[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
INFORMATION TECHNOLOGY--ESSENTIAL YET VULNERABLE: HOW PREPARED ARE WE
FOR ATTACKS?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
FINANCIAL MANAGEMENT AND
INTERGOVERNMENTAL RELATIONS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 26, 2001
__________
Serial No. 107-78
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
U.S. GOVERNMENT PRINTING OFFICE
80-481 WASHINGTON : 2002
________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
Majority members:
BENJAMIN A. GILMAN, New York
CONSTANCE A. MORELLA, Maryland
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
STEPHEN HORN, California
JOHN L. MICA, Florida
THOMAS M. DAVIS, Virginia
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio
BOB BARR, Georgia
DAN MILLER, Florida
DOUG OSE, California
RON LEWIS, Kentucky
JO ANN DAVIS, Virginia
TODD RUSSELL PLATTS, Pennsylvania
DAVE WELDON, Florida
CHRIS CANNON, Utah
ADAM H. PUTNAM, Florida
C.L. ``BUTCH'' OTTER, Idaho
EDWARD L. SCHROCK, Virginia
JOHN J. DUNCAN, Jr., Tennessee
Minority members:
HENRY A. WAXMAN, California
TOM LANTOS, California
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, Washington, DC
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
ROD R. BLAGOJEVICH, Illinois
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
JIM TURNER, Texas
THOMAS H. ALLEN, Maine
JANICE D. SCHAKOWSKY, Illinois
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
BERNARD SANDERS, Vermont (Independent)
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director
Subcommittee on Government Efficiency, Financial Management and
Intergovernmental Relations
STEPHEN HORN, California, Chairman
Majority members:
RON LEWIS, Kentucky
DAN MILLER, Florida
DOUG OSE, California
ADAM H. PUTNAM, Florida
Minority members:
JANICE D. SCHAKOWSKY, Illinois
MAJOR R. OWENS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
Ex Officio:
DAN BURTON, Indiana
HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Robert Alloway, Professional Staff Member
Scott R. Fagan, Clerk
Mark Stephenson, Minority Professional Staff Member
C O N T E N T S
----------
Hearing held on September 26, 2001
Statement of:
    Dick, Ronald, Director, National Infrastructure Protection Center, Federal Bureau of Investigation
    Miller, Harris, president, Information Technology Association of America
    Pethia, Richard D., director, CERT Centers, Software Engineering Institute, Carnegie Mellon University
    Seetin, Mark, vice president, governmental affairs, New York Mercantile Exchange
    Vatis, Michael, director, Institute for Security Technology Studies, Dartmouth College
    Willemssen, Joel C., Managing Director, Information Technology Issues, U.S. General Accounting Office
Letters, statements, etc., submitted for the record by:
    Dick, Ronald, Director, National Infrastructure Protection Center, Federal Bureau of Investigation, prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of
    Miller, Harris, president, Information Technology Association of America, prepared statement of
    Pethia, Richard D., director, CERT Centers, Software Engineering Institute, Carnegie Mellon University, prepared statement of
    Seetin, Mark, vice president, governmental affairs, New York Mercantile Exchange, prepared statement of
    Vatis, Michael, director, Institute for Security Technology Studies, Dartmouth College, prepared statement of
    Willemssen, Joel C., Managing Director, Information Technology Issues, U.S. General Accounting Office:
        Information concerning e-mail bombing
        Prepared statement of
INFORMATION TECHNOLOGY--ESSENTIAL YET VULNERABLE: HOW PREPARED ARE WE
FOR ATTACKS?
----------
WEDNESDAY, SEPTEMBER 26, 2001
House of Representatives,
Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2154, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representatives Horn and Maloney.
Staff present: J. Russell George, staff director/chief
counsel; Elizabeth Johnston, GAO detailee; Darin Chidsey and
Matt Phillips, professional staff members; Mark Johnson, clerk;
Jim Holmes, intern; David McMillen, minority professional staff
member; and Jean Gosa, minority clerk.
Mr. Horn. A quorum being present, the hearing of this
Subcommittee on Government Efficiency, Financial Management and
Intergovernmental Relations will come to order.
The horrific events of September 11 were a wake-up call
that all too clearly illustrates this Nation's vulnerability to
attack. We have known for a long time that airport security was
lax, and we did nothing to fix the problem. Intruders took
advantage of that vulnerability in ways that for all of us were
unimaginable.
We must learn from this experience. But will we? We have
known for several years that our government's critical computer
systems are as vulnerable as airport security. In 1997, the
General Accounting Office placed the security of the executive
branch of the government's computers on its high-risk list. In
1998, the Federal Bureau of Investigation formed its National
Infrastructure Protection Center to gather information on
computer threats and issue timely warnings about those threats.
It is now 2001 and the executive branch has made little
progress in addressing computer security issues. Are we going
to wait until these vital systems are compromised--or worse?
During the crisis in New York and Washington, we found that
the Nation's communication systems were not as strong as they
needed to be. Cellular telephones stopped working. City leaders
were unable to communicate with other officials at all levels.
In the immediate aftermath in New York, broadcast television
services were interrupted. But imagine the repercussions if
attacks on the Federal Government's critical computers were
equally successful. National defense, communications,
transportation, public health, and emergency response services
across the Nation could be crippled instantly.
In addition to the threat of physical assault, the Nation's
information technology systems are already under cyber-assault.
Following the terrorist attacks on New York and Washington, the
``Nimda'' worm attacked computer systems around the world.
Nimda shut down banks in Japan, multinational corporations, and
some government systems in the United States, such as Fairfax
County. On Monday, a new worm was unleashed on computer
systems. This worm is capable of wiping out a computer's basic
system files. These attacks are increasing in intensity,
sophistication, and potential damage. Is the Nation ready for
this type of terrorism? Will its basic communications and
computer infrastructure withstand a major assault?
Today, we want to examine these critical issues. We welcome
our witnesses and particularly this panel. You had to come from
a number of places, and we know at the last minute it is tough.
We thank you very much and we will have a very good discussion
of these computer threats and the measures that must be taken
to protect this Nation--its economy, its States, its cities and
institutions of higher learning and research--besides Federal
departments States and counties--we will be getting into that
later this year.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] T0481.001 to T0481.002 (prepared statement reproduced as images; not available in text form)
Mr. Horn. So we will now start with the witnesses. And as
we've done many times before, we will start with the
representative of the U.S. General Accounting Office, Joel C.
Willemssen, Managing Director, Information Technology issues.
We have all witnesses accept the oath and I will start with
everybody at this point and we'll just go down the line. So if
you'll raise your right hand--and also have your assistants
which might give you paper and all that--let's do it all at one
time. The oath states do you have the full truth of your
testimony you're about to give for this and the questions, and
if we ask you to do it 2 weeks from now in terms of a
particular thing you want in the book, all of this is under
oath.
[Witnesses sworn.]
Mr. Horn. Thank you very much. When we introduce you, your
full written statement automatically goes in the record, so you
don't have to ask us to do so. We would like you, in 5 or 7
minutes, to give a summary of your testimony. We give a
little--let's see, we've got plenty of time here so we could
make it 10 minutes. But we want to get into dialog among you as
well as those members expected to be here.
So Joel C. Willemssen, Managing Director, Information
Technology Issues, U.S. General Accounting Office, which is
presided over by the Comptroller General of the United States,
and it's part of the legislative branch. Mr. Willemssen, it's
always good to see you.
STATEMENT OF JOEL C. WILLEMSSEN, MANAGING DIRECTOR, INFORMATION
TECHNOLOGY ISSUES, U.S. GENERAL ACCOUNTING OFFICE
Mr. Willemssen. Thank you, Mr. Chairman. It's an honor to
appear again before you today and, as requested, I'll briefly
summarize our statement on the challenges involved in
protecting government and privately controlled systems from
computer-based attacks.
Overall, our work continues to show that Federal agencies
have serious and widespread computer security weaknesses. These
weaknesses present substantial risks to Federal operations,
assets, and confidentiality. Because virtually all Federal
operations are supported by automated systems and electronic
data, the risks are very high and the breadth of the potential
impact is very wide. The risks cover areas as diverse as
taxpayer records, law enforcement, national defense, and a wide
range of benefit programs, and they cover all major areas of
required controls such as access controls in ensuring service
continuity in the face of disasters.
The September 11 tragedies demonstrated just how essential
it is for government and business to be able to continue
critical operations and services during emergency situations.
News reports indicate that business continuity and contingency
planning has been a critical factor in restoring operations for
New York's financial district with some specifically
attributing companies' preparedness to the contingency planning
efforts associated with the year 2000 challenge.
At the same time, however, our reviews still reveal
shortcomings in Federal agency business continuity planning.
Examples of common weaknesses include incomplete plans and
plans that have not been fully tested. While a number of
factors have contributed to these weaknesses, and overall weak
Federal information security, we believe the key underlying
problem is ineffective security program management.
Computer security legislation enacted last year can go a
long way to addressing this underlying problem. The legislation
requires that both agency management and inspectors general
annually evaluate information security programs. This new
annual evaluation and reporting process is an important
mechanism previously missing for holding agencies accountable
for the effectiveness of their security programs.
Beyond the risks with Federal agency systems, the Federal
Government has begun to address the threat of attacks on our
Nation's computer-dependent critical infrastructures such as
electric power. A prior Presidential Directive known as PDD63
outlined a governmentwide strategy to address this. However,
progress in implementing this directive has been limited. For
example, while outreach by numerous Federal entities to
establish cooperative relationships with private organizations
in key infrastructure sectors has raised an awareness and
prompted some information sharing, efforts to perform analyses
of sector and cross-sector vulnerabilities have been limited.
In addition, a key element of this strategy was establishing
the FBI's National Infrastructure Protection Center [NIPC], as
a focal point for gathering information on threats and
facilitating the Federal Government's response to computer
based incidents. As we reported earlier this year, the NIPC has
initiated various efforts to carry out this responsibility.
However, we also found that the analytical and information
sharing capabilities that were intended had not yet been
achieved. A major impediment to implementing the strategy
outlined in PDD63 is the lack of a comprehensive national plan
that clearly delineates the roles and responsibilities of
Federal and non-Federal entities and defines interim
objectives. We've therefore recommended that the assistant to
the President for National Security Affairs ensure a more fully
defined strategy for computer-based threats be developed that
addresses this impediment. It will obviously be important that
this strategy be coordinated with the counterterrorism efforts
undertaken by the newly established Office of Homeland
Security.
Mr. Chairman, that concludes a summary of my statement, and
after the panel is done I'd be pleased to address any questions
you may have. Thank you.
Mr. Horn. Well, thank you.
[The prepared statement of Mr. Willemssen follows:]
[GRAPHIC] [TIFF OMITTED] T0481.003 to T0481.041 (prepared statement reproduced as images; not available in text form)
Mr. Horn. And we will now move to Mr. Richard Pethia, the
director of the CERT Centers, Software Engineering Institute at
Carnegie Mellon University.
STATEMENT OF RICHARD D. PETHIA, DIRECTOR, CERT CENTERS,
SOFTWARE ENGINEERING INSTITUTE, CARNEGIE MELLON UNIVERSITY
Mr. Pethia. Mr. Chairman, thank you for the opportunity to
testify on information infrastructure security and our
preparedness for attacks. My perspective comes from the work
that we do at the CERT Coordination Center where we're
chartered to deal with security emergencies on the Internet and
to work with both technology producers and technology users to
facilitate responses to security problems. Since 1988, we've
handled over 63,000 separate incidents and have analyzed more
than 3,700 computer vulnerabilities.
I'll use a recent attack to illustrate what I think are
some of the critical issues. On September 18, the Internet
community at large was attacked with an automated attack that
has been called the W32 Nimda worm or Nimda. This worm had the
following characteristics: It used multiple means to spread
from computer to computer, from desktop to desktop, via
electronic mail; from desktop to desktop via shared files; from
Web server to desktop by a browsing of compromised Web servers;
from desktop to Web server via active scanning for various
vulnerabilities; and from desktop to Web server via scanning
for back doors left behind by earlier worms Code Red and
sadmind. It modified Web documents and certain executable files
on the infected machines, and it focused on infecting machines
on local networks, thus clogging those networks with scanning
traffic and disrupting operations.
