[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]



 
  CYBERTERRORISM: IS THE NATION'S CRITICAL INFRASTRUCTURE ADEQUATELY 
                               PROTECTED?

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
                        FINANCIAL MANAGEMENT AND
                      INTERGOVERNMENTAL RELATIONS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 24, 2002

                               __________

                           Serial No. 107-217

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                     U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003

87-387 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001



                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                 DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia               JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia                      ------
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont 
JOHN SULLIVAN, Oklahoma                  (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

    Subcommittee on Government Efficiency, Financial Management and 
                      Intergovernmental Relations

                   STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                 MAJOR R. OWENS, New York
ADAM H. PUTNAM, Florida              PAUL E. KANJORSKI, Pennsylvania
JOHN SULLIVAN, Oklahoma              CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                  Bonnie Heald, Deputy Staff Director
                        Chris Barkley, Assistant
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 24, 2002....................................     1
Statement of:
    Belcher, Timothy G., chief technology officer, Riptech, Inc..    15
    Charney, Scott, chief security strategist, Microsoft Corp....    31
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office..................................    70
    Dick, Ronald L., Director, National Infrastructure Protection 
      Center, Federal Bureau of Investigation....................   136
    Jarocki, Stanley R., chairman, Financial Services Information 
      and Analysis Center, and vice president, Morgan Stanley IT 
      Security...................................................   159
    Leffler, Louis G., manager-projects of North American 
      Electric Reliability Council...............................   165
    Maiffret, Marc, chief hacking officer and co-founder, eEye 
      Digital Security...........................................    60
    Paller, Alan, director of research, SANS Institute...........    23
    Thomas, Douglas, associate professor, Annenberg School for 
      Communication, Los Angeles, CA.............................     8
    Tritak, John S., Director, Infrastructure Assurance Office, 
      Department of Commerce.....................................   150
    Weiss, Joseph M., executive consultant, KEMA Consulting......    43
Letters, statements, etc., submitted for the record by:
    Belcher, Timothy G., chief technology officer, Riptech, Inc., 
      prepared statement of......................................    17
    Charney, Scott, chief security strategist, Microsoft Corp., 
      prepared statement of......................................    34
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office, prepared statement of...........    72
    Dick, Ronald L., Director, National Infrastructure Protection 
      Center, Federal Bureau of Investigation, prepared statement 
      of.........................................................   139
    Jarocki, Stanley R., chairman, Financial Services Information 
      and Analysis Center, and vice president, Morgan Stanley IT 
      Security, prepared statement of............................   161
    Leffler, Louis G., manager-projects of North American 
      Electric Reliability Council, prepared statement of........   167
    Maiffret, Marc, chief hacking officer and co-founder, eEye 
      Digital Security, prepared statement of....................    62
    Paller, Alan, director of research, SANS Institute, prepared 
      statement of...............................................    26
    Schakowsky, Hon. Janice D., a Representative in Congress from 
      the State of Illinois, prepared statement of...............     5
    Thomas, Douglas, associate professor, Annenberg School for 
      Communication, Los Angeles, CA, prepared statement of......    11
    Tritak, John S., Director, Infrastructure Assurance Office, 
      Department of Commerce, prepared statement of..............   152
    Weiss, Joseph M., executive consultant, KEMA Consulting, 
      prepared statement of......................................    45

  CYBERTERRORISM: IS THE NATION'S CRITICAL INFRASTRUCTURE ADEQUATELY 
                               PROTECTED?

                              ----------                              


                        WEDNESDAY, JULY 24, 2002

                  House of Representatives,
  Subcommittee on Government Efficiency, Financial 
        Management and Intergovernmental Relations,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:05 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn and Schakowsky.
    Staff present: J. Russell George, staff director; Bonnie L. 
Heald, deputy staff director; Chris Barkley, assistant to 
subcommittee; Michael Sazonov, professional staff member; 
Sterling Bentley, Joey DiSilvio, Freddie Ephraim, and Yigal 
Kerszenbaum, interns; David McMillen, minority professional 
staff member; and Jean Gosa, minority assistant clerk.
    Mr. Horn. A quorum being present, the Subcommittee on 
Government Efficiency, Financial Management and 
Intergovernmental Relations will come to order.
    In 1998, a 12-year-old boy successfully hacked into 
computer systems that controlled the Roosevelt Dam in Arizona. 
He could have opened the dam's floodgates and dumped nearly 500 
billion gallons of water on the Arizona cities of Mesa and 
Tempe. Fortunately, he did not.
    However, in April 2000, an Australian hacker used his 
laptop computer and a commercially available radio transmitter 
to gain control of a local sewage treatment facility. He 
intentionally released raw sewage into nearby parks and rivers 
on 46 occasions before he was caught.
    It is clear from these and other reports that the Nation's 
water, power, financial markets, and telecommunication systems 
could be similarly attacked. These systems are essential to the 
health and well-being of all Americans, and they are 
fundamental to the continued operation of the government. More 
than 90 percent of the Nation's critical infrastructure is 
owned and operated by the private sector. To protect these 
assets, it is important to understand their vulnerability to 
cyberattacks, which are increasing in intensity and 
sophistication.
    During the first 6 months of this year, the Carnegie-Mellon 
CERT Coordination Center received reports of 43,000 
cyberattacks. In comparison, last year, the Center received 
approximately 53,000 reports of attacks for the entire year.
    In many cases, businesses may not know when a cyber-attack 
is launched and may not gracefully recover from the attack. A 
recent survey of Fortune 500 companies by Ernst & Young found 
that only 40 percent of those companies were confident that 
they could detect an attack on their systems. The same survey 
also revealed that only 53 percent of the companies had 
business continuity plans to recover from an attack.
    To shore up the defense of the Nation's critical 
infrastructure, each industry group has formed its own 
information sharing and analysis center. These centers face 
formidable challenges. The businesses within each sector can 
vary widely in size and complexity and in their ability to 
safeguard their systems.
    For example, the financial service sector includes large 
banking corporations as well as small independent banks. 
Nevertheless, the financial sector center must develop common 
security processes in order to report, respond, and recover 
from a cyber-attack. Each center tends to focus on risks that 
are unique to its industry, even though the sectors are 
increasingly interconnected and interdependent. Damage to one 
can cascade to others. The recovery plans of one sector could 
affect the ability of other sectors to resume operation.
    Today's hearing will examine the roles and limitations of 
the information sharing and analysis centers and will explore 
what actions may be needed to ensure the security of the 
Nation's infrastructure. I welcome today's witnesses, and I 
look forward to working with you on this vital concern.
    Let me administer the oath, and then we will go into 
recess, because I believe we have a vote on the floor. So, if 
you will stand, raise your right hand.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that all affirmed the oath.
    Please sit down and relax. And we are delighted to have Ms. 
Schakowsky, the ranking member. And she will use her time to 
give her statement to open the hearing, and we will then go in 
recess.
    Ms. Schakowsky. Thank you, Mr. Chairman.
    It is unfortunate that we are having this hearing today. 
The issue before us is an important one that should be given 
due consideration by Congress. But instead, the majority has 
insisted on circumventing regular order and is trying to move 
language on this issue as part of the homeland security bill, 
language that would probably not become law if considered 
separately and openly, and language that is designed not to 
improve public safety but to curry favor with the business 
community.
    There is an attempt on the part of some to exclude from the 
Freedom of Information Act all information submitted 
voluntarily by businesses in the name of critical 
infrastructure protection. One of our witnesses today testified 
before the Senate that the government has the ability under the 
Freedom of Information Act and under almost 30 years of case 
law to protect information submitted voluntarily to the 
government by businesses. He goes on to say that, ``If the 
private sector doesn't think the law is clear, then by 
definition it isn't clear.''
    I am puzzled by that logic. I always thought it was the 
role of the courts and not the private sector to clarify the 
interpretation of the law. By this gentleman's logic, any law 
that businesses disagree with, they only have to claim it as 
unclear and it becomes incumbent on Congress to change that 
law. I wonder if that logic extends to individuals.
    Mr. Chairman, I want to draw on the testimony David Sobel 
will be submitting for the record, and ask unanimous consent 
that his testimony be included in the record.
    Mr. Horn. Without objection, it will be put in the record 
at this point.
    Ms. Schakowsky. I also ask that the letter from Jim Dempsey 
at the Electronic Privacy Information Center be included the 
record.
    Mr. Horn. Without objection, it will be in the record at 
this point.
    Ms. Schakowsky. The fourth exemption to the Freedom of 
Information Act protects information which is a trade secret or 
information which is commercial and privileged or confidential. 
This information is considered confidential if disclosure of 
the information is likely to impair the government's ability to 
obtain the necessary information in the future or to cause 
substantial harm to the competitive position of the business 
from which the information was obtained.
    Let me restate this because it is exactly the point that 
has been ignored by those seeking this exemption. The Freedom 
of Information Act protects information submitted by businesses 
if that information is confidential. That information is 
confidential if the release of the information would make it 
more difficult to obtain that information in the future.
    The language in the Freedom of Information Act is quite 
clear. It doesn't end there. There are even more protections 
for confidential business information. In 1987, President 
Reagan issued Executive Order 12600, which provides notice to a 
business if the agency determines material submitted by that 
business and identified as confidential should be released, the 
business has an opportunity to make its case before the agency 
and before a court of law.
    Furthermore, no proponent of this exclusion from the 
Freedom of Information Act has cited a single example where a 
Federal agency has disclosed voluntarily submitted data against 
the expressed wishes of the industry which had submitted the 
information.
    On the other hand, the damage this exclusion could do is 
legion. The language included in the homeland security bill 
would allow businesses and agency officials to hide lobbying 
activities under this exclusion. Officials from energy 
companies could meet with Federal officials to craft government 
energy policy, and all of those conversations could be hidden 
from public view. This language would shield these companies 
from antitrust law. Even the Attorney General objects to that 
provision.
    Mr. Chairman, we all agree that the government has 
substantial work to do to assure the protection of our critical 
infrastructure. I hope that today's hearing will move us down 
that path. Unfortunately, the language included in the homeland 
security bill does little to improve the security of our 
critical infrastructure, but instead is about hiding 
information from the public.
    Thank you, Mr. Chairman.
    Mr. Horn. Thank you.
    [The prepared statement of Hon. Janice D. Schakowsky 
follows:]
[GRAPHIC] [TIFF OMITTED] T7387.001

[GRAPHIC] [TIFF OMITTED] T7387.002

[GRAPHIC] [TIFF OMITTED] T7387.003

    Mr. Horn. And we are now in recess until 10:30. Thank you.
    [Recess.]
    Mr. Horn. The recess has ended, and we will have peace and 
quiet for about an hour and a half just to get your various 
agendas.
    We will now start with Douglas Thomas, the associate 
professor of Annenberg School for Communication at the 
University of Southern California. We are delighted to have you 
here.

  STATEMENT OF DOUGLAS THOMAS, ASSOCIATE PROFESSOR, ANNENBERG 
           SCHOOL FOR COMMUNICATION, LOS ANGELES, CA

    Mr. Thomas. Thank you. I have a longer statement to submit 
for the record, and I would like to summarize my comments here.
    Mr. Horn. Thank you. Because let me tell all of you, your 
full written view goes right into the record, without even 
having to say it, the minute I give your name and what you are 
now doing.
    So, thank you very much, Mr. Thomas. We all had a chance 
when we got them last night--a little late--but it is a very 
fine job that all of you have done. So, Professor Thomas, if 
you can give a summary of 5 minutes, 8 minutes, something, so 
we can get to questions, we would appreciate it. Thank you.
    Mr. Thomas. Thank you, and particularly for inviting me to 
speak before you today.
    My name is Douglas Thomas, and I am Associate Professor in 
the Annenberg School for Communication at the University of 
Southern California. My research focuses on the social and 
cultural impacts of new media and technology, with particular 
emphasis on the subculture of the computer underground. I have 
recently published a book called Hacker Culture about the 
computer underground, and co-edited another called Cybercrime: 
Law Enforcement, Security and Surveillance in the Information 
Age.
    For the past 7 years I have studied computer hackers in an 
effort to understand who they are, what motivates them, and how 
their culture can be understood in relationship to 
technological innovation. During that time, I have met with, 
spoken to, and interviewed hundreds of computer hackers, and 
I've spent time immersed in their literature and their culture, 
and I feel confident in saying that I understand for the most 
part how they think.
    I would like to start off by answering the broad question: 
What are the risks that a terrorist organization might seek out 
hackers and employ them to carry out attacks on our information 
infrastructure?
    With the vast majority of computer hackers, I would say 
upwards of 99 percent of them, the risk is negligible for the 
simple reason that hackers don't have the skill--those hackers 
don't have the skill or ability to organize or execute an 
attack that would be anything more than a minor inconvenience. 
Of the hackers that remain, my experience suggests that the 
most talented, who may be able to inflict serious damage, are 
neither inclined to do so nor likely to be tempted by financial 
incentives. They tend instead to be the most strongly motivated 
by an ethic which values security, which values information, 
and which puts innovation and learning at the top of those 
priorities. In other words, the idea of engaging in terrorism 
of any sort does not fit their profile.
    In fact, I can think of few perspectives more hostile to 
radical Islamic fundamentalism than the ones that most hackers 
embrace. The typical hacker--and, of course, there are 
exceptions--is motivated by a profound sense of curiosity, by 
openness, by freedom and exploration. Hackers like to know how 
things work, and they like to make things work better or in 
unexpected ways. The hackers of today have a very clear ethic 
that shouldn't be overlooked by the committee. Above all else, 
they too believe in computer security; and, most important, 
they believe that without constant vigilance, most software 
manufacturers will remain content to leave security as a 
secondary issue. They believe that in most computer software 
use today, security has become an add-on feature rather than a 
design principle; and it is that, above all else, which puts us 
at risk.
    In a new age of corporate responsibility, it may be worth 
taking a few minutes to understand why hackers write programs 
that expose security flaws in computer software. Many hackers 
release public releases of security holes as a result of 
companies refusing to fix or oftentimes even acknowledge 
security flaws in their products primarily because there is no 
regulation for security in software, and, most important, there 
is no liability for software companies when their products 
create risks for consumers or the public.
    At one level, the work that hackers do is not entirely 
unlike the work of a watchdog organization or Consumer Reports. 
Admittedly, the outlook, style, and demeanor are different, but 
the end results are the same. Hackers force computer software 
manufacturers to pay attention to security. We need to be 
careful to focus on the causes of such vulnerabilities and not 
blame the messengers.
    When facing a question as weighty as cyberterrorism, a very 
serious problem that you face is getting the facts. I have yet 
to hear anyone articulate a realistic scenario in which 
computer hackers will be able to effect significant economic or 
physical damage in order to be considered a terrorist threat. 
It is easy to imagine scenarios that sound like terrorism: For 
example, hacking into air traffic control and crashing planes, 
or hacking into the stock exchange and undermining the stock 
market. These things make great Hollywood plots, but there is 
no evidence that any such scenario is possible, much less 
likely. In fact, most of the research I'm familiar with on this 
topic concludes the opposite.
    For the foreseeable future, acts of cyberterrorism like the 
ones usually imagined, will be very difficult to perform, 
unreliable in their impact, and easy to respond to in 
relatively short periods of time. In point of fact, there has 
never been an act of cyberterrorism committed, nor has there 
ever been, to my knowledge, a computer hacking incident that 
has resulted in the loss of life. When these scenarios are 
proffered, I urge you to ask tough questions about them, about 
what additional security measures would have to fail for such 
an attack to take place.
    Finally, I would like to conclude by saying that should a 
terrorist manage to launch a successful attack, it should be 
noted that our country has some of the best resources available 
to deal with it, defuse, and neutralize such a threat. The 
faculty and students at places like MIT, Berkeley, Stanford, 
Purdue, Carnegie-Mellon, places like CERT and the NCSA, provide 
our best defense against such threats, but these groups only 
provide that advantage as long as the network remains open and 
accessible. Security only gets better through testing, design, 
and redesign. The real threat to security is closing off 
avenues of exploration and examination. The more we know about 
our networks, the better we are able to defend them. It is that 
openness in testing which is essential.
    So, as a result, I would encourage you to think of hackers 
not as the enemy but, instead, as an admittedly difficult-to-
manage resource who may be in the best position to alert us of 
our vulnerabilities before they can be exploited.
    Thank you, and I would be happy to take any questions you 
may have.
    Mr. Horn. Well, we thank you. And we will get to the 
question period once we finish the whole panel.
    [The prepared statement of Mr. Thomas follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.004
    
    [GRAPHIC] [TIFF OMITTED] T7387.005
    
    [GRAPHIC] [TIFF OMITTED] T7387.006
    
    [GRAPHIC] [TIFF OMITTED] T7387.007
    
    Mr. Horn. The next presenter is Timothy G. Belcher, the 
chief technology officer of Riptech, Inc.
    Mr. Belcher.

