[Senate Hearing 107-205]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 107-205

               HOW SECURE IS OUR CRITICAL INFRASTRUCTURE?

=======================================================================


                                HEARING

                               before the

                              COMMITTEE ON
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 12, 2001

                               __________

      Printed for the use of the Committee on Governmental Affairs


76-799              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2002
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                   COMMITTEE ON GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 FRED THOMPSON, Tennessee
DANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska
RICHARD J. DURBIN, Illinois          SUSAN M. COLLINS, Maine
ROBERT G. TORRICELLI, New Jersey     GEORGE V. VOINOVICH, Ohio
MAX CLELAND, Georgia                 PETE V. DOMENICI, New Mexico
THOMAS R. CARPER, Delaware           THAD COCHRAN, Mississippi
JEAN CARNAHAN, Missouri              ROBERT F. BENNETT, Utah
MARK DAYTON, Minnesota               JIM BUNNING, Kentucky
           Joyce A. Rechtschaffen, Staff Director and Counsel
                   Jinnett Rona-Finley, Detailee, CIA
     Kiersten Todt Coon, Congressional Fellow for Senator Lieberman
         Hannah S. Sistare, Minority Staff Director and Counsel
                Ellen B. Brown, Minority Senior Counsel
                    Robert J. Shea, Minority Counsel
         Morgan P. Muchnick, Minority Professional Staff Member
                     Darla D. Cassell, Chief Clerk


                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Lieberman............................................     1
    Senator Thompson.............................................     3
    Senator Levin................................................     5
    Senator Bennett..............................................     6
    Senator Dayton...............................................     7
    Senator Bunning..............................................     8
    Senator Carper...............................................    26

                               WITNESSES
                     Wednesday, September 12, 2001

Hon. Roberta L. Gross, Inspector General, National Aeronautics 
  and Space Administration.......................................     9
Joel C. Willemssen, Managing Director, Information Technology 
  Issues, U.S. General Accounting Office.........................    11

                     Alphabetical List of Witnesses

Gross, Hon. Roberta L.:
    Testimony....................................................     9
    Prepared statement...........................................    33
Willemssen, Joel C.:
    Testimony....................................................    11
    Prepared statement...........................................    43

                                Appendix

Christopher Darby, CEO, @stake, Inc., Peiter Zatko, Chief 
  Scientist and VP of Research and Development, @stake, Inc., and 
  Chris Wysopal, Director of Research and Development, @stake, 
  Inc., prepared statement.......................................    77
Chart: Critical Infrastructure Protection Organization, September 
  2000 (submitted by Senator Bennett)............................    78
``Critical Infrastructure Protection: Significant Challenges in 
  Protecting Federal Systems and Developing Analysis and Warning 
  Capabilities,'' GAO Highlights, September 2001.................    87

 
               HOW SECURE IS OUR CRITICAL INFRASTRUCTURE?

                              ----------                              


                     WEDNESDAY, SEPTEMBER 12, 2001

                                       U.S. Senate,
                         Committee on Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 11:06 a.m., in 
room SH-216, Hart Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman, Thompson, Levin, Bennett, 
Dayton, Bunning, and Carper.