Nimda was the first worm or virus that we've seen that
attacks computers that act as servers as well as desktop
computers. As many reports indicated, Nimda spread like
wildfire. The first reports of scanning activity came at about
8:30, between 8:30 and 9 a.m. Within an hour, many
organizations reported that they were paralyzed by the scanning
activity, and by mid-afternoon over 100,000 machines were
infected.
The response community reacted immediately but were
hampered by lack of a source code and by the complexity of the
worm. Warnings were sent to the community in the morning with
updates as analysis progressed through the day. Analysts
quickly obtained the binary code and began the reverse
engineering process but needed several hours to complete it. By
mid-afternoon, antivirus vendors began making detection
software available. Heavy worm activity was reported through
the remainder of the day and all of the 19th. On the 20th the
reports continued but at a much lower rate.
We will continue to see periodic ongoing recurrences of
this worm over the next several months, gradually tapering off
in impact.
What are the factors that allow attacks like this to be
successful? Vulnerable software. Today's commercial off-the-
shelf technology is riddled with holes. In calendar year 2000
we received reports of over 1,090 new vulnerabilities in our
existing information technology. At the current reporting rate,
this year we expect over 2,000 new reports by the end of the
year.
The software design practices in use do not yield software
that is resistant to attack. Software implementation practices
do not remove programming flaws that result in vulnerabilities.
And default software configuration shipped to the customers
leave security doors open and explicit user action must be
taken to close them. Technology users are not able to keep up
with the pace of vulnerability fixes. The sheer number of
vulnerabilities is overwhelming organizations. The upgrade
process is difficult and time-consuming and it often takes
months or even years for users to patch their systems across
the broad Internet community.
Today we still receive reports of recurrences of the
Melissa virus, a virus that exploited vulnerabilities that were
discovered 2 years ago. At the same time, attack technologies are
growing increasingly sophisticated and automated. Exploit
scripts are quickly written by the intruder community for newly
found vulnerabilities. They are combined with other forms of
software to form very powerful automated attack tools.
Compromised systems are harnessed together to attack others,
and automation allows these attacks to proceed at lightning
speed. Our reactive solutions are reaching the limits of their
effectiveness. Only the best resourced organizations can keep
up with vulnerability fixes.
With over 109 million computers, and growing, on the
Internet there are always hundreds of thousands, if not
millions, of computers that are vulnerable; and automated
attacks can now cause major damage before they're even
detected. The complexity of the attack is challenging software
analysts who try to fix them, and we will continue to see major
damage within even the best response cycle times that we can
hope to achieve.
What are the answers? First and foremost, higher quality
software products. Known design techniques can dramatically
reduce the virus problem. Viruses spread because systems allow
the unconstrained execution of imported code. Yet we've known
for decades how to build hardware and software that constrains
this code execution. Using this technique would dramatically
reduce the virus problem.
In addition, implementation errors, bugs in the software,
cause over 80 percent of the other problems that we see on the
Internet. Known software engineering techniques can reduce
these bugs by a factor of at least 10, and typically more than
100.
Also, it's important that we begin to ship high-security
configurations as the default. It's no longer realistic, given
this huge user population, to expect today's average computer-
user and system administrator to have the technical skills
needed to securely configure their software systems. We must
build and ship products that are safe for use by today's
average administrator and user. That's the near-term solution.
Longer term, we will continue to see more sophisticated
attacks. Better design and implementations will solve much of
what we see today, but as we get more sophisticated attacks, we
must develop new software engineering techniques, integrated
frameworks for information assurance and analysis design, and
these frameworks must lead to engineering methods and
technologies that yield systems that are resistant to attack
but also able to survive those attacks even if they are
partially penetrated.
More research into survivable systems is needed for the
future. Increased support for information assurance degree
programs is also needed. Today there is a critical shortage of
technical security specialists. The recent government programs
on the security Centers of Excellence are a step in the right
direction, but they're only a start. More is needed to meet the
growing demand in both government and industry for these
technical specialists.
And finally, awareness and training for all users. This is
not just a problem for technical specialists. It's a problem
for executives, for middle managers, for commercial users as
well as for home users. We need to support the development of
programs that allow awareness and training for all of those
individuals, and we also must provide programs for elementary
and secondary school teachers to allow them to begin training
their students on acceptable and unacceptable behavior and
basic security practices.
In conclusion, attacks like Nimda will occur again, and
they will have great impact unless and until substantial
changes are made. Most important now is higher-quality software
that uses known design and implementation practices to reduce
vulnerabilities. A 100-fold improvement is needed. In the
future, threats will be even more sophisticated; and so while
we deal with today's problems, we also must expand our research
and education activities to deal with the problems that we'll
see within the next 5 years. Thank you.
Mr. Horn. Thank you.
[The prepared statement of Mr. Pethia follows:]
[GRAPHIC] [TIFF OMITTED] T0481.042 to T0481.078 (prepared statement reproduced as images; not available in text form)
Mr. Horn. Our next presenter is Michael Vatis, the
Director, institute for Security Technology Studies at
Dartmouth College.
STATEMENT OF MICHAEL VATIS, DIRECTOR, INSTITUTE FOR SECURITY
TECHNOLOGY STUDIES, DARTMOUTH COLLEGE
Mr. Vatis. Thank you, Mr. Chairman. I would like to commend
you for holding this hearing today, because in the wake of the
horrible terrorist attacks that occurred on our country on
September 11, it would be very easy for Members of Congress to
focus all of their attention on the types of attacks that
occurred on that day and to focus on what needs to be done to
prevent their reoccurrence. But I think it is equally important
at least that we pay attention to the other types of threats to
our Nation's security that are just as significant today as
they were before September 11. And among those threats are
potential cyber attacks against our information infrastructure.
Indeed, for the reasons that I've given in my prepared
statement, I believe that this threat is even greater today
than it was before September 11. And so, again, I'd like to
commend the subcommittee for bringing attention to this
critical issue when it would have been very easy to focus on
other things.
I would like to devote my discussion today to two things.
One is to provide a summary of our threat assessment of the
possible attacks that could take place on our information
infrastructure during the war on terrorism; and second, to talk
about the importance of research and development to the overall
cause of securing our Nation's computer networks. It is my
belief that what is needed today is essentially a ``Manhattan
Project'' for counterterrorism technology, so that America's
leading scientists in industry, academia, and government can
work together to use one of this Nation's greatest strengths,
our technical prowess, to design tools and technology to secure
the information infrastructure that provides the foundation for
our economy and our national security.
Turning to our threat assessment, we started by examining
several recent political conflicts over the last few years that
have led to attacks on cyber-systems, including the recent
clashes between India and Pakistan, between Israel and the
Palestinians, between NATO and Serbia in Kosovo, and also the
tensions between the United States and China after the
collision between a Chinese fighter plane and an American
surveillance plane. From these case studies we concluded that
cyber attacks immediately follow physical attacks within the
circumstances of these political conflicts.
It is also the case that politically motivated cyber
attacks are increasing in volume, sophistication, and
coordination. For instance, after the collision between the
Chinese fighter plane and the American surveillance plane,
approximately 1,200 U.S. sites, including those belonging to
the White House and other government agencies, were reportedly
subject to distributed denial of service attacks or defaced
with pro-Chinese images in just 1 week.
And finally, cyber attackers are attracted to high-value
targets. They have attacked the Web sites of financial
institutions and also government communication infrastructures.
As the next step in our analysis, we looked at general
trends in cyber attacks, including those lacking any apparent
political motivation. And there, as my colleague, Rich Pethia
has talked about, it is clear that cyber attacks are growing in
their destructiveness and in their sophistication. And
attackers are increasingly taking advantage of the
vulnerabilities that persist throughout our networks. In
addition, the wide and rapid dissemination of automated scripts
has made it possible even for the unsophisticated hacker to
take advantage of these advanced techniques. And so in recent
years, and again in recent weeks, we have seen a proliferation
in destructive worms such as Code Red and Nimda. We've seen a
proliferation of distributed denial of service techniques that
can be used to carry out automated attacks on victim networks,
and we've seen a growth in the sophistication of unauthorized
intrusions which can allow an attacker to get into government
networks or private sector networks for the purpose of
absconding with sensitive information, with money, with credit
cards, or carrying out a destructive attack on the network
itself.
So the question, then, is, during the war on terrorism,
what types of groups or individuals might engage in cyber
attacks against our information infrastructure? Well, clearly
the terrorists themselves are a concern. While it is not clear
whether Osama bin Laden's al Qaeda organization has developed
cyber attack capabilities, it is clear that members of his
network have utilized information technology to communicate
securely, to raise funds, and to formulate their plans.
For instance, Ramzi Yousef, who was the mastermind of the
first attack on the World Trade Center in 1993, had details of
future terrorist plots, including the planned bombing of 11
U.S. airliners in the Pacific, stored on encrypted files on his
laptop computer. At the same time, the September 11 attacks
themselves show that terrorists are not merely focused on
causing deaths, but also on causing damage to our critical
infrastructures, with all of the attendant financial
consequences and economic consequences that has.
Another group to be concerned about is targeted nation
states. Several nations could be targets in our military
retaliation for the September 11 attacks, including not only
Afghanistan, but possibly some states that have been designated
as supporters of terrorism. And among those U.S. designated
states are countries such as Iraq and Libya, which are reported
to have developed information warfare capabilities.
So as we engage in this war on terrorism, we need to be
cognizant of the risk of possible counterattacks on our
information infrastructure by countries such as that. The most
likely source of attack, though, are the sympathizers of
terrorists around the world or those with general anti-U.S. or
anti-ally sentiments. These are the people who have engaged in
attacks before, whether it's Web site defacements or denial of
service attacks. And they include people who could perceive the
war on terrorism as an anti-Muslim crusade. And it also could
include other people such as those who are against
globalization and capitalism in general and have engaged in
these sorts of attacks before.
And the last category is thrillseekers who might just use
this situation as an opportunity to gain bragging rights for
breaking into systems while the world's media are focused on
the problem. And the types of targets that these attackers
could go after include not only Web sites, but also more high-
value targets such as domain name servers, communication
systems, routers, and critical infrastructures. There could
also be the possibility of compound attacks on many of these
infrastructures using many different techniques and possibly
combined with physical attacks as well.
Mr. Chairman, my prepared statement has a number of very
specific recommendations that we offer for system
administrators throughout the government and in the private
sector to take to protect themselves against these sorts of
attacks. And we believe that if those steps are taken, people
can minimize the chance of being hit. But over the long-term,
the importance of research and development is great. And we can
never really get ahead of the problem through patches and
through updating our antivirus software, unless we can design
systems, from the ground up, that are secure, and unless we
make the Internet a safe place to engage in commerce and to
communicate securely. Thank you, Mr. Chairman.
Mr. Horn. Thank you. That's a very helpful presentation and
in the dialog there are a lot of things we can take advantage of.
[The prepared statement of Mr. Vadis follows:]
[Prepared statement omitted: 41 TIFF graphics, T0481.079 through T0481.119]
Mr. Horn. And I'm delighted now to have the presentation of
the Honorable Ronald Dick, the Director of the National
Infrastructure Protection Center for the Federal Bureau of
Investigation. I want to say great thanks on behalf of the
subcommittee that the FBI has been this early in the game--they
have worked very closely with the committee. Thanks to their
generosity, we've had a lot of individuals throughout the world
that have been helpful with them bringing them here, and they
can take advantage of those individuals and so can the
subcommittee. So thank you very much for what you've been
doing.
STATEMENT OF RONALD DICK, DIRECTOR, NATIONAL INFRASTRUCTURE
PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION
Mr. Dick. Thank you, Mr. Chairman. Particularly, thank you
for the opportunity to discuss our government's important and
continuing challenges with respect to information technology.
As several of the panel members have said, in the face of the
tragedies 2 weeks ago, I come before you today to relay a
strong sense of optimism. We, the men and women of the NIPC and
our thousands of partners throughout the country and the world,
including my colleagues on this panel, have heard the call and
I believe have stepped forward.
While the terrorists were building their network, so too
were we. For the past 3 years, while others were thinking of
ways to defeat us, the NIPC was working tirelessly to build the
broad partnerships we have today, to mobilize great talent, to
break down the old ways of doing business, and to forge ahead
with the united sense of government and private sector purpose.
There is more work to be done. There always will be. But
there should be no doubt about our progress, about our
persistence, about our pledge to the American people. Acting as
one, the Federal, State and local governments, the private
sector and the international partners eagerly accept President
Bush's challenge which was referred to as the ``challenge of
our time.''