  STATEMENT OF TIMOTHY G. BELCHER, CHIEF TECHNOLOGY OFFICER, 
                         RIPTECH, INC.

    Mr. Belcher. Chairman Horn and distinguished members of 
this committee, thank you for inviting me to provide my 
thoughts on the issues of cyberterrorism and critical 
information protection. I have already provided you with 
written testimony, and I would like to take a few minutes to 
outline some key points and issues.
    First let me say that the networks that comprise our 
critical infrastructure are undoubtedly at significant risk of 
cyber-attack and compromise. The nature of these networks 
ensures that security is never going to be an absolute, but the 
vulnerabilities will always exist. The level of threat is 
increasing and, in my opinion, will continue to do so. The 
nature, complexity, and motivation of attacks against these 
networks have become and will continue to become more 
sophisticated over time.
    I am the chief technology officer of a computer security 
company called Riptech. We perform two services that would be 
of interest to this committee in terms of experience. We assess 
client organizational networks for vulnerabilities; in effect, 
sometimes can become a hired hacker to test their defenses. 
Second, we provide a monitoring service that provides 24x7 
monitoring of client networks, detecting and analyzing attacks 
for effectiveness and severity.
    First let me talk about our assessment work. We have done 
assessments on over 50 critical infrastructure networks. 
Consistently, we have been able to demonstrate the viability of 
compromise to the most critical components of those networks. 
Those would include connectivity to the most critical 
components of power and energy companies, such as SCADA and EMS 
networks, financial transaction networks, and the inner 
workings of some of our government networks. Those 
organizations consistently had defenses in place, firewalls, 
intrusion detection systems, and our detections consistently 
went, by and large, undetected.
    Second let me talk about our monitoring service and some of 
the information that is providing today. We are providing 
monitoring services for over 500 organizations, or 
approximately 500 organizations throughout the world. Our 
monitoring service is producing real dividends in terms of 
quantifiable numbers of the attacks these organizations are 
facing. All organizations are suffering some level of 
compromise in their attacks, some significant volume of 
increases in the attacks on them. Most notably, power and 
energy companies and financial services appear to be the most 
targeted sectors. Critical infrastructure companies represent 
nearly 20 percent of our clientele and are our fastest growing 
segment.
    With regard to power and energy companies in our client 
base, 70 percent suffered at least some level of compromise 
over the last 6 months, up from 57 percent in the prior 6 
months.
    Again, these companies not only have defenses in place and 
have invested in technologies, but have also invested in 
obtaining an outsourced expert service to analyze the attacks 
against their organizations. They are still suffering. Most 
importantly, we have been able to quantify a reduction in the 
success rates against these organizations over time, given 
proper defense.
    Let me sum up by simply saying that critical infrastructure 
is at significant risk; and, in order to achieve any successful 
and acceptable level of defense, they must establish reliable 
detection and response mechanisms which are unavailable today.
    Thank you for your attention, and I look forward to any 
questions that you may have.
    Mr. Horn. Thank you, Mr. Belcher.
    [The prepared statement of Mr. Belcher follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.008
    
    [GRAPHIC] [TIFF OMITTED] T7387.009
    
    [GRAPHIC] [TIFF OMITTED] T7387.010
    
    [GRAPHIC] [TIFF OMITTED] T7387.011
    
    [GRAPHIC] [TIFF OMITTED] T7387.012
    
    [GRAPHIC] [TIFF OMITTED] T7387.013
    
    Mr. Horn. Our next presenter is Alan Paller, director of 
research at the SANS Institute.

 STATEMENT OF ALAN PALLER, DIRECTOR OF RESEARCH, SANS INSTITUTE

    Mr. Paller. Before I start my remarks, I want to bring 
greetings from Bob Chartrand, first, and also tell you that 
model that you provided to this body, this model of action, the 
model of taking on unpopular causes, what you did in----
    Mr. Horn. Move the mic up. It's very important, what you 
are saying.
    Mr. Paller. You really have set a model, and I hope that 
model will follow you. And you are going to be sorely missed 
around here. One of the actions that I am going to talk about 
today is something that doesn't take more than 6 months; 
meaning, if you want to have something similar to the impact on 
security that you had on Y2k, I think you actually have it in 
your--it would be tough, but you have it in your hands to do 
it. So, let me go on.
    We train the people who are the frontline soldiers in 
security. We have 30,000 of them who have attended SANS 
training and go out and try to protect the computers. So we 
have to clean up after the messes. And right now, as we speak, 
the problem is getting worse. And the reason the problem is 
getting worse is that as all of us are sitting here, 
approximately 7,000, maybe 10,000 new computers will be 
installed and connected to the Internet, and almost every one 
of those will be installed with known vulnerabilities. That 
means almost every one of the machines being sold while we are 
sitting here is going to come in with known vulnerabilities. 
And between 2- and 3,000 computer programs are active on the 
Internet at all times--not people--programs, searching out 
every new address to see if they can take over those machines, 
put a Trojan in there, and be ready for an attack later. That 
is happening while we are sitting there.
    I am happy to be on the first panel, because I think if we 
define the problem right, then the actions we take might 
actually help solve the problem. And so I would like to give 
you the four reasons that I think cause that set of problems to 
exist and the two actions I think you could take that would 
help solve them.
    One is that the vendors actually deliver software that has 
known vulnerabilities. The people who install it trust the 
vendor, so they install it exactly the way the installation 
technique tells them. And, because they are so busy, they don't 
change that. So, most of those machines that are being 
installed unsafely today will still be unsafe in 90 days and 
still be unsafe in 180 days.
    Second--and two of these next three are going to be 
counterintuitive. The risk-based approach that many people say 
is so good, actually is causing part of the problem. While 
people are doing risk analysis and writing reports, all these 
new machines are getting installed. And, worse, they say 
``Let's just fix the ones that are the highest risk.'' But 
since all the machines are connected together, if Tim had given 
you his demonstration of how you actually break into a utility 
company, he would have used the fact that one of the machines 
that had been installed that nobody cared about, was weak, to 
jump off into the other machines.
    So if we are going to solve the problem, we have to start 
by stopping the machines from being vulnerable on the day we 
install them.
    The third cause is that the government--we talk about 
critical infrastructure as if it is industry. The government is 
a part of the critical infrastructure. We care about 
government, and government is doing a not-very-good job of 
being a model for the rest of the critical infrastructure. And 
it turns out in this arena, because technology is transferable 
so quickly and techniques are transferable so quickly, it 
turns out that here, if the government actually did some good, 
the problem could roll over very quickly.
    And I think Dick Clarke's announcement last week of 
benchmarks is an example of how that can happen almost 
instantaneously. But the government hasn't been a great model, 
and that has to change quickly if we are going to ask industry 
to change. How can you ask a CEO to ``believe me and trust me'' 
and say to you, ``I'm going to do what you need to help protect 
the infrastructure, when you don't do what you need to help the 
infrastructure?'' It is really hard for a CEO to take you 
seriously.
    And the last one I think is the most counterintuitive. And 
that's that most of the money being spent by Government on 
cyber-security is being wasted, and the money has gone up 
radically in the next--in the last 2 years--at least an order 
of magnitude. Think of that money as having a huge vacuum 
cleaner sucking it out, and that the vacuum cleaner is people 
who like to write reports, and they are taking the money and 
they are writing reports. And the problem is, none of the money 
is left for the people who actually have to secure the systems. 
So you get all that security money out there spent on the 
studies about why you are so bad and it is so easy to find 
fault. And it doesn't take as much skill level to find fault 
as it does to fix it. It is much easier to--you can come out 
of grade school and run one of these penetration testing tools 
and do a pretty good job of delivering the report because the 
vendors make it pretty, but the difficulty is there's nobody 
there to fix it. So you have got $1 billion telling people what 
to do and nothing left fixing it.
    OK, two actions and then I'll quit.
    Action one--and this is the report card that you are the 
father of. Action one is that there are benchmarks, there's 
several of them. And NASA is the one actually that's proven 
this works. This is not a new idea. NASA has actually 
demonstrated beyond a doubt that this approach works. You take 
a set of vulnerabilities that matter, and you systemically make 
sure every single computer in your entire NASA facility all 
across the whole country doesn't have them anymore. And they 
took the vulnerabilities down by 93 percent and they took the 
number of successful attacks down radically, even though the 
number of attempted attacks is up radically.
    Dave Nelson, who is the deputy CIO, can give you the hard 
data on this. But this works. And if you--if you just take what 
they did and apply it to the rest of government over the next 6 
months, we could fix somewhere out in the 70th to 80th 
percentile of the vulnerable machines real quickly.
    The second idea is a little harder. All these consultants 
that are spending money on vulnerability testing ought to be 
asked--and you are the only guy I can think of who could make 
this happen, because OMB doesn't seem to be awake to this. All 
these people who are doing vulnerability tests aren't staying 
to fix the problem. And if they are so smart that they can tell 
you what you are doing wrong, why aren't they staying to make 
sure the problem disappears? So solution 2, some way of 
getting an amelioration phase into these consulting contracts 
so that the people actually have to fix it and can't just 
send you a pretty, colorful report, tell you how bad you are, 
and then go on to the next guy, would be very helpful. Thank 
you.
    Mr. Horn. Thank you. You have given us numerous months. We 
can take care of your ideas.
    [The prepared statement of Mr. Paller follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.014
    
    [GRAPHIC] [TIFF OMITTED] T7387.015
    
    [GRAPHIC] [TIFF OMITTED] T7387.016
    
    [GRAPHIC] [TIFF OMITTED] T7387.017
    
    [GRAPHIC] [TIFF OMITTED] T7387.018
    
    Mr. Horn. We now go to Scott Charney, the chief security 
strategist of the Microsoft Corp. Mr. Charney.

    STATEMENT OF SCOTT CHARNEY, CHIEF SECURITY STRATEGIST, 
                        MICROSOFT CORP.

    Mr. Charney. Mr. Chairman, thank you for the opportunity to 
appear today at this important hearing on cyberterrorism and 
critical infrastructure protection. My name is Scott Charney, 
and since April 1st, I've been Microsoft's Chief Security 
Strategist.
    Microsoft works with industry leaders and governments 
around the world to identify threats to computer networks, 
share best practices regarding computer security, and prevent 
computer attacks. While we have worked diligently on cyber-
security for several years, this effort accelerated after 
September 11th, and was crystallized for Microsoft when Bill 
Gates launched our Trustworthy Computing initiative in January.
    Today I would like to address IT security issues broadly, 
and then use the Trustworthy Computing initiative as an example 
of how one company can take steps, both on its own and with 
others in industry and government, to address cyber-security. 
And finally, I will propose several things that Congress can do 
to address cyber-attacks.
    By way of background, prior to joining Microsoft I served 
as the Chief of the Computer Crime and Intellectual Property 
Section at the Department of Justice where I helped prosecute 
nearly every major hacker case in the United States, and 
international hacking cases as well, from 1991 to 1999. Based 
on those experiences, Mr. Chairman, I know two things with 
certainty:
    First, operating systems software is one of the most 
complex things we have ever built, and it may always have 
vulnerabilities.
    Second, society has always grappled with a criminal 
element, and this criminal element can be smart and malicious 
and will seek ways to exploit vulnerabilities in software. As a 
result, it is impossible to completely prevent cyber-attacks, 
and it places the IT industry in a perpetual race against 
cyber-criminals to maintain Internet security.
    We take our cyber-security responsibility very seriously, 
and perhaps most importantly, Bill Gates spearheads our 
Trustworthy Computing initiative. This is not a one-time event, 
but rather a change in the way we do business. It has four 
pillars: reliability, security, privacy, and business 
integrity. And those four pillars go to the heart of our 
culture and the way we create products and services.
    Today I want to focus on the security pillar, where we are 
working to create products and services that I call SD3: 
secure by design; secure by default; and secure by deployment.
    Secure-by-design centers on creating products that are 
inherently more secure. To do this, we recently provided 
advanced training for several thousand developers, and 
conducted extensive code reviews and threat modeling. In fact, 
we stopped Windows development for over 2 months to do that.
    Secure-by-default entails shipping products to customers in 
a lockdown position. This means that customers must consciously 
decide to enable features, leaving other unused services off, 
and thereby narrowing the attack surface of a product.
    Secure-by-deployment focuses on making it easier for 
consumers and IT professionals to maintain systems. For 
example, any Windows XP user can be automatically notified when 
critical updates are available for download. In fact, as Allan 
Paller has noted, when people first deploy software, they may 
already be at risk because there is some time from development 
to market. But with this kind of technology, the minute you 
load the software, the first thing you may get is that little 
notification that a patch is ready to be deployed. So we are 
working hard to automate that process.
    But we do not work alone in this effort. For example, the 
announcement last week of a baseline security configuration for 
Windows 2000 demonstrates the positive results that flow from a 
voluntary public/private partnership involving a broad range of 
organizations. Microsoft reviewed the proposed settings, and we 
expect that some Federal CIOs will incorporate these promptly.
    This work stands beside our coordination with entities 
such as the Partnership for Critical Infrastructure Security, 
John Tritak's Critical Infrastructure Assurance Office, the 
National Cyber Security Alliance coordinated by Dick Clarke's 
White House Office of Cyberspace Security, the FBI's National 
Infrastructure Protection Center, and, of course the IT-ISAC, 
which we helped create.
    There is also a strong role for government in this area, 
and I would like to close by addressing some areas where more 
work can be done. As you consider creating the Department of 
Homeland Security, please know that we support the effort and 
we would like to see a strong cyber-security component in the 
new Department. Our support extends to language that 
facilitates cyber-security information sharing by granting an 
exemption from the Freedom of Information Act.
    We also applaud the House for passing H.R. 3482, the Cyber 
Security Enhancement Act of 2002. We are pleased that this bill 
strengthens law enforcement's ability to deter cyber-crime by 
permitting the U.S. Sentencing Commission to grant Federal 
judges more flexibility in sentencing cyber-criminals.
    There are other steps that Microsoft respectfully suggests 
the government take to help protect our critical 
infrastructures. First, we support the forfeiture of personal 
property such as computer equipment used in the commission of 
cyber-crime.
    Second, we strongly support increased funding for law 
enforcement. These hardworking individuals, many of whom were 
former colleagues of mine when I was at the Justice Department, 
are chronically overworked, understaffed, undertrained, and 
underequipped.
    Third, we support increased funding for cyber-security 
research and development, and we look to the government to lead 
by example in securing its own systems through the use of 
reasonable security practices, an issue that Allan has already 
touched on.
    Fourth, we believe that greater cross-jurisdictional 
cooperation among law enforcement is needed for investigating 
cyber-attacks, since cyber-criminals may reside anywhere.
    In conclusion, Microsoft pledges to remain a leader in 
industry efforts to secure products and services. Americans, 
their government, and the critical infrastructures they depend 
on every day face growing cyber-security challenges. Working 
with our government partners and industry peers, we are 
committed to preempting, catching, and prosecuting cyber-
criminals to protect the computing experiences of our customers 
and the cyber-security of our Nation.
    Thank you.
    Mr. Horn. Thank you. And we will have a lot to ask you 
about, with one more presenter.
    [The prepared statement of Mr. Charney follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.019
    
    [GRAPHIC] [TIFF OMITTED] T7387.020
    
    [GRAPHIC] [TIFF OMITTED] T7387.021
    
    [GRAPHIC] [TIFF OMITTED] T7387.022
    
    [GRAPHIC] [TIFF OMITTED] T7387.023
    
    [GRAPHIC] [TIFF OMITTED] T7387.024
    
    [GRAPHIC] [TIFF OMITTED] T7387.025
    
    [GRAPHIC] [TIFF OMITTED] T7387.026
    
    [GRAPHIC] [TIFF OMITTED] T7387.027
    
    Mr. Horn. And Mr. Weiss, we are delighted to have you here. 
He is an executive consultant at KEMA Consulting. Thank you.