            OPENING STATEMENT OF CHAIRMAN LIEBERMAN

    Chairman Lieberman. Good morning. This morning, the Senate 
Governmental Affairs Committee will proceed with its previously 
scheduled hearing--the first in what we expect to be a series 
of hearings and investigations on a problem that is today even 
more important to us than before--the security of our critical 
infrastructure and the vulnerability of our homeland to 
unconventional enemy attack.
    The attacks yesterday struck many individual families and 
the broader American family. I pause for a moment here at the 
outset of this hearing to indicate that it also struck the 
family of the Senate Governmental Affairs Committee. Barbara 
Olson, who was killed on one of the planes yesterday, had 
served as an assistant to Senator Nickles for some period of 
time in his work on this Committee. On behalf of the entire 
Committee, I extend my condolences to her husband and her 
family and want them to know that they are in our prayers.
    Today, we do consider critical infrastructure to be a vast 
array of elements that form the backbone of America. The 
critical infrastructure is, in essence, our Nation's skeleton, 
the framework underlying our well-being and our freedom. It 
includes telecommunications systems, air traffic control 
systems, electricity grids, emergency and law enforcement 
services, water supplies, financial networks, and energy 
pipelines.
    Today, our hearts and minds are naturally focused on 
yesterday's tragedy, but it is important that the Senate 
continue with America's business, particularly as it affects 
America's security. Thus, we are holding this hearing as 
originally planned, with the same focus that we had intended, 
which is to explore the extent to which our critical 
infrastructure is vulnerable, particularly to manipulations and 
attacks from cyberspace, the consequences of that vulnerability 
and what the government is doing and must do to reduce that 
vulnerability. For as we saw tragically yesterday, our enemies 
will increasingly strike this mighty Nation at places where 
they believe we are not only dependent but we are unguarded. 
And that is surely true of our cyberspace infrastructure today.
    More and more we find that everything in our lives is being 
operated by a computer system, from Wall Street to Main Street. 
Where once our economy was dependent primarily on the movement 
of goods and services by road or rail, the products and 
services of our new economy are now just as likely to travel 
via the Internet as they are to move on an interstate.
    While it has never been easy to protect all of our critical 
infrastructure from conventional attacks--and, of course, they 
have happened only rarely in our history here at home--it has 
become even more difficult now to safeguard our Nation from 
cyber attacks, which can be launched by any sophisticated 
computer user located anywhere in the world, let alone by a 
network of terrorist organizations or a hostile power.
    Yesterday's tragedies open a new era for our security 
infrastructure and for our critical infrastructure here at 
home. Therefore, we must now have an expanded notion of 
precisely what is important to our national security, and that 
more expanded notion must encompass much of our critical 
infrastructure. Thus, we must be prepared to defend ourselves 
against threats from foreign armies, but also to defend 
ourselves against threats from sophisticated opponents who will 
use both conventional and cyber weapons to destroy or disrupt 
sectors critical to our Nation's functioning. And, they will 
attack, as they did yesterday, here at home.
    Yesterday's attacks demonstrate how an organized, 
coordinated effort can be devastating to our Nation. But make 
no mistake about it. Those attacks were aimed at destroying 
buildings, killing people, and breaking our confidence in the 
same way future attacks can and probably will be aimed at 
paralyzing our financial markets, our utilities, our 
transportation systems, and other core aspects of our critical 
infrastructure that are dependent on computer networks.
    Today, individuals or terrorists or nations with no chance 
of success against America on the battlefield can pose just as 
significant a threat to our society from the isolation of their 
homes or offices or terrorist camps.
    The nature of our critical infrastructure has changed that 
much in the information age. And while it has clearly enriched 
our lives, it has simultaneously left us much more dependent 
and more vulnerable to attacks by insidious forces.
    So examining the vulnerability of our critical 
infrastructure is the focus of this hearing, but it is not an 
issue new to this Committee. Two Congresses ago, we held a 
series of hearings on computer security issues, and last 
Congress, Senator Thompson and I authored and the Congress 
enacted a law aimed at enhancing the government's computer 
security. This year, Senator Bennett particularly has urged us 
to launch this series of hearings that we begin today on the 
vulnerability of our critical infrastructure. His very 
successful leadership of our government's response to the Y2K 
challenge aroused his concern on this subject and makes him a 
valuable partner in this effort.
    In the resolution that is currently before the Senate, 
there is some appropriately strong language used, and it refers 
to a war against terrorism: ``Ask our allies to continue to 
stand with the United States in the war against international 
terrorism.'' The resolution commits us to support increased 
resources in the war to eradicate terrorism.
    I think the important thing to say as we begin these 
hearings today is that if we are serious about commencing a war 
against terrorism, which the acts of war committed against us 
yesterday certainly justify, we have to understand that it is 
going to be a different kind of war. It is not going to be a 
matter of a single retaliation against a single terrorist 
opponent. It will be a much longer, sustained, and 
comprehensive conflict in which we will need to be more 
aggressive internationally to root out terrorists and stop them 
before they strike at us, to demand that our allies join us in 
pressuring and insisting countries around the world that harbor 
terrorists to decide whether they want to be our allies or the 
allies of our enemies, and to raise our defenses here at home 
against the kinds of insidious acts that we suffered from 
yesterday.
    This means that we are going to have to consider, I think, 
some of the ideas that have been discussed previously in this 
Committee, and others, that came out most recently from the 
commission headed by our former colleagues Warren Rudman and 
Gary Hart as to whether we need an agency or even a department 
which is committed to homeland defense--a subject we have not 
had to worry about before, thinking that the oceans at least 
protected us from attack. But in the rising and escalating 
series of terrorist acts committed against us here at home, 
from the World Trade Tower attack 8 years ago, to Oklahoma 
City, and now culminating in the outrage yesterday, I think we 
have to begin to think about defending our homeland, just as we 
have thought and acted to defend our interests, our people, and 
our principles previously around the world.
    I look forward to having this Committee, on a bipartisan 
basis, consider these questions and, as appropriate, make 
recommendations to our colleagues here in Congress.
    Senator Thompson.