For the past 3 years, we have cultivated a number of
initiatives, each focused on simultaneously developing the
NIPC, the capacity to warn, to respond and to build
partnerships. The NIPC built InfraGard into the largest
government/private sector joint partnership for infrastructure
protection in the world, with over 2,000 members nationwide.
The NIPC Web site takes advantage of the Internet's long reach
to provide significant cyber-alerts as well as the ability to
report computer attacks and intrusions on line. The NIPC has
built systems or has provided systems administrators and home
users with roughly 100 warnings about cyber-threats and
vulnerabilities.
Just last week, we provided information systems security
advice through our Web site, through InfraGard, and through our
trusted partners to better protect the public from the Nimda
worm. In fact, based on our prior responsiveness and
coordination with the private sector concerning Code Red, we
believe that the Nimda impact was significantly reduced. The
NIPC's Watch Center operates around the clock and communicates
daily with the Department of Defense. Major General Dave Bryan,
Commander of the Joint Task Force for Computer Network
Operations, recently remarked that the NIPC and JTF-CNO have
established an outstanding working relationship. We have become
interdependent, with each realizing that neither can totally
achieve its mission without the other. And I couldn't agree
more. The Center's ability to fulfill the expectations and
needs of its Department of Defense components is achieved by
the interagency nature of the NIPC, which includes the Center's
Deputy Director, James Plehal, a two-star Navy Rear Admiral.
This example of the Center staffing demonstrates our collective
commitment to achieve meaningful ownership and coordination
across the law enforcement, the intelligence, and military
communities as well as other agencies.
We are strongly partnered with FedCIRC, to enhance the
security of our government technology systems and services. We
team up regularly with the CIA and the NSA to work on matters
of common interest. In fact, the head of our Analysis and
Warning Section is a senior CIA officer and the head of the
section's Analysis and Information Sharing unit is a senior
manager from NSA. In total, the Center has full-time
representatives from a dozen Federal and three foreign
government agencies, led in number by the FBI and the
Department of Defense.
We're continuing to take advantage of the FBI's global
presence through its legal attaches in 44 nations around the
world. Our multiagency team works with information sharing and
analysis centers throughout the country and provides threat
briefings to the critical infrastructure sectors, including
financial services, electrical power, telecommunications, water,
oil and gas, aviation and railroad. We are connected with
18,000 police departments and sheriffs' departments which
bravely serve our Nation daily and in times of crisis.
Our strong ties with the private sector, State and local
first responders place us at the Center in the unique position
to answer the President's call for homeland security. In this
regard, we're also leveraging our key asset initiative by
leading the creation of a comprehensive data base to identify
the Nation's critical infrastructure components.
Equally significant, the NIPC manages the computer
intrusion investigations nationwide for the FBI, both on the
criminal and national security side. Our integration with the
FBI continues to provide the NIPC with access to law
enforcement, intelligence, counterintelligence and open source
information that for privacy and civil rights reasons is
unavailable in its aggregate to any other Federal agency.
The Center has been providing critical technical assistance
to the PENTTBOM investigation in aid of what is certain to be a
joint and long-term law enforcement intelligence and military
response. During the past 2 weeks the center has provided
detailed information--or provided detailed information used to
brief the National Command Authority about how the terrorist
cells of September 11 used technology to further their
murderous acts. We developed an interagency coordination cell
to deconflict investigations and provide relevant information
on those agencies--or to those agencies that have not been able
to provide full-time support to the center.
At the moment, the interagency coordination cell has taken
a leadership role in the ongoing PENTTBOM efforts. It is
staffed with 43 individuals from 15 agencies and every entity
that needs information to conduct its part of this most
critical mission gets it.
In short, the Center is coordinating its incident
deterrence prevention, warning and response mission with strong
multiagency support. That, in brief, is a look at the NIPC. Our
responsibilities, as you can see, are broad and we are rising
to the challenge. We are united so that the benefits of
technology flourish while the risks of the technology are
reduced, provided resource issues identified in the GAO April
2001 report are resolved. We will continue to witness ever
better results. We are eager to take on this important work
that surely lies ahead, and on behalf of the Center I would
like to thank you for your continuing support in our efforts in
this significant issue.
Mr. Horn. Thank you. That's very helpful and we'll be
working with you on the next phase of what we're going to be
going to, which will be pretty much throughout the United
States.
[The prepared statement of Mr. Dick follows:]
[Prepared statement omitted: 4 TIFF graphics, T0481.120 through T0481.123]
Mr. Horn. We now have Mark Seetin, who's the vice
president, governmental affairs, New York Mercantile Exchange.
STATEMENT OF MARK SEETIN, VICE PRESIDENT, GOVERNMENTAL AFFAIRS,
NEW YORK MERCANTILE EXCHANGE
Mr. Seetin. Thank you, Mr. Chairman. My name is Mark
Seetin. I am vice president for government affairs for the New
York Mercantile Exchange. I want to thank you and all the
members of this subcommittee for inviting us here today to
speak on this important issue.
Before I begin, I would like to take just a brief moment to
honor the memories of the 18 fallen comrades in our company and
the thousands of innocent people who had their lives taken from
them in that horrendous attack. For the most part, their only
political act was being a husband, a wife, mother, father,
friend. Their only crime was to show up for work. We----
Mr. Horn. Where was your location at the time?
Mr. Seetin. Actually, it's up on the map. I can show you.
Actually this is for context, basically. I want to give credit
to USA Today. This is a graphic from there. Our location, you
can see--I'm trying to get my pointer to work here. Four World
Trade Center is right there. But you can see the two towers.
That's the point where we were before, when the bomb attack in
1993--which I'm going to be addressing. In 1997, we moved into
this new building on One North End Avenue, which is located
right there on the bank of the Hudson River. Critically, you
will notice that right next to us is the Merrill Lynch
building, and beyond that is the American Express building.
You've heard those buildings mentioned.
The shielding effect that they provided during the
horrendous collapse kept us from having great structural damage
to our building. We didn't lose windows. We had a lot of
debris. The other critical part that's going to be evolving in
my testimony is right up there, 22 Courtland Street, which was
the back-up center for our computer systems. That was basically
taken out in the collapse as well, and that was our back-up
system as I said.
With that, as I go through, just to put this all in
perspective, you can see this is about 16 acres in size. These
are all very, very confined and small areas. Also note here
from the standpoint of what had to happen right after that
attack. Right after the first plane hit the North Tower, our
building was evacuated immediately. Our people were moved out
into this plaza. This is the World Financial Center, right here
where my marker is right now. They were moved into this plaza,
and because the roads were cut off, the only escape really was
from the water. And for that, it was a little bit like a mini-
Dunkirk; because boats, police boats, everybody who had a boat,
was coming in and picking up people and evacuating them. And
they were in the process of doing that.
We still had thousands of people on that plaza when the
second plane hit. It virtually flew over our people en route to
crashing into building No. 2. So that kind of lays the
background for the horror at the beginning of this.
First, a little bit of explanation of who we are. We are a
global energy marketplace. We're the world's largest energy
futures exchange. We on a daily basis entertain the trading of
3 to 5 times world oil production, 5 to 7 times North American
natural gas production. We are the window to the marketplace.
The Exchange is a regulated entity, regulated by the
Commodity Futures Trading Commission. Our job is to provide
open, competitive, fair pricing for those vital energy
commodities. We have been designated--in fact, one of the
reasons we probably got so much assistance and, I will give
great credit to those authorities that provided that, was
because we were recognized as a critical asset, we're a little
bit like if you lose the radio and television when a tornado is
on the way, it doesn't do you much good not to hear about it
because it's still going to happen.
And that's why energy pricing is so critical. The September
11 attack hit the World Financial Center. We had debris raining
down on us. Our building was within yards of that. We were the
first exchange in New York to reopen for trading. In 1993, the
attack was on a Friday. We were in No. 4 World Trade Center,
right next to building No. 2, which is now a pile of ash and
rubble. We were able to start trading the Monday following
that. Again, we lost utilities. We lost power. The lessons we
learned from that did help us in this, but from our standpoint,
I must say the scope of this attack was unbelievably greater
than the bomb of 1993.
Through work and through cooperation and through
innovation, we were able to launch our electronic trading
system which normally operates at night. We have trading in our
trading ring. The trading pits where you see the people yelling
and screaming at each other occurs from 9 to 3 p.m. At 4 p.m.,
we switch to our electronic trading system, known as eACCESS,
which trades throughout the night and goes until 9 o'clock the
next morning. So we virtually have nearly a 24-hour trading
day. The energy markets are global and our customers are around
the world, so they demand that.
Were we prepared for this? Frankly, I don't know anybody
who could possibly be prepared for an attack of this scope. You
know, there's no one who could tell me they had prepared for
something like this. Yes, we tried to be prepared, given our
experience in the 1993 bombing, and we knew that there were
some critical things that you had to have. You had to have an
emergency plan. You had to have a back-up facility.
Well, because our computers had been located in 22
Courtland Street, which I showed you earlier, we had leasing on
those. We thought, well, this would be an adequate back-up
system. Obviously, our experience with the bomb was far more
localized.
Mr. Horn. How many floors were there at 22 Courtland
Street? I'm looking at it and it sort of has two surrounding
buildings.
Mr. Seetin. I believe it's about 40 stories, if I'm not
mistaken.
Mr. Horn. Really?
Mr. Seetin. Rough guess. I believe it's about 40 floors.
And our systems were located in the 20th through the 25th on
that building. The building itself structurally stands, but
it's been so heavily damaged that it's basically unusable.
Frankly, if we had to get in there, we probably could have. We
could have rescued the hard-drives which would have held the
data had we lost them in our primary trading facility, or a
back-up site that we had offsite in New Jersey. Fortunately, we
didn't have to do that.
One of the other things that we learned when we built our
new building in 1997, was that we put back-up generators on the
16th floor for the eventuality of potentially losing power. In
our business, of course, in information technology, as these
gentlemen say, the loss of power for us is tragedy. I mean it
is the end of the world from the trading standpoint, because
you have to have that continuous flow.
So we had generators installed. In fact, when we lost
power, immediately after the building collapsed, our generators
kicked in in spite of the fact that no human beings were around
at that time. I was able, at that time, to communicate
throughout the day with our e-mail systems. They were on the
back-up system.
Basic necessities. What do you have to have? Well, the
first thing, the most valuable--and people fought over it in
our crisis center--is this emergency contact list. You'll see
it's dated as August 2001. Little did we know. We update it
periodically. This list has all contact information for all of
the board members; home, cell, everyplace they can be
contacted. The same thing with critical staff, because we were
dispersed. I mean, it was chaotic. People were just driven out
of the building. We didn't know where anybody was. So we had to
use this to begin.
Within 3 hours after the attack, our chairman, Vincent
Viola, began the first of a series of conference calls,
emergency board meetings, because we had to figure out, first
of all, how we were going to approach this. Obviously you have
to do damage assessment and recovery. I mean, that's No. 1
right on the list, is how do we get back into business?
Mr. Horn. I take it the line to your computers in New
Jersey did hold up?
Mr. Seetin. Some did, some did not. We had--actually, we
have two services--oh, in New Jersey. Of course.
Mr. Horn. Right.
Mr. Seetin. That was not a problem. But I must say that the
communications problem in New York was great, and it wasn't
limited to that area. We eventually relocated to 50th Street
and Madison Avenue as our crisis center. We set up telephone
systems there to provide support for our traders.
We also used our Web site as really the contact point for
the staff and for everybody else to contact us. But,
fortunately, when we were running our trading system from 2:30
to 6 on Friday night, we didn't have a problem. But by about
7:30 Friday night, something went wrong in the switching
system. Again, a lot of this is related to the attack area that
we lost incoming traffic on our phone systems. All of a sudden
the phones went dead, and we were sitting there saying this is
not right. We could call out. But when people would call into
us, they would either get a busy signal or their call would
die.
So we had to get the Verizon folks in very quickly. We
virtually changed our exchange numbers right then, which, you
know in the midst of a crisis, of course, what you're doing is
exchanging information and telephone numbers with people to
have to go back and replicate that and tell them now the number
that they had before is--you know, is no longer useful. That
takes an enormous amount of time that you really ought to be
spending in getting to the things that you have to do.