   STATEMENT OF JOSEPH M. WEISS, EXECUTIVE CONSULTANT, KEMA 
                           CONSULTING

    Mr. Weiss. Thank you. Mr. Chairman and committee members, 
thank you for the opportunity to address you about an area I 
consider vitally important to the economic and national 
security of America, the cyber-security of our critical 
infrastructures.
    I am a control system engineer. I have spent the past 2 
years as the technical lead for the electric power industry, 
developing an understanding of what is known, and, more 
importantly, what is not known, about the cyber-security of 
control systems. The control systems I will be referring to are 
supervisory control and data acquisition, commonly known as 
SCADA, distributed control systems, DCS, and programmable 
logic controllers, PLCs.
    I have been working with all of the organizations that have 
a role to play in this area including the government, end 
users, equipment suppliers, standards organizations, and all 
other relevant organizations. There are several points I would 
like to make.
    One, control systems are vulnerable to cyber-security 
intrusions, and in fact have been impacted by electronic 
intrusions.
    Two, cyber-security of control systems affects all 
industries, not just the critical infrastructure.
    Three, IT security technology does not protect control 
systems.
    And, finally, cyber-security technology needs to be 
developed for control systems, and we do need immediate 
government funding to make this happen.
    Cyber-security has been viewed as an IT or Internet issue. 
Awareness of control system vulnerabilities is very low. The 
basic design premise inherent in every control system is the 
control system would be a stand-alone system, and all control 
system users would be trusted users. Consequently, these 
systems have been designed inadvertently to be vulnerable to 
cyber-intrusions. As long as the control systems are not 
networked, they are not vulnerable to cyber-intrusions. 
However, in order to make these systems more productive, these 
previously stand-alone systems are being networked, including 
to the Net, making them vulnerable to cyber-intrusions. They 
are not legacy systems anymore.
    Additionally, the vast majority of power plants and 
substations do not have technology to detect electronic 
intrusions. There have been more than 20 documented cases where 
control systems have been electronically impacted either 
intentionally or unintentionally. At least two cases have 
resulted in damage to the industrial system and environment. 
Those are the two you had mentioned.
    There have been several confirmed cases of inadvertent 
denial of service in control systems, including one in a 
nuclear facility. These weaknesses could be exploited by an 
intentional adversary. Existing cyber-monitoring technology has 
not detected any of these cases, and I have had discussions 
with Carnegie-Mellon CERT; they have not detected any of these 
incidents.
    There are only a handful of suppliers of these systems, and 
they supply the primary industrial applications: power, water, 
oil, gas, chemicals, metal refining, paper, pharmaceuticals, 
food, beverages, etc. Not only are the systems common, but so 
are the control system architectures. Consequently, if one 
industry is vulnerable, they all could be.
    Additionally, because you were talking about ISACs, this 
means that the information on control system vulnerabilities 
from the different industries could be of interest to the 
individual industry ISACs. Now, existing cyber-security 
technology has been developed for business functions in the 
Internet. Control systems require a degree of timing and 
reliability not critical for business systems. Because of this, 
employing existing IT security technology in a control system 
can range from lack of protection to actually creating a denial 
of service condition. This has actually occurred in attempting 
to employ encryption in these systems.
    Myself and others working with me have developed an 
understanding of what is needed to make control systems more 
secure from cyber-intrusion, but additionally to also make 
these systems more reliable. Cyber-security technologies need 
to be developed for control system applications. They include 
firewalls, intrusion detection, encryption, event logging, etc. 
They don't apply to control systems. The types of cyber-
security projects at university classes Congress has identified 
to fund, are not applicable to control systems. Understanding a 
business system is different than understanding a control 
system.
    Government funding is needed to establish test beds. DOE 
can help be a lead on this. It also requires extending existing 
NIST-NSA methodology for procurement of desktop computing 
systems' common criteria to industrial control systems. But 
this is a very difficult task. There are a number of entities 
waiting to participate when funding is made available. These 
include DOE, NIST, NSA, several electric utilities control 
systems suppliers, and IT security suppliers. We also need to 
make sure that the transition team from Homeland Security 
addresses control system cyber-security.
    I hope you now have a better understanding of control 
system vulnerabilities and what technologies are needed to make 
them less vulnerable.
    Thank you for your time and interest. And I would be happy 
to answer any questions.
    Mr. Horn. Thank you very much, Mr. Weiss.
    [The prepared statement of Mr. Weiss follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.028
    