             OPENING STATEMENT OF SENATOR THOMPSON

    Senator Thompson. Thank you, Mr. Chairman. We commonly 
thank the Chairman for holding hearings, whether we mean it or 
not, but I think today we all mean it when we say that. It is 
very appropriate that we continue on with our work here and not 
be cowed into disrupting the work of the American people. I 
think that is what we expect, and this is certainly a very 
timely hearing.
    I think we are reminded that, contrary to perhaps our 
thinking since the end of the Cold War, that the world is in 
many respects a more dangerous place than ever before, instead 
of less dangerous. The Soviet Union threat has been replaced 
now by several other threats that are more insidious and 
dangerous in many respects than the ones that we used to face. 
We face them from many different sources. We face them from 
rogue nations. We face them from terrorists. We may face them 
from combinations of both.
    While much speculation now is on Bin Laden as far as 
yesterday's activities are concerned, it seems quite clear that 
he does not have access to 767's on a regular basis in order to 
train pilots to the extent to which those pilots were clearly 
trained. So the question becomes whether or not it is a 
combination of terrorist and state-sponsored activity.
    We face many different kinds of threats. I think we, 
unfortunately, spend too much time in Congress debating on 
which threat is more likely, even though you would think we 
would be a little more humble about our predictions in light of 
yesterday's activities, which no one expected the precise 
nature of that particular attack. But we know we face threats 
from missiles which could make the casualty numbers of 
yesterday look small in comparison. We face them from suitcase 
bombs, conventional attacks, and, of course, cyber attacks, 
which is the primary subject of today's consideration.
    You mentioned the Hart-Rudman report, and I think it is 
especially apt. I took another look today. I had read it in 
times past. It is one of several reports that we have had over 
the last few years, at least going back to 1998. We have to be 
told so many different times and so many different ways in this 
country that something is important before we pay adequate 
attention to it, and we have report on report now, Governor 
Gilmore's report, others, numerous witnesses testifying before 
numerous committees about the nature of this threat.
    But going back as late as January 31 of this year, when 
they submitted their last volume, Hart-Rudman said, ``One of 
this Commission's most important conclusions in its Phase 1 
report was that attacks against American citizens on American 
soil, possibly causing heavy casualties, are likely over the 
next quarter century. This is because both the technical means 
for such attacks and the array of actors who might use such 
means are proliferating, despite the best efforts of American 
diplomacy.''
    It further says, ``This Commission believes that the 
security of the American homeland from the threats of the new 
century should be the primary national security mission of the 
U.S. Government.'' It says, ``However, the United States is 
very poorly organized to design and implement any comprehensive 
strategy to protect the homeland.'' It says, ``The U.S. 
Government has not adopted homeland security as a primary 
national security mission. Its structures and strategy are 
fragmented and inadequate.''
    And it points out that, ``These attacks may involve weapons 
of mass destruction, weapons of mass disruption. As porous as 
U.S. physical borders are in an age of burgeoning trade and 
travel, its cyber borders are even more porous.'' And, of 
course, the cyber threat is one of the major threats that we 
are facing here today and something that this Committee has 
dealt with over the last several years.
    So I agree with you, Mr. Chairman, that we have to change 
our way of looking at things. We have got to get more serious 
about the threats to our country. For me, I think it starts 
with our military budget. It is hard for me to believe that we 
are still apparently debating irrelevancies like lock boxes and 
things of that nature that some people would prioritize over 
our national defense. We are going to have an appropriations 
budget, and we will have appropriations bills and an 
opportunity to address that in the near future.
    There have been other instances of democracies who have 
taken their peace dividend and ignored the clear threats around 
them and have thought that technology could bail them out in 
case of real problems and have ignored the misbehavior of 
nations around them that are weaker at the time that it starts. 
But the nations, the democracies have a tendency to turn inward 
and want to reduce their military budgets and think that the 
last war was the last war. All those mistakes England made 
after World War I, we must not go down that same road, and that 
has to do with military budget, including intelligence 
activities, including attention to our infrastructure, which is 
part of this exercise and our hearings today.
    I think our witnesses will indicate that we haven't gotten 
very far in terms of the Presidential directive in 1998 that 
came down to try to organize this. You and I joined together, 
got a bill passed that we felt would improve our computer 
security. Perhaps we are set on the right path. I am not sure. 
But the word that I am getting from the progress we have made 
over the last few years is not good.
    If there is something good to come out of yesterday, 
perhaps it will be a heightened awareness that we must do 
better. So, again, thank you for calling these hearings today.
    Chairman Lieberman. Thank you, Senator Thompson.
    Senator Levin.