As I said earlier, our board decided, first of all, two
stages of recovery. We did a quick assessment and we could
migrate our computerized trading system, because we had offsite
capabilities in New Jersey. We would migrate that to do an
extraordinary daytime trading system, because in fact the
energy markets, as you well know, within 2 hours after that
attack, rose something on the order of $2 a barrel. Nobody was
there. We weren't there to provide that window. It was
critical. We really felt the pressure, and frankly we got
pressure from the White House and everybody else to get back
up. We didn't need that. We felt that ourselves. But in
essence, we decided to convert to this daytime trading system.
We had obstacles as we migrated. The telephones were one,
because we were really managing it from a hotel, but the system
itself was away offsite. The critical part was getting people
back into our building. As you well know, that whole area was
shut down. Nobody could get in there. The only way you could
get in there was with a police escort. So we had to work very
closely with the police and the Federal authorities to get our
people in, first of all, to do the assessment as to what we
needed. Really the critical computer functions in our building
that we needed were for clearing, because we guarantee all of
the trades. Those trades have to be processed after they're
done. If you can't process them, it's a very, very difficult
situation.
So we used our Web site as a contact. We migrated to the
electronic system. Simultaneous with that was our effort,
really, to resume physical trading. For that, we had to go in
and do an assessment both environmentally, structurally, fire,
security, all of those issues; because sitting where we were,
and obviously, from our experience before, we viewed ourselves
as a potential target even in recovery. So the authorities were
tremendous in providing us very, very intense and expansive
security to allow our people into the building where we
assessed what we needed.
And then really the Herculean part of our effort began.
Nobody was getting any sleep before, but we certainly didn't
once we started the process of moving people in and out. We
called, because some of the operations were done out of the
White House, we had to call at 2 a.m. to arrange police boats
to pick our people up at 7:30, because the only way to get into
the building, again, was by water on the Hudson River. That's
the only way. We were lucky in that we did have dock and pier
facilities right adjacent to the building. We were able to do
that. We got our people in and began the assessment of what we
needed at that stage to begin physical trading.
After that assessment, the board decided, again given just
enormous pressure from around the world and our client base,
that we would begin physical trading at 11 a.m. on Monday. Our
normal starting time with our metals trading, the gold, silver
and copper, starts at 8:30 traditionally. That was our regular
starting time. Our energies begin in a staggered start about
9:35, and they start in 5-minute increments after that, the
reason being the energy products are related.
Price of crude oil is related to heating oil and to
gasoline, so you can't start one without the other. They have a
relationship. That compounds the problem that I'll talk about
in future recovery plans. Our chairman, Vincent Viola, our
president, Phil Collins, basically had backbones of steel, and
didn't get any sleep. We had to do a lot of things ourselves.
We quickly gathered--my role--I started down here quickly, I
got on a train, got to the crisis center, and because the
communication--again, we learned this--has to be centralized.
Well, we were trying to coordinate a lot of the governmental
contacts down here. When you're not in that frenetic activity,
when you're not in that centralized place, one does not know a
lot of the context of what's going on. So I had to be there
because I had to know when these guys were having trouble with
FEMA or these guys were having trouble with OEM--the OEM is the
Office of Emergency Management, which is the State and city
setup. Which, by the way, itself was a complicating factor.
Remember, they were in the World Trade Center. The OEM was
wiped out, the very same blast that kicked us out of our
building. And their responsibility, of course, is to help
people like us and all of the people that were affected.
And I must say, Mayor Giuliani did something that I don't
even believe. A lot of people said we don't believe you guys
got up yourself and traded by Friday, within 2 days. The first
day they had a number for us to call. They had people to
contact. I had my contact, Bill Gross, who was the mayor's
assistant. I could call him anytime, and I did. He will say
that. I will tell you that, you know, any time of the day or
night; the guy did not get any sleep. But they were there. And
they migrated their number. They told us what the new number
was. It went through without a slip.
How they did that, you know--and actually the performance
of the OEM was just remarkable. The State and the city were
almost seamless, with just a few exceptions.
Mr. Horn. That's the city emergency management group.
Mr. Seetin. Yes, the city office.
Mr. Horn. Was the State also involved?
Mr. Seetin. The State was also involved. The State was very
tightly linked with the city. I mean, in fact, we could do a
lot of the same calls. The same people were talking to each
other who were State authorities and city authorities. I will
say the only complication we had, and I guess in retrospect,
you know, you can smile about it a little bit, but we had a
group of telephone technicians. Now, remember, we had two
different systems in our building. We found out we had AT&T and
Verizon, because we have tenants who are trading tenants who
basically operate their own businesses, and they all had the
Verizon system which had its own series of problems. So we were
trying to get these people in Thursday night, Friday night,
Saturday night--in to get the phone lines up and running. We
had ours fairly well up by late Friday night inside of the
building.
But one of the problems I had--we got a call back from the
AT&T people that said we got three trucks with technicians that
are stuck at the checkpoint on Canal Street, because that's
where the stop point was for basically everybody. That was
where you were held up. And these people had police escorts
with them. And this was the night that the National Guard had
been dispatched, so you know, it was a situation where the
National Guard troops, even though we had a police escort, were
not letting us in there. So it took me 3 hours to get through
to the Governor's office to get down through the guards. You
know, this is the way things operate.
Once that got through, you know, again, that operated
smoothly. But those are some of the glitches when you have
Federal, State, and military authorities coming in. It is
critical that they communicate with each other, because, you
know, those of us that are trying to get up and running, we
have enough complications without having to try to go and get
these guys to talk with each other. That was a very minor
problem. And I don't want to overemphasize it, because in fact
it worked. It worked out very well. I will never criticize any
one of those people for what they did.
So we were getting all the support that we could. Several
hurdles that we had to overcome were, of course, if we began
trading with our thousands of people, and we have up to 5,000
people in our building when we're up and running trading. There
was no way for them to get to the building over land, by the
surface. We are certainly not going to have NYPD bringing these
guys in in police cars. It's not going to happen. So we had to
find an alternative route.
And while we were all doing this, another of our directors
was tasked with the fact of working with the New York
Waterways. New York Waterways did dedicate then, because we
didn't really want to use the police boats. The police were
great about ferrying us, but we also knew there were a lot of
other people that needed this as well. So we met, got the ferry
boat and we got authority then from the officials to basically
use that to finalize it for Monday. We basically had a series
of ferries that we leased, that we rented. And we put together
about 14 sites where our people could gather on the dock, load
onto the ferry, and they would be transported to our facility
on Monday morning. That's one of the reasons why we had an 11
o'clock opening, because logistically it's a very, very tough
task. We were doing all of this.
Of course, at the same time, we had to get our building
cleaned, according to--and fit for EPA inspection. Obviously
the asbestos--you saw the dust. You saw the horrendous
materials there. And I must tell you, my own experience down
there, if hell has a smell, that was it. The most horrendous,
acrid smell of burning and death and everything else on top of
everything else that you have to do. We were struggling with
that. The authorities were working very hard with us, because
we had to have fire inspection, we had to have the building
cleaned. We had to have structural engineers OK it. And we had
to work with Con Edison as well because we were off.
The electrical grid was down there, basically, and it was
not such that they could flip a couple of switches and put us
back on the system. The problem there was that the broader base
to turn us on, to put us onto the grid, means that they would
have a whole chunk of Tribeca, and it would be a tremendous
drain on their resources given the fact that on the other side
of the island the New York Stock Exchange was working just as
hard as we were to get up and running and they were in just as
much need.
So we tried to work with Con Ed, and we needed back-ups to
our back-up, because we were really now at the situation where
our back-up generators were our sole source of power. So all of
that going into play, we needed to have a certificate--in
essence, a certificate of occupancy, a letter from the OEM
Authorities, the city authorities, that our building was OK to
occupy.
We were going ahead with our plans. I finally got that
letter at 4 o'clock Sunday afternoon. At that time then we
really began to formalize the final plans for our opening. We
locked in the ferries. We had already been on the Web site and
we had an 800 number to call in our Web site, which really was
the critical point of contact, the 800 number. And we----
Mr. Horn. Hopefully, we are going to have staff sit down
with you and other people that have had similar situations
and--because we just can't do all of the things this morning.
But I think we want to get them.
First of all, I am fascinated by the telephone situation
where you couldn't get communications in the one direction but
you could get it in the other.
Mr. Seetin. Yes. And cell phones were another issue.
Because there were certain relay stations taken out, there was
a period when cell phone communication was very, very
difficult. In a crisis like this, that is a very, very
important thing, as you know.
It seems like when you have a crisis like this everything
happens at once.
After an exhausting week, Saturday night we were feeling
pretty good about it. I was up in my hotel room finally after
about 2 hours of sleep for the last 4 days. At 11:30, the phone
rang as I came out of the shower; and our chairman was yelling
at me to get down there because, of all things, one of our
back-up generators had sprung a leak in the fuel-line and
diesel fuel was spewing on the 16th floor of our building, the
same building that we were trying to recover from.
So I called Inspector Pat Bradley. Now this is the guy who
is in charge of all of the police in lower Manhattan, another
guy who has had less sleep than any of us. He darn near had an
accident while I was talking to him, but within 20 minutes he
had a police car to our building.
Our chairman went down with two technicians to begin the
rehab process; at the same time called the White House, who
relayed to Con Edison the essential need to get back-up
generators.
Before dawn we had one back-up generator onsite. And these
are not the little kind that you have in the back of your car.
These are huge. They are semi-size units. And the Con Ed people
had to basically--it is not a plug-and-play system, either.
They had to cut the system apart and actually weld the
interface in, and they did that.
By the end of the day, we had another back-up system; and
Con Ed has been tremendous with that.
The difficulty is, of course, the refueling. Because we
went from our system where our back-up generators were refueled
every 4 days to 12-hour increments.
Anyway, to cut to the chase, basically we are up and
running. We have back-ups to our back-ups. By next Monday we
will have a fully redundant back-up of our computerized trade
system, and it will be some distance away. It will not be
located in the New York City area, and we will be able to
basically flip a switch for a seamless move-in there. God
forbid the power loss is that large. If the power loss is as
large as takes that out, then we are all in trouble.
So I think I am going to try to summarize. I know that
there are many people here that have things to say.
The critical thing we learned, first of all, is that
communication is tantamount. The first thing you need in your
crisis plan are the names, numbers, and ability to get together
in the same site, because you all have to be there. You all
have to be there to implement, because things are chaotic.
There is no order to the system. I mean, we were up and running
on Friday, and it sounds like a miracle. But it is a little bit
like the old saying about laws and sausages. Those interested
in laws and sausage should not witness the making of either. We
got the sausage of our electronic trading system on Friday, but
it wasn't a clean operation.
But we were there. We all had to work together. And the
Federal and State authorities, the police, the firemen--I can't
say enough. We needed it, and they were there.
And I see Mrs. Maloney there, too.
Mr. Horn. Yes. She is going to ask you a question, and then
we will go to Mr. Miller because she has to leave.
Mr. Seetin. I just want to close and say one thing that she
did that was so critical. On Monday morning, after all of this,
we are about to open at 11, and I bothered Carolyn's poor
husband--poor guy was in bed. She was out working already. And
Carolyn called me back and said, you know, do you guys have--
are you all set with grief counselors? And I said, well, you
know, I could use one myself. But, you know, I really wasn't
aware of that. And I said, well, you know, I will have to talk
to you about that later.
As soon as I got to the building--I got into the building
at about 5:30 on Monday morning. Our H.R. person comes to me
and says, we can't get any grief counselors. There is nobody
available. I called Carolyn. In 2 hours we had four grief
counselors onsite. And, you know, that is the type of
cooperation that we got, for which we will be eternally
grateful.
[The prepared statement of Mr. Seetin follows:]
[GRAPHIC] [TIFF OMITTED] T0481.124 through T0481.127
Mr. Horn. Well, she always gets things done right, early
and often.
Mrs. Maloney. Thank you, Mr. Chairman; and, as a point of
personal privilege, I welcome all of the panelists today, but
particularly Mark Seetin. He is a constituent and a friend as
vice president of government affairs for the New York
Mercantile Exchange. We have worked together closely over the
years.
We are all very proud of the Exchange. It is an important
exchange to our city, to our country. I was personally there,
Mr. Chairman, at the miracle, at the reopening of the New York
Mercantile Exchange along with the Governor, the mayor and many
other New Yorkers; and I believe that the reopening of the
Exchange was symbolic of the efforts up and down Wall Street
and throughout our city and our country.