    [GRAPHIC] [TIFF OMITTED] T7387.029
    
    [GRAPHIC] [TIFF OMITTED] T7387.030
    
    [GRAPHIC] [TIFF OMITTED] T7387.031
    
    [GRAPHIC] [TIFF OMITTED] T7387.032
    
    [GRAPHIC] [TIFF OMITTED] T7387.033
    
    Mr. Horn. We now will have the questioning of this Panel 
One, and later Panel Two. Mrs. Schakowsky has numerous 
commitments here, and so she can use as much as she wants for 
questioning.
    Ms. Schakowsky. Thank you. I'm sorry that I've been 
erratically here, and I also have to leave in a moment. But I 
wanted to thank you all for your testimony.
    I wanted to ask Mr. Weiss one question before I left. I 
represent a district in Illinois which is the most nuclear 
State in the country; we rely on nuclear power plants more than 
any. Your testimony said that even nuclear power plants have 
had a history of some problem with cyber-security.
    And I am curious, I know that nearly 50 percent of all the 
plants that were tested for mock terrorist attacks failed those 
tests; that they are vulnerable. My understanding is that did 
not even include testing for cyber-security and cyber-terrorism 
that could occur.
    First of all, do you know if that is true? And I am 
wondering if you could elaborate a little bit on the 
vulnerability of nuclear power plants, and what that might mean 
in terms of a terrorist intrusion into such a plant.
    Mr. Weiss. OK. Let me try and answer a number of those 
questions. First of all, the issue with the nuclear facility I 
mentioned was actually in a university reactor. It was one that 
also has the same type of technology as used in commercial 
nuclear plants, and it was a procedural issue. Nuclear plants 
originally were designed to be stand-alone systems. They 
weren't to be connected anywhere else. The non-nuclear safety 
systems are starting to be connected to the corporate networks 
because corporate wants to get information. That is starting to 
make them vulnerable whereas before they were not vulnerable.
    Ms. Schakowsky. That's non-nuclear.
    Mr. Weiss. Pardon?
    Ms. Schakowsky. You said non-nuclear?
    Mr. Weiss. In other words, on the non-safety side of the 
nuclear power plant.
    Ms. Schakowsky. I got you.
    Mr. Weiss. The safety side of a nuclear power plant is 
really not vulnerable, because they are not electronically tied 
to anything. So you are talking about the non-safety portion of 
the nuclear power plant. To the best of my knowledge, there has 
been no cyber-testing of any nuclear plant in the United States 
to date. That is correct.
    Ms. Schakowsky. Thank you.
    Mr. Horn. Thank you very much.
    Let us start with Dr. Thomas of the University of Southern 
California. Do you believe there are any cyber-terrorist threat 
scenarios that are realistic? If so, how do you believe an 
attack would occur under those circumstances?
    Mr. Thomas. I think there are two important aspects to 
that. I think the complexities of a cyber-terrorist attack 
really warrant our attention in that we are not talking about a 
16-year-old kid simply hacking into a secure system. In order 
to make a cyber-attack happen, a lot of other things have to 
happen, too. Other security measures have to fail. Those 
hackers or terrorists need not only to understand how to 
penetrate a computer system, but they also have to understand 
how to work a power plant, how to work air traffic control. 
They need to have a fairly sophisticated understanding of those 
kind of aspects in order to make an attack successful.
    The second thing I would add to that is that our 
vulnerabilities are not simply technological. And, in fact, my 
experience has been, in talking to hackers, that in most cases 
the way a hacker will invade a system is not by getting online 
and not by typing in passwords, but is generally by calling up 
somebody in that organization and conning them out of enough 
information to get access. It is not uncommon for them to call 
up a secretary and say, I can't get onto the network, my 
password isn't working; what is your password? And they give it 
to them, believing that they are a member of the organization.
    There's also reports, in terms of air traffic control, of 
attacks I think in the U.K., which were not cyber-attacks but 
rather people who got radios and were able to broadcast signals 
to planes.
    So I think the question of vulnerability, what hackers 
teach us is we should not just look for the most 
technologically sophisticated way in, but for the easiest way. 
And I believe that our vulnerabilities are really, in terms of 
the design of the system, and what is easy to attack in that 
system is the place where we really need to shore up and make 
sure that we have access barriers and so on.
    So I foresee, if an attack is going to come, that it is not 
going to come through some sophisticated programming technique 
or cyber-attack necessarily, but through a much less 
technologically sophisticated kind of means.
    Mr. Horn. What kind of additional expertise do you believe 
a hacker would need to control a power grid or a financial 
transaction?
    Mr. Thomas. I think in order to do that, they are going to 
have to have some understanding--going to have to have some 
understanding of how that power plant works, how the financial 
systems work. We tend to forget when we are talking about 
cyber-attacks that there are people involved on the other end. 
And when they see things happening that look suspicious or 
wrong, they tend to look at those things and understand that, 
if something is askew, that it needs to be examined more 
carefully.
    There is an example, I think, with SCADA of hackers that 
were in a system for something like 17 days, and one of the 
lessons that they learned from that is that once hackers got 
into this control system for power, they had no idea what to do 
once they were in there. They had the access, but they had no 
kind of knowledge or sophistication about how that system 
worked in order to do anything with it.
    So, I think that becomes another critical question of a 
level of expertise that includes the system they are invading 
as well as the way to get in.
    Mr. Horn. Why do you believe that it is unlikely that a 
hacker could obtain this additional expertise?
    Mr. Thomas. From what I know of the culture itself, hackers 
are much more interested in access than they are in what they 
find once they get into a system. I suppose that there are 
exceptions. But for them, the challenge mainly lies in getting 
in and then moving onto another system and another system and 
another system.
    If they do want something from inside a system, it is 
usually--when we are talking about the culture itself, they 
want evidence they have been there. They want something for 
bragging rights. They want a document. One of the things I 
write about is the fact that while hackers may be pretty smart 
about technology, they tend to make terrible criminals. They 
make a lot of mistakes; they are easily caught. When they do 
things, particularly involving money, they are oftentimes 
tracked down very quickly and prosecuted very severely for the 
crimes that they commit. So I think they tend to not have a 
kind of criminal frame of mind, even though what they are doing 
are crimes.
    Mr. Horn. In your testimony, you indicate that human 
intervention is required to control important operations of the 
Nation's critical infrastructure. Could you provide some 
specific examples of this?
    Mr. Thomas. One of the examples that I think is worth 
thinking about that's often cited is air traffic control. And 
in point of fact, air traffic control information that's passed 
over a network doesn't control anything. It provides 
information to controllers who then speak to pilots. Pilots 
have onboard radar. There are a lot of things that have to go 
wrong in addition to being hacked in order for a plane to 
crash.
    Another example that was cited in the literature was the 
idea that terrorists could hack into a cereal manufacturing 
plant like Kellogg's and dump enormous amounts of iron, for 
example, in children's cereal and poison our children. The 
number of things that would have to go wrong in that scenario 
are myriad. For example, the plant would have to notice--or, 
not notice that they are running out of iron at an incredible 
rate. There would have to be no one doing any kind of quality 
testing to see that the cereal, in fact, tastes like iron. It 
would have to get out on the shelves and not be recalled.
    So those kind of human factors, that kind of testing and 
that kind of observation doesn't necessarily make that kind of 
attack impossible, it just makes it highly unlikely that it 
would succeed or have the kind of impact that people would want 
it to have if they were engaging in terrorism.
    Mr. Horn. Mr. Belcher, you point out the dangers of linking 
all the components of a company's network together under a 
single protocol. Do you believe that it is practical to unlink 
infrastructure control systems from the rest of the company's 
business systems?
    Mr. Belcher. It probably would not be practical, given 
other business considerations. They're linking for synergies 
and efficiencies; they are not linking for security. So, in 
most cases, probably impractical.
    Mr. Horn. In your testimony, you indicate that critical 
infrastructure companies are experiencing attacks that may be 
specifically targeting them. Can you describe the type of 
attacks that they are experiencing?
    Mr. Belcher. The attacks that we monitored over the 6 
months alone, for instance, we quantified about 180,000 attacks 
against the client base and analyzed the characteristics of 
those attacks. There are numerous attacks that appear targeted, 
and we're able to quantify some statistics. Approximately 40 
percent of all attacks appear to be going after an individual 
organization rather than searching the Internet for 
vulnerabilities. It gives a little bit of insight into the 
motivation. The attacks run the gamut of intent. Some are 
inconsequential. Some are done by, obviously, children or other 
miscreants. Some appear to be going after internal networks, 
for instance, to go after financial information, credit card 
numbers, commit fraud, commit theft of property. So they run 
the gamut.
    Mr. Horn. In your testimony, you indicate that critical 
infrastructure companies are experiencing attacks that may be 
specifically targeting them. Can you describe any type of 
these, besides what you had mentioned, quantification?
    Mr. Belcher. Sure. Absolutely. If you look at the profiles 
of attacks coming across the Internet to individual 
organizations--for instance, if you look at the activity coming 
from certain countries within the Middle East, they do by and 
large favor power and energy as an industry. You can read into 
the motivations all you want. All we are simply providing is 
quantifiable numbers in association with those activities.
    Mr. Horn. You state that information on the inner workings 
of the system control and data acquisition is available from 
public sources. Can you describe those sources and what, in 
your opinion, can or should be used to limit the availability of 
this data?
    Mr. Belcher. This is relating to some of the questions to 
Dr. Thomas. We have done assessments, as I mentioned, both 
written and verbal, of many power and energy companies, probably 
in the magnitude of 40, assessing their corporate 
infrastructures and their control systems. And while I agree 
with the majority of the testimony by the entire panel, 
anecdotally speaking, showing and demonstrating the viability 
of connecting to these critical networks, sometimes we get 
resistance along the same lines of Dr. Thomas saying that even 
giving access it would be difficult to manipulate the systems, 
and we completely agree.
    In the past we have demonstrated the ability to collect 
open source information on the systems, including their design 
all the way to a protocol level to do analysis. We demonstrated 
the ability to watch the operators in those environments. And 
more importantly, when asking the people that manage those 
environments, if I give you access to a foreign utility could 
you manipulate it, and almost every time they say absolutely. 
Could you manipulate it to cause damage? Absolutely.
    So why would we consider threats against our critical 
infrastructure not at that level of expertise? If you could 
hire a professional service team of information security 
experts to go after an organization and they can demonstrate 
viable access to the most critical components, why would that 
not be our threshold to consider for attacks coming from other 
organizing sponsors?
    When you are talking about cyber terrorism, you're talking 
an absolute sliver of the general volume of attacks that an 
organization is likely to receive, a very, very small 
percentage. You have to consider that their expertise would be 
somewhere in the same range of our expertise.
    Mr. Horn. Mr. Alan Paller of SANS Institute, you have 
identified some of the pressures on commercial software 
developers that impede their ability to produce secure 
software, including their manufacturing and distribution 
processes and their desire to make user friendly products. What 
actions can developers take to eliminate these pressures and 
remain competitive?
    Mr. Paller. Scott Charney of Microsoft laid out a plan 
that ought to be a model for every one of the software 
companies and the only reason we don't all stand up and cheer 
and say we are done is that it is all prospective. You have to 
buy Microsoft's new systems to get this stuff. So we have maybe 
150 million people who we still have to help. So the question 
is what can they do for the rest of us? And I think the key 
answer came out in an FTC hearing. A person from Sun described 
it and it is actually the right answer, and I think Microsoft 
is doing this with the Defense Department. The key is to have 
all software delivered for agencies that matter, delivered from 
a local server where the server is kept up to date with the 
latest patches. And whenever anyone in that organization needs 
it--that is the way you do externally, too--whenever anyone 
needs the software, they get it off that local server. And if 
they'd set that up so all the rest of the infrastructure could 
use that, we could move quickly. But again, that is 
prospective. We still have 150 million boxes we have to fix.
    Mr. Horn. What are the risks associated with having a 
common security configuration benchmark for all Federal 
systems?
    Mr. Paller. Let me tell you the benefit first and then the 
risk. There were some tests last week--and before that--that 
took a regularly installed system and then ran one of the good 
vulnerabilities testers on it. And they found a certain number 
of high priority, medium priority and low priority 
vulnerabilities. Then it installed the minimum benchmark and 
ran the same tests over again and several tests were run. The 
average was 80 to 88 percent of all those vulnerabilities 
disappeared. So that's why you want to do a minimum benchmark.
    Then the question is what breaks? The answer is that what you 
don't want to do is break things. The absolute key is you can't 
install this and cause a critical application to break. And so 
the difficulty is making sure that something doesn't break. And 
the next step in these benchmarks is to set up test beds so all 
application vendors can run their application against the test 
bed and make sure their customers' applications won't break.
    But the answer to your question is the cost is breaking 
applications. We can't let that happen.
    Mr. Horn. You state that so much emphasis has been placed 
on a risk based approach that many organizations fail to make 
any investments in security until a risk assessment is 
completed.
    Mr. Paller. It is true. It is sad. GAO and congressional 
language is so emphatic that you have to do this risk 
assessment that people just get at big meetings and say ``We 
can't do anything until we have done a risk assessment,'' and they 
take a long time and they're buying computers every day. So it 
is not that they're not buying the computers and installing 
them. You've just got this huge consulting contract going on 
and on and on and you are not hardening the boxes you're 
installing today.
    Mr. Horn. What type of security investments do you believe 
should be made prior to completing a risk assessment?
    Mr. Paller. I think it is very much like living in a really 
rough neighborhood. You ought to lock the doors at night and 
maybe all the time when you're in your house and have locks on 
the windows. And there is a certain small set of things that 
every computer should have before we allow it--we as users, 
allow it to be connected to the Internet. If you think of this 
as unsafe cars on the road, that car could hurt all of us, 
there ought to be some little thing you do, and the vendors 
will help. They are coming around and willing to help. But 
before anyone hooks a machine to the Internet, they need to 
just lock the doors and lock the windows.
    Mr. Horn. Well, you give us some very interesting physical 
matters rather than just electronic. Mr. Scott Charney of 
Microsoft might have some ideas on this. Do you have a 
cascading effect that an attack on one sector of the 
infrastructure can affect other sectors? And what are some of 
the challenges in identifying cascading effects across 
industries?
    Mr. Charney. We actually did have such a case when I was at 
the Justice Department involving a juvenile who had the 
telecommunications switch in the Town of Worcester, 
Massachusetts. The switch actually serviced the regional 
airport where the tower was unmanned. As planes were coming in 
they would radio the tower and a signal would be sent 
automatically across the telecommunications network to turn on 
the landing lights on the runway. As the next plane came in and 
radioed the tower, because the telecommunications switch was 
disabled, the landing lights did not go on, the plane was 
diverted and the airport was closed. So we had a transportation 
failure based upon an attack on a telecommunications network.
    The huge challenge is I don't think anyone would say we 
fully understand all the interdependencies between all these 
networks at a granular level. Yes, we all understand if the 
power supply dies a lot of things won't work. If we don't have 
telecommunications a lot of things don't work. But how these 
things actually work in a more granular level where they share 
vulnerabilities is not entirely clear yet, and there are a lot 
of groups like the Partnership for Critical Infrastructure 
Security that are studying that to figure that out.
    Mr. Horn. With regard to cascading, please describe the 
unique problems in recovering from an attack that has cascaded 
into other sectors.
    Mr. Charney. The difficulty, I think, will be in the scope 
of the problem and integrating all the pieces back together and 
making sure that all the relevant pieces are in fact considered 
as we recover from the event. The thought that comes to mind 
was when I was at PricewaterhouseCoopers, you know, after the 
September 11th attacks, there was a lot of concern about when 
the stock markets would be up and operating again. And a lot of 
people were talking to the exchanges, for example, and the 
telecommunications carriers. It turns out no one was talking to 
the exchanges in the back that actually did the actual trading, 
the clearinghouses for the exchanges, and since then they have 
become more involved. But people were focused on the obvious 
visible problem and not some of the substructures that actually 
make it all go. So it is really important to understand how the 
different parts of the infrastructure function, including the 
parts that are less visible, and make sure they are all 
integrated into the recovery plan.
    Mr. Horn. What challenges has the Information Technology 
Information Sharing and Analysis Center encountered in its 
efforts to coordinate interdependency analysis and recovery 
efforts with other sectors?
    Mr. Charney. I think we have a couple of challenges. One 
is, of course, that sectors have certain commonalities and 
therefore we have divided the ISACs into different sectors, but 
it is important that we not stovepipe the information because 
of these interdependencies. As a result, in fact there is a 
meeting later this week, a cross-ISAC meeting where we are 
starting to coordinate better in that regard. And there are the 
issues I referred to in my example, the FOIA exemption, and 
creating an environment where the ISACs can share information 
far more freely with the government.
    Mr. Horn. You mentioned there are these separate 
organizations and processes to prosecute cyber crimes depending 
on whether they appear to be intelligence related or law 
enforcement related. Can you give us a description of some of 
the differences and how they can affect the outcome of a case?
    Mr. Charney. Yes. And some of this goes back to my years at 
the Justice Department. As you know, historically the 
government has had different organizations with different 
authorities to counter different threats. So if you believe you 
are under attack from a criminal, you launch criminal 
investigative authorities using things like pen registers, trap 
and tracers, and wiretaps. When you believe that it is, say, an 
intelligence gathering operation, for example, you have foreign 
counterintelligence authorities and other tools such as FISA, 
the Foreign Surveillance Intelligence Act, which, for example, 
when I was at Justice requires links to an agent of a foreign 
power, some sort of governmental action. And then of course 
when you have war, you have U.N. Charter 51 and you have rules 
for how you engage in warfare.
    The difficulty is that all of those mechanisms and 
procedures depend upon who is attacking you and why. And in an 
Internet attack, what you normally do not know at the outset is 
who is attacking you and why. So there is an issue about what 
kind of response would be appropriate. And let me give you a 
real life example.
    Many years ago when we were gearing up for air strikes 
against Iraq, we found we had a massive penetration coming from 
the Middle East into the U.S. Department of Defense, and there 
was concern this might have been a preemptive strike against 
our information systems to disrupt our military activities in 
the area. Fortunately, the military people involved and the 
Justice involved knew enough to know that where the attack 
looks like it is coming from may not be where the attack is 
coming from. But if you see that kind of attack, the question 
is, is it a foreign state and does it constitute an act of 
information warfare? And if it does, does that mean you can 
drop bombs in response? Is that a proportional response under 
the rules of war?
    Of course we didn't do that. We did investigate the case as 
a criminal matter, and it came back to two juveniles in 
Cloverdale, California who were looping through the Middle East 
and hacking the Department of Defense with help from an 
Israeli.
    So we have this problem in that we set up these processes 
and procedures, but we are in a completely new threat model. 
And I simply think the government has to really start thinking 
about this and figuring out what constitutes the right response 
in an environment where you don't have the facts you need to 
make the traditional decisions.
    Mr. Horn. What lessons learned did Microsoft take away from 
the company's intensive scrutiny and security analysis of 
millions of lines of code?
    Mr. Charney. That we need to do a lot better and we are 
going to do a lot better. You know, I have people who say to me 
now Microsoft is issuing a lot of bulletins about 
vulnerabilities and an awful large number of patches. Well, if 
we looked at our code reviews and threat modeling, I would hope 
that we are issuing a lot of bulletins and patches because we 
are making the systems more secure and what we have learned is 
we have to do this right. And the good thing is that markets 
are now demanding it. National security and public safety 
concerns are now demanding it. There is a confluence of events 
that really rewards, I think, companies that recognize that 
this has to be an industry initiative and a government industry 
initiative.
    Mr. Horn. Thank you very much for enlightening us on that. 
Our last questions will be for Mr. Joe Weiss. And what can the 
Federal Government do to improve the security of the SCADA 
systems and why don't you explain what S-C-A-D-A is?
    Mr. Weiss. SCADA--I think it has been used too much now as 
a euphemism. What I believe we need to worry about are what's 
called control systems. These are the real-time systems that 
control processes, whether they are for a power plant, an 
assembly line, etc. For whatever reason, the term SCADA came 
out early. It stands for supervisory control and data 
acquisition. It's simply a type of control system. It is used 
in certain types of industries. It is usually used where you 
are trying to gather data from very dispersed facilities. You 
are not really trying to do significant calculations.
    If you are in a refinery, a power plant or a steel mill 
where you are more concentrated and you are doing much higher 
levels of calculation, you have things called distributed 
control systems. If you are in a discrete type of a facility 
like an assembly line or a parts manufacturer, you are actually 
using programmable logic controllers. SCADA has been used as a 
term to lump them together.
    Mr. Horn. A lot of it is with inventory movement in the 
Japanese----
    Mr. Weiss. No. If you will, that is really a manufacturing 
execution system. What we are worried about is the physical 
control aspect that occurs in real-time. You want to open or 
close a breaker in a substation. You want to move a valve. You 
can even think of your sprinkler system at home. The purpose of 
a control system is to be able to do that in an automated way. 
It is going to take, for example, a pressure or a temperature 
and to make a change in order to keep my process moving the 
right way.
    What has happened is with the net, it has allowed us to get 
information from so many different places and to use these new, 
mathematical algorithms to make this adjustment of different 
signals better and smarter and quicker. And in a sense that's 
what's opened us up because we can.
    Now to the question you asked originally. We have a problem 
with the chicken and the egg. The chicken and the egg are 
vendors, and not just in electric utilities, but generally the 
control system suppliers aren't producing secure control 
systems because they feel there's no market. It would take 
development--like I say, the technology isn't even there yet 
because they are different. It would take development and it 
would take a lot of other things. So the vendors are not 
supplying that secure control system.
    On the other hand, the end users, be they utilities, oil 
companies, etc., because the vendors don't have one they don't 
even put it in their specs. So what's happening is we are in 
this chicken and egg scenario that we are not moving at all, 
and that is one area where the government can help us, in a 
sense getting this market to occur or the fact that there needs 
to be a market so the technology will even occur.
    The other piece is literally the technology development 
itself. There's an awful lot of technology that's being 
developed in DOD that may have some relevance to us. The 
converse is if you look at a ship, the ship is a power plant 
with a rudder. So there's an awful lot, if you will, of synergy 
in between. But if the government helps, for example, and is 
involved with the test beds, the way it will move this forward 
is to actually have facilities where you can go in and try out 
and test out and find out what happens when I do put this in, 
what is my incremental security benefit, what is my either 
incremental improvement of reliability or possibly decrease in 
reliability. So I have some intelligent way of saying, what 
should I do? We don't have that right now.
    Mr. Horn. What sectors are most vulnerable and why?
    Mr. Weiss. All, because we all have the same control 
systems from the same vendors using the same architectures. The 
vulnerability--I am not talking threat. Again, I am a control 
system engineer talking about the systems. From a vulnerability 
perspective, the same control system from the same vendor is in 
power plants, is in refineries, is in water treatment plants, 
is in steel mills. So in a funny sense, the vulnerability is no 
different. The threat may be different, but the vulnerability 
isn't.
    Mr. Horn. Let me ask this one last question to this panel. 
How available are hacking tools? Mr. Weiss, let's just go down 
the line.
    Mr. Weiss. They are available. What we didn't realize is 
their applicability to a control system. We had originally 
assumed that it wouldn't impact a control system. We are 
starting to find out that they can. But let me just add one 
other thing. In order to impact a control system, you don't 
need a hacking tool. That, to me, is something that's 
different. There are other things that you can use to impact, 
via cyber, the operation of a control system and it doesn't 
have to be a hacking tool.
    Mr. Charney. The tools are widely available. And what that 
means, of course, is that when you're under attack and under an 
attack that appears to be sophisticated, it may not be a 
sophisticated attacker. It may be a novice.
    Mr. Paller. Just to reinforce that, I was the expert 
witness in the Mafia Boy trial where he attacked Yahoo and eBay 
and he used a tool that he got from somebody else. He had no 
clue how the tool worked. And as I said earlier, there are at 
least 2,000 programs running at all times searching on the 
whole Internet. And finally there are Web sites now where you 
can do either of two or three things. You can actually type in 
what you want a virus to do and it will write the virus for 
you. You can type in who you want to attack and it will run the 
attack. Anybody can use those Web sites.
    Mr. Belcher. I think everyone in the panel is going to say 
I think the tools are readily available. I think the concern 
would be that for cyber terrorism issues you are really worried 
about the perpetrator that does not need or does not want the 
tool.
    Mr. Thomas. I would agree that tools are widely available. 
And I may have a different perspective in that I would suggest 
that the availability of tools is not necessarily a bad thing. 
I think it does force software companies to be responsible in 
updating their product, in analyzing their own networks and 
analyzing their own software. And as a result we get better 
security because those tools are out there, not worse.
    Mr. Horn. Well, I want to thank each of you. You have 
educated all of us in many ways, and so thank you very much and 
we will now bring panel two forward. If you would like to stay, 
fine.
    Robert Dacey is the Director, U.S. General Accounting 
Office; Ronald Dick, Director, National Infrastructure 
Protection Center, Federal Bureau of Investigation; John S. 
Tritak, Director, Critical Infrastructure Assurance Office, 
Department of Commerce; Stanley Jarocki, Chairman, Financial 
Services Information and Analysis Center, and Vice President, 
Morgan Stanley IT Security. The last part of this is Louis G. 
Leffler, Manager-Projects, North American Electric Reliability 
Council. And as you know, gentlemen, a lot of you have been 
here before. If you have any aides with you just get them to 
take the oath, also. And Mr. Marc Maiffret, we are glad to have 
him here.
    [Witnesses sworn.]
    Mr. Horn. Marc Maiffret will join this panel and there is a 
sign already for him and a chair and we are glad you made it 
here. Chief hacking officer and co-founder of eEye Digital 
Security. And then we will start with you if we might.