               OPENING STATEMENT OF SENATOR LEVIN

    Senator Levin. Thank you, Mr. Chairman.
    Yesterday, this hearing was one of our standard oversight 
hearings to assess how the government was securing critical 
infrastructure, including a Presidential directive that set as 
a goal the protection of the Nation's critical infrastructure, 
both physical and cyber, by the year 2000. With yesterday's 
events, terrorism has again demonstrated its evil face and has 
demonstrated this time the scope of its ability to inflict 
devastating damage on the United States. We, as a people, will 
do everything in our power to demonstrate our ability to deter 
such acts and to respond swiftly and severely when they occur.
    Yesterday, terrorism destroyed the World Trade Center and 
the thousands of lives working in those buildings. It did 
serious damage to the Pentagon and caused a significant loss of 
life there. It destroyed the lives of 266 passengers and crew 
on four commercial airplanes. We run the risk that terrorism 
will disrupt our vital computer services which control our 
airspace, our information systems, our product distribution 
systems, our energy products, our entire economy.
    The witnesses today will report on some of the efforts that 
we are making to protect our infrastructure where we have made 
some progress and where we have fallen short. But this hearing 
just puts words on what we already know because of what we 
witnessed as a country yesterday.
    It is also important, it seems to me, to note that we also 
witnessed yesterday a determined and a unified response in our 
people to the horror and a determination to track down and to 
root out and to relentlessly pursue terrorists, states that 
support them, and states that harbor them.
    The terrorists are the common enemy of the civilized world. 
Our institutions are strong and they will prevail, but in the 
meantime, I think we should note that our unity here is 
absolutely palpable.
    Each one of us, each of our committees, has a special 
responsibility, and I know that we are united and determined to 
carry out that responsibility, as this Committee has in the 
past and will today, and will in the future under the 
leadership of Senator Lieberman, and before him, Senator 
Thompson.
    I hope you will excuse me, Mr. Chairman. I am on my way to 
a meeting of members of another committee, the Intelligence 
Committee, that is reviewing the intelligence budget and 
whether or not there should be recommended additions to that, 
perhaps in a supplemental appropriation, to try to see if we 
can't deter and address the places where we are not strong 
enough, particularly in the area of human intelligence.
    Thank you.
    Chairman Lieberman. Thanks, Senator Levin. Senator Bennett.
    Senator Bennett. Senator Bunning came first.
    Senator Bunning. That is all right. Go right ahead.

              OPENING STATEMENT OF SENATOR BENNETT

    Senator Bennett. Thank you, Mr. Chairman.
    Like Senator Thompson, I appreciate your going forward with 
the hearing, and I appreciate your going forward with the 
issue. When I came on the Committee in this Congress, Senator 
Thompson and I had conversations about this, and I was very 
pleased with his enthusiasm and support for it. And now, with 
the change of leadership in the Committee, that enthusiasm and 
support has not diminished at all, and we are very grateful to 
you for that.
    A lot of references have been made to yesterday, aside from 
the obvious concern about lives and the devastation. If I might 
be a little bit analytical for a moment, this was an attack on 
infrastructure, it was not an attack on the military 
infrastructure, even though the Pentagon, of course, was part 
of it.
    But at the World Trade Center, as a result of that attack, 
the perpetrators succeeded in shutting down the air traffic 
control system, which is a vital part of our Nation's 
communication pattern. Mail goes by air. People that are 
necessary for conferences and communication go by air. And that 
is an infrastructure issue, separate and apart from the 
military, that was shut down as a result of this attack.
    The financial markets, Wall Street couldn't open. The 
physical devastation on Wall Street made it impossible for 
trading to go on, and Americans were out of the financial 
world. Trading occurred only in Europe and in other markets, 
but not in ours.
    And then just think for a moment about the long-term 
infrastructure devastation of the loss of all of the records 
that were there in the World Trade Center: Law firms that lost 
copies of wills, contracts, other things that would normally be 
available that have to be reconstructed now in one way or 
another in order for business to go ahead; transactions in 
progress that now have to be reconstructed from the beginning. 
Quite aside from the loss of life, which is our first and 
primary concern, and always must be, the economic devastation 
that came out of that attack on infrastructure is going to take 
billions of dollars and months if not years to repair.
    So it is a horrific reminder of the fact that outside of 
government is where most of the economic and social activity in 
this country goes on, and the traditional kinds of attacks 
against government are going to be less and less attractive to 
somebody who wishes us ill than attacks on infrastructure, 
whether it is by computer or by airplanes that have been 
hijacked, or whatever it might be.
    So the question arises with this Committee's jurisdiction 
how well organized are we to deal as a government with this new 
kind of threat. I have taken the liberty, Mr. Chairman, of 
preparing a chart,\1\ and it is put up there, and I will be 
happy to give you and Senator Thompson a copy, and Senator 
Bunning. Here is another version of it that shows how the 
Executive Branch is currently organized to deal with this 
particular challenge. It is not quite as helter-skelter as it 
looks. There is some degree of order in it, and it comes as the 
first attempt by the Clinton Administration with Presidential 
Decision Directive 63 (PDD 63) to get their arms around this. 
And I applaud that effort on behalf of President Clinton and 
the others, but it clearly needs some more rationalization. And 
if I may be so bold, as Hart-Rudman recognized, the Congress 
itself needs some reorganization to address this problem and 
bring some kind of coordination and focus to it.
---------------------------------------------------------------------------
    \1\ The chart entitled ``Critical Infrastructure Protection 
Organization September 2000,'' submitted by Senator Bennett appears in 
the Appendix on page 87.
---------------------------------------------------------------------------
    If I could conclude, Mr. Chairman, with this analogy: In 
1986, when you were here but I was not, Goldwater-Nichols 
reformed the Defense Department from these kinds of charts of 
competing services and redundant missions. Without Goldwater-
Nichols, I think every military historian would agree we could 
not have mounted Desert Shield and then Desert Storm. If we had 
gone into that military challenge with business as usual, we 
would have spent far more money, more time, more lives, and 
possibly not achieved anything like the result we achieved.
    I like to think of this effort as a modern Goldwater-
Nichols kind of effort, to say let us reorganize the government 
around the new realities that we face in protecting our 
critical infrastructure, reorganize the Executive Branch, and 
reorganize the Congress to recognize and deal with this 
challenge so that when there is a challenge in the future, some 
future Senator sitting here can say without Lieberman-Thompson, 
or whatever the names are that go on it, we would not have 
survived that. And I would hope that this hearing would be part 
of the process to bring a Goldwater-Nichols type solution to 
this enormously difficult problem. Thank you.
    Chairman Lieberman. Thank you very much, Senator Bennett.
    Senator Dayton.