At the NYMEX, the staff and senior executives worked around
the clock to reopen. They overcame terrible logistical
problems, interruptions in power supplies, and the grieving
that is natural when so many of our industry colleagues
perished in the World Trade Center. The Exchange lost 18 of
their employees and many, many probably hundreds, thousands of
their friends in this horrible accident.
It was impossible to get at the Exchange over the land. It
was roped off. The recovery was taking place. The fire, the
police were all there. And the Exchange literally, probably to
this day, brought in their employees by boat.
Are you still using the boats to bring them in?
Mr. Seetin. Yes, we still have to use the boats.
Mrs. Maloney. I think that shows the tremendous spirit of
American free enterprise, of overcoming many, many obstacles to
get open, to get back to work. And even with their great grief
and their great loss, opening up the Exchange, going back. I
still don't understand how they do it, all of that screaming
and yelling, but you are out there making these exchanges,
making these trades and really investing in the American
economy.
I just want to say briefly, very briefly, in this crime
against humanity, I am so shaken I can hardly believe it. I
think all of us are, who have been to ground zero, who have
seen it, who have met the families, who know the tremendous
personal loss in so, so many areas.
But to see the spirit come back. The terrorists wanted our
markets to fail. Our markets succeeded. And they wanted our
planes down. Our planes are flying. It is a symbol of our
American spirit. And it is really a way that we can be
patriots, to invest in the market. It is something that we can
control as individuals, our own faith in our own economy.
Mr. Seetin and his whole team at the New York Mercantile
Exchange are part of that success story that we are doing right
now, building back America even more strong and determined.
Believe me, I have never seen Congress so determined in my
entire life or so united; and we will be there on Monday,
touring--many members are coming on Monday to tour ground zero,
and we will see if we can stop by and meet with you and your
many devoted employees who are working as we speak to keep our
economy strong.
Thank you for your testimony, all of your hard work; and my
condolences on the great loss of many of your friends and
colleagues.
Mr. Seetin. Thank you very much, Congresswoman. We very
much appreciate your help and all of the members of the New
York delegation who were so helpful to us.
Mrs. Maloney. Just so you understand, Mr. Seetin and
others, we are in a hearing on the insurance industry in
Financial Services. It is the first one on how they are paying
the claims, reacting to the crisis of the individuals; and I
need to get back to that. But I thank you for your testimony,
all of you.
Mr. Seetin. I should be there, too.
Mr. Horn. Well, we thank Mrs. Maloney, the ranking member
here over the years. She is very eloquent, and she speaks for
the Congress.
Mrs. Maloney. Thank you, Mr. Horn. I have enjoyed working
with you so many times. I regret that you have made a decision
to retire after this term. I think it is a great loss to
Congress, to the constituents you represent. I hope you will
reconsider.
Mr. Horn. Well, we will be busy, Carolyn, for the rest of
this year and all of next year. I really appreciate it.
Some of the things you have said, as I say, I want the
staff to go up to New York and talk to some of the similar
types of situations. Because that does worry me on that
telephone situation, and we have got to figure out a way to do
it.
A number of us sent a letter to Chairman Powell of the FCC,
and we have asked, on a 911 situation, where you can have an
extended system in some way or an isolated--has various ways to
do it, either on an underground or overground--because--we need
to have these options coming up in the satellite or whatever.
Mr. Seetin. Those are very important.
One other thing--and I must say it is very important and
was mentioned here--about the scope of the attack and whether
computer systems are being scanned. I must say that we had that
experience as we were beta-testing to get up and running. I
think that anybody who is in this business, in information,
technology needs to be aware that there are lots of bad people
out there, and whether or not they are coordinated really
doesn't matter. Because things like that are going on. We
experienced it as we were trying to recover.
Mr. Horn. Well, thank you very much.
We now go to the last presenter.
Harris Miller is president of the Information Technology
Association of America. He has been a long-time witness with
this subcommittee, and we are very grateful to him. He has a
professional, wonderful group; and he can reach out throughout
America to give us witnesses and everything else. So, Mr.
Miller, thanks for all you have done. We now get to you.
STATEMENT OF HARRIS MILLER, PRESIDENT, INFORMATION TECHNOLOGY
ASSOCIATION OF AMERICA
Mr. Miller. Well, thank you, Chairman Horn.
I fear what I have to say following Mr. Seetin's very
dramatic form of testifying may seem somewhat banal, but I
still will proceed; and I also want to echo Congresswoman
Maloney's comments about our regrets about your decision to
leave Congress at the end of your term. You have been a great
friend to the IT community and a great overseer on issues like
Y2K and information security. But, knowing you as I do, I know
you will work right up through January 3, 2003, to the end of
your term on all of these issues. So I am sure we will be
seeing a lot more of each other.
In terms of the issues today, I would like to focus on the
importance of IT generally to what happened on September 11th
and subsequent events. I would like to offer insights regarding
both disaster recovery and critical infrastructure protection.
The United States has made a huge investment in information
technology in dollars, intellectual capital and in public
confidence. Even before the fearful dust cloud settled over
lower Manhattan, the Pentagon, and the field in southwestern
Pennsylvania, our national investment began to pay off.
That is my main message to you this morning. Allow me to
reiterate it. The Nation's IT investment paid off.
In the midst of disaster, the IT industry, a complex web of
people, technology, products and services, responded
brilliantly. The IT industry and the customers it supports
absorbed the blow and came back strong. Voice, data and video
communications have been critically important in helping us to
understand the scope of the disaster, directing relief efforts
and locating missing people.
The Internet provided literally millions of people with an
alternative route around clogged or destroyed New York
circuits, providing a frantic public with critical services for
finding loved ones, services like e-mail, instant messaging,
and voice-over-the-Internet phone calls.
According to a public opinion poll conducted by Harris
Interactive just after the World Trade Center bombing, 64
percent of people on-line used the Internet as a source of
information.
As a political scientist, Mr. Chairman, you understand how
important communications are to maintaining the fabric of
society; and clearly the Internet helped to strengthen the
fabric of the American community during some of the most
critical hours in our Nation's history.
While the recovery operations at ground zero and the
Pentagon made us all proud, a less visible but very important
series of activities has taken place to sustain the operational
integrity of businesses damaged in the attacks. Many well-
managed companies built themselves up a safety net by
contacting disaster recovery firms for data back-up and remote
operations support.
In fact, business continuity planning may be the bright
line between companies that emerge from disasters with a future
and those that do not. A business continuity plan identifies
the mission-critical processes and applications of the company
as well as its interdependencies, both inside and outside of
the enterprise, necessary to support such functions.
As you know quite well, Mr. Chairman, from your work under
Y2K, much of the contingency planning that prepared
organizations to face Y2K apparently helped them to survive
this latest disaster.
The IT industry has also demonstrated its heart in the
aftermath of these horrendous attacks. For instance, several
leading companies responded to the attacks by creating
www.libertyunites.com, a Web site committed to providing
convenient access to philanthropic organizations helping
America recover from this tragedy.
Libertyunites.com, which President Bush mentioned in his
eloquent address to the Nation last week, has collected well
over $80 million in public contributions to date to help the
victims and to help in the recovery process. This is just one
example of the creativity and generosity of IT companies and
the utility of the Internet in aggregating support and building
community, an example of the on-line community at its best.
But, going forward, we dare not let down our guard to
terrorism ever again. So what do we do?
Well, homeland defense is a phrase which we are just
beginning to understand. Many people are unsure about what it
means and how they can participate. To focus just on the
cyber aspects, I would like to suggest an immediate action. We
need to safeguard U.S. computer assets by adopting much more
widely sound information security practices.
We have heard from Mr. Willemssen the shortcomings that
continue to exist in the government systems. And,
unfortunately, we know the private sector also has its own
shortcomings. Practicing information security as part of
homeland defense will pay massive dividends in the future.
In my written statement I have identified a series of
information security steps for home users, small businesses and
larger firms.
I would also like to talk for a minute about a silver
lining part of the Nimda worm that you heard about earlier from
the other witnesses. While we are far from a perfect system, I
would like to report to the subcommittee that both under the
Code Red and under the Nimda there was a massive coming
together of government, not-for-profit organizations and for-
profit companies to try to deal with the attack.
I particularly want to pay tribute to National Security
Council official Marjorie Gilbert, who pulled together massive
numbers of people on interminable, it seems, conference calls
last week involving all of the organizations of the government,
the NIPC, Defense Department, the Central Intelligence Agency,
the Energy Department, organizations like Mr. Pethia's
organization, CERT, many of the leading anti-virus companies,
many of my member companies, other industries, the IT-ISAC,
the financial services ISAC, and a massive undertaking to
understand and deal with it.
Was it a perfect system? No. But, for the first time, I
think we are finally seeing what true government private sector
cooperation means. We learned some lessons last week, and Ms.
Gilbert and the other people working on that are now coming up
with better systems to be able to respond even more effectively
under the next attacks. Because Mr. Vatis is certainly correct.
We have not seen the last of these attacks, and being able to
prepare is right.
But I think, Mr. Chairman, you should be proud that we are
moving forward. I would be glad to brief your staff at some
point on my impressions of how we saw some major progress the
last few weeks, and I think we are going to see even more
progress going forward.
Let me talk about a couple of things that I hope will not
happen in response to the attacks we have seen. There has been
some discussion about rolling back the policy on encryption. I
think that would be a mistake, and I hope that we will not do
it.
I also believe we must move ahead quickly with the efforts
that are already under way to better coordinate within the
government. As you know, Mr. Chairman, under the leadership of
Dr. Rice, the National Security Council has been developing a
revised Executive order to better coordinate cybersecurity
within the government. The exact status of that is unclear with
the announcement of Governor Ridge's appointment. But, whatever
happens, we need to move forward with that coordination in a
very rapid fashion.
We also must stay the course on our technology agenda. For
example, we need to continue to focus on the issue of
broadband. Telecommunications and broadband service were very
important during the actual response to this crisis. They will
become even more important moving forward.
Finally, Mr. Chairman, I want to object in the strongest
possible terms to some allegations made in a Washington Post
op-ed piece by John Podesta, the former Clinton White House
chief of staff, last week where he said that the IT community
does not understand the importance of societal safety and
security. As one who worked personally with President Clinton
and Attorney General Reno and others under the Clinton
administration, I know that is not true. The IT community
focuses very clearly on safety and security.
I worked very closely with Mr. Vatis, for example, when he
headed the NIPC.
If anything, the relationship between the IT community and
the government has even strengthened during this crisis that we
face, first with the Code Red virus and, of course, the
horrible physical attacks that occurred on the World Trade
Center and the Pentagon and southwestern Pennsylvania.
So I say that close collaboration is under way. We are
doing it much more every day. The IT community stands ready to
work closely with our law enforcement community, our national
security community to not only try to head off any kind of
cyber attacks, to help deal with physical threats, but also,
when these attacks occur, to make sure that the perpetrators
are tracked down.
On September 11th, we all learned an important lesson about
the capacity of terrorists to practice evil. In the aftermath
we learned an important lesson about this Nation's incredible
ability to pull together in the face of adversity. For those
listening closely enough during this truly terrible time,
another lesson still, the IT industry works.
Thank you very much, Mr. Chairman.
Mr. Horn. Thank you for that very fine overlook.
[The prepared statement of Mr. Miller follows:]
[GRAPHIC] [TIFF OMITTED] T0481.128 through T0481.136
Mr. Horn. I wanted to start in on just a couple of items,
and then we will get to a dialog.
Mr. Willemssen, being the very thorough type that he is, he
has a long series here of some of these groups that have acted;
and I just want to clarify one thing.
On page 4 you say, the Russian Hacker Association offered
over the Internet an e-mail bombing system that would destroy a
person's Web enemy for a fee, and that the source is the United
Kingdom Ministry of Defense Joint Security Coordination Center.
I just wonder is there any relation to the Russian Government,
or is this just some group of people with Halloween night or
something?
Mr. Willemssen. I believe it is the latter, Mr. Chairman.
But to be precise on the answer to that question, I would
prefer to answer it for the record. If I could follow up on that
and get you the specific answer, I will do that.
Mr. Horn. Good. I appreciate that. At this point in the
record, without objection.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T0481.137
Mr. Willemssen. Also, Mr. Chairman, in following up on
that, I believe there was an NIPC report on that particular
incident that we will be able to identify and get back to you
on.
Mr. Horn. Yes. Because that is serious business. If it is
with the Russian Government, we need to confront them on that
in a quiet way and get this--see what they are doing on it.
I want to next go to Presidential Directive 63. What I am
interested in is, when that was developed, was GAO asked on it?
Was the CERT group asked to take a look at that? And did the
FBI have an opportunity to look at that and--as a matter of
just getting the best you can in a Presidential directive.
So how did that work? Did anybody get with the White House,
say, hey, you guys know a lot of this, what do you think?
Mr. Dick. From my standpoint, PDD63 was already in
existence before I became a part of the Center. However, my
esteemed colleague here, Mr. Vatis, who I worked for for a
period of time, I think was part of the commission that was in
the development of that. So I am going to defer to him.
Mr. Horn. Mr. Vatis.
Mr. Vatis. The history of PDD63 was that it stemmed from a
Presidential commission composed of both government
representatives as well as representatives from the private
sector who issued a report in 1997, I believe, looking at the
vulnerabilities of the Nation's critical infrastructures to
both physical and cyber attacks. PDD63 then was pulled together
by an interagency working group led by the National Security
Council.
So there were representatives from the Department of
Justice, from the FBI, from the Department of Defense, all of
the intelligence community, as well as all of the other
civilian Federal agencies involved.
There was not a great deal of private sector involvement in
the development of that Presidential directive. There was
private sector involvement, though, in the follow-up development
of a national plan for information system protection.
Mr. Horn. Well, as you look at it now, going back about 5
years or so, does that need expansion, and were things not put
in there that should have been put in there?
Mr. Vatis. Mr. Chairman, my personal view on the PDD was
that it actually did set forth a good structure--not the be-all
and end-all structure, but certainly an excellent start. My
principal problem with the PDD, though, was the lack of
enforcement of its terms about various agencies'
responsibilities and the lack of resources to support the
various responsibilities that were created.
The NIPC is a perfect example of an entity that was given
massive responsibilities and only a drop in the bucket of the
resources that were required to do the job. I can say that more
freely now that I am no longer in the government. But I don't
suspect anybody would disagree with me.
And that is only an example. Many agencies that were given
responsibilities under that directive considered those
responsibilities to be basically unfunded mandates, because
they were not given new resources to perform those new
responsibilities. And that is a continuing problem. You can
have the greatest plan in the world, but if the resources
aren't allocated to perform the responsibilities under that
plan, nothing much will get done.
Mr. Horn. To whom should that budget allocation go?
Mr. Vatis. Do you mean, sir, who is responsible for making
these allocations?
Mr. Horn. Right. You are saying it is a mandate, and
usually over the years we have worried about that. If, say, it
is a mandate to the State or a mandate to the cities or
whatever, through HUD--so where do you think we are missing
the----
Mr. Vatis. I think it has to start with the executive
branch, and the President's budget submission each year I think
needs to have resources allocated to meet all of the directives
that have been given to the various government agencies. Then
Congress can, in turn, examine those proposals and respond
accordingly with appropriations. But it must start, I believe,
with the President's budget submission.
Mr. Pethia. The CERT coordination center also worked
closely with the Presidential commission prior to PDD63 and
also afterwards with the implementation plan.
The other thing I would like to mention is that in the
original work of the commission and hinted at in the PDD63 was
the call for increased research in the area of information
assurance.
The problem that we are struggling with today are real
struggles. I personally think we are getting farther behind
than we are ahead. But I think that we are going to have even
bigger problems in the future.
So as we put immediate near-term solutions in place, we
also have to look down the road 8 to 10 years to begin to think
about the kinds of threats that we will see then, and the
research community and the technology community is going to
struggle to meet these needs without an expanded research
agenda.
Mr. Horn. Well, is that because, Mr. Vatis, I believe, said
on the software, and others have said the same thing, if you
are thinking 10, 15 years out when you have got--almost every
day something new comes in Silicon Valley, all over the
country, and how do we deal with that then? Do we have a
constant team that looks at this and says, hey, this can also
be mischief. So how would you go about it?
Mr. Pethia. Today an awful lot of what we do with
recognizing attacks and dealing with them are done by people,
people who are watching the systems. I believe we can work
toward new generations of technology that are much more aware
of what is going on, whether or not they are being attacked;
and we need the engineering framework that will support the
construction of these kinds of systems.
Today, information assurance is very much an ad hoc art,
and we need to turn it into an engineering discipline like
civil engineering. So that is the area that I propose where we can
build the basic frameworks and mechanisms and methods that will
allow us to build systems that will adapt over time to meet the
new threats.
Mr. Dick. A couple of quick comments.
The main mission of the Center or the impact of the Center
is to reduce threats to our critical infrastructures. The goal
is to detect and deter and prevent those attacks before they
occur.
One of the things that was highlighted, and rightly so, in
the GAO report was our need to improve our strategic analysis.
And one of the things that we are doing through Mr. Vatis and
Dartmouth is a project to kind of look over the horizon and
what the technologies will be in the future, to identify those
kind of vulnerabilities associated with that so that we can
better prepare the critical infrastructures from a technology
standpoint as to what those vulnerabilities are and what the
appropriate response mechanism should be.
So it's a multi-faceted approach, insofar as information
assurance is concerned, from the ability to detect, assist, and
warn of those vulnerabilities. It is a huge effort that is
going to be built upon a partnership between the private
sector, academia and the government; and I think we are
building that trust up, which 3, 4 years ago was in its
infancy, but I think it is growing. And Harris is right. We
have come a long way from where we were in the ability to
communicate with each other.
Mr. Miller. I would just like to add that--the sort of the
third leg of the stool, to confirm what Mr. Pethia was saying
about the need for more research money. The fact of the matter
is, Mr. Chairman, that in most corporations which do spend tons
of money on research--but, really, it is mostly short-term
development and short-term. What we really need is a long-
term--frankly, it is going to have to be a government-funded
research agenda.
Following the distributed denial of service attacks in
February 2000, the Clinton administration proposed a $50
million supplemental appropriation to create a new research and
development center. Because it was an election year and all
kinds of other reasons, that proposal never got very far,
though. I do believe that Mr. Vatis' center has gotten a small
amount of funding for kind of a micro version of this.
But I know the IT community feels very strongly and
certainly echoes what Mr. Dick said and Mr. Pethia has said,
that there needs to be government-funded research focused on
long-term information security challenges. And also the
subsidiary benefit of that, as you and I have discussed before,
Mr. Chairman, that also helps another problem which Mr. Pethia
outlined, which is it provides more funding for graduate
student assistance and research, which gets more computer
scientists trained as information security specialists, which
is another challenge that we have.
So I think that this R&D topic is very, very important
going forward. It doesn't help us today or tomorrow, but in the
long-term it helps to protect our IT infrastructure.
Mr. Horn. Well, we certainly have a number of people here
that are already working on that, Mr. Dick and the FBI. Are you
thinking of a section in NIPCs which I think there is a section
on the patent operation and so forth in the Department of
Commerce. What role would you see for them?
Mr. Miller. We think that NIPCs plays an important role.
Following the proposal, Mr. Chairman, made by the Clinton
administration, there were a series of meetings chaired by then
director of the Office of Science and Technology Policy, Dr.
Lane, and Dick Clark, from the National Security Council, where
you brought industry and government and academia together to
discuss the best structure of this.
And, no, no final conclusion came out of it. There was a
sense that it should not be totally centered within NIST, that
would be a mistake. Now, NIST needs to be a part of this. But
you need to have a role so that industry and academia also have
leadership. Because if it simply becomes another government
grant program where government officials sit there and respond
one on one to specific research requests coming from the
universities or other not-for-profit organizations, it won't
really meet its mission.
We felt from the industry standpoint that, for example, a
structure that we could have a director of this operation from
NIST, but the deputy director would come from industry, for
example. So you would have a tremendous amount of industry
input to make sure that the government-funded dollars didn't go
to duplicative research that was already being done by the
corporate sector.
The challenge, Mr. Chairman, is--as you can appreciate is
industry wants to make sure that research being done with these
government taxpayer dollars is simply not duplicating what has
already been done in the labs of IBM or Microsoft or Network
Associates or all these companies that specialize in these
areas.
That is the challenge that we face. But we do believe that
it can be overcome, and we believe that we can resurrect the
conversations that took place in 2000 and move quickly if
Congress decides to fund such a larger center at a larger scale
which we believe is necessary.
Mr. Horn. Certainly Mr. Pethia's group, the Software
Engineering Institute at Carnegie Mellon, they certainly have a
long track record on this; and we certainly depended on them. I
think that is where the thought came about the software.
Would you like to elaborate on that, how we can build into
the software so that some of these worms and all of the rest
can't get in there? And why isn't Silicon Valley doing some of
that? Because they would make billions of dollars if they could
be assured that a complex hardware and all--so I just wonder
what you see on the horizon right now?
Mr. Pethia. A couple of points I would like to make.
One of them is, the roots of much of the technology that we
have today didn't come from the Internet, per se. The Internet
infrastructure itself was originally a Dartmouth-funded
research project. It was installed as a demonstration of how to
build large-scale, robust and reliable networks that would
withstand attacks, and I think the Internet infrastructure has
done that.
Over time, we began to use it for different purposes for
which it wasn't designed. At the same time, one of the major
early operating systems on the Internet was the UNIX operating
system, which again came from a university research
environment. It was developed primarily to allow software
practitioners ease of development of software, not necessarily
ease of use or secure use.
Much of what we have on our desktop computers today really
came from the personal computer world of years ago where
personal computers were intended to be just that, personal, not
connected to anything else and therefore not subject to attack
from the outside. What we have done is we have taken these
older technologies and we have networked them together into
something that now doesn't have the security characteristics
that we need.
But since we have this huge installed base we now have all
of this legacy software that we have to deal with, so we can't
change it quickly. However, we do know from our software
engineering work that there are techniques that can build
systems that are much more robust, much more secure, and have
many fewer errors than what we typically see today. And there I
think it is a matter of recognizing that we won't get there
quickly. We have got to give industry time to make the
transition from one to another but also help the industry
understand that there is a common belief in industry that many
of these techniques require extra cost, slow down time to market
and hamper features. That is not the case. We have plenty of
data now to demonstrate that.
But it is a learning curve for industry to recognize that
they can't put new practices and processes in place without
having the negative side effects that they necessarily might
think that they would have.
There will be an initial upfront cost as organizations go
through this learning curve and change the way that they
engineer their systems. There will be for the short-term--very
short-term--a slowdown in productivity and a lengthening of
development process. But as they become more proficient using
these new techniques, in fact, they get benefits in terms of
being able to produce software more cost effectively and
actually improve their delivery schedules.
Mr. Horn. Under the current legislation, the Office of
Management and Budget is really responsible for overseeing
computer security in the Federal Government. They have put
various types of surveys out. We haven't seen them yet. But I
think we have found in this hearing that there is a lot of--
numerous deficiencies that government computer networks ought
to be working on.
I think in the last week or so, where we have the Office of
Homeland Security headed by Governor Ridge of Pennsylvania--and
I certainly remember when we were on the Y2K bit that Governor
Ridge was the Governor in the country that was doing the most
on Y2K within the Commonwealth of Pennsylvania. What do you
think about having the Office of Homeland Security have this
responsibility within the executive branch? And if not that--
because the problem with OMB, they have got too much to do, and
this isn't going to be done unless somebody has it done.
This certainly relates to Governor Ridge, for whom I have a
high respect. And I think if you were in the Chamber, as were
all Members of Congress, when the President made that
announcement, it was absolute thunder in the 400 or so of us
that were there that night.
If not, what other things do you see that we ought to have
that will pull these things together and not have to have a
congressional committee sort of goad it, which is what we did
from 1996 to 2000 as most of you know, and eventually the
President did something about it. But, we need that on a
constant, steady, sensible basis.
Mr. Miller. Mr. Chairman, I continue to advocate very
strongly the creation of a position of information security
czar within the government. You and I have discussed this at
previous hearings at which you have allowed me to testify.
Whether Governor Ridge wants to take on the responsibility
obviously is his decision. But I agree with you there are some
excellent people at OMB. But they simply have too many other
things on their plate right now.
I think that having one person in charge who plays the same
role as Mr. Koskinen played so brilliantly during Y2K, not with
a big budget, not have a big staff, but having the ear of the
President and the Vice President, therefore being able to be a
very persuasive person for government officials is absolutely
essential if we are going to make the progress.
That along with the other issue that Mr. Vatis addressed,
which is a sufficient budget resource for the agencies and
departments, again, not to build up a big bureaucracy for this
czar but to make sure that the individual CIOs and other people
have a budget.
Without those two elements, Mr. Willemssen is going to be
back here giving you the same report year after year after
year.
Mr. Horn. Well, it is always a pleasure.
Speaking of that, you are going to check that Russian
hacker thing.
Mr. Willemssen. Yes, sir.
Mr. Horn. Mr. Dick, will you check that, too?
OK, I have wound that up now. So we are going to get back
to a few things just for the record.
Now why haven't some Federal agencies even succeeded in
identifying their most critical systems--under that
Presidential Directive 63--which required that they do it by
December 2000, and they haven't really done it.
So do you have any feelings on that, Mr. Willemssen?
Mr. Willemssen. Well, I think it is instructive to go back
to an issue that you raised previously and also Mr. Miller
raised, and that is going back to Y2K. We know that when
agencies started in earnest on that particular effort they also
did not have a good handle on their computing infrastructure,
that over time they did gain a much better understanding of
what they had and how it contributed to their various lines of
business.
One of the issues that you and I have chatted about shortly
after Y2K was over was the concern that the momentum would be
lost that had been started by this--much better management of
IT in Federal agencies overall, better understanding of what
they had and how it contributed to their missions.
That is what will be very useful to see the upcoming agency
reports that will be submitted on information security, to see
if indeed that momentum was lost and some agencies are now
having to go back and do reassessments that they already had in
place but they didn't continually update.
So there is a potential for almost a reinventing the wheel
syndrome, which, if that is the case, that would be very
unfortunate that we lost that sense of urgency and didn't
continue down that path of improved IT management.
Mr. Horn. Well, in the next few months we will know whether
we are getting the kind of information we need to go through
this or not. Maybe they are just playing the same games that
the previous administration did, but I would like to think that
they have a chance to just say, hey, it wasn't our situation.
But, here, we just got everybody moving on this, and I haven't
seen that at this point.
Mr. Pethia, as a person with extensive knowledge of Federal
operations, what actions do you think are the most important to
improve the computer security at Federal agencies?
Mr. Pethia. I think what you mentioned earlier--the need
for the agencies to identify their critical assets, their
critical information assets, and then to put in place within
each agency----
Mr. Horn. Is that really an inventory idea?
Mr. Pethia. It is an inventory idea, but it is not a simple
inventory. We have had a lot of experience in helping agencies,
also helping organizations in the private sector do exactly
this. And what we discover in both cases is that, very often,
since information infrastructures and functions sort of build up
over time, if you look inside any organization there is no
focal point anymore, no one any longer remembers what all of
these pieces are and how they interconnect.
So there is an analysis process that you have to go through
to understand, first of all, the mission of the organization,
the critical functions it provides, and then map that onto the
information infrastructure.
So it is not just looking at the hardware, it is looking at
the functions of the organization. I think that is the start,
to identify where the critical needs are and, based on that, to
be able to form a protection strategy that focuses on meeting
those critical assets.
What we saw too often is people trying to, let me say, peanut-
butter information security technology across their entire
infrastructure. By doing that, they very often miss the
critical components and also end up in some cases spending much
more money than they need to because they are protecting things
that are, in fact, not that critical.
Mr. Dick. Mr. Chairman, there is one thing that I would
like to comment on. It was mentioned by Harris and Mr.
Willemssen both. One of the things that we can do now--it is
going to take time for research and development to modify the
software and tools that are out there now. But something that
we can do now that both of them mentioned was putting in place
policies and procedures that actually implement a practice of
information security.
Many of the--we work very closely within the NIPC with CERT
and SANS and ITAA and the private sector to identify the, if
you will, the top 10 common vulnerabilities that are out there
and for which there are patches to repair the systems. What
we have determined is that a high number of the intrusions and
problems that we have experienced could have been eliminated if
systems administrators in the industry had just downloaded the
patch and repaired their systems. I mean, probably 80 percent
of the issues that I see in the NIPC wouldn't be issues because
the vulnerability wouldn't continue to exist.
For example, I think one of the reasons that the Nimda
issue was minimized as quickly as it was is that we had gone
through Code Red, we went to a high visibility on explaining
what the vulnerability was, because in both of those issues the
patch was available prior to the spread of the worm. It was
just a matter of systems administrators didn't repair these
systems.
But it is even more of a problem today, because not only do
you have to, with the advent of Internet connections and DSL
connections, we have to get--reach the home user to implement
these kind of patches, too.
But I think if we could develop and teach people good
information security, good information assurance practices we
could see some substantial results.
Mr. Horn. Let me ask all of you, how vulnerable is the
Internet itself to terrorist attacks and what would it take to
bring it down and what would it take to not bring it down?
Mr. Vatis. If I could address that just briefly.
The analysis that we did over this past weekend of the
possibility of attacks by terrorists, their sympathizers, state
sponsors of terrorism or others shows that the possibility is
there to take down significant portions of the Internet and the
critical infrastructures that rely on the Internet.
Many of the vulnerabilities are ones that have been there
for a long time. But things like routers and domain name
servers and the like, which are critical to the functioning of
the Internet and the communications across it, are vulnerable to
attacks that can have wide-scale consequences.
The problem is, as Mr. Dick alluded to, that a lot of these
problems are well known, yet they are not being addressed
because of a lack of resources or lack of prioritization from
the top. We can have system administrators in a company, in a
government agency, who are very well-intentioned, doing the
best that they can, but if the CEO or if the secretary of an
agency doesn't really care about security, then the system
administrator is not going to get the resources and the
attention that it needs to really implement a program,
policies, procedures, technology and people to get the job
done. So all of those things are critical.
But the bottom line answer to your question is, we are
extremely vulnerable and will continue to be until these sorts
of problems are addressed in a systematic way.
Mr. Pethia. Building on what Mr. Vatis says, I think the
good piece of the news is that much of the Internet is very
resilient and very robust and able to recover from attack. But
there are those few key points like the domain name servers
that don't have enough redundancy, don't have enough ability to
quickly recover from attacks that are successful. I think if we
focused in on those key points we could make a great deal of
progress in a short period of time.
Mr. Horn. As I remember, a few years ago, Mr. Willemssen, I
had asked the General Accounting Office to take a look at the
aging of both hardware and the software in the executive
branch. I don't know how much we ever got of that or whether
OMB took it over. But if you are coming up to a congressional
group, we ought to have some good facts that we could say this
is why you should invest in this infrastructure. I know you
have wonderful studies over there, and I look at all of them,
and I don't know if that one sort of just went to GSA or
whoever. But, we need to sort of get a partial analysis maybe
and/or take a couple of agencies that we really look and see
what is there and what isn't there.
Mr. Willemssen. Well, we recently briefed your staff on the
results of that, the information that we were able to acquire
from a variety of sources, including OMB.
Of course, the state of computing and data centers has
dramatically changed through the 1990's as you are less able to
get strictly at computing capacity because of the advent of
connectivity and networking. So it is not always the best
measure of computer capacity.
Among the things that we looked at in that particular study
relating to information security, I think that it is fairly
instructive and connects to some of the points made by the
other panelists. The data that agencies are reporting on the
extent of expenditures on information security varies
dramatically across the Federal Government. Several agencies
stated they are spending a good percentage, 15, 20, 25 percent
of their IT funding on security; other agencies reporting they
are spending very little.
That kind of data I think is very useful in understanding,
at least based on what agencies are reporting, what kind of
priority they are placing on information security and what that
means in terms of how they are addressing the risks and threats
that they face.
Mr. Horn. Mr. Dick, why is it so difficult to apprehend
these perpetrators of viruses like Code Red, its variants and
Nimda? Will they ever be apprehended?
Mr. Dick. Yes, and we have had some successes. I mean, in
the Melissa virus we have been able to determine who did that.
And the Love Letter virus, we were able to determine who the
perpetrator was of that.
Now obviously there are a whole lot of obstacles associated
with that. For example, in the Love Letter virus, even though
we were able to identify who we believe did that, the country
in which that individual lived or resided didn't have the
appropriate laws perhaps to deal with that.
We are working through the State Department and with our
international partners to try to resolve these issues. As you
know, in the Philippines they have since taken corrective
action. So, you know, I don't like to paint the picture that it
is an insurmountable obstacle to identify and arrest these
individuals. For example, even on the Leech virus, we have
identified a subject in--that we have brought to the bar of
justice in another country. The big obstacle is that, like the
Internet, it is a very global issue.
You know, even if we have--as I talked about in Australia,
a month ago, you know, the United States and Canada and
Australia could, you know, implement all of the appropriate
procedures for firewalls and patch our systems. But because of
the way the Internet works and the interconnectivity of the
various businesses, if it is not a global solution and a global
response to it, we are still vulnerable.
So it makes it very, very difficult but not an
insurmountable problem. My glass is always half full.
Mr. Horn. Well, mine, too. Do you think we have enough laws
to give you guidance within the domain of the United States or
are we missing something? And, if not, should we be putting it
in? This is the time of year where you can stick a lot of
things on an omnibus appropriation. You can also put language
to help people in other areas. And, if so, let's hear it.
Mr. Dick. There are a number of legislative issues that we
are working with the Department of Justice on. You know, some
of which are issues like, for example, if we did an
investigation, in each one of the judicial districts we have to
go and get an order or subpoena or some kind of official
document to follow up and retrieve information from Internet
service providers and so forth. It would be helpful--in this
arena time is of the essence, because the evidence is fleeting,
since it is digital. The idea of being able to have a one-stop
shopping, if you will, to be able to get an order that allows
us to go to multiple jurisdictions to get that and not have to
go in each district to get these things.
But there are a number of other proposals like that I would
be happy to provide to you that are in discussion with the
Department of Justice.
Mr. Horn. Mr. Miller.
Mr. Miller. I would just like to comment on your earlier
question about the vulnerability of the Internet. Because I
know there is a lot of media here, and I am afraid of the
headline tomorrow, Internet very vulnerable. I think that would
be inaccurate.
I think that the Internet, as Mr. Pethia mentioned, was
developed by DARPA to have a lot of redundancy in it. Yes, Mr.
Vatis is correct. There are actually physical risks. The domain
name servers that he mentioned are very important. But the
companies that manage those, Verizon Network Solutions, is very
aware of these vulnerabilities; builds a lot of physical
redundancy in their systems. I am sure that they would be glad
to brief your staff in great detail about that.
Again, as Mr. Seetin said earlier, nothing is totally
invulnerable, as he said very eloquently during his statement.
But I don't want you or the people who read the stories
tomorrow to somehow get the idea that the Internet is about to
be brought down.
I would also like to mention something that I think
indirectly came up in Mr. Seetin's statement but we haven't
addressed directly, which is we all believe that, as part of
business continuity planning, we have to have redundancy. But
if your redundant system is in your same building or if your
redundant telephone lines are going in and out of the same
entrance and exit points of the building, do you truly have
redundancy?
And I think what we learned quite dramatically with these
events at the World Trade Center, particularly in the area
around the World Trade Center, which is probably the highest
area of telecommunications density in the world, is that having
redundancy located in the same building or telecommunications
lines going in and out of the same pipes really isn't
redundancy.
So I think it is going to force a lot of companies to
rethink this. I think the government is going to need to
rethink it.
For example, when they build buildings or lease buildings,
the government may need to start asking questions. Where in
this building is the back-up system? Is it in exactly the same
building or right across the street? Do we really, truly have
redundancy? And I think it is something that the subcommittee
may want to take a further look at, because we did find that
was a bit of a problem.
Again, Mr. Seetin may want to address this in more detail.
Mr. Seetin. Yes, thank you very much.
In fact, that is the case. The redundancy that we had
planned on really was a result--because we had that facility at
least already because our space in Four World Trade was
inadequate to actually provide the computer space that we
needed.
To the extent that our experience with the 1993 bombing
still didn't give an indication of the potential scope of an
attack--and I must say this--I don't know that anybody would
have predicted the scope of this type of attack. We did learn
the lesson in that the back-up system which was halfway across
the island from us happened to be the one that was affected by
the attack in addition to us. And we have already taken steps
now. In fact, as I said before, on Monday, as of Monday next
week, you know, we are--our back-up system is very far away.
It's at a completely different utility telenetwork. So,
unfortunately, yes, we learned our lesson the hard way. It
didn't cost us in terms of our ability to get up and running.
It could have. But,
Mr. Horn. Any other thoughts, Mr. Miller, on that? And
anybody else on the panel in terms of giving some advice to the
government that we could prepare our systems for catastrophe,
from what we know now. We're going to have the staff up in New
York and they'll talk to a lot of the people with your
guidance, Mr. Seetin.
Yes, Mr. Willemssen.
Mr. Willemssen. Just going to add, Mr. Chairman, to the
extent that agencies have business continuity and contingency
plans now, it's a good point--if they haven't already--to take
a look at them, reassess the threat and reassess the likelihood
of the threat and the impact it might have, and then put in the
appropriate contingencies in the event it occurs. I don't know
that's happened universally yet. I think in light of recent
events it's a good opportunity to do that.
And I would concur with some of the comments made earlier
about the critical importance of communications from an
emergency response and preparedness perspective.
Mr. Pethia. Yeah. Also I'd like to comment on your earlier
statements and questions about the need for Homeland Defense
and the possible role that Tom Ridge might take. I think it is
important, and I agree with what Mr. Miller said, that we do
need to have the function of an IT czar. And I also think it's
important that it be under one agency coordinated with other
kinds of infrastructure activities. I think one of the lessons
we're all learning is just how interdependent all of these
infrastructures are. And this time we were only attacked from
one dimension, but I can easily imagine in future attacks that
while we're dealing with one problem, we'll see one in yet
another part of our infrastructure, and we need to be able to
coordinate responses to all of those at one time.
You know, I would hate to think of what would have happened
on September 11 if at the same time we were struggling with
what happened from--by the terrorists, we were also dealing
with things like Nimda and other kinds of information
infrastructure attacks. It would have hurt us severely.
Mr. Horn. We mentioned the software developers and a number
of you mentioned that. How difficult is it for the industry to
get some of these software developers into the products before
they're released? I mean, are these great difficulties by them?
Or--you go to all the professional groups in the country, Mr.
Miller; what do you hear?
Mr. Miller. Well, I guess my starting point diverges a
little bit from Mr. Pethia. We've disagreed publicly before, so
this isn't the first time. We do believe that our companies do
put forth maximum effort to first of all create systems that
have as few security flaws as possible. And second, many of
them go out of their way to try to do--but I do agree with him
that they should have the highest possible security
configurations preset.
The difficulty is that in software engineering, as well as
engineering on automobiles or building or airplanes, there are
still going to be flaws. No design is going to be perfect. Yes,
it can be better; but no design is going to be perfect. And so
there are going to be these followup challenges. And those
followup challenges are dealt with by patches. And, as Mr. Dick
said, the problem isn't that the patches weren't out there. The
problem was that in many cases the patches simply were not
implemented.
I would also say that the companies are trying to build
into their systems the highest configuration security setting.
But what the companies tell me is when they go back to their
customers, they find that this is a problem as to what the
customers actually do.
For example--this now goes back a year and half to a
meeting at the White House with President Clinton--but one of
the major companies there, a well-known computer services firm,
said that when they went back and visited their customers 90
days after installing systems, on the average, two-thirds of
companies had turned off all the security features. Or when
they went in and checked as to what the passwords were for some
of the major customers, the password was ``password.''
So it is a bit of a challenge. And the question is, even if
the best software, designed with the best engineering, is set,
if the customer refuses to use it, then you get into a problem.
So how do we get this kind of acceptance? Just like how do you
convince people to use seatbelts or how do you convince people
when they get American Express or travelers checks not to put
the numbers of the American Express checks in the same wallet?
And that really is a problem of communication. It's not
that the product itself is flawed or that the principle is
flawed. It's getting broader buy-in. I don't have a simple
answer. I think a lot of it goes back to the point Mr. Dick was
making. It's education. And we at ITAA, the Partnership for
Critical Information Security--which is ITAA--and many other
industries have been discussing with the government whether
this might be a good time for a massive public service campaign
to try to get more customers aware of the need to practice good
cyber-hygiene. And frankly, we're internally divided about
whether to move forward or not, Mr. Chair.
There is some concern this will look like somehow, next to
what's happened at the World Trade Center and the physical
security threats, that this will simply get lost in the message
and it won't really be effective. But other people believe that
this is very timely, because particularly with the Code Red
worm, the Nimda virus--and, as Mr. Pethia said, had they
occurred at the same time as the attacks, the physical attacks,
who knows what would have happened?
So we're pursuing this as an option right now. And again,
it's a collaboration between industry and government if we do
roll this out. But somehow we've got to get into the heads of
the customers, No. 1, no matter how well we design the
software, there's going to be flaws subsequently. You've got to
install the patches.
No. 2, take advantage of those security features.
And No. 3, it's not just the technology. It's the people
and the processes. And if you have great technology software
and you don't install it, or you use ``password'' as your
password, you might as well forget about it. You're just not
playing the game the right way.
Mr. Pethia. As Harris said, we have a tradition of
disagreeing on certain points. I agree wholeheartedly that we
need better security administration. We need people to adopt
practices. But there is a big difference between bulletproof
software and where we are today. Things like the top 10 list or
the top 20 list are useful, but they can only be created with
hindsight. The top 10 or the top 20 are things that we know are
problems because we've already been attacked with those 10 or
20.
When system administrators are faced with 2,000 new
vulnerabilities a year, which 10 do they focus on? It's not a
matter of 10's and 20's. It's a matter of getting from 2,000
down to 10 or 20, so that they only have to deal with those and
not the thousands of others.
Mr. Horn. Mr. Vatis, you're at Dartmouth, and a lot of
their graduates go to Madison Avenue in New York and have the
best--have the best type of communications in ads and
everything else. And maybe some of this, with the damage we've
seen in New York, we could get some public service ads where we
would educate from lap computers to all the big ones and try to
get the attitude changed. And I would think there's enough
examples that are seen in the New York situation where maybe
this is the time it'll cut through to people that, hey, we're
not doing it the right way.
So I would hope that your professional group there, Mr.
Miller, might use that as a project. And I remember when we
talked about a ``good housekeeping seal of approval,'' and it
seems to me people wouldn't want--I would think the average
citizen might say, well, we don't want all these bugs running
around, worms running around, if I put my database on it. I
don't really have any feeling that you can't really hurt--you
can hurt it. And you've spent a couple of thousand dollars. And
I would think that those people in the various different
manufacturing would say, hey, this is a good thing that we can
now use this. And it seems to me that a lot of people in--a lot
of professional people ought to be working that feel--and
again, New York is certainly why we should be doing this.
Mr. Vatis. Mr. Chairman, if I could just offer a slightly
different perspective on that. I think education is very
important, but I don't think it's going to be a panacea. There
have already been many efforts to educate people about safe
practices in cyberspace. And Mr. Miller's organization, with
the Department of Justice, sponsored such an education program
over the last year and a half or so.
You started out this hearing by saying that you hope that
recent events would offer a wake-up call to America. I'm afraid
that we've had so many wake-up calls that people are just
repeatedly pushing the snooze button. One would have thought
that the I Love You virus, the Melissa virus, the distributed
denial of service attacks, Code Red, Nimda--the list goes on
and on--each one of those should have offered a wake-up call,
and yet we still see the persistent vulnerabilities.
At the same time, I think while industry is focused, as Mr.
Miller said, on improving security within software, I think,
again, their focus is in the short term on getting products to
market quickly, with the state-of-the-art of security that
exists today. But part of the problem is the state-of-the-art
of security today, as Mr. Pethia has alluded to, is not good
enough. And so even if customers don't turn off all of the
security that's available in software, they're still vulnerable
to attack. And if they are turning a lot of the security
functions off, to my mind, that suggests a problem with some of
those security functions potentially, because they may limit
the functionality of the software. And so a customer might make
the determination that it's simply not worth it. Or they're
simply too difficult.
One example of that is encryption. Encryption is available
today for people to use to preserve the confidentiality of
their communications and their stored data. But it's not widely
used because it is considered a hassle by many people and,
again, not simply worth it. One solution to that is to try to
design an encryption technology that is easier to use, so that
people can, with the click of a mouse or the push of one key on
the keyboard, ensure confidentiality.
So the answer again, to me, over the long-term, is research
and development to design technology that is easy to use and
that offers broader and deeper assurance of security than the
current technology allows. And again, as I think several of the
panelists have said, the private sector is important on that.
But they are naturally going to be thinking about near-term
profitmaking ventures. That is their mission in life, and
appropriately so. But government funded research and
development is critical to look at the long-term developments
that can really help us secure the information base.
Mr. Horn. I would think that a manufacturer--now, I look at
these Dell ads, etc., and that's changed a lot of things in the
market. And I would think that the one that is able to say
we're reacting to both the foreign hackers, domestic hackers
and all the rest, and we have a good housing, and keeping it
going and having some sort of--you talk about their monetary
interests and they could put it to good interest.
So--and I think people would go and want to buy it now,
because it's just too complex to have all this machinery going
down the drain, with all these people coming in from various
things. And I guess, Mr. Dick, besides the incoming ones in the
United States so far, has your Center found that foreign
hackers have come into the United States? Or how difficult is
that to decide it and to see it?
Mr. Dick. If you will, the doors of the Internet have made
all kinds of illicit contact on the Internet available to the
globe. And yes, I mean, we're seeing a number of intrusions
into U.S. systems by foreign subjects and organizations. Here
recently, we had a series of intrusions into e-commerce
businesses, the focus of which was emanating from Eastern
Europe. We were able to identify who those individuals were,
and have brought several of them to prosecution here in the
United States.
So because of the borderless nature of the Internet,
criminals and terrorists and any of the threats that you can
identify just don't emanate from the United States. It's a
global issue which I've referred to before.
Mr. Horn. Mr. Seetin noted that the Web site was a critical
point of contact, since the cell phone relays went out. I'd
just say for both of you, did the Nimda virus scanning have an
impact on the availability of your site?
Mr. Seetin. Thank you, Mr. Chairman. No. In fact, our
technology folks had been well aware of that and were
operating, you know, with great caution. Our system uses what--
commonly used encryption systems by the financial industry,
because obviously we face the same issues as they do in terms
of potential threat. So we went in using that. We did not face
those types of problems with our Web site. Not to say that we
wouldn't, you know. And I agree with the other panelists here
that, indeed, looking forward, I think the only thing we can
anticipate is that the bad guys are going to get smarter and
they're going to get badder, and so we have to stay ahead of
them to the degree that we can.
Mr. Horn. Any other thoughts on that? We're going to be
closing this down in a few minutes and we won't keep you here
forever. Anything that should have been said that we didn't ask
about? We're going to have the majority and minority staff go
over the questions, that I just have said you can only use so
many, and we'd appreciate any thoughts you might have, and
they'll write you.
And is there anything that some of your colleagues said
that we didn't ask and you think it's important?
OK. What I'm going to do is have a closing statement. I
thank you all for coming down here, and we can't predict what
lies ahead anymore. We weren't able to anticipate the horrible
events of September 11, but the Nation has now been placed on
alert. Let's hope we can keep that sense of alert to get
something done.
Protecting our information infrastructure and our critical
government computer systems must become our highest priority.
The administration is taking an aggressive step, as I
mentioned, with the creation of the Office of Homeland Security
under Governor Ridge. The Office of Management and Budget must
also play a key role. And I note that the Director of OMB has a
representative taking notes here. So hopefully it'll be moved
through the bureaucracy down there.
I look forward to working with all of you as we focus on
this vitally important issue. And I want to thank the staff:
the minority staff, David McMillen, Jean Gosa; and with the
majority staff we have J. Russell George, behind me, staff
director/chief counsel. He grew up right near some of those
towers, and so he knows New York well.
Elizabeth Johnston, on my left, your right, is on loan to
us from the General Accounting Office, and we're delighted to
have her working on this particular hearing. Then Darin Chidsey
and Matt Phillips, professional staff. Mark Johnson is our very
able clerk, and Jim Holmes is the intern this week. And the
court reporters are Christina Smith and Mark Stuart.
We thank you all for what you've done here, and we'll try
to get this hearing out as fast as we can. We are adjourned.
[Whereupon, at 12:15 p.m., the subcommittee was adjourned.]