   STATEMENT OF MARC MAIFFRET, CHIEF HACKING OFFICER AND CO-
                 FOUNDER, eEYE DIGITAL SECURITY

    Mr. Maiffret. Thank you. Thank you for having me. My name 
is Marc Maiffret, Chief Hacking Officer and Co-Founder of eEye 
Digital Security. We focus on creating computer security 
products, and we are also heavily involved in vulnerability 
research.
    Much debate has been given to the security of our 
infrastructure. Some are peddling doom and gloom. That sounds 
like a script to the next cheesy sci-fi movie. Others, however, 
are ignoring the problem to say it is overhyped. I personally 
believe that it is pointless to debate whether our 
infrastructure is secure or not. At the heart of it all we have 
the basic understanding that as a Nation we wish to be secure. 
If our infrastructure is vulnerable, then we are not secure. 
Therefore, more time needs to be put into creating guidelines 
of how to secure infrastructure rather than debating whether it 
is secure or not. With proper guidelines in place and enforced 
by our government, we will be that much closer to securing our 
infrastructure.
    The current level of security within our infrastructure 
cannot be judged as a whole. There are too many systems run by 
too many organizations, therefore making it very hard to 
quantify how secure or insecure our infrastructure is. The fact 
does remain, though, that there are vulnerable systems within 
our infrastructure. It is also a fact that many of the software 
solutions controlling our infrastructure are vulnerable. This 
includes the various software that controls SCADA systems.
    SCADA systems are probably one of the most vulnerable parts 
of our infrastructure because of the link created between 
software and hardware allowing engineers in infrastructure 
companies to easily manage their systems. A lot of times it is 
possible to gain access to the networks which house SCADA 
systems. Once on these networks, it is entirely possible to 
take control of an infrastructure site and start performing 
functions just as an operator of the site would.
    I will not go into a ton of detail in possible ways of 
taking over SCADA systems as I have done so in my written 
testimony. In the end though, it is entirely possible to take 
control of SCADA systems. Taking control of a SCADA system is 
not something that any two-bit Internet hacker is going to be 
able to do. Hacking SCADA systems should not be equated to 
teenage hackers breaking into Web sites and then mysteriously 
being able to control a power grid. That is not to say that 
technology is not moving to make that type of scenario totally 
unrealistic. However, hacking a SCADA system does take more 
skill than an average teenage hacker will have.
    Security of our Nation's infrastructure is a complex 
problem because of the integrated nature of our systems even 
beyond their technical aspects. It is security meets business, 
meets usability and meets politics, everyone's opinion of how 
things should be. Albert Einstein once wrote that if we have 
the courage to decide ourselves for peace we will have peace. I 
believe the same goes for security. Only when we as a society 
decide we truly wish to be secure and then follow through in 
that decision shall we begin to start to attain security.
    Once again, I suggest that in order for us to start to 
secure our infrastructure, we must create guidelines that 
critical infrastructure companies must follow. These guidelines 
must be enforced by our government. We must move quickly on 
securing our infrastructure for I fear if we do not act soon 
then we will be forced to thrust our infrastructure through 
nihilistic rebirth, as the only means of becoming secure would 
be to start over.
    Thank you.
    [The prepared statement of Mr. Maiffret follows:]
    Mr. Horn. Thank you. That is very helpful and we go now 
with Robert Dacey, the Director of Information Security, U.S. 
General Accounting Office, which is under the Comptroller 
General of the United States. And we always use GAO in one way 
or the other, beginning or end. You are on the beginning but we 
will probably ask you what did we miss at the end. And so, Bob, 
nice to have you here.

 STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY 
             ISSUES, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Dacey. Mr. Chairman, I am pleased to be here today and 
thank you for your continuing interests and efforts to provide 
oversight over this critical area. Today I would like to 
discuss the challenges that our Nation faces concerning 
critical infrastructure protection, or CIP, and Federal 
information security. As you requested, I will briefly 
summarize my written statement.
    We have made numerous recommendations over the last several 
years concerning CIP and Federal information security 
challenges that need to be addressed. For each of these 
challenges, improvements have been made and continuing efforts 
are in the process, including a number of efforts by other 
members of this panel. However, much more is needed to address 
them. These challenges include, No. 1, developing a national 
CIP strategy. A more complete strategy is needed that will 
address specific roles, responsibilities and relationships for 
all CIP entities, clearly define interim objectives and 
milestones and set timeframes to achieve them and establish 
appropriate performance measures.
    Last week, we issued a report that further highlights the 
importance of coordinating the dozens of Federal entities 
involved in cyber CIP efforts. The President's National 
Strategy for Homeland Security, also released last week, calls 
for interim cyber and physical infrastructure protection plans 
by September of this year to be followed at an unspecified date 
by a comprehensive national infrastructure plan.
    The second major challenge is improving analysis and 
warning capabilities. More robust analysis and warning 
capabilities are still needed to identify threats and provide 
timely warnings. Such capabilities need to address both cyber 
and physical threats. The National Strategy for Homeland 
Security calls for major initiatives to improve our Nation's 
analysis and warning capabilities that include enhancing 
existing capabilities within the FBI and building new 
capabilities at the proposed Department of Homeland Security.
    The third major challenge is improving information sharing 
on threats and vulnerabilities. Information sharing needs to be 
enhanced both within the Federal Government and between the 
Federal Government and the private sector and State and local 
governments. The National Strategy for Homeland Security 
identifies partnering with non-Federal entities as a major 
initiative and discusses the need to integrate information 
sharing within the Federal Government and among the various 
levels of government and the private industry. Information 
sharing and analysis centers, which will be discussed today, 
continue to be a key component of that strategy. The strategy 
also discusses the need to use available public policy tools 
such as grants and regulations.
    The fourth challenge is addressing pervasive weaknesses in 
Federal information security. Despite the importance of 
maintaining the integrity, confidentiality and availability 
of important Federal computer operations, Federal computer 
systems have significant pervasive information security 
weaknesses. A comprehensive strategy for improving Federal 
information security is needed in which roles and 
responsibilities are clearly delineated, appropriate guidance 
is given, regular monitoring is undertaken and security 
information and expertise are shared. As I testified earlier 
this year before this subcommittee, continued authorization of 
government information security reform legislation is essential 
to sustaining agency efforts to identify and correct these 
significant weaknesses.
    The President's draft legislation on the creation of a 
Department of Homeland Security and the National Strategy for 
Homeland Security acknowledge the need to address many of these 
challenges. However, much work remains to effectively respond 
to them. Until a comprehensive and coordinated strategy is 
developed for all CIP efforts, our Nation risks not having an 
appropriate and consistent structure to deal with the growing 
threats of attacks on its critical infrastructures.
    Mr. Chairman, this concludes my oral statement, and I would 
be pleased to answer any questions that you or members of the 
subcommittee might have.
    [The prepared statement of Mr. Dacey follows:]
    Mr. Horn. Thank you. We appreciate that.
    Our next presenter is Ronald L. Dick, the Director of the 
National Infrastructure Protection Center, Federal Bureau of 
Investigation. I want to express the feelings of the Committee 
on Government Reform and this subcommittee in particular about 
what you have done to help us in many ways, and so thank you 
very much, Mr. Dick. You do a fine job down there.

STATEMENT OF RONALD L. DICK, DIRECTOR, NATIONAL INFRASTRUCTURE 
       PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION

    Mr. Dick. Thank you, Mr. Chairman, for this opportunity to 
discuss our government's important and continuing challenges 
with respect to critical infrastructure protection. But before 
I begin my statement I would like to express my appreciation to 
you for your service in the House and note that everyone 
concerned with infrastructure protection will miss your 
leadership.
    Mr. Horn. That is kind of you.
    Mr. Dick. Thank you, sir.
    And ITC representatives have testified several times in 
front of this committee, most recently in September of last 
year. Since that time, while the Nation has focused on the war 
against terrorism, the NIPC has forged ahead on several fronts.
    I have been asked many times about what keeps me up at 
night and I think about a scenario that combines a serious 
physical attack with a concurrent cyber attack which would tie 
up 911 systems or stop the flow of electricity and water during 
the crisis. We work to prevent such a scenario through two-way 
information sharing. Because approximately 85 percent of the 
Nation's critical infrastructures are owned by the private 
sector, we rely heavily on private sector information sharing.
    In the written statement, I discuss some of the challenges 
we must overcome in two-way information sharing. I will focus 
on two areas in which we have made substantial progress in the 
last year.
    First, we have built many trusting relationships with 
members of the private sector, particularly those through our 
government-private sector infrastructure protection 
partnership, known as InfraGard, and with information sharing 
and analysis centers. For example, InfraGard membership has 
grown by more than 600 percent in the last 14 months from 800 
to nearly 5,000.
    Second, our new unit, the ISAC Support and Development 
Unit, was designed to assist in the development and expansion 
of ISACs. Since formation of that unit, information sharing 
agreements have been signed with ISACs for telecommunications, 
information technology, food, water supply, emergency services 
like fire, banking and finance, chemical sectors and the 
Aviation Administration. Tomorrow I am scheduled to sign 
another agreement, adding the National Association of State 
Chief Information Officers to our list of infrastructure 
protection partners.
    One of the most recent agreements was with the ISAC for 
fire emergency services led by the U.S. Fire Administration, an 
organization which has been a model for mutual benefits of two-
way information sharing. Since that agreement, we have shared 
intelligence on scuba diving threats to waterfront facilities, 
suspicious attempts to purchase an ambulance in New York and 
the theft of a truck with 10 tons of cyanide in Mexico. In 
turn, they have told us of suspicious foreign nationals 
attempting to gather information on emergency services.
    However, more work still needs to be done. The annual 
Computer Security Institute and FBI Computer Crime and Security 
Survey, released in April, indicated that 90 percent of the 
respondents detected computer security breaches in the last 12 
months. Only 34 percent reported the intrusion to law 
enforcement. On the positive side, that 34 percent is more than 
double the 16 percent who reported intrusions in 1996. This 
nonreporting impairs the government's ability to analyze 
threats and vulnerabilities and take appropriate action. The 
two primary reasons for not reporting were the fear of negative 
publicity and the belief that competitors would use the 
information against them if it were released.
    First, I assure you that the Department of Justice and the 
FBI, Office of General Counsel will be happy to discuss with 
your staffs the issues more thoroughly regarding information 
sharing because it always must be kept in mind that sharing of 
information is voluntary. Therefore, it becomes the 
government's burden to demonstrate it can and will protect 
information.
    One of the issues we have heard for years is that companies 
are concerned that information they provide to the government 
will be released by the government under the Freedom of 
Information Act. We looked at the Freedom of Information Act 
and discussed it with the private sector. Under exemption 
(b)(4) of FOIA, the government is not required to disclose, 
``trade secrets and commercial or financial information 
obtained from a person and privileged or confidential.''
    On the face of that statute, you find the definite--you 
don't find, rather, the definition of those key terms. 
Companies asked us what ``trade secrets'' meant under FOIA as 
well as the scope and terms of information. They asked, for 
example, is vulnerability information considered commercial or 
financial? They also asked whether under the statute 
information gets different protection if it is voluntarily 
provided to the government.
    We worked with the Department of Justice and also did our 
own legal research. In doing so, we found a number of important 
cases that discuss these issues. The most important, I am told, 
is a case decided by the D.C. District Circuit Court of Appeals 
called Critical Mass Energy Project vs. the Nuclear Regulatory 
Commission. Nonetheless, despite these cases and some others 
like it, companies want clear statutes with straightforward 
language. They do not want to be kept up to date on the latest 
cases or have to keep up to date on the latest cases. They want 
a simple statute they can understand. Without that, many 
companies will not share information.
    The question of whether in the abstract we can protect the 
information becomes meaningless if the companies will not give 
us the information in the first place. Many companies seek 
certain outcomes and they don't want to rely on a judge's 
decision. They also don't want to face even the possibility of 
having to go to court to litigate the protection of their 
information whether under FOIA or under the Trade Secrets Act. 
Finally, they are also concerned about the State open records 
laws. Many have told us that they want to be able to share 
sensitive information with the Federal Government and they 
would like the Federal Government to be able to share 
information with them and would like to be able to share 
information with the States. But they are equally clear that if 
the sensitive information becomes public, they will not share 
it. Sharing a lot of this information publicly would weaken the 
Nation's security, not strengthen it.
    The NIPC has been asked to engage in a constructive dialog 
with industry in order to promote information sharing. For over 
4 years we have heard this same message. We would like the FOIA 
issue resolved in a manner that industry is convinced of the 
government's ability to protect their information.
    At a recent Senate hearing before Senator Lieberman, the 
NIPC, myself and the Department of Justice committed to work 
with Congress on these concerns so as to resolve them.
    And let me conclude. Faced with the hard fact that most 
companies are not reporting, the NIPC has promoted an 
aggressive outreach program and is seeing results. The system 
of information sharing amongst ISACs, the NIPC, government 
agencies and the private sector is beginning to work. At the 
NIPC we continue to seek partnerships and means which promote 
two-way information sharing. As Director Mueller stated in a 
speech on July 16, prevention of terrorist attacks is by far 
and away our most urgent priority. We can only prevent attacks 
on our critical infrastructures by building an intelligence 
base, analyzing that information and providing timely, 
actionable, threat-related products to our private and public 
sector partners.
    Therefore, we will continue our efforts with your committee 
in improving information sharing and infrastructure protection, 
and I welcome your comments.
    [The prepared statement of Mr. Dick follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.106 through T7387.116
    Mr. Horn. Thank you very much. We will now hear from John 
S. Tritak, Director of the Critical Infrastructure Assurance 
Office in the Department of Commerce. Now that is partly, with 
NIST, also involved in standards and that kind of thing. Very 
good, if you want to give us a better view of that, start in 
with it.

STATEMENT OF JOHN S. TRITAK, DIRECTOR, INFRASTRUCTURE ASSURANCE 
                 OFFICE, DEPARTMENT OF COMMERCE

    Mr. Tritak. Thank you for the opportunity to be here today. 
I submitted my written remarks, and I would be more than happy 
to talk about the move to the Department of Homeland Security 
and our respective roles as you would like, but I would like to 
touch on a few themes that have arisen during the course of 
this hearing and give some reflection on those in my brief 
remarks now.
    I want to begin by focusing--homeland security differs 
fundamentally from what I would call classic national security. 
And by classic national security, I am referring to those 
things the government more or less did on its own on behalf of 
the United States and its citizenry. We are now confronted with 
a unique challenge. And that is because, as we have heard from 
al Qaeda and others, the terrorists have indicated that 
the economy is a target, particularly the pillars of that 
economy, and the vast majority of those are privately owned and 
operated. Terrorists' followers have been urged to attack these 
pillars of the economy wherever vulnerabilities exist, whether 
they are in the physical domain or in the cyber domain.
    And we know they're looking at the cyber domain as well. 
And we have heard a little bit earlier that attacking SCADA 
systems or major facilities through cyberspace is not easy and 
is not something that the average hacker can do, and I would 
completely concur in that. It is not easy, but I will submit 
the terrorists are not lazy. And it wasn't easy to orchestrate 
the hijacking of four aircraft and turn those aircraft into 
cruise missiles.
    The point of all of these terrorist activities is to force 
the United States to look inward and change and rethink its 
global commitments overseas, particularly in the Persian Gulf 
and the Middle East. Their goal was to create serious impact 
and force us to redo and rethink our commitments overseas.
    So I would submit to you it is not a question of whether 
cyber terrorism exists or whether it is overblown. I think to 
the extent that our economy relies on information systems and 
networks to function and to the extent there are 
vulnerabilities of the kind that could be exploited to cause 
harm in combination with other forms of attack--Ron Dick just 
mentioned one. I think he is right on this. We don't 
necessarily have to envision terrorism playing out like a war 
game or Nintendo. We are talking about a situation where 
perhaps in combination with a devastating physical attack 
certain key information systems networks are disrupted and 
therefore exacerbate an already terrible situation because that 
is the impact they are seeking. It is their goal we have to 
keep an eye on when we are talking about this problem. 
Therefore, because the economy is largely privately owned and 
operated, we have to see homeland security as a shared 
responsibility, and this is going to require redefining our 
respective roles between government and industry and how we go 
about achieving this new goal, and that is going to require a 
level of collaboration that frankly we've never had to have 
before.
    And that is why I think it is very important when we create 
this new department that the culture of partnership and 
collaboration suffuse that organization. It has to actually 
build on the premise that government and industry together need 
to achieve this goal and that neither government nor industry 
alone can do it.
    Information sharing is deemed one very important way in 
which we actually operationalize homeland security, and 
information sharing is taking place now. Ron Dick will tell you 
and many of the ISAC people will tell you they are sharing now. 
But the real goal here is to create an environment where 
dynamic sharing can take place on an ongoing basis to deal with 
problems as they arise in real-time. And I would submit to you 
that the question with respect to FOIA or any other question is 
whether the current statutory and regulatory environment is 
conducive to promoting voluntary acts of information sharing.
    Now, this is not an easy issue and I know there are very 
important public interests and public goods at stake here and 
honest people can disagree over the challenge of open 
government on the one hand and the need to secure information 
and how it could come into conflict. And frankly, it is the 
Congress who is going to have to resolve these problems.
    I also want to make clear that any change in the FOIA is 
not going to be a silver bullet because the one thing you can't 
do through the regulation or statutory reform is create trust 
and legislate trust. That has to come out of experience. What I 
would suggest, however, is that to the extent that the current 
environment is viewed as an impediment that we very carefully 
narrow reform to actually create an environment that induces 
that collaboration and that kind of dynamic information sharing 
which I think everyone agrees needs to take place if we are 
going to achieve the mission of securing our homeland.
    And I thank you for the opportunity to be here, Mr. 
Chairman. You will be deeply missed by all of us who have 
respected your work over these last few years.
    [The prepared statement of Mr. Tritak follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.117 through T7387.123
    Mr. Horn. Well, thank you very much. Let us now move to 
Stanley Jarocki, chairman of the Financial Services Information 
and Analysis Center and vice president of Morgan Stanley IT 
Security.