              OPENING STATEMENT OF SENATOR DAYTON

    Senator Dayton. Well, thank you, Mr. Chairman. I just 
wanted to commend you and the Ranking Member and others for 
your foresightedness in scheduling this hearing. It was almost 
prophetic, given what occurred yesterday, and I look forward to 
hearing the expert testimony. Thank you.
    Chairman Lieberman. Thank you. Senator Bunning.

              OPENING STATEMENT OF SENATOR BUNNING

    Senator Bunning. Thank you, Mr. Chairman, and thank you for 
holding this hearing after the horrendous day we had yesterday.
    Before I begin, I would like to express my deepest sympathy 
and condolences to the families and friends of all those 
injured or killed in yesterday's attacks. This is a very 
difficult time for the Nation, and we must all work together to 
pull through it.
    Protecting our critical infrastructure is of the utmost 
importance, and I hope this hearing today will shed some light 
on ways that we can improve the security of our Nation's 
computer system and infrastructure.
    Our critical infrastructure impacts almost every aspect of 
our lives, from our Nation's security to our drinking water, to 
our financial transactions and communication services. Over the 
years, we have become more and more reliant on computer 
technology and the information that passes over it. Key 
industries in the Federal, State, and local governments have a 
responsibility to do everything possible to protect their 
information from hackers. Not only are they under attack from 
teenagers who are out for a joyride on the Internet, but 
individuals working for foreign governments, spies, and 
criminals can sit at a computer in another country and try to 
hack their way into some of our most important and sensitive 
information. Also, as new technology comes into use, it brings 
with it new challenges for businesses and the government in 
protecting private information.
    I want to thank our witnesses for being here today and look 
forward to hearing the testimony that they are about to share 
with us about protecting our critical infrastructure.
    Thank you very much.
    Chairman Lieberman. Thank you very much, Senator Bunning.
    We will turn now to the witnesses. We are going to hear 
today from Roberta Gross, who is NASA's Inspector General and 
will tell us about a review of the implementation of the 
Federal Government's computer security policy conducted by the 
President's Council on Integrity and Efficiency. This was a 
review of the PDD 63, a Presidential Decision Directive. And we 
are also going to hear from Joel Willemssen of the GAO, who 
will discuss the government's efforts to work with the private 
sector to detect and respond to cyber attacks on critical 
infrastructure.
    We had intended to have other witnesses here today who have 
been unable to be here, either because of the aviation shutdown 
or because they have been called away to respond to yesterday's 
attacks, and we hope on another occasion that we might have 
them here before us. But for now, we thank the two of you for 
being here, and, Ms. Gross, we now ask for your testimony.

   TESTIMONY OF HON. ROBERTA L. GROSS,\1\ INSPECTOR GENERAL, 
         NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

    Ms. Gross. Thank you. I appreciate the opportunity to 
testify before this Committee. It is very difficult to stop a 
terrorist bent on suicide. We all heard this yesterday during 
broadcasts, both local and national. Did we ever imagine that 
we would have a suicide attempt at the magnitude that we 
experienced? Did we ever imagine that terrorists would use our 
own domestic airplanes as a weapon against our financial and 
military institutions? Probably not, or not in America. But we, 
like all nations, are a Nation at risk, and that is why this 
hearing is an important hearing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Gross appears in the Appendix on 
page 33.
---------------------------------------------------------------------------
    After the Murrah Federal Building bombing in Oklahoma City, 
the government decided that it needed to have a strategy to 
address these new types of threats and vulnerabilities. The 
threats are from cyber terrorism which, because of the 
network's interconnectivity, might dislocate our financial, our 
electrical, our military, our communications, our government 
services, how we do business, how we live.
    Clearly, we now know the threats can also be physical. We 
knew that before because not only was it physical threats like 
yesterday, we had physical threats in Oklahoma City and the 
Lockerbie airplane crash.
    Whatever the form of threats, this Nation must have an 
effective national response so that our government, our 
economy, and our basic lives can go on. That was the purpose of 
the last administration proposing the Presidential Decision 
Directive 63. PDD 63 was a requirement, ``for every department 
and agency of the Federal Government to be responsible for 
protecting its own critical infrastructure.'' And then other 
agencies--I think this chart (Senator Bennett's) is a 
remarkable mapping of some of the responsibilities of the 
coordination of agencies' responsibilities . . . had specific 
tasks to coordinate with the private sector to ensure 
continuity of communications, the Commerce Department; banking, 
the Treasury Department; aviation and highways, Transportation 
Department; emergency law enforcement, the FBI and Justice 
Department; emergency fire service continuity of government, 
FEMA; and so on and so on.
    There are also different entities within the Federal 
Government to oversee this process, a Critical Infrastructure 
Assurance Office that was out of the Commerce Department; the 
National Security Agency; and OMB. (Again, I think this is a 
remarkable chart that really is the media becomes the message.)
    I am proud of the collective efforts of the Inspectors 
General for their role in helping their agencies as well as the 
government, as a whole, build a strong protection of the 
infrastructure. The NASA OIG on behalf of the PCIE and ECIE--
and those are the collective organizations by which the 
Inspectors General meet to look at trans-governmental issues--
continue to look at agencies' implementation of PDD 63. And let 
me just briefly summarize that it is a four-part review.
    The first part is complete. We looked at whether agencies 
had adequate critical cyber plans, and this effort dovetails 
the current effort of the IGs and their agencies under the 
Government Information Security Reform Act, GISRA, in which this 
Committee played a very important role. In fact, I was one of 
the witnesses testifying in favor of the act when you proposed 
its predecessor, S. 1993. We (the IGs) have all submitted our 
agency and IG evaluations on September 10, and there will be an 
effort by OMB to evaluate these reports. So we thank this 
Committee's effort on this legislation. I think the law gave a 
focus that was needed by both the agencies and Inspectors 
General that were not looking at this high-risk area.
    GISRA, as you know, the Government Information Security 
Reform Act, reviews the management, implementation, and 
evaluation of IT security. GISRA really does dovetail what we 
were looking at with the PDD 63. We have a current and very 
timely effort ongoing now with the Inspectors General on the 
critical infrastructures, the identification, and the plans on 
the physical planning and implementation. We are getting 
preliminary results in, and we will have Phases III and IV--the 
agencies are not only supposed to have plans, they are supposed 
to implement the plans, because plans collect dust. And so 
Phases III and IV for the Inspectors General will involve 
making sure that the agency's plans are adequate and that they 
are then implemented.
    So what did we find? We did find some good starts, but it 
is an understatement to say more progress is needed. We found 
in part that there is a misunderstanding as to the 
applicability of PDD 63. Some agencies just didn't start 
identifying their minimum essential infrastructure because they 
didn't know the directive applied to them, despite reading the 
directive that said ``every and each.'' And part of that was 
because of the confusion as to who was in charge of 
implementing PDD 63. One of the major players had indicated if 
the agency was not listed in PDD 63 specifically as having a 
part, it didn't have a part, even though every agency is 
supposed to carry on its function and should, as an agency, 
identify what it needs to do to carry on its function in an 
essential manner.
    What else did we find? We found that even those agencies 
that did have plans didn't necessarily identify all their 
mission-essential structures. They had confusing definitions. 
They had confusing performance plans. And so that made it very 
difficult.
    The current administration is going to issue further 
guidance through an Executive Order on protecting the 
infrastructure, and I am sure this body, as well as all of the 
Senate and House oversight bodies, will be devoting attention 
to what else needs to be done to make sure our critical 
infrastructures are being protected.
    I do want to say that I was happy to hear Senator Levin say 
that they are talking about the need for collection of 
information and human intelligence. I think that the people 
involved in security of our critical infrastructure believe 
that is a true need. I think one of the things I also want to 
point out--and I am sure that you have had hearings on this 
before--is that the laws to detect cyber criminals and to 
prosecute them are inadequate. In particular, there is not an 
anti-trespassing statute, and not having that statute only 
protects people who want to do ill against the cyber critical 
infrastructures. You can have criminals come in ports that are 
not used for normal communication, and the laws do not allow 
law enforcement to ably protect these systems.
    So, in sum, important steps have been taken and important 
steps continue to need to be taken to minimize attacks like 
yesterday, to avoid unknown terrorist attacks, whether cyber or 
physical. The IGs collectively and individually will be playing 
a role to help the Congress, their agencies, and OMB, get this 
Nation to a point where we are protecting all of our safety.
    Thank you very much.
    Chairman Lieberman. Thank you for that statement. I look 
forward to asking you some questions.
    Mr. Willemssen, thanks for being here.

    TESTIMONY OF JOEL E. WILLEMSSEN,\1\ MANAGING DIRECTOR, 
 INFORMATION TECHNOLOGY ISSUES, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Willemssen. Thank you, Mr. Chairman, Senators. In view 
of yesterday's tragic events, today's hearing I think reflects 
the critical importance of protecting our infrastructures. As 
requested, I am going to very briefly summarize our statement 
on efforts to protect Federal agency information systems and 
then, more broadly speaking, our Nation's critical computer-
dependent infrastructures.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Willemssen appears in the 
Appendix on page 43.
---------------------------------------------------------------------------
    Overall, GAO's work continues to show that Federal agencies 
have serious and widespread computer security weaknesses. These 
weaknesses present substantial risks to Federal operations, 
assets, and confidentiality. Because virtually all Federal 
operations are supported by automated systems and electronic 
data, the risks are very high and the breadth of the potential 
impact is very wide. The risks cover areas as diverse as 
taxpayer records, law enforcement, national defense, and a wide 
range of benefit programs.
    While a number of factors have contributed to weak 
information security at Federal agencies, we believe the key 
underlying problem is ineffective program management. Computer 
security legislation you introduced and which was enacted last 
year can go a long way to addressing this underlying problem. 
The legislation requires that both agency management and 
Inspectors General annually evaluate information security 
programs. OMB is due to receive the first reports from them 
this week. This new annual evaluation and reporting process is 
an important mechanism, previously missing, to holding agencies 
accountable for the effectiveness of their security programs.
    Beyond the risks with Federal agency systems, the Federal 
Government has begun to address the threat of attacks on our 
Nation's computer-dependent critical infrastructures, such as 
electric power and telecommunications. The Presidential 
Decision Directive, previously noted as PDD 63, outlined a 
government-wide strategy to address this. A key element of that 
strategy was establishing the FBI's National Infrastructure 
Protection Center, or NIPC, as a focal point for gathering 
information on threats and facilitating the Federal 
Government's response to computer-based incidents.
    As we reported earlier this year, the NIPC has initiated 
various efforts to carry out this responsibility. However, we 
also found that the analytical and information-sharing 
capabilities that were intended had not yet been achieved. We, 
therefore, made numerous recommendations to the Assistant to 
the President for National Security Affairs and the Attorney 
General. These recommendations focused on more fully defining 
the role and responsibilities of the NIPC, especially in view 
of the many other organizations involved in critical 
infrastructure protection. Also, our recommendations focused on 
developing plans for establishing analysis and warning 
capabilities and formalizing information-sharing relationships 
with private sector and Federal agencies.
    In commenting on our report, the administration said that 
it would consider these recommendations as it reviewed how 
critical infrastructure protection functions should be 
organized.
    That concludes a summary of my statement, and I would be 
pleased to address any questions you may have. Thank you.
    Chairman Lieberman. Thank you both. I will begin. We are 
going to do 6-minute rounds, and we will keep going until 
Members have asked as many questions as they want.
    Let me approach this through the Presidential Decision 
Directive 63, whose issuance was, I take it from what you have 
said, initiated or motivated by the terrorist attack at 
Oklahoma City, the Federal building.
    Ms. Gross. Yes.
    Chairman Lieberman. So we have a real-life event, a tragic 
event, a kind of precursor to what happened yesterday. And then 
comes a study, the Presidential Directive. Am I correct? And, 
incidentally, the directive covers both physical infrastructure 
in the normal, traditional way in which we know it, and cyber 
infrastructure in the new sense.
    I take it from the consensus of the IGs--and I will ask GAO 
as well--that your judgment today is that the directive has 
been inadequately implemented, and in that sense, our critical 
infrastructure remains vulnerable.
    Ms. Gross. That is correct. I would have to agree with one 
of the Senators--and I think it may have been Senator Levin--
that the United States is a strong, proud country, and when an 
emergency happens--as opposed to when an IG or GAO does a 
review . . . and we can find a lot of internal control problems 
. . . when an emergency happens like we had yesterday, there is 
a rallying in a way that, unfortunately, normally doesn't 
occur. So, in many ways, I think that the agencies recently 
were focusing hard on cooperating and coordinating.
    But I think one of the failures under PDD 63-designated 
agencies and at each agency level, is what is the plan? What is 
the plan for the unknowns? And who is in charge, and how will 
that happen? I think that one of the things we were surprised 
at is for cyber, having gone through the year Y2K, is why 
didn't agencies have plans in effect for minimum essential 
infrastructure when, in fact, agencies could piggyback on their 
Y2K because they were supposed to be identifying key systems--
they couldn't identify every system for Y2K compliance. 
Agencies would identify critical systems.
    And if I even just look at the summary of the IG PDD 63 
review comments from the different agencies, some of them said, 
``no, vulnerability assessment work is in progress; no, 
insufficient management attention to this level of detail''; 
``no, maybe some vulnerability assessments but no remediation 
plan because no funding''; ``no, cause is lack of control over 
the various agencies''; ``not performed because of other IT 
priorities.''
    The answers went on and on and on. It is hard to believe 
minimum essential critical infrastructure is not a priority.
    Chairman Lieberman. That is your conclusion, that it still 
remains that way?
    Ms. Gross. Yes. We are finding the same thing in the PDD 63 
physical review. We are getting reports in from Inspectors 
General. We have 8 out of 16 that are going to be participating 
in this phase, and out of the 8, we have the same problems--
plans not done, mission-essential infrastructures not 
identified, interdependencies not identified.
    Chairman Lieberman. What is happening? Why is this 
happening? Are people not taking it seriously, or were they not 
taking it seriously? Or was it not made a priority by the 
leadership of the respective agencies?
    Ms. Gross. Yes, yes, and yes. I think that what happens is 
everybody gets involved in programs. You see it at NASA. You 
see it at probably every agency that GAO has looked at. We want 
to get to Mars. We want to get the Space Station up. And what 
happens--and budgets go down, budgets get flattened, civil 
servants get flattened. And so people get focused on mission, 
and they forget about the infrastructure that supports the 
mission.
    Low priorities become security, including IT security, 
oftentimes oversight functions like contracting oversight. 
Those are the kinds of things that look dispensable when you 
want to get to the moon, you want to get to Mars, and missions 
like that.
    And so what happens is we forget the history of the 
Oklahoma bombing. We forget Lockerbie. Nobody is going to 
forget yesterday, I think it was so massive. But what happens 
is that then everybody stops putting attention on and a focus 
on these issues, and these are the issues where, if you look 
agency by agency, there is not the funding and there is not the 
support.
    Chairman Lieberman. It is a very important point. I 
mentioned before that we are beginning to use again the 
terminology of ``a war against terrorism,'' and it is not bad 
terminology if we understand it is a different kind of war. And 
part of it is going to be fought here at home in areas that are 
not normally involved in defense. But they are involved in 
helping the government and the private sector protect the 
critical infrastructure.
    Ms. Gross. That was a financially cheap attack for the 
terrorists. I mean, if you think about yesterday's attack----
    Chairman Lieberman. Yesterday, with enormous consequences.
    Ms. Gross. With enormous consequences.
    Chairman Lieberman. And very costly, as my colleagues have 
said.
    Ms. Gross. And so that we need to focus on--it is not cheap 
for the cost to human life and re-creating it. And so we are 
having to put some attentions where the kinds of wars are going 
to be different, and they are going to be cheap for the other 
sides.
    Chairman Lieberman. Right.
    Ms. Gross. And I put it as ``sides.''
    Chairman Lieberman. Yes. Mr. Willemssen, let me ask you, 
you mentioned the probability that the new administration will 
be issuing a new Executive Order on this subject. Based on your 
work, what do you think are the most important issues that 
should be addressed? And I suppose that is another way of 
asking what are the major weaknesses in our current approach to 
infrastructure protection.
    Mr. Willemssen. Among the most critical issues is clearly 
identifying roles and responsibilities of the players. I think 
it is especially important for everyone to know who is exactly 
in charge overall and then within particular sectors. When 
players who are to some degree involved in critical 
infrastructure protection see an organizational maze such as 
that, (points to chart) it becomes very difficult to understand 
and to coordinate all the activities associated with 
infrastructure protection. So that is one especially critical 
element.
    The second critical element is being in a position 
strategically to understand the threat and warning capability. 
That is not at this point from a cyber perspective where it 
needs to be.
    Chairman Lieberman. Say a little more so I understand what 
you mean.
    Mr. Willemssen. Well, let me contrast individual incidents 
which occur and we are positioned to understand, OK, this 
incident happened.
    Chairman Lieberman. So give me an example.
    Mr. Willemssen. An example would be the most recent Code 
Red virus.
    Chairman Lieberman. OK.
    Mr. Willemssen. By stepping back and starting with each of 
the key sectors that have been defined, the eight key ones, 
first understanding what is the extent of the threat here, 
where do we think we could possibly get hit, where are our risk 
points. Second, what is the probability of those threats 
materializing? And if they do, what kind of severity, what will 
be the adverse impact on us? Taking all that into 
consideration, you then model a strategy to combat that.
    In some cases, if the threat is huge but the impact is nil, