semi-size units. And the Con Ed people 
had to basically--it is not a plug-and-play system, either. 
They had to cut the system apart and actually weld the 
interface in, and they did that.
    By the end of the day, we had another back-up system; and 
Con Ed has been tremendous with that.
    The difficulty is, of course, the refueling. Because we 
went from our system where our back-up generators were refueled 
every 4 days to 12-hour increments.
    Anyway, to cut to the chase, basically we are up and 
running. We have back-ups to our back-ups. By next Monday we 
will have a fully redundant back-up of our computerized trade 
system, and it will be some distance away. It will not be 
located in the New York City area, and we will be able to 
basically flip a switch for a seamless move-in there. God 
forbid the power loss is that large. If the power loss is as 
large as takes that out, then we are all in trouble.
    So I think I am going to try to summarize. I know that 
there are many people here that have things to say.
    The critical thing we learned, first of all, is that 
communication is tantamount. The first thing you need in your 
crisis plan are the names, numbers, and ability to get together 
in the same site, because you all have to be there. You all 
have to be there to implement, because things are chaotic. 
There is no order to the system. I mean, we were up and running 
on Friday, and it sounds like a miracle. But it is a little bit 
like the old saying about laws and sausages. Those interested 
in laws and sausage should not witness the making of either. We 
got the sausage of our electronic trading system on Friday, but 
it wasn't a clean operation.
    But we were there. We all had to work together. And the 
Federal and State authorities, the police, the firemen--I can't 
say enough. We needed it, and they were there.
    And I see Mrs. Maloney there, too.
    Mr. Horn. Yes. She is going to ask you a question, and then 
we will go to Mr. Miller because she has to leave.
    Mr. Seetin. I just want to close and say one thing that she 
did that was so critical. On Monday morning, after all of this, 
we are about to open at 11, and I bothered Carolyn's poor 
husband--poor guy was in bed. She was out working already. And 
Carolyn called me back and said, you know, do you guys have--
are you all set with grief counselors? And I said, well, you 
know, I could use one myself. But, you know, I really wasn't 
aware of that. And I said, well, you know, I will have to talk 
to you about that later.
    As soon as I got to the building--I got into the building 
at about 5:30 on Monday morning. Our H.R. person comes to me 
and says, we can't get any grief counselors. There is nobody 
available. I called Carolyn. In 2 hours we had four grief 
counselors onsite. And, you know, that is the type of 
cooperation that we got, for which we will be eternally 
grateful.
    [The prepared statement of Mr. Seetin follows:]
    [GRAPHIC] [TIFF OMITTED] T0481.124
    
    [GRAPHIC] [TIFF OMITTED] T0481.125
    
    [GRAPHIC] [TIFF OMITTED] T0481.126
    
    [GRAPHIC] [TIFF OMITTED] T0481.127
    
    Mr. Horn. Well, she always gets things done right, early 
and often.
    Mrs. Maloney. Thank you, Mr. Chairman; and, as a point of 
personal privilege, I welcome all of the panelists today, but 
particularly Mark Seetin. He is a constituent and a friend as 
vice president of government affairs for the New York 
Mercantile Exchange. We have worked together closely over the 
years.
    We are all very proud of the Exchange. It is an important 
exchange to our city, to our country. I was personally there, 
Mr. Chairman, at the miracle, at the reopening of the New York 
Mercantile Exchange along with the Governor, the mayor and many 
other New Yorkers; and I believe that the reopening of the 
Exchange was symbolic of the efforts up and down Wall Street 
and throughout our city and our country.
    At the NYMEX, the staff and senior executives worked around 
the clock to reopen. They overcame terrible logistical 
problems, interruptions in power supplies, and the grieving 
that is natural when so many of our industry colleagues 
perished in the World Trade Center. The Exchange lost 18 of 
their employees and many, many probably hundreds, thousands of 
their friends in this horrible accident.
    It was impossible to get at the Exchange over the land. It 
was roped off. The recovery was taking place. The fire, the 
police were all there. And the Exchange literally, probably to 
this day, brought in their employees by boat.
    Are you still using the boats to bring them in?
    Mr. Seetin. Yes, we still have to use the boats.
    Mrs. Maloney. I think that shows the tremendous spirit of 
American free enterprise, of overcoming many, many obstacles to 
get open, to get back to work. And even with their great grief 
and their great loss, opening up the Exchange, going back. I 
still don't understand how they do it, all of that screaming 
and yelling, but you are out there making these exchanges, 
making these trades and really investing in the American 
economy.
    I just want to say briefly, very briefly, in this crime 
against humanity, I am so shaken I can hardly believe it. I 
think all of us are, who have been to ground zero, who have 
seen it, who have met the families, who know the tremendous 
personal loss in so, so many areas.
    But to see the spirit come back. The terrorists wanted our 
markets to fail. Our markets succeeded. And they wanted our 
planes down. Our planes are flying. It is a symbol of our 
American spirit. And it is really a way that we can be 
patriots, to invest in the market. It is something that we can 
control as individuals, our own faith in our own economy.
    Mr. Seetin and his whole team at the New York Mercantile 
Exchange are part of that success story that we are doing right 
now, building back America even more strong and determined.
    Believe me, I have never seen Congress so determined in my 
entire life or so united; and we will be there on Monday, 
touring--many members are coming on Monday to tour ground zero, 
and we will see if we can stop by and meet with you and your 
many devoted employees who are working as we speak to keep our 
economy strong.
    Thank you for your testimony, all of your hard work; and my 
condolences on the great loss of many of your friends and 
colleagues.
    Mr. Seetin. Thank you very much, Congresswoman. We very 
much appreciate your help and all of the members of the New 
York delegation who were so helpful to us.
    Mrs. Maloney. Just so you understand, Mr. Seetin and 
others, we are in a hearing on the insurance industry in 
Financial Services. It is the first one on how they are paying 
the claims, reacting to the crisis of the individuals; and I 
need to get back to that. But I thank you for your testimony, 
all of you.
    Mr. Seetin. I should be there, too.
    Mr. Horn. Well, we thank Mrs. Maloney, the ranking member 
here over the years. She is very eloquent, and she speaks for 
the Congress.
    Mrs. Maloney. Thank you, Mr. Horn. I have enjoyed working 
with you so many times. I regret that you have made a decision 
to retire after this term. I think it is a great loss to 
Congress, to the constituents you represent. I hope you will 
reconsider.
    Mr. Horn. Well, we will be busy, Carolyn, for the rest of 
this year and all of next year. I really appreciate it.
    Some of the things you have said, as I say, I want the 
staff to go up to New York and talk to some of the similar 
types of situations. Because that does worry me on that 
telephone situation, and we have got to figure out a way to do 
it.
    A number of us sent a letter to Chairman Powell of the FCC, 
and we have asked, on a 911 situation, where you can have an 
extended system in some way or an isolated--has various ways to 
do it, either on an underground or overground--because--we need 
to have these options coming up in the satellite or whatever.
    Mr. Seetin. Those are very important.
    One other thing--and I must say it is very important and 
was mentioned here--about the scope of the attack and whether 
computer systems are being scanned. I must say that we had that 
experience as we were beta-testing to get up and running. I 
think that anybody who is in this business, in information, 
technology needs to be aware that there are lots of bad people 
out there, and whether or not they are coordinated really 
doesn't matter. Because things like that are going on. We 
experienced it as we were trying to recover.
    Mr. Horn. Well, thank you very much.
    We now go to the last presenter.
    Harris Miller is president of the Information Technology 
Association of America. He has been a long-time witness with 
this subcommittee, and we are very grateful to him. He has a 
professional, wonderful group; and he can reach out throughout 
America to give us witnesses and everything else. So, Mr. 
Miller, thanks for all you have done. We now get to you.

 STATEMENT OF HARRIS MILLER, PRESIDENT, INFORMATION TECHNOLOGY 
                     ASSOCIATION OF AMERICA

    Mr. Miller. Well, thank you, Chairman Horn.
    I fear what I have to say following Mr. Seetin's very 
dramatic form of testifying may seem somewhat banal, but I 
still will proceed; and I also want to echo Congresswoman 
Maloney's comments about our regrets about your decision to 
leave Congress at the end of your term. You have been a great 
friend to the IT community and a great overseer on issues like 
Y2K and information security. But, knowing you as I do, I know 
you will work right up through January 3, 2003, to the end of 
your term on all of these issues. So I am sure we will be 
seeing a lot more of each other.
    In terms of the issues today, I would like to focus on the 
importance of IT generally to what happened on September 11th 
and subsequent events. I would like to offer insights regarding 
both disaster recovery and critical infrastructure protection.
    The United States has made a huge investment in information 
technology in dollars, intellectual capital and in public 
confidence. Even before the fearful dust cloud settled over 
lower Manhattan, the Pentagon, and the field in southwestern 
Pennsylvania, our national investment began to payoff.
    That is my main message to you this morning. Allow me to 
reiterate it. The Nation's IT investment paidoff.
    In the midst of disaster, the IT industry, a complex web of 
people, technology, products and services, responded 
brilliantly. The IT industry and the customers it supports 
absorbed the blow and came back strong. Voice data and video 
communications have been critically important in helping us to 
understand the scope of the disaster, directing relief efforts 
and locating missing people.
    The Internet provided literally millions of people with an 
alternative route around clogged or destroyed New York 
circuits, providing a frantic public with critical services for 
finding loved ones, services like e-mail, instant messaging, 
and voice-over-the-Internet phone calls.
    According to a public opinion poll conducted by Harris 
Interactive just after the World Trade Center bombing, 64 
percent of people on-line used the Internet as a source of 
information.
    As a political scientist, Mr. Chairman, you understand how 
important communications are to maintaining the fabric of 
society; and clearly the Internet helped to strengthen the 
fabric of the American community during some of the most 
critical hours in our Nation's history.
    While the recovery operations at ground zero and the 
Pentagon made us all proud, a less visible but very important 
series of activities has taken place to sustain the operational 
integrity of businesses damaged in the attacks. Many well-
managed companies built themselves up a safety net by 
contacting disaster recovery firms for data back-up and remote 
operations support.
    In fact, business continuity planning may be the bright 
line between companies that emerge from disasters with a future 
and those that do that. A business continuity plan identifies 
the mission-critical processes and applications of the company 
as well as its interdependencies, both inside and outside of 
the enterprise, necessary to support such functions.
    As you know quite well, Mr. Chairman, from your work under 
Y2K, much of the contingency planning that prepared 
organizations to face Y2K apparently helped them to survive 
this latest disaster.
    The IT industry has also demonstrated its heart in the 
aftermath of these horrendous attacks. For instance, several 
leading companies responded to the attacks by creating 
www.libertyunites.com, a Web site committed to providing 
convenient access to philanthropic organizations helping 
America recover from this tragedy.
    Libertyunite.com, which President Bush mentioned in his 
eloquent address to the Nation last week, has collected well 
over $80 million in public contributions to date to help the 
victims and to help in the recovery process. This is just one 
example of the creativity and generosity of IT companies and 
the utility of the Internet in aggregating support and building 
community, an example of the on-line community at its best.
    But, going forward, we dare not let down our guard to 
terrorism ever again. So what do we do?
    Well, homeland defense is a phrase which we are just 
beginning to understand. Many people are unsure about what it 
means and how they can participate. To focus just on the 
cyberaspects, I would like to suggest an immediate action. We 
need to safeguard U.S. computer assets by adopting much more 
widely sound information security practices.
    We have heard from Mr. Willemssen the shortcomings that 
continue to exist in the government systems. And, 
unfortunately, we know the private sector also has its own 
shortcomings. Practicing information security as part of 
homeland defense will pay massive dividends in the future.
    In my written statement I have identified a series of 
information security steps for home users, small businesses and 
larger firms.
    I would also like to talk for a minute about a silver 
lining part of the Nimda worm that you heard about earlier from 
the other witnesses. While we are far from a perfect system, I 
would like to report to the subcommittee that both under the 
Code Red and under the Nimda there was a massive coming 
together of government, not-for-profit organizations and for-
profit companies to try to deal with the attack.
    I particularly want to pay tribute to National Security 
Council official Marjorie Gilbert, who pulled together massive 
numbers of people on interminable, it seems, conference calls 
last week involving all of the organizations of the government, 
the NIPC, Defense Department, the Central Intelligence Agency, 
the Energy Department, organizations like Mr. Pethia's 
organization, CERT, many of the leading anti-virus companies, 
many of my member companies, other industries, the IT, ISAC--
the financial services ISAC, and a massive undertaking to 
understand and deal with it.
    Was it a perfect system? No. But, for the first time, I 
think we are finally seeing what true government private sector 
cooperation means. We learned some lessons last week, and Ms. 
Gilbert and the other people working on that are now coming up 
with better systems to be able to respond even more effectively 
under the next attacks. Because Mr. Vatis is certainly correct. 
We have not seen the last of these attacks, and being able to 
prepare is right.
    But I think, Mr. Chairman, you should be proud that we are 
moving forward. I would be glad to brief your staff at some 
point on my impressions of how we saw some major progress the 
last few weeks, and I think we are going to see even more 
progress going forward.
    Let me talk about a couple of things that I hope will not 
happen in response to the attacks we have seen. There has been 
some discussion about rolling back the policy on encryption. I 
think that would be a mistake, and I hope that we will not do 
it.
    I also believe we must move ahead quickly with the efforts 
that are already under way to better coordinate within the 
government. As you know, Mr. Chairman, under the leadership of 
Dr. Rice, the National Security Council has been developing a 
revised Executive order to better coordinate cybersecurity 
within the government. The exact status of that is unclear with 
the announcement of Governor Ridge's appointment. But, whatever 
happens, we need to move forward with that coordination in a 
very rapid fashion.
    We also must stay the course on our technology agenda. For 
example, we need to continue to focus on the issue of 
broadband. Telecommunications and broadband service were very 
important during the actual response to this crisis. They will 
become even more important moving forward.
    Finally, Mr. Chairman, I want to object in the strongest 
possible terms to some allegations made in a Washington Post 
op-ed piece by John Podesta, the former Clinton White House 
chief of staff, last week where he said that the IT community 
does not understand the importance of societal safety and 
security. As one who worked personally with President Clinton 
and Attorney General Reno and others under the Clinton 
administration, I know that is not true. The IT community 
focuses very clearly on safety and security.
    I worked very closely with Mr. Vatis, for example, when he 
headed the NIPC.
    If anything, the relationship between the IT community and 
the government has even strengthened during this crisis that we 
face, first with the Code Red virus and, of course, the 
horrible physical attacks that occurred on the World Trade 
Center and the Pentagon and southwestern Pennsylvania.
    So I say that close collaboration is under way. We are 
doing it much more every day. The IT community stands ready to 
work closely with our law enforcement community, our national 
security community to not only try to head off any kind of 
cyber attacks, to help deal with physical threats, but also, 
when these attacks occur, to make sure that the perpetrators 
are tracked down.
    On September 11th, we all learned an important lesson about 
the capacity of terrorists to practice evil. In the aftermath 
we learned an important lesson about this Nation's incredible 
ability to pull together in the face of adversity. For those 
listening closely enough during this truly terrible time, 
another lesson still, the IT industry works.
    Thank you very much, Mr. Chairman.
    Mr. Horn. Thank you for that very fine overlook.
    [The prepared statement of Mr. Miller follows:]
    [GRAPHIC] [TIFF OMITTED] T0481.128
    
    [GRAPHIC] [TIFF OMITTED] T0481.129
    
    [GRAPHIC] [TIFF OMITTED] T0481.130
    
    [GRAPHIC] [TIFF OMITTED] T0481.131
    
    [GRAPHIC] [TIFF OMITTED] T0481.132
    
    [GRAPHIC] [TIFF OMITTED] T0481.133
    
    [GRAPHIC] [TIFF OMITTED] T0481.134
    
    [GRAPHIC] [TIFF OMITTED] T0481.135
    
    [GRAPHIC] [TIFF OMITTED] T0481.136
    
    Mr. Horn. I wanted to start in on just a couple of items, 
and then we will get to a dialog.
    Mr. Willemssen, being the very thorough type that he is, he 
has a long series here of some of these groups that have acted; 
and I just want to clarify one thing.
    On page 4 you say, the Russian Hacker Association offered 
over the Internet an e-mail bombing system that would destroy a 
person's Web enemy for a fee, and that the source is the United 
Kingdom Ministry of Defense Joint Security Coordination Center. 
I just wonder is there any relation to the Russian Government, 
or is this just some group of people with Halloween night or 
something?
    Mr. Willemssen. I believe it is the latter, Mr. Chairman.
    But to be precise on the answer to that question, I would 
prefer to answer it for the record. If I could followup on that 
and get you the specific answer, I will do that.
    Mr. Horn. Good. I appreciate that. At this point in the 
record, without objection.
    [The information referred to follows:]
    [GRAPHIC] [TIFF OMITTED] T0481.137
    
    Mr. Willemssen. Also, Mr. Chairman, in following up on 
that, I believe there was an NIPC report on that particular 
incident that we will be able to identify and get back to you 
on.
    Mr. Horn. Yes. Because that is serious business. If it is 
with the Russian Government, we need to confront them on that 
in a quiet way and get this--see what they are doing on it.
    I want to next go to Presidential Directive 63. What I am 
interested in is, when that was developed, was GAO asked on it? 
Was the CERT group asked to take a look at that? And did the 
FBI have an opportunity to look at that and--as a matter of 
just getting the best you can in a Presidential directive.
    So how did that work? Did anybody get with the White House, 
say, hey, you guys know a lot of this, what do you think?
    Mr. Dick. From my standpoint, PDD63 was already in 
existence before I became a part of the Center. However, my 
esteemed colleague here, Mr. Vatis, who I worked for for a 
period of time, I think was part of the commission that was in 
the development of that. So I am going to defer to him.
    Mr. Horn. Mr. Vatis.
    Mr. Vatis. The history of PDD63 was that it stemmed from a 
Presidential commission composed of both government 
representatives as well as representatives from the private 
sector who issued a report in 1997, I believe, looking at the 
vulnerabilities of the Nation's critical infrastructures to 
both physical and cyber attacks. PDD63 then was pulled together 
by an interagency working group led by the National Security 
Council.
    So there were representatives from the Department of 
Justice, from the FBI, from the Department of Defense, all of 
the intelligence community, as well as all of the other 
civilian Federal agencies involved.
    There was not a great deal of private sector involvement in 
the development of that Presidential directive. There was 
private sector development, though, in the followup development 
of a national plan for information system protection.
    Mr. Horn. Well, as you look at it now, going back about 5 
years or so, does that need expansion, and were things not put 
in there that should have been put in there?
    Mr. Vatis. Mr. Chairman, my personal view on the PDD was 
that it actually did set forth a good structure--not the be-all 
and end-all structure, but certainly an excellent start. My 
principal problem with the PDD, though, was the lack of 
enforcement of its terms about various agencies' 
responsibilities and the lack of resources to support the 
various responsibilities that were created.
    The NIPC is a perfect example of an entity that was given 
massive responsibilities and only a drop in the bucket of the 
resources that were required to do the job. I can say that more 
freely now that I am no longer in the government. But I don't 
suspect anybody would disagree with me.
    And that is only an example. Many agencies that were given 
responsibilities under that directive considered those 
responsibilities to be basically unfunded mandates, because 
they were not given new resources to perform those new 
responsibilities. And that is a continuing problem. You can 
have the greatest plan in the world, but if the resources 
aren't allocated to perform the responsibilities under that 
plan, nothing much will get done.
    Mr. Horn. To whom should that budget allocation go?
    Mr. Vatis. Do you mean, sir, who is responsible for making 
these allocations?
    Mr. Horn. Right. You are saying it is a mandate, and 
usually over the years we have worried about that. If, say, it 
is a mandate to the State or a mandate to the cities or 
whatever, through HUD--so where do you think we are missing 
the----
    Mr. Vatis. I think it has to start with the executive 
branch, and the President's budget submission each year I think 
needs to have resources allocated to meet all of the directives 
that have been given to the various government agencies. Then 
Congress can, in turn, examine those proposals and respond 
accordingly with appropriations. But it must start, I believe, 
with the President's budget submission.
    Mr. Pethia. The CERT coordination center also worked 
closely with the Presidential commission prior to PDD63 and 
also afterwards with the implementation plan.
    The other thing I would like to mention is that in the 
original work of the commission and hinted at in the PDD63 was 
the call for increased research in the area of information 
assurance.
    The problem that we are struggling with today are real 
struggles. I personally think we are getting farther behind 
than we are ahead. But I think that we are going to have even 
bigger problems in the future.
    So as we put immediate near-term solutions in place, we 
also have to look down the road 8 to 10 years to begin to think 
about the kinds of threats that we will see then, and the 
research community and the technology community is going to 
struggle to meet these needs without an expanded research 
agenda.
    Mr. Horn. Well, is that because, Mr. Vatis, I believe, said 
on the software, and others have said the same thing, if you 
are thinking 10, 15 years out when you have got--almost every 
day something new comes in Silicon Valley, all over the 
country, and how do we deal with that then? Do we have a 
constant team that looks at this and says, hey, this can also 
be mischief. So how would you go about it?
    Mr. Pethia. Today an awful lot of what we do with 
recognizing attacks and dealing with them are done by people, 
people who are watching the systems. I believe we can work 
toward new generations of technology that are much more aware 
of what is going on, whether or not they are being attacked; 
and we need the engineering framework that will support the 
construction of these kinds of systems.
    Today, information assurance is very much an ad hoc art, 
and we need to turn it into an engineering discipline like 
civil engineering. So that is area that I propose where we can 
build the basic frameworks and mechanisms and methods that will 
allow us to build systems that will adapt over time to meet the 
new threats.
    Mr. Dick. A couple of quick comments.
    The main mission of the Center or the impact of the Center 
is to reduce threats to our critical infrastructures. The goal 
is to detect and deter and prevent those attacks before they 
occur.
    One of the things that was highlighted, and rightly so, in 
the GAO report was our need to improve our strategic analysis. 
And one of the things that we are doing through Mr. Vatis and 
Dartmouth is a project to kind of look over the horizon and 
what the technologies will be in the future, to identify those 
kind of vulnerabilities associated with that so that we can 
better prepare the critical infrastructures from a technology 
standpoint as to what those vulnerabilities are and what the 
appropriate response mechanism should be.
    So it's a multi-faceted approach, insofar as information 
assurance is concerned, from the ability to detect, assist, and 
warn of those vulnerabilities. It is a huge effort that is 
going to be built upon a partnership between the private 
sector, academia and the government; and I think we are 
building that trust up, which 3, 4, years ago was in its 
infancy, but I think it is growing. And Harris is right. We 
have come a long way from where we were in the ability to 
communicate with each other.
    Mr. Miller. I would just like to add that--the sort of the 
third leg of the stool, to confirm what Mr. Pethia was saying 
about the need for more research money. The fact of the matter 
is, Mr. Chairman, that in most corporations which do spend tons 
of money on research--but, really, it is mostly short-term 
development and short-term. What we really need is a long-
term--frankly, it is going to have to be a government-funded 
research agenda.
    Following the distributed denial of service attacks in 
February 2000, the Clinton administration proposed a $50 
million supplemental appropriation to create a new research and 
development center. Because it was an election year and all 
kinds of other reasons, that proposal never got very far, 
though. I do believe that Mr. Vatis' center has gotten a small 
amount of funding for kind of a micro version of this.
    But I know the IT community feels very strongly and 
certainly echos what Mr. Dick said and Mr. Pethia has said, 
that there needs to be government-funded research focused on 
long-term information security challenges. And also the 
subsidiary benefit of that, as you and I have discussed before, 
Mr. Chairman, that also helps another problem which Mr. Pethia 
outlined, which is it provides more funding for graduate 
student assistance and research, which gets more computer 
scientists trained as information security specialists, which 
is another challenge that we have.
    So I think that this R&D topic is very, very important 
going forward. It doesn't help us today or tomorrow, but in the 
long-term it helps to protect our IT infrastructure.
    Mr. Horn. Well, we certainly have a number of people here 
that are already working on that, Mr. Dick and the FBI. Are you 
thinking of a section in NIPCs which I think there is a section 
on the patent operation and so forth in the Department of 
Commerce. What role would you see for them?
    Mr. Miller. We think that NIPCs plays an important role.
    Following the proposal, Mr. Chairman, made by the Clinton 
administration, there were a series of meetings chaired by then 
director of the Office of Science and Technology Policy, Dr. 
Lane, and Dick Clark, from the National Security Council, where 
you brought industry and government and academia together to 
discuss the best structure of this.
    And, no, no final conclusion came out of it. There was a 
sense that it should not be totally centered within NIST, that 
would be a mistake. Now, NIST needs to be a part of this. But 
you need to have a role so that industry and academia also have 
leadership. Because if it simply becomes another government 
grant program where government officials sit there and respond 
one on one to specific research requests coming from the 
universities or other not-for-profit organizations, it won't 
really meet its mission.
    We felt from the industry standpoint that, for example, a 
structure that we could have a director of this operation from 
NIST, but the deputy director would come from industry, for 
example. So you would have a tremendous amount of industry 
input to make sure that the government-funded dollars didn't go 
to duplicative research that was already done being done by the 
corporate sector.
    The challenge, Mr. Chairman, is--as you can appreciate is 
industry wants to make sure that research being done with these 
government taxpayer dollars is simply not duplicating what has 
already been done in the labs of IBM or Microsoft or Network 
Associates or all these companies that specialize in these 
areas.
    That is the challenge that we face. But we do believe that 
it can be overcome, and we believe that we can resurrect the 
conversations that took place in 2000 and move quickly if 
Congress decides to fund such a larger center at a larger scale 
which we believe is necessary.
    Mr. Horn. Certainly Mr. Pethia's group, the Software 
Engineering Institute at Carnegie Mellon, they certainly have a 
long track record on this; and we certainly depended on them. I 
think that is where the thought came about the software.
    Would you like to elaborate on that, how we can build into 
the software so that some of these worms and all of the rest 
can't get in there? And why isn't Silicon Valley doing some of 
that? Because they would make billions of dollars if they could 
be assured that a complex hardware and all--so I just wonder 
what you see on the horizon right now?
    Mr. Pethia. A couple of points I would like to make.
    One of them is, the roots of much of the technology that we 
have today didn't come from the Internet, per se. The Internet 
infrastructure itself was originally a Dartmouth-funded 
research project. It was installed as a demonstration of how to 
build large-scale, robust and reliable networks that would 
withstand attacks, and I think the Internet infrastructure has 
done that.
    Over time, we began to use it for different purposes for 
which it wasn't designed. At the same time, one of the major 
early operating systems on the Internet was the UNIX operating 
system, which again came from a university research 
environment. It was developed primarily to allow software 
practitioners ease of development of software, not necessarily 
ease of use or secure use.
    Much of what we have on our desktop computers today really 
came from the personal computer world of years ago where 
personal computers were intended to be just that, personal, not 
connected to anything else and therefore not subject to attack 
from the outside. What we have done is we have taken these 
older technologies and we have networked them together into 
something that now doesn't have the security characteristics 
that we need.
    But since we have this huge installed base we now have all 
of this legacy software that we have to deal with, so we can't 
change it quickly. However, we do know from our software 
engineering work that there are techniques that can build 
systems that are much more robust, much more secure, and have 
many fewer errors than what we typically see today. And there I 
think it is a matter of recognizing that we won't get there 
quickly. We have got to give industry time to make the 
transition from one to another but also help the industry 
understand that there is a common belief in industry that many 
of these techniques require extra cost, slow downtime to market 
and hamper features. That is not the case. We have plenty of 
data now to demonstrate that.
    But it is a learning curve for industry to recognize that 
they can't put new practices and processes in place without 
having the negative side effects that they necessarily might 
think that they would have.
    There will be an initial upfront cost as organizations go 
through this learning curve and change the way that they 
engineer their systems. There will be for the short-term--very 
short-term--a slowdown in productivity and a lengthening of 
development process. But as they become more proficient using 
these new techniques, in fact, they get benefits in terms of 
being able to produce software more cost effectively and 
actually improve their delivery schedules.
    Mr. Horn. Under the current legislation, the Office of 
Management and Budget is really responsible for overseeing 
computer security in the Federal Government. They have put 
various types of surveys out. We haven't seen them yet. But I 
think we have found in this hearing that there is a lot of--
numerous deficiencies that government computer networks ought 
to be working on.
    I think in the last week or so, where we have the Office of 
Homeland Security headed by Governor Ridge of Pennsylvania--and 
I certainly remember when we were on the Y2K bit that Governor 
Ridge was the Governor in the country that was doing the most 
on Y2K within the Commonwealth of Pennsylvania. What do you 
think about having the Office of Homeland Security have this 
responsibility within the executive branch? And if not that--
because the problem with OMB, they have got too much to do, and 
this isn't going to be done unless somebody has it done.
    This certainly relates to Governor Ridge, for whom I have a 
high respect. And I think if you were in the Chamber, as were 
all Members of Congress, when the President made that 
announcement, it was absolute thunder in the 400 or so of us 
that were there that night.
    If not, what other things do you see that we ought to have 
that will pull these things together and not have to have a 
congressional committee sort of goad it, which is what we did 
from 1996 to 2000 as most of you know, and eventually the 
President did something about it. But, we need that on a 
constant, steady, sensible basis.
    Mr. Miller. Mr. Chairman, I continue to advocate very 
strongly the creation of a position of information security 
czar within the government. You and I have discussed this at 
previous hearings at which you have allowed me to testify. 
Whether Governor Ridge wants to take on the responsibility 
obviously is his decision. But I agree with you there are some 
excellent people at OMB. But they simply have too many other 
things on their plate right now.
    I think that having one person in charge who plays the same 
role as Mr. Koskinen played so brilliantly during Y2K, not with 
a big budget, not have a big staff, but having the ear of the 
President and the Vice President, therefore being able to be a 
very persuasive person for government officials is absolutely 
essential if we are going to make the progress.
    That along with the other issue that Mr. Vatis addressed, 
which is a sufficient budget resource for the agencies and 
departments, again, not to buildup a big bureaucracy for this 
czar but to make sure that the individual CIOs and other people 
have a budget.
    Without those two elements, Mr. Willemssen is going to be 
back here giving you the same report year after year after 
year.
    Mr. Horn. Well, it is always a pleasure.
    Speaking of that, you are going to check that Russian 
hacker thing.
    Mr. Willemssen. Yes, sir.
    Mr. Horn. Mr. Dick, will you check that, too?
    OK, I have wound that up now. So we are going to get back 
to a few things just for the record.
    Now why haven't some Federal agencies even succeeded in 
identifying their most critical systems--under that 
Presidential Directive 63--which required that they do it by 
December 2000, and they haven't really done it.
    So do you have any feelings on that, Mr. Willemssen?
    Mr. Willemssen. Well, I think it is instructive to go back 
to an issue that you raised previously and also Mr. Miller 
raised, and that is going back to Y2K. We know that when 
agencies started in earnest on that particular effort they also 
did not have a good handle on their computing infrastructure, 
that over time they did gain a much better understanding of 
what they had and how it contributed to their various lines of 
business.
    One of the issues that you and I have chatted about shortly 
after Y2K was over was the concern that the momentum would be 
lost that had been started by this--much better management of 
IT in Federal agencies overall, better understanding of what 
they had and how it contributed to their missions.
    That is what will be very useful to see the upcoming agency 
reports that will be submitted on information security, to see 
if indeed that momentum was lost and some agencies are now 
having to go back and do reassessments that they already had in 
place but they didn't continually update.
    So there is a potential for almost a reinventing the wheel 
syndrome, which, if that is the case, that would be very 
unfortunate that we lost that sense of urgency and didn't 
continue down that path of improved IT management.
    Mr. Horn. Well, in the next few months we will know whether 
we are getting the kind of information we need to go through 
this or not. Maybe they are just playing the same games that 
the previous administration did, but I would like to think that 
they have a chance to just say, hey, it wasn't our situation. 
But, here, we just got everybody moving on this, and I haven't 
seen that at this point.
    Mr. Pethia, as a person with extensive knowledge of Federal 
operations, what actions do you think are the most important to 
improve the computer security at Federal agencies?
    Mr. Pethia. I think what you mentioned earlier--the need 
for the agencies to identify their critical assets, their 
critical information assets, and then to put in place within 
each agency----
    Mr. Horn. Is that really an inventory idea?
    Mr. Pethia. It is an inventory idea, but it is not a simple 
inventory. We have had a lot of experience in helping agencies, 
also helping organizations in the private sector do exactly 
this. And what we discover in both cases is that, very often, 
since information infrastructures and functions sort of buildup 
over time, if you look inside any organization there is no 
focal point anymore, no one any longer remembers what all of 
these pieces are and how they interconnect.
    So there is an analysis process that you have to go through 
to understand, first of all, the mission of the organization, 
the critical functions it provides, and then map that onto the 
information infrastructure.
    So it is not just looking at the hardware, it is looking at 
the functions of the organization. I think that is the start, 
to identify where the critical needs are and, based on that, to 
be able to form a protection strategy that focuses on meeting 
those critical assets.
    What we saw too often is people trying to let me say peanut 
butter information security technology across their entire 
infrastructure. By doing that, they very often miss the 
critical components and also end up in some cases spending much 
more money than they need to because they are protecting things 
that are, in fact, not that critical.
    Mr. Dick. Mr. Chairman, there is one thing that I would 
like to comment on. It was mentioned by Harris and Mr. 
Willemssen both. One of the things that we can do now--it is 
going to take time for research and development to modify the 
software and tools that are out there now. But something that 
we can do now that both of them mentioned was putting in place 
policies and procedures that actually implement a practice of 
information security.
    Many of the--we work very closely within the NIPC with CERT 
and SANDS and ITAA and the private sector to identify the, if 
you will, the top 10 common vulnerabilities that are out there 
and for which there are patches for to repair the systems. What 
we have determined is that a high number of the intrusions and 
problems that we have experienced could have been eliminated if 
systems administrators in the industry had just downloaded the 
patch and repaired their systems. I mean, probably 80 percent 
of the issues that I see in the NIPC wouldn't be issues because 
the vulnerability wouldn't continue to exist.
    For example, I think one of the reasons that the Nimda 
issue was minimized as quickly as it was is that we had gone 
through Code Red, we went to a high visibility on explaining 
what the vulnerability was, because in both of those issues the 
patch was available prior to the spread of the worm. It was 
just a matter of systems administrators didn't repair these 
systems.
    But it is even more of a problem today, because not only do 
you have to, with the advent of Internet connections and DSL 
connections, we have to get--reach the home user to implement 
these kind of patches, too.
    But I think if we could develop and teach people good 
information security, good information assurance practices we 
could see some substantial results.
    Mr. Horn. Let me ask all of you, how vulnerable is the 
Internet itself to terrorist attacks and what would it take to 
bring it down and what would it take to not bring it down?
    Mr. Vatis. If I could address that just briefly.
    The analysis that we did over this past weekend of the 
possibility of attacks by terrorists, their sympathizers, state 
sponsors of terrorism or others shows that the possibility is 
there to take down significant portions of the Internet and the 
critical infrastructures that rely on the Internet.
    Many of the vulnerabilities are ones that have been there 
for a long time. But things like routers and domain name 
servers and the like, which are critical to the functioning of 
the Internet and the communications across it, are vulnerable 
attacks that can have wide-scale consequences.
    The problem is, as Mr. Dick alluded to, that a lot of these 
problems are well known, yet they are not being addressed 
because of a lack of resources or lack of prioritization from 
the top. We can have system administrators in a company, in a 
government agency, who are very well-intentioned, doing the 
best that they can, but if the CEO or if the secretary of an 
agency doesn't really care about security, then the system 
administrator is not going to get the resources and the 
attention that it needs to really implement a program, 
policies, procedures, technology and people to get the job 
done. So all of those things are critical.
    But the bottom line answer to your question is, we are 
extremely vulnerable and will continue to be until these sorts 
of problems are addressed in a systematic way.
    Mr. Pethia. Building on what Mr. Vatis says, I think the 
good piece of the news is that much of the Internet is very 
resilient and very robust and able to recover from attack. But 
there are those few key points like the domain name servers 
that don't have enough redundancy, don't have enough ability to 
quickly recover from attacks that are successful. I think if we 
focused in on those key points we could make a great deal of 
progress in a short period of time.
    Mr. Horn. As I remember, a few years ago, Mr. Willemssen, I 
had asked the General Accounting Office to take a look at the 
aging of both hardware and the software in the executive 
branch. I don't know how much we ever got of that or whether 
OMB took it over. But if you are coming up to a congressional 
group, we ought to have some good facts that we could say this 
is why you should invest in this infrastructure. I know you 
have wonderful studies over there, and I look at all of them, 
and I don't know if that one sort of just went to GSA or 
whoever. But, we need to sort of get a partial analysis maybe 
and/or take a couple of agencies that we really look and see 
what is there and what isn't there.
    Mr. Willemssen. Well, we recently briefed your staff on the 
results of that, the information that we were able to acquire 
from a variety of sources, including OMB.
    Of course, the state of computing and data centers has 
dramatically changed through the 1990's as you are less able to 
get strictly at computing capacity because of the advent of 
connectivity and networking. So it is not always the best 
measure of computer capacity.
    Among the things that we looked at in that particular study 
relating to information security, I think that it is fairly 
instructive and connects to some of the points made by the 
other panelists. The data that agencies are reporting on the 
extent of expenditures on information security varies 
dramatically across the Federal Government. Several agencies 
stated they are spending a good percentage, 15, 20, 25 percent 
of their IT funding on security; other agencies reporting they 
are spending very little.
    That kind of data I think is very useful in understanding, 
at least based on what agencies are reporting, what kind of 
priority they are placing on information security and what that 
means in terms of how they are addressing the risks and threats 
that they face.
    Mr. Horn. Mr. Dick, why it is so difficult to apprehend 
these perpetrators of viruses like Code Reds, its variants and 
Nimda? Will they ever be apprehended?
    Mr. Dick. Yes, and we have had some successes. I mean, in 
the Melissa virus we have been able to determine who did that. 
And the Love Letter virus, we were able to determine who the 
preparator was of that.
    Now obviously there are a whole lot of obstacles associated 
with that. For example, in the Love Letter virus, even though 
we were able to identify who we believe did that, the country 
in which that individual lived or resided didn't have the 
appropriate laws perhaps to deal with that.
    We are working through the State Department and with our 
international partners to try to resolve these issues. As you 
know, in the Philippines they have since taken corrective 
action. So, you know, I don't like to paint the picture that it 
is an insurmountable obstacle to identify and arrest these 
individuals. For example, even on the Leech virus, we have 
identified a subject in--that we have brought to the bar of 
justice in another country. The big obstacle is that, like the 
Internet, it is a very global issue.
    You know, even if we have--as I talked about in Australia, 
a month ago, you know, the United States and Canada and 
Australia could, you know, implement all of the appropriate 
procedures for firewalls and patch our systems. But because of 
the way the Internet works and the interconnectivity of the 
various businesses, if it is not a global solution and a global 
response to it, we are still vulnerable.
    So it makes it very, very difficult but not an 
insurmountable problem. My glass is always half full.
    Mr. Horn. Well, mine, too. Do you think we have enough laws 
to give you guidance within the domain of the United States or 
are we missing something? And, if not, should we be putting it 
in? This is the time of year where you can stick a lot of 
things on an omnibus appropriation. You can also put language 
to help people in other areas. And, if so, let's hear it.
    Mr. Dick. There are a number of legislative issues that we 
are working with the Department of Justice on. You know, some 
of which are issues like, for example, if we did an 
investigation, in each one of the judicial districts we have to 
go and get an order or subpoena or some kind of official 
document to followup and retrieve information from Internet 
service providers and so forth. It would be helpful--in this 
arena time is of the essence, because the evidence is fleeting, 
since it is digital. The idea of being able to have a one-stop 
shopping, if you will, to be able to get an order that allows 
us to go to multiple jurisdictions to get that and not have to 
go in each district to get these things.
    But there are a number of other proposals like that I would 
be happy to provide to you that are in discussion with the 
Department of Justice.
    Mr. Horn. Mr. Miller.
    Mr. Miller. I would just like to comment on your earlier 
question about the vulnerability of the Internet. Because I 
know there is a lot of media here, and I am afraid of the 
headline tomorrow, Internet very vulnerable. I think that would 
be inaccurate.
    I think that the Internet, as Mr. Pethia mentioned, was 
developed by DARPA to have a lot of redundancy in it. Yes, Mr. 
Vatis is correct. There are actually physical risks. The domain 
name servers that he mentioned are very important. But the 
companies that manage those, Verizon Network Solutions, is very 
aware of these vulnerabilities; builds a lot of physical 
redundancy in their systems. I am sure that they would be glad 
to brief your staff in great detail about that.
    Again, as Mr. Seetin said earlier, nothing is totally 
invulnerable, as he said very eloquently during his statement. 
But I don't want you or the people who read the stories 
tomorrow to somehow get the idea that the Internet is about to 
be brought down.
    I would also like to mention something that I think 
indirectly came up in Mr. Seetin's statement but we haven't 
addressed directly, which is we all believe that, as part of 
business continuity planning, we have to have redundancy. But 
if your redundant system is in your same building or if your 
redundant telephone lines are going in and out of the same 
entrance and exit points of the building, do you truly have 
redundancy?
    And I think what we learned quite dramatically with these 
events at the World Trade Center, particularly in the area 
around the World Trade Center, which is probably the highest 
area of telecommunications density in the world, is that having 
redundancy located in the same building or telecommunications 
lines going in and out of the same pipes really isn't 
redundancy.
    So I think it is going to force a lot of companies to 
rethink this. I think the government is going to need to 
rethink it.
    For example, when they build buildings or lease buildings, 
the government may need to start asking questions. Where in 
this building is the back-up system? Is it in exactly the same 
building or right across the street? Do we really, truly have 
redundancy? And I think it is something that the subcommittee 
may want to take a further look at, because we did find that 
was a bit of a problem.
    Again, Mr. Seetin may want to address this in more detail.
    Mr. Seetin. Yes, thank you very much.
    In fact, that is the case. The redundancy that we had 
planned on really was a result--because we had that facility at 
least already because our space in Four World Trade was 
inadequate to actually provide the computer space that we 
needed.
    To the extent that our experience with the 1993 bombing 
still didn't give an indication of the potential scope of an 
attack--and I must say this--I don't know that anybody would 
have predicted the scope of this type of attack. We did learn 
the lesson in that the back-up system which was halfway across 
the island from us happened to be the one that was affected by 
the attack in addition to us. And we have already taken steps 
now. In fact, as I said before, on Monday, as of Monday next 
week, you know, we are--our back-up system is very far away. 
It's at a completely different utility telenetwork. So, 
unfortunately, yes, we learned our lesson the hard way. It 
didn't cost us in terms of our ability to get up and running. 
It could have. But,
    Mr. Horn. Any other thoughts, Mr. Miller, on that? And 
anybody else on the panel in terms of giving some advice to the 
government that we could prepare our systems for catastrophe, 
from what we know now. We're going to have the staff up in New 
York and they'll talk to a lot of the people with your 
guidance, Mr. Seetin.
    Yes, Mr. Willemssen.
    Mr. Willemssen. Just going to add, Mr. Chairman, to the 
extent that agencies have business continuity and contingency 
plans now, it's a good point--if they haven't already--to take 
a look at them, reassess the threat and reassess the likelihood 
of the threat and the impact it might have, and then put in the 
appropriate contingencies in the event it occurs. I don't know 
that's happened universally yet. I think in light of recent 
events it's a good opportunity to do that.
    And I would concur with some of the comments made earlier 
about the critical importance of communications from an 
emergency response and preparedness perspective.
    Mr. Pethia. Yeah. Also I'd like to comment on your earlier 
statements and questions about the need for Homeland Defense 
and the possible role that Tom Ridge might take. I think it is 
important, and I agree with what Mr. Miller said, that we do 
need to have the function of an IT czar. And I also think it's 
important that it be under one agency coordinated with other 
kinds of infrastructure activities. I think one of the lessons 
we're all learning is just how interdependent all of these 
infrastructures are. And this time we were only attacked from 
one dimension, but I can easily imagine in future attacks that 
while we're dealing with one problem, we'll see one in yet 
another part of our infrastructure, and we need to be able to 
coordinate responses to all of those at one time.
    You know, I would hate to think of what would have happened 
on September 11 if at the same time we were struggling with 
what happened from--by the terrorists, we were also dealing 
with things like Nimda and other kinds of information 
infrastructure attacks. It would have hurt us severely.
    Mr. Horn. We mentioned the software developers and a number 
of you mentioned that. How difficult is it for the industry to 
get some of these software developers into the products before 
they're released? I mean, are these great difficulties by them? 
Or--you go to all the professional groups in the country, Mr. 
Miller; what do you hear?
    Mr. Miller. Well, I guess my starting point diverges a 
little bit from Mr. Pethia. We've disagreed publicly before, so 
this isn't the first time. We do believe that our companies do 
put forth maximum effort to first of all create systems that 
have as little security flaws as possible. And second, many of 
them go out of their way to try to do--but I do agree with him 
that they should have the highest possible security 
configurations preset.
    The difficulty is that in software engineering, as well as 
engineering on automobiles or building or airplanes, there are 
still going to be flaws. No design is going to be perfect. Yes, 
it can be better; but no design is going to be perfect. And so 
there are going to be these followup challenges. And those 
followup challenges are dealt with by patches. And, as Mr. Dick 
said, the problem isn't that the patches weren't out there. The 
problem was that in many cases the patches simply were not 
implemented.
    I would also say that the companies are trying to build 
into their systems the highest configuration security setting. 
But what the companies tell me is when they go back to their 
customers, they find that this is a problem as to what the 
customers actually do.
    For example--this now goes back a year and half to a 
meeting at the White House with President Clinton--but one of 
the major companies there, a well-known computer services firm, 
said that when they went back and visited their customers 90 
days after installing systems, on the average, two-thirds of 
companies had turned off all the security features. Or when 
they went in and checked as to what the passwords were for some 
of the major customers, the password was ``password.''
    So it is a bit of a challenge. And the question is, even if 
the best software, designed with the best engineering, is set, 
if the customer refuses to use it, then you get into a problem. 
So how do we get this kind of acceptance? Just like how do you 
convince people to use seatbelts or how do you convince people 
when they get American Express or travelers checks not to put 
the numbers of the American Express checks in the same wallet?
    And that really is a problem of communication. It's not 
that the product itself is flawed or that the principle is 
flawed. It's getting broader buy-in. I don't have a simple 
answer. I think a lot of it goes back to the point Mr. Dick was 
making. It's education. And we at ITAA, the Partnership for 
Critical Information Security--which is ITAA--and many other 
industries have been discussing with the government whether 
this might be a good time for a massive public service campaign 
to try to get more customers aware of the need to practice good 
cyber-hygiene. And frankly, we're internally divided about 
whether to move forward or not, Mr. Chair.
    There is some concern this will look like somehow, next to 
what's happened at the World Trade Center and the physical 
security threats, that this will simply get lost in the message 
and it won't really be effective. But other people believe that 
this is very timely, because particularly with the Code Red 
worm, the Nimda virus--and, as Mr. Pethia said, had they 
occurred at the same time as the attacks, the physical attacks, 
who knows what would have happened?
    So we're pursuing this as an option right now. And again, 
it's a collaboration between industry and government if we do 
roll this out. But somehow we've got to get into the heads of 
the customers, No. 1, no matter how well we design the 
software, there's going to be flaws subsequently. You've got to 
install the patches.
    No. 2, take advantage of those security features.
    And No. 3, it's not just the technology. It's the people 
and the processes. And if you have great technology software 
and you don't install it, or you use ``password'' as your 
password, you might as well forget about it. You're just not 
playing the game the right way.
    Mr. Pethia. As Harris said, we have a tradition of 
disagreeing on certain points. I agree wholeheartedly that we 
need better security administration. We need people to adopt 
practices. But there is a big difference between bulletproof 
software and where we are today. Things like the top 10 list or 
the top 20 list are useful, but they can only be created with 
hindsight. The top 10 or the top 20 are things that we know are 
problems because we've already been attacked with those 10 or 
20.
    When system administrators are faced with 2,000 new 
vulnerabilities a year, which 10 do they focus on? It's not a 
matter of 10's and 20's. It's a matter of getting from 2,000 
down to 10 or 20, so that they only have to deal with those and 
not the thousands of others.
    Mr. Horn. Mr. Vatis, you're at Dartmouth, and a lot of 
their graduates go to Madison Avenue in New York and have the 
best--have the best type of communications in ads and 
everything else. And maybe some of this, with the damage we've 
seen in New York, we could get some public service ads where we 
would educate from lap computers to all the big ones and try to 
get the attitude changed. And I would think there's enough 
examples that are seen in the New York situation where maybe 
this is the time it'll cut through to people that, hey, we're 
not doing it the right way.
    So I would hope that your professional group there, Mr. 
Miller, might use that as a project. And I remember when we 
talked about a ``good housekeeping seal of approval,'' and it 
seems to me people wouldn't want--I would think the average 
citizen might say, well, we don't want all these bugs running 
around, worms running around, if I put my data base on it. I 
don't really have any feeling that you can't really hurt--you 
can hurt it. And you've spent a couple of thousand dollars. And 
I would think that those people in the various different 
manufacturing would say, hey, this is a good thing that we can 
now use this. And it seems to me that a lot of people in--a lot 
of professional people ought to be working that feel--and 
again, New York is certainly why we should be doing this.
    Mr. Vatis. Mr. Chairman, if I could just offer a slightly 
different perspective on that. I think education is very 
important, but I don't think it's going to be a panacea. There 
have already been many efforts to educate people about safe 
practices in cyberspace. And Mr. Miller's organization, with 
the Department of Justice, sponsored such an education program 
over the last year and a half or so.
    You started out this hearing by saying that you hope that 
recent events would offer a wake-up call to America. I'm afraid 
that we've had so many wake-up calls that people are just 
repeatedly pushing the snooze button. One would have thought 
that the I Love You virus, the Melissa virus, the distributed 
denial of service attacks, Code Red, Nimda--the list goes on 
and on--each one of those should have offered a wake-up call, 
and yet we still see the persistent vulnerabilities.
    At the same time, I think while industry is focused, as Mr. 
Miller said, on improving security within software, I think, 
again, their focus is in the short term on getting products to 
market quickly, with the state-of-the-art of security that 
exists today. But part of the problem is the state-of-the-art 
of security today, as Mr. Pethia has alluded to, is not good 
enough. And so even if customers don't turn off all of the 
security that's available in software, they're still vulnerable 
to attack. And if they are turning a lot of the security 
functions off, to my mind, that suggests a problem with some of 
those security functions potentially, because they may limit 
the functionality of the software. And so a customer might make 
the determination that it's simply not worth it. Or they're 
simply too difficult.
    One example of that is encryption. Encryption is available 
today for people to use to preserve the confidentiality of 
their communications and their stored data. But it's not widely 
used because it is considered a hassle by many people and, 
again, not simply worth it. One solution to that is to try to 
design an encryption technology that is easier to use, so that 
people can, with the click of a mouse or the push of one key on 
the keyboard, ensure confidentiality.
    So the answer again, to me, over the long-term, is research 
and development to design technology that is easy to use and 
that offers broader and deeper assurance of security than the 
current technology allows. And again, as I think several of the 
panelists have said, the private sector is important on that. 
But they are naturally going to be thinking about near-term 
profitmaking ventures. That is their mission in life, and 
appropriately so. But government funded research and 
development is critical to look at the long-term developments 
that can really help us secure the information base.
    Mr. Horn. I would think that a manufacturer--now, I look at 
these Dell ads, etc., and that's changed a lot of things in the 
market. And I would think that the one that is able to say 
we're reacting to both the foreign hackers, domestic hackers 
and all the rest, and we have a good housing, and keeping it 
going and having some sort of--you talk about their monetary 
interests and they could put it to good interest.
    So--and I think people would go and want to buy it now, 
because it's just too complex to have all this machinery going 
down the drain, with all these people coming in from various 
things. And I guess, Mr. Dick, besides the incoming ones in the 
United States so far, has your Center found that foreign 
hackers have come into the United States? Or how difficult is 
that to decide it and to see it?
    Mr. Dick. If you will, the doors of the Internet have made 
all kinds of illicit contact on the Internet available to the 
globe. And yes, I mean, we're seeing a number of intrusions 
into U.S. systems by foreign subjects and organizations. Here 
recently, we had a series of intrusions into e-commerce 
businesses, the focus of which was emanating from Eastern 
Europe. We were able to identify who those individuals were, 
and have brought several of them to prosecution here in the 
United States.
    So because of the borderless nature of the Internet, 
criminals and terrorists and any of the threats that you can 
identify just don't emanate from the United States. It's a 
global issue which I've referred to before.
    Mr. Horn. Mr. Seetin noted that the Web site was a critical 
point of contact, since the cell phone relays went out. I'd 
just say for both of you, did the Nimda virus scanning have an 
impact on the availability of your site?
    Mr. Seetin. Thank you, Mr. Chairman. No. In fact, our 
technology folks had been well aware of that and were 
operating, you know, with great caution. Our system uses what--
commonly used encryption systems by the financial industry, 
because obviously we face the same issues as they do in terms 
of potential threat. So we went in using that. We did not face 
those types of problems with our Web site. Not to say that we 
wouldn't, you know. And I agree with the other panelists here 
that, indeed, looking forward, I think the only thing we can 
anticipate is that the bad guys are going to get smarter and 
they're going to get badder, and so we have to stay ahead of 
them to the degree that we can.
    Mr. Horn. Any other thoughts on that? We're going to be 
closing this down in a few minutes and we won't keep you here 
forever. Anything that should have been said that we didn't ask 
about? We're going to have the majority and minority staff go 
over the questions, that I just have said you can only use so 
many, and we'd appreciate any thoughts you might have, and 
they'll write you.
    And is there anything that some of your colleagues said 
that we didn't ask and you think it's important?
    OK. What I'm going to do is have a closing statement. I 
thank you all for coming down here, and we can't predict what 
lies ahead anymore. We weren't able to anticipate the horrible 
events of September 11, but the Nation has now been placed on 
alert. Let's hope we can keep that sense of alert to get 
something done.
    Protecting our information infrastructure and our critical 
government computer systems must become our highest priority. 
The administration is taking an aggressive step, as I 
mentioned, with the creation of the Office of Homeland Security 
under Governor Ridge. The Office of Management and Budget must 
also play a key role. And I note that the Director of OMB has a 
representative taking notes here. So hopefully it'll be moved 
through the bureaucracy down there.
    I look forward to working with all of you as we focus on 
this vitally important issue. And I want to thank the staff: 
the minority staff, David McMillen, Jean Gosa; and with the 
majority staff we have J. Russell George, behind me, staff 
director/chief counsel. He grew up right near some of those 
towers, and so he knows New York well.
    Elizabeth Johnston, on my left, your right, is on loan to 
us from the General Accounting Office, and we're delighted to 
have her working on this particular hearing. Then Darin Chidsey 
and Matt Phillips, professional staff. Mark Johnson is our very 
able clerk, and Jim Holmes is the intern this week. And the 
court reporters are Christina Smith and Mark Stuart.
    We thank you all for what you've done here, and we'll try 
to get this hearing out as fast as we can. We are adjourned.
    [Whereupon, at 12:15 p.m., the subcommittee was adjourned.]

                                   - 