 STATEMENT OF STANLEY R. JAROCKI, CHAIRMAN, FINANCIAL SERVICES 
  INFORMATION AND ANALYSIS CENTER, AND VICE PRESIDENT, MORGAN 
                      STANLEY IT SECURITY

    Mr. Jarocki. Mr. Chairman and members of committee, thank 
you for this opportunity to testify about the importance of 
information sharing and the protection of this Nation's 
critical infrastructure. It is an honor to appear before you as 
we discuss these matters in our efforts to further the 
protection of our great Nation. My name is Stash Jarocki and I 
come before you to speak from a perspective formed by three 
decades of experience in the information security field and 
also as founder and present chairman of the Financial Services 
Information Sharing and Analysis Center. The FS-ISAC is the 
first of the private sector's Information Sharing and Analysis 
Centers, created in response to PDD-63. This directive called for 
the establishment of these centers to assist sector efforts in 
the protection of critical infrastructure components from the 
cyber and the physical world.
    I have come before you today to speak about terrorism, both 
the cyber and the physical, and one of the successful 
approaches for mitigating its risks. I will also discuss the 
obstacles to this approach and the steps necessary to address 
impediments that will slow our successful battle against 
infrastructure threats. I would like to begin by asking us all 
to consider the nature of cyber terrorism. It is not merely a 
creation of an attention hungry, sensationalized media, or the 
result of panicked public outcry. Cyber terrorism is as much of 
a threat to us as the painfully realized danger of its 
counterpart, physical based terrorism. Its implications are far 
reaching, as the potential for cyber-based terrorism is 
directly proportional to the pervasiveness of possible targets.
    Due to the utter saturation and dependence on a technology-
based infrastructure, the realities of the dangers of cyber 
terrorism must be acknowledged. We may begin with the sad fact 
that our information technology systems are already under 
attack and we have every reason to believe that these threats 
will worsen as we go forward. Also, it lives and depends on a 
physical environment that has been harshly attacked and could 
be attacked again and again, not only by man but by the natural 
forces that exist.
    We must act, and we must act quickly. Furthermore, we are 
not powerless. Just as it is our physical and cyber 
infrastructure systems that are subject to these attacks, it is 
our ability to share and exchange information that can provide 
us with a strong foundation for defense.
    Today, there are some 57 of the largest financial 
institutions, banks, brokerages, insurances and SROs, which 
represent more than 50 percent of all the credit assets who are 
members of the FS-ISAC.
    Our mission is straightforward: Through information sharing 
and analysis, provide its members with early notification of 
computer vulnerabilities and access to subject matter expertise 
and other relevant information such as trending analysis for 
all levels of management and first responders. In fact, we are 
embarking on a major effort to be the information dissemination 
pipeline for the entire financial sector, comprised of clients 
that use our systems to the family run bank to the largest 
multinational financial institutions. We are joined in this 
endeavor by other organizations with similar missions. These 
include the National Infrastructure Protection Center, NIPC; 
U.S. Secret Service, especially their New York Electronic 
Crimes Task Force; the Department of Defense's Joint Task Force 
for Computer Network Operations and others trying to create an 
effective and trusted network of government and private sector 
entities sharing information to collectively benefit critical 
infrastructure protection.
    Unfortunately, I am here today to tell you that we cannot 
succeed in this mission without your help. Legitimate concern 
has arisen among members of the private sector that has 
directly affected information sharing, the result of a 
legislative environment that is not conducive to our best 
infrastructure protection efforts. We believe there are three 
actions that must be taken in order to remove legislative 
obstacles that block effective, robust sharing:
    One, provide a narrowly written exemption to FOIA for 
critical infrastructure information voluntarily shared from 
private companies or private sharing groups to the Federal 
Government.
    Two, provide an exemption or guidance under the antitrust 
laws on both a Federal and State level to critical 
infrastructure information voluntarily shared in good faith 
within the private sector, especially with a formal structure 
like the ISACs.
    And, finally, provide safe harbor legislation similar to 
that provided for Y2K to protect the disclosure of 
infrastructure information within the private sector as long as 
such disclosure is made in good faith.
    We have heard a lot. The risk is too great. Better to keep 
your mouth shut. Better safe than sorry. These statements 
represent the danger we face today because that is the kind of 
advice by general counsels throughout the Nation. We faced this 
danger before, preparing for the Y2K turnover. In the Y2K 
effort we avoided it through thoughtful and balanced 
legislation. We must avoid that danger again. While legislation 
alone will not solve all the challenges in information sharing, 
it will go a long way in providing the protection industry 
needs as well as demonstrating the government's commitment and 
desire to be an active member of the information sharing 
process.
    As a founder and supporter of the ISAC concept and 
practitioner in the information security world, I can state 
that information security is essential.
    Finally, effectively robust information sharing becomes the 
foundation for mapping trends and developing actuarial tables 
needed to create a factual basis for risk management and a 
stabilized, insurable environment, thereby reducing the risk 
that industry sectors must manage on a daily basis.
    Mr. Chairman, I would like to thank the committee for 
permitting me to testify on this important subject. I will be 
pleased to answer any questions you may have at this time. 
Thank you.
    [The prepared statement of Mr. Jarocki follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.124 through T7387.127
    Mr. Horn. Thank you, Mr. Jarocki. The last presenter is 
Louis G. Leffler, the Manager-Projects of North American 
Electric Reliability Council. I am very fascinated by your 
companion councils around the country, so you might just like 
to tell us a little bit about it before you start in on the 
substance of all this.

   STATEMENT OF LOUIS G. LEFFLER, MANAGER-PROJECTS OF NORTH 
             AMERICAN ELECTRIC RELIABILITY COUNCIL

    Mr. Leffler. Thank you, Mr. Chairman, and thank you for 
this opportunity to present some of the work of the electricity 
sector directed at securing our critical infrastructure from 
cyber and/or physical attack with specific emphasis on the 
Electricity Sector Information Sharing and Analysis Center.
    Regarding NERC, the North American Electric Reliability 
Council was formed in the aftermath of the 1965 power system 
failure in the Northeast; it was formed actually in 1968. There 
are currently 10 regional councils which include all of the 
United States, virtually all of Canada and a very small part of 
Mexico.
    One of the points that is made in the testimony, and I will 
make it here, is that electricity is unique. All the critical 
infrastructures have their own unique characteristics. One of 
the uniquenesses of ours is that electricity is an on-demand 
product. It is made the moment it is required. And one other 
point that is extremely important in what we are trying to do 
here, is that we are all connected. We are all interconnected. 
Virtually every single power producer, power transmission 
system and distribution grid one way or another is connected 
with every one. So what happens to one may very well impact 
what happens to another.
    Therefore, it is imperative and absolutely essential that 
we coordinate and have the policies in place on how we operate 
the system so this system is operated reliably to avoid another 
cascading power system failure, be it due to any myriad of 
possible things like bad weather, equipment malfunction or a 
terrorist attack. That is a little bit of a sum-up as to what 
NERC is.
    Mr. Horn. Thank you. We will now go into the question 
period.
    Mr. Leffler. I am not done.
    Where interdependencies were mentioned before, I mention 
them now within our sector, and of course they exist between 
our sector and the others. We did an exercise years ago on 
Governor's Island in New York, and it was interesting. It was 
10 years ago or more, brought together all these same critical 
infrastructures and we sat around a table and the challenge 
was, here it is Sunday morning, snowstorm coming, terrorists 
have come in and shut down a major power system and you are all 
here. President is at Camp David and he is coming back to the 
White House at 3 o'clock in the afternoon, what are you going 
to tell him? So we sat around and looked at ourselves and 
started to come up with solutions. Some interdependency 
problems, some of the things that one of the other presenters 
spoke about regarding this intricate linkage of the 
interdependencies and so on.
    Our sector is well equipped for a panoply of events. I 
already said that. We established--and then we really 
established right after the PDD-63 was promulgated by the last 
administration--a group to start dealing with this, and we 
began meeting with our sector liaison, which is the Department 
of Energy, and immediately following that we found out about an 
organization called the National Infrastructure Protection 
Center and began working with Ron Dick and his people over 
there. We established excellent relationships.
    In order to do this for the electricity sector so it was 
done once and done well for the entire sector, we created a 
thing called the Critical Infrastructure Advisory Group and it 
represents the subject matter experts in physical security, 
cyber security and operations from all the industry segments. 
And it is working pretty well; it reports directly to the NERC 
board of trustees.
    We also worked with--I mentioned the Department of Energy 
and the NIPC, the Department of Defense, the Critical 
Infrastructure Assurance Office, the Nuclear Regulatory 
Commission and the Federal Energy Regulatory Commission, the 
FERC. The testimony goes into a lot of what we have done. I am 
not going to repeat that here.
    We do have a set of security guidelines, both physical and 
cyber. We have one on security of data that we think is 
extremely important and we are working with the FERC on 
including appropriate security measures in the standard market 
design for electricity.
    Our ISAC was established about the same time that we 
initiated the IAW--Indications, Analysis and Warning program--with 
the NIPC. That was in October 2000. The mission is to receive 
information for analysis, provide interpretive analytical 
support to the NIPC and other government agencies, and 
disseminate threat warnings together with interpretation to 
guide the sector. The staff with NERC personnel is available to 
any electricity sector entity at no charge.
    What can the government do to encourage information 
sharing? We already talked quite a bit around this table about 
the need for some considerations to FOIA. I am not an expert in 
this area, but it has been said very well that we want to 
voluntarily share this information. We need to voluntarily 
share this information, and we need some additional limited 
protections in that area.
    We request faster granting of U.S. clearances. We have a 
number of clearances. The ISAC people have them. A number of 
people in the industry do, and we need them to enhance our 
capabilities for analysis and understanding.
    The very essence of ISAC operations requires 
communications. We must increase the availability of reliable 
and secure telecommunications for use among sector 
participants, the government and the ISAC. The electric 
industry operates in a constant state of preparedness; 
planning, training and operating synchronous grids requires 
preparedness for natural disasters, energy emergencies and the 
attacks of sabotage or terrorism.
    We greatly appreciate our working relationships with the 
government agencies and look forward to answering any questions 
you may have for us. Thank you.
    [The prepared statement of Mr. Leffler follows:]
    [GRAPHIC] [TIFF OMITTED] T7387.128 through T7387.139
    Mr. Horn. Thank you. We will now have the question period, 
and it will alternate between Ms. Schakowsky, the ranking 
member, and myself, and we will do 5 minutes each so everybody 
gets a chance here. So Ms. Schakowsky, 5 minutes.
    Ms. Schakowsky. Well, I am hearing the drum beat of FOIA 
and while there are many other things to focus on, I want to 
focus on that because I am very disturbed about what I am 
hearing. I was particularly concerned and I quoted in my 
opening statement, Mr. Dick, a remark of yours that talks--that 
says, ``if the private sector doesn't think the law is clear, 
then by definition it isn't clear.''
    It seems like that's the theme of the day--have talked 
about not a conducive atmosphere for the private sector to 
share, and therefore we should change FOIA. I would just want 
to suggest there is another option, and that is to say this 
information isn't voluntary, that we require it; that this is a 
time of a war on terrorism, and that we are calling on 
individuals and businesses to be patriotic and to provide 
information. I just--I'm not suggesting I am going to introduce 
anything of the sort, but I wanted to just say that this is a 
critical time, we all agree, that's why we are here today to 
discuss it. That we could, in fact, just say that because this 
is so critical to our national security, our homeland security, 
we could simply require this rather than, in my view, pander to 
the desires of businesses to keep information secret, an item 
that's been on that agenda for many years, not just now.
    And when I see public officials saying that individuals--
because that's what we're saying--individual citizens should be 
deprived of information that is--now, we have a Freedom of 
Information Act, and I want to talk to you about that, that has 
nine exemptions to protect information from the public when 
necessary. And such exemption b(4) deals with trade secrets, 
confidential business information, protecting--and I know, Mr. 
Dick, you don't think that's sufficient. And, so in addition, 
we have Executive Order 12600 that says if information is to be 
released and a business objects, there is a whole procedure to 
stop that information from being released.
    And it astounds me that at a moment in history when 
transparency in business is on the headlines every day, the 
need for us to know what is going on in our private sector, 
which has deprived many of our citizens of their ability to 
retire and employees of their future retirement plans, sends 
the stock market diving because of this lack of transparency, 
cooking the books, that now we want to offer, in my view--and I 
want your opinion on this--not a narrowly constructed exemption 
to FOIA, but a loophole big enough to drive any corporation and 
its secrets through, in my view. One that says that if they 
simply declare it to be--to need to be secret, that not only in 
an amendment that would--I think may be part of the bill--is 
that 12, Department exemption now, the Davis amendment? 
Homeland Security.
    So now if a company wants to protect information from 
public view, they could dump it in the Department of Homeland 
Security and say we don't want anyone to have access to it 
because it's critical information, and it could be something 
that communities need to know, about pollution of a chemical 
plant or etc.
    I think we ought to be concerned about these abridgements 
of individual rights to information, and have a little more 
concern about that than we seem to be exhibiting today about 
the lack of interest of private businesses at this time of war 
to share critical information.
    If I seem outraged, it is only because I am. So I would 
like some response.
    Mr. Tritak. I would like to take this, if I may just 
comment on a couple things. One is the administration's 
position has been very clear. One--this is supposed to be a 
narrowly crafted exemption.
    Ms. Schakowsky. And do you think this one is?
    Mr. Tritak. Well, let me--what I would like to say is what 
the administration's position has been. Right now, you are in 
the give-and-take process of creating law. If things aren't as 
clear as they need to be, this is the time to work on them. I 
can tell you what the President has made clear about what the 
intentions are: It is to be narrowly crafted. It is not to be a 
permit or a process for data dumping--if I may finish, please.
    Also, we are talking about voluntary information, as we 
said before. Now, you just presented an alternative to that. 
But the point is, right now, today, there is information of the 
kind that right now is not mandatorily required that could help 
safeguard the homeland through a voluntary sharing regime? I 
think the answer is yes. But no one is talking about creating a 
safe haven for negligence or a safe haven for criminal 
activity.
    Now, what I said before, that we are talking about a 
culture collaboration, I don't want that to be viewed as a 
synonym for a culture of coddling. What we are talking about 
here is we have a shared responsibility, and we have got to 
manage it properly. If the existing provisions that have been 
put forward suggest otherwise than what the President has made 
clear and has been his position before, then it seems to me 
this is the give-and-take process----
    Ms. Schakowsky. What does the administration think about 
it? Is it narrowly focused enough for the administration, the 
current language that we are going to be considering tomorrow 
or Friday? This is not imaginary language. There is language.
    Mr. Tritak. No. Look, I am aware of the concerns that have 
been expressed, and they have been expressed quite a bit. I am 
also aware that there has been a fairly active dialog to 
address those concerns and to bring this into--my sense is that 
the new provision is going to look a lot different from the one 
that exists today. So that's why----
    Ms. Schakowsky. That's not my understanding.
    Mr. Tritak. Well----
    Ms. Schakowsky. We're going to try, certainly.
    Mr. Tritak. Well, but I think this is in fact an active 
dialog that's happening between the administration and the 
Congress as we speak.
    Ms. Schakowsky. No, I think that's really a copout, because 
there is language, as was proposed by the administration, that 
is currently in the bill. I will be offering an amendment, I 
hope it will get bipartisan support, that will change that 
language. But it's not theoretical or--I mean, it is written 
right now in a piece of legislation. And I want to know if that 
is the language that you think is narrowly crafted enough, and 
that's the administration's language.
    Mr. Tritak. I think the position the administration put 
forward is the one that it believes would advance the issues I 
have just addressed. I also think that people recognized going 
in that this was going to be a provision that was going to be 
worked. So the real question at the end of the day is, the 
final bill that is going to pass both the House, the Senate, 
and the administration, is going to reflect a consensus on this 
matter. And I can only tell you that what the administration 
has been fairly clear on is that this is not intended to be an 
open-ended, overly broad information sharing process; it is 
meant to provide clarity and certainty to the stakeholders of 
the infrastructure as to what is in and out of bounds in terms 
of what is protected under FOIA.
    Ms. Schakowsky. So the language in the Armey bill--that's 
the bill right now--came out of the select committee. That's 
the bill, that's the language. Is that the--does the 
administration support that language currently?
    Mr. Tritak. You know, what I have to tell you, I think that 
there currently is a review about that language as part of the 
administration's response, and I would rather not say anything 
about it at this time. But I take the point, and----
    Ms. Schakowsky. OK.
    Mr. Tritak [continuing]. All----
    Ms. Schakowsky. But, no. Let me ask--can I ask another 
quick question?
    Mr. Horn. Certainly.
    Ms. Schakowsky. What efforts have been made to let the 
private sector that might have this critical information know 
about how to use the existing FOIA act, about the Executive 
order, and to create a sense of comfort--which, I guess, is 
what we need to do. It seems to me that the tools are here. It 
doesn't surprise me that the private sector might want to go 
further. But have there been efforts, particularly post-
September 11th, when we are trying to get this information, to 
encourage that information and to make it clear how to use the 
current tools?
    Mr. Dick. I will take that one. Since the inception of the 
ITC, one of the issues that has continually come up, as I said 
in my oral statement, is this very issue. We have had a 
continual dialog with the ISACs, the InfraGard members, which, 
as I said, total over 5,000, and anyone else that we can get in 
front of, and try and clarify and explain how the government 
would be able to protect information under the FOIA exemptions.
    The reality is, though, for example, in the Trade Secrets 
Act, one of the things that I am told--I am not a lawyer--that 
if there is a request for that, the industry would have to come 
forward and discuss in court what it had done to protect that 
information. So therefore, they would have to go into court and 
prove, I assume beyond some standard, that they had adequately 
protected it in the first place.
    One of the things you have to keep in mind is that the 
information that we are talking about is owned by the private 
sector, and FOIA does not apply to the private sector; it only 
applies to the executive branch.
    So we are talking about information that the private sector 
believes is sensitive and are concerned about it being 
disclosed, and they have questions as to whether the government 
can adequately protect it. And what we are recommending is not 
some broad loophole, but a measured response in the language 
that provides them the assurances that will provide better 
information sharing.
    Ms. Schakowsky. Well, first of all, my understanding is 
that you are wrong about the protection of that information. If 
it is voluntarily provided to the Federal Government and then 
there is a FOIA request, it is not because it is in that 
category of voluntary information that it is automatically 
released and not covered by FOIA; it is now covered by FOIA, 
and all of those nine exemptions and the Executive order apply 
to that information.
    But I think perhaps a more central question is, do any of 
you know of any instance, even one, where confidential 
information has been released by the Federal Government in 
response to a FOIA request over the objection of the business 
that supplied that information?
    Mr. Dick. The answer is we are not--meaning the NIPC and 
the FBI--aware of that. But on the flip side of that, because 
of these concerns, I can't tell you that we are getting an 
extremely high volume of information either. So it hasn't 
really been tested.
    Mr. Horn. We will move from 5 minutes to 10.
    And Mr. Tritak, again, when is the Comprehensive National 
Infrastructure Protection Plan expected to be completed?
    Mr. Tritak. Well, as you know, the overall homeland 
security strategy was just released last week. And the next 
step is that there will be two, what I would consider to be 
baseline strategies, one dealing with the concerns of the 
cyberspace security, which is being overseen by Dick Clarke, 
and the other is the challenges to the physical 
infrastructures--critical infrastructures, which will be coming 
out sometime in September or October as well.
    It is then the intention of the homeland security effort to 
create one integrated approach, which would follow sometime 
thereafter. I think the real answer is as soon as possible, but 
there hasn't been that date set. But given--frankly, given the 
pace with which things have been moving, I wouldn't expect it 
to follow much longer from those releases.
    Mr. Horn. Will the proposed plan address specific roles, 
responsibilities, and relationships for all the critical 
infrastructure protection entities, establish interim 
objectives, and set milestones for the achievement, and 
establish performance measures?
    Mr. Tritak. Yes, that is the intention.
    Mr. Horn. OK.
    Mr. Tritak. And I will also add, more infrastructure 
sectors have been added since PDD-63 to take into account the 
homeland security issues of food protection and the rest. So, 
yes.
    Mr. Horn. What are the incentives for the private sector to 
share information with the Federal Government?
    Mr. Tritak. They're a target. And there is also I think a 
recognition that there are certain pieces of information that 
the government can provide, once it knows more about the 
challenges that the private sector is facing, that can help 
them better do their jobs.
    Mr. Horn. What can we do to do anything to improve these 
various incentives?
    Mr. Tritak. I think one of the purposes of the strategy is 
to actually--by the way, the strategy that will be coming out 
in September is actually the product of industry and government 
working together. And I think what will be extremely important 
is as we find obstacles to homeland security, some of them may 
very well raise issues, statutory concerns or otherwise, and 
then we will be coming to people like you to discuss how we go 
about dealing with them. And so I think it is the constant 
vigilance of the Congress as these public issues come to the 
fore, in which government has to play a role in order to get to 
advance the cause of homeland security that you will provide 
the most helpful function in that regard.
    Mr. Horn. Do you think the private sector in the State and 
local governments are willing to fund the efforts required to 
adequately secure our critical infrastructures?
    Mr. Tritak. I think they are. I think the question is 
always going to be, particularly with State and local 
governments, how much of this is quintessentially the roles and 
responsibilities of the State and local government, and how 
much is the homeland security proposition at the State and 
local level really a Federal issue as well.
    Governor Ridge has made it very clear that at the end of 
the day, homeland security is won in the hometown, which is 
exactly what happened in New York. We were much, much better 
off because of the brilliant work that was done by New Jersey, 
Arlington, Virginia and the rest, and the contingency plans 
that they had done. And we would have been in a lot worse shape 
if they hadn't been thinking through this problem before.
    Mr. Horn. How long will the move to the new Department of 
Homeland Security improve the Critical Infrastructure Assurance 
Office's ability to fulfill its mission? Will it stay with 
Commerce, essentially?
    Mr. Tritak. No. The idea is that it will actually be under 
the Department of Homeland Security. And I think what it will 
do is allow us to leverage our resources along with the co-
location of people like Ron Dick and others, so that we--
basically, we could be more focused. We give industry, for 
example, single points of contact as opposed to multiple points 
of contact. It will be more efficient and effective, Mr. 
Chairman.
    Mr. Horn. Well, thank you. That's a good response.
    Mr. Leffler, do you believe that the private sector is 
willing to fund the efforts necessary to adequately secure our 
critical infrastructure?
    Mr. Leffler. Absolutely. I think that with--with some help. 
I think that we have to define very clearly and very carefully 
what securing this infrastructure really means, and we have 
begun that dialog. Cyber is one perspective. We heard a lot of 
discussions on the earlier panel about process control systems. 
It's an issue that we have on our--under our purview right now. 
We are seriously considering what needs to be done. It's a big 
issue, and it does need to be addressed, and we are in the 
process of commencing that process.
    The other one on cyber controls or cyber perspective is the 
cyber business commerce. And this, I mentioned in my testimony, 
this is--we are working with the FERC in developing a security 
standard for the standard marketing design, and we will work 
with them in establishing that, promulgating what needs to be 
done by everybody. Basically anybody who is going to be 
participating in this industry, will need to step up to the bar 
on that one.
    And then, securing everything in the cyber world, we have 
another project called Public Key Infrastructure, which we have 
embarked upon and received approval from our board to commence, and 
we are working that one to do it as well.
    Now, we get to physical. And we say, OK, how do we secure 
this system from physical--from any kind of physical attack? It 
is everywhere, as everyone knows. And that's an extremely 
difficult thing to do. So part of the answer is in knowing 
where critical things are, knowing what things are critical, 
knowing what we need in the way of spares. Perhaps we can get 
some support there in establishing spares, locating spares, 
transporting spares when they are needed to be used. Those are 
some of the things that we may need some assistance in. And 
then, finally having excellent--I mean excellent--plans for 
reconstitution in place, as did ConEd in New York City. Their 
restoration of that city's electricity, gas, and steam 
infrastructures was just fantastic.
    Mr. Horn. Mr. Jarocki, you probably ought to be in on this 
dialog here. Any thoughts with what Mr. Leffler thought?
    Mr. Jarocki. I think a lot of the things that are already 
being done are helpful and an expansion. For instance, let me 
give you some examples. During--obviously, during the September 
11th scenario, the FS-ISAC opened up the ISAC to the entire 
industry, and we created an eBay type environment that says, 
what is available? Is there space available? Is there product 
available? And everything else.
    We also found that in order to communicate readily with 
each other, we needed the exact thing that Lou said. Where is 
the emergency communications? Through John's office we were 
able to get a lot of guest cards immediately issued to our 
executives to start that process, because it is key. When all 
fails--in New York City, I was a participant in the September 
11th exercise. Unfortunately, what worked--it was strange. Two-
way pagers worked; cell phones and everything else just went 
out. And I saw the fear in people's eyes. You know, what do we 
do? It was a war. It was a definite war, and communications 
breaking down. I mean, we were lucky at Morgan Stanley because 
of the redundancy in everything else, our communications did 
not break down internally; but externally, we were there. So I 
think there is a lot there.
    Wearing my old hat from many, many years ago as an 
intelligence officer at Fort Meade and working with that group, 
I think one of the things that we could get from the government 
is we learned a lot about taking large volumes of data, 
analyzing it, and being able to extract the fine points that 
are necessary to make an operation valid and give us value 
information. I think a lot of that, if we can get at those 
algorithms, get at that process, is what we need in the 
civilian community, in the ISACs, so we could start processing, 
and get at--I think the last time we did a catalog of over 108 
Federal data bases which had significant information that we 
could use that might very well help us out in protecting our 
infrastructure.
    Mr. Horn. How would you characterize the quality and 
quantity of the data being shared from the Information Sharing 
Analysis Center to the government?
    Mr. Jarocki. I looked at it--it is sort of a marriage; 
we're dating, and so we are exchanging information. We haven't 
gotten to the altar yet. But I think it is a positive thing. 
You know, you are testing the waters.
    You are saying, here it is. It's a very good relationship 
with the organizations I mentioned: NIPC, the New York 
Electronic Crimes Task Force. To me, it's a very positive 
relationship. Again, it was built on one important thing--how 
can we trust each other--as opposed to having guns and badges. 
It's a trust of people and exchanging information, and I think 
it's--it is only getting better.
    Mr. Horn. What type of information is shared among 
Information Sharing and Analysis Center members but not with 
the Federal Government?
    Mr. Jarocki. Right now I will only reflect on the 
technology side, is we share an awful lot of information on 
what's technology and, specifically, what might be within our 
own realm of the financial sector, this piece of software or 
whatever we have. Is that shared with other sectors? No, 
because it's not germane to them. But we would look at that and 
say, OK, here is what we use; this is a payment system, this is 
it. How can we shore this up? How can we make it better?
    And we are also working with the vendors that supply. 
That's a key issue because we're saying, look, we find these 
things; how can we work together to fix them. And fix them 
when? Immediately, if not sooner. So we are looking at--I don't 
think there is--at this stage of the game, there is no, shall 
we say, holding back of information that would be critical in 
any instance.
    Mr. Horn. What Federal organizations do you coordinate with 
now? And do you have any suggestions to improve this 
coordination? For example, the proposed Department of Homeland 
Security, will that affect this coordination or will that 
improve it, as you look at the puzzle?
    Mr. Jarocki. I sincerely hope it improves it, and I think 
it's the right direction, because it's going to focus a lot of 
the separate efforts that are taking place today. If you took a 
look at the entire catalog of information that we analyze and 
collect at the FS-ISAC, it is over 100 different sources. 
That's not saying it's all Federal, but there is over 100 
different sources. And I think, as you suddenly focus it all 
and bring it together so we have one point of contact, much 
like we have done with Ron Dick--I mean, one of the good things 
that we managed to put together was how do we formalize what we 
do. Where are the points of contacts? How can we get 
information together? And, how can we hold--a simple thing like 
we agreed to call each other once a week and say, hi, anything 
going on? Because you just forget. You are so busy in business-
running that sometimes that phone call is necessary. So I think 
Homeland Security. And if we--everything we read, though, it 
keeps changing, though. So I'm just trying to map this on my 
screen. It's not that easy.
    Mr. Horn. I have one more question on this, and then I will 
yield 10 minutes for Ms. Schakowsky. What are the impediments 
that limit additional firms from participating in your 
Information Sharing and Analysis Center?
    Mr. Jarocki. I don't think there's any impediments right 
now, because we are actually working on opening it up to the 
entire sector. The only impediment, like anything else, is 
sheer cost. There is always a dollar associated with providing 
it. And what we are working toward today is a multitiered 
system so that at least the most important information, which 
is the alerts and the vulnerabilities, can be gotten to the 
first responders, to the executive management thing at the 
lowest levels, immediately, if not sooner.
    Mr. Horn. Thank you. Do you want to add something to that, 
Mr. Tritak?
    Mr. Tritak. No.
    Mr. Horn. OK. Ten minutes for Ms. Schakowsky.
    Ms. Schakowsky. Back to FOIA. Mr. Tritak, you said that the 
President has wanted a narrowly crafted exemption to FOIA or 
addition to FOIA. Let me just read to you from the bill that 
came from the administration.
    It says: ``Information Voluntarily Provided, Section 204. 
Information provided voluntarily by non-Federal entities or 
individuals that relates to infrastructure vulnerabilities or 
other vulnerabilities to terrorism and is or has been in the 
possession of the Department shall not be subject to section 
552 of Title 5, United States Code.''
    That's the Freedom of Information Act.
    ``Anything that relates to infrastructure vulnerabilities 
or other vulnerabilities to terrorism will be exempt from the 
Freedom of Information Act.'' You could hardly call this a 
narrow exemption to FOIA.
    Now, it has been fleshed out a bit in the Armey bill, but 
the goal of the administration within this Department was to 
protect all of this information. Now, how does that jibe with 
your saying that the President wants a narrow exemption?
    Mr. Tritak. Well, as I said before, I think the idea here 
is to make it narrowly crafted to deal with very sensitive 
matters relating to critical infrastructure vulnerabilities. It 
is not to provide a--basically, a dumping ground for any 
information related to anything with respect to the 
infrastructure industry that someone might want to put in there 
and then claim it's protected under the----
    Ms. Schakowsky. So--now, so the narrowness is as long as 
you can somehow hook it to infrastructure----
    Mr. Tritak. Vulnerabilities. Yes. Now, look, again, this is 
a draftsman issue. I take your point. I understand that this is 
very contentious. All I'm saying is that's precisely the 
process. You are now in play to fix it if you have a problem 
with it. I mean, truly. No one--let me tell you, nobody intends 
this to become a mechanism by which basically people can, you 
know, foist their responsibilities off by data dumping. No one 
is trying to create a mechanism by which gross negligence and 
criminal activity can be buried in the government and therefore 
it can't be prosecuted or otherwise----
    Ms. Schakowsky. Intention really doesn't matter. Intention 
really doesn't matter. Depending on how the law is crafted, it 
could be exactly used for that.
    Mr. Tritak. Sure. But part of it--that's why, as I say, 
it's the give and take of this process, to make it read what 
it's supposed to do.
    Ms. Schakowsky. OK. Mr. Dick, I want to get back to your 
statement, and see if you wanted to reconsider it, the 
statement you made before the Senate: ``if the private sector 
doesn't think the law is clear, then by definition it isn't 
clear.'' What do you mean? And do you want to reconsider?
    Mr. Dick. One is, as I talked about a moment ago, we spent 
a good deal of time with the private sector and their general 
counsels trying to explain how the exemptions as they currently 
exist under FOIA will protect the information that is provided 
to it.
    The problem that we run into is that the general counsels 
for these companies either, (a) don't believe it, or cannot 
provide to the CEOs absolute assurance that the sensitive 
information that they would be providing to the government 
would be protected. And so what, by definition, if it--
obviously, we're not being able to convince the private sector 
that those exemptions are adequate, because we have done it 
over and over again--you have heard it by the members here, on 
this panel--that it's still a concern to them. And one of my 
missions as the director of the Center is to try and promote, 
as best I can, the partnership with the private sector so that 
they do share that information so that we can compare threats 
and vulnerabilities so as to assess the risk to our critical 
infrastructures. And that's what we are seeking. If there is 
not clarity there, if there is not our concerns, and if there 
is a way that Congress can resolve those issues, then we 
support that.
    Ms. Schakowsky. It's really stunning to me. I mean, if 
WorldCom or Enron or somebody comes to us and says, well, you 
know, we really don't think we can provide you that information 
even though we're--our stock has gone all the way down and 
we're just not going to provide information--that the U.S. 
Government should change its laws to accommodate that. It seems 
to me, if we need the information, then we have laws in place 
and they should give the information. I would like to----
    Mr. Dick. This goes back to the point, though. At this 
moment in time, this is voluntary information, owned by the 
private sector, that it has no obligation to share unless it 
wants to. We can't make them do it.
    Ms. Schakowsky. Right. And at a time of war, at a time 
where we feel threatened, we are negotiating with them to 
provide critical information, and changing our laws so that 
they will feel----
    Mr. Dick. This issue was raised before September 11th.
    Ms. Schakowsky. Oh, I know.
    Mr. Dick. This has gone on for 4 years.
    Ms. Schakowsky. Oh, I'm well aware. I'm well aware they 
don't want to provide information to the government that we 
might need to protect our--the safety and well-being of our 
citizens. And we are going to accommodate that in ways that I 
think diminish our ability for citizens to have information 
that they are rightfully entitled to.
    I would like examples of what kind of information that--
that you are saying that they don't want to provide us.
    Mr. Dick. Well, obviously if I knew what that was--you mean 
general scope examples? Or--I mean, if I knew what the 
information was, I would----
    Ms. Schakowsky. All right. Just give us categories of 
information that we aren't going to get because they are 
uncomfortable.
    Mr. Dick. Well, NOSA has to, you know, defer to Stash and 
the other people at the table for categories of this. But, for 
example, the specific vulnerabilities associated with the SCADA 
systems and the processing systems that they are able to 
determine. Nobody has attacked them yet. But what my job is is 
to compare what is the threat out there? Are there people, 
whether they're hackers or al Qaeda or whoever, looking for the 
vulnerabilities that have been identified out there?
    The second piece of the equation at times is unknown to me. 
I know that there are people out there looking to attack them, 
but I don't know what the vulnerability is that they may seek 
to do that by. And at times the private sector is concerned 
about if they share it, then it will become public and 
therefore the bad guys will know it and then attack them.
    Ms. Schakowsky. So there is so little confidence, that at 
this point in history that people within the government would 
not have the sense to know what information would be critical 
to al Qaeda, that they are just not going to provide that 
information?
    Mr. Dick. No. We do know what some of that information is.
    Ms. Schakowsky. No, no. I'm saying that businesses feel 
that they can't trust you to maintain secrecy around 
information that will help al Qaeda.
    Mr. Dick. Well, I think the issue is not if we know it; 
it's whether the industry's required to provide it, and whether 
FOIA, in their opinion--meaning the industry--believes that 
they can protect it.
    Ms. Schakowsky. That's what I'm saying. They don't believe 
it. They believe that if they provide information that's 
critical to terrorists, that this government under its current 
laws is just going to let that information out.
    Mr. Dick. Their concern is that the government--if I 
understand it correctly, and you should ask them--is that the 
government could not adequately protect it. That's the advice 
that I understand being given by the general counsels, and we 
are trying to work with them to resolve those issues.
    Ms. Schakowsky. And I just want to say that it is precisely 
because of those concerns that the exemptions to FOIA were 
crafted. It is precisely for that reason that the Executive 
order--to make sure, as kind of a backup system, Executive 
Order 12600 was put in place so that those would be protected. 
These are precious civil liberties, sunshine laws, that now 
have come into focus how important it is to have transparency. 
This is what we preach around the world. And I just am at a 
loss to see why we should use this moment to sacrifice those 
protections.
    Mr. Horn. I now yield 10 minutes for myself.
    Mr. Dick, what efforts should we focus on to improve 
information sharing and success of the Information Sharing and 
Analysis Center structure?
    Mr. Dick. I think the things that we are doing now, and I 
think we have been able to demonstrate, at least over the last 
couple of years, that the government can be trusted; and, in 
particular, the NIPC can be trusted with that information; that 
we have been able to demonstrate that with it, we can provide 
back to them timely actionable information to better provide--
better protect their assets.
    Frankly, as Stash has indicated, it's just going to take 
time to build up that trust to make the free flow of 
information to the point that we can do an even better job than 
what we are doing today.
    Mr. Horn. What changes should we make to the Information 
Sharing and Analysis Center in the new critical infrastructure 
protection strategy?
    Mr. Dick. I'm sorry? Changes insofar as the strategy itself 
to enhance information sharing? Is that what you're talking 
about?
    Mr. Horn. Yeah.
    Mr. Dick. I really think under the President's proposal, as 
it was talked about a moment ago, by combining these issues 
that--or, resources,--that we'll have a much more focused and 
effective and efficient manner by which to deal with assessing 
threats and vulnerabilities. I think that there will be a lot 
of leveraging of capabilities across the government by the 
merging of some of these agencies under one leadership, and 
overall should have a very positive effect on our capabilities.
    Mr. Horn. How are you assured that you are getting the 
appropriate intelligence information? And, how will the new 
Department improve the flow of intelligence information to the 
National Infrastructure Protection Center?
    Mr. Dick. One of the things--I mean, I think we've built 
some very good partnerships with the other agencies that are in 
the Center. For example, CIA and NSA and Department of Defense 
and U.S. Secret Service now has a manager within the Center. I 
think we have about 22 different agencies represented there. 
And I think one of the things that it is going to enhance, if I 
understand the proposal correctly, is that DHS will--you know, 
the flow of information, the requirement of sharing information 
on a much broader scale, will be further enhanced. With that 
comes responsibility and accountability for other people's 
information.
    But at least in the current structure, as I understand it, 
the ability to look at the big picture will be substantially 
increased.
    Mr. Horn. Do you think the private sector and State and 
local governments are willing to fund the efforts required to 
adequately secure our critical infrastructure?
    Mr. Dick. I think there is a will there. But in these 
fiscal times of budget deficits, I think it is going to be 
difficult for State and local governments to find those 
resources. But the will is there to do that.
    I met just last week with representatives from the State of 
Florida that are looking at starting a State--or, a State of 
Florida Critical Infrastructure Protection Center. I know 
that--participated with Texas in doing a similar type of 
project. And one of the things we have to ensure--I like to 
talk about the thousand points of light theory insofar as 
infrastructure protection. I don't care how many centers there 
are out there or how many ISACs there are out there or how many 
members of InfraGard out there, the point is that they are all 
interconnected and sharing information so that we truly have 
the ability to determine what the vulnerabilities are and when 
some threat is going to attack that vulnerability. So I think 
there is the will. The funding of it is a different question.
    Mr. Horn. Before I get to the General Accounting Office, 
our research arm--and I haven't forgotten you, Mr. Maifrett, 
and you've listened to all this. What's your thinking on that?
    Mr. Maifrett. I think the debate of like information 
sharing is obviously something that should happen. But I think 
the even bigger problem is that we don't really have any 
information to share or any worthwhile information. And 
basically that is to say that there are--you know, if you want 
to take SCADA systems or just control systems in general, 
there's plenty of them out there that do have vulnerabilities. 
I've actually had access to a few of these types of systems 
myself. And people--you know, myself and also other researchers 
of the eEye, we found numerous vulnerabilities in that, in the 
actual SCADA software themselves, in the actual control 
software.
    And this information, you know, it's slowly getting up to 
the software developers and whatnot so they can fix these 
problems, but there needs to be a lot more work actually done 
on determining what is the vulnerability, you know, why is a 
certain type of infrastructure site vulnerable, depending on 
the type of setup that it has, whether it's using commercial 
off-the-shelf software which has vulnerabilities, or whether it 
be, once again, the actual SCADA software itself.
    And you know, I will say again, I think we really need to 
work hard on actually--you know, to state the obvious, I think 
we need to work hard on actually fixing the infrastructure 
sites themselves. And that is creating, whether it be 
guidelines that are enforced, kind of like we've had in the 
health care with HIPAA and whatnot.
    But we need to basically get down in the trenches. I think 
there's--you know, while there's a certain amount of high-level 
talk that needs to be done, there is even more on a technical 
level that needs to be discussed and hammered out and, you 
know, true technical solutions to a technical problem need to 
be put forth.
    Mr. Horn. One of your colleagues on Panel One said 
generally this--and that's Dr. Thomas--noted that hackers who 
have the skills to break into a supervisory control and data 
acquisition system are unlikely to conduct a targeted attack, 
based upon their ethics.
    Mr. Maifrett. I think with hackers--I mean, there's so many 
different kind of classes of hackers, if you will. There is 
more the typical term ``hacker'' which is used by the media and 
just by people in general, which is, you know, the people that 
are posting on mailing lists about security vulnerabilities and 
that type of thing and doing research. And I think those type 
of people, you know, people like myself, I definitely consider 
myself a hacker.
    Yes, we actually--you know, there is the ethic there that 
you would never do such a thing. At the same time, I know for a 
fact that there's plenty of foreign governments that do heavily 
research vulnerabilities and how to actually take control of 
these types of systems. There's other governments that have 
SCADA systems also, for example. And just like our government 
does a lot of analysis in finding vulnerabilities in these 
types of systems, although a lot of time that information 
doesn't kind of bubble up to the surface, you know, there's 
definitely other countries that are doing the same type of 
thing. And at the same time, there are definitely hackers that, 
you know, while they might not necessarily have the ethic, 
there is a certain dollar value that, when brought up, makes 
that ethic go away a little bit.
    So I definitely think there are people out there that do 
have the skills and they definitely think that sooner or later 
they are going to be approached, and it's going to start--you 
know, these types of attacks are going to take place.
    Mr. Horn. About a year and a half ago, I was in Italy when 
they had reached a wonderful part in their economy. And I 
happened to mention to the Prime Minister, are you worried 
about any foreign nation trying to upset your economy? Which is 
very electronic in many ways. And he said, ``We certainly 
are.''
    Now, from your background, do you worry about that kind of 
situation? And do you see that type of thing going on, where a 
good economy of the free world is under fire?
    Mr. Maifrett. Yeah. I don't know. I mean, there's a lot of 
times there's talks like that where it's kind of like the 
economy as a whole or, you know, the North American power grid 
as a whole and stuff. And I don't think that you necessarily 
right now are going to see the type of attack that could be 
that broad and affect that much. I think it's going to be more 
targeted attacks.
    For example, an attack that takes place and the power for 
Los Angeles goes off, or something like that. I don't think 
that it's really something that's so broad for the United 
States in general. But it obviously shouldn't be discounted 
that--you know, depending on the number of, you know, hackers 
that you have working for you and how well you are able to 
coordinate and things. If you hit a few of the major cities and 
stuff, it obviously can be just as devastating.
    Mr. Horn. You recommended enforcing a set of requirements 
on the security of sites and companies deemed to be integral 
parts of the Nation's critical infrastructure. Who do you 
believe should develop those requirements and who do you 
believe should enforce them? What are some of the practical 
limitations in enforcing such requirements?
    Mr. Maifrett. As far as creating them, obviously the 
infrastructure companies themselves need to be heavily 
involved. One of the things I stated in my written testimony, 
though, is that not just the kind of managers, the more high-
level people at the infrastructures, but more of the kind of 
people in the trenches. You know, I mean, I've sat over dinner 
with people before that do run the power grids, and they joke 
about how easy it would be for somebody to, using a dial-up 
modem, get in and shut down certain things.
    And I mean, it's people like that where they--you know, 
they work at these companies, they understand the technology, 
and a lot of times they understand what they do need to do to 
help secure it. And a lot of times, though, that information--
it's not easy to kind of bubble it up to the top where it can 
actually be used and they can start to enforce this thing.
    At the same time, I think there are definitely a lot of 
researchers, including some of the people on the first panel, 
that have a very good idea of how these systems work and, you 
know, the kind of technical mind definitely needs to be there. 
But at the same time, you know, there is a certain amount of 
the business aspect to it and stuff. So that all needs to be 
hammered out.
    And as far as enforcing it, you know, I don't know. It's 
not really my place to say who should be the one enforcing it, 
you know, just as long as there's--somebody is. And obviously--
I think it needs to be somebody at the government level.
    Mr. Horn. Well, there are a lot of State information 
officers now, and you have a real wealth of knowledge in the area, 
and hopefully they will be working with the various Silicon 
Valleys--east, west, south, and north--and that might be one 
way to get at the requirements.
    Mr. Maifrett. Definitely. And just one other, like, side 
comment. I'd say one of the other problems with why a lot of 
the infrastructure ends up being secure--you know, we were 
talking on the first panel, there was a lot of discussion about 
hackers and whatnot. And the thing that we have with a lot of 
just the kind, you know, kind of regular software systems that 
are out there and used by the public, is there are hackers out 
there that are testing the software, and they are attempting to 
break it and find flaws in it and whatnot. And these 
vulnerabilities do eventually get fixed.
    And part of the problem, a lot of the--you know, the kind 
of control systems and software out there are not really 
accessible by these types of people, and so they are actually 
not being tested. And, you know, I mean, the few that we 
actually have access to that we were able to set up, it was a 
matter of minutes before finding just, you know, total common 
vulnerabilities that have been known for a very long time now, 
and it's very easy.
    Mr. Horn. Moving now to Robert Dacey, the Director of the 
Information Security portion of the U.S. General Accounting 
Office.
    And in your testimony, you mention that a clearly defined 
strategy is essential to ensure that our national approach is 
comprehensive and well coordinated. What are the key components 
that should be included in our national strategy? And I would 
like to know, from your other colleagues here in Panel Two, 
what are your comments in response to what they've asked and 
answered some of these questions?
    Mr. Dacey. I think in terms of the strategy, we have 
indicated for a number of years that this was an important 
aspect. And, as we released in our report last week, there are 
over 50 entities directly involved in cyber CIP, let alone some 
of the physical aspects that are starting to be considered as 
part of our CIP strategy.
    I think the key issues go back to what we have in the 
testimony; and that is, we need to make sure there are clear 
roles and responsibilities, and how the relationships between 
all these organizations work. The proposed Department of 
Homeland Security would include--at least the President's 
proposal included six entities that would be transferred, still 
leaving a large number of entities that would not be. And it is 
going to be critical to make sure that there is clear 
coordination about the efforts involved.
    The second major area would be, again, establishing clear 
objectives and milestones and making sure that there are 
timeframes in place to address them, as well as performance 
measures which we have throughout government, with GPRA, found 
to be a very important aspect in terms of establishing the 
right performance measures and having a regular reporting 
process to understand the progress that's being made. And I 
think earlier on the panel, Mr. Tritak indicated the strategy 
would address those matters.
    Mr. Horn. Thank you. And I would like to thank those that 
brought you here, both Panels One and Two. And we have to 
vacate this for another subcommittee.
    To my left, your right, Claire Buckles is professional 
staff, American Political Science Association, congressional 
fellow. Vice President Cheney was one of those Fellows, and so 
was I. He's way ahead of every one of us. Back here on the wall 
is the staff director and chief counsel for the subcommittee, 
J. Russell George. And with him there is the deputy staff 
director, Bonnie Heald, and they all had a hand in this. And 
our assistant to the subcommittee, Chris Barkley, is very--
standing up in the door there. And we have a lot of interns: 
Sterling Bentley--is she here--and Joey DiSilvio, Freddie 
Ephraim, Michael Sazonov, and Yigal Kerszenbaum.
    And then for Ms. Schakowsky, we have a longtime 
professional staff member who knows what he is talking about, 
one David McMillen. And Jean Gosa, minority clerk, another 
great institution. And, last but not least, our two wonderful 
court reporters, and that's Desirae Jura, and Nancy O'Rourke. 
Thank you very much. And, with that, we are adjourned.
    [Whereupon, at 1:05 p.m., the subcommittee was adjourned.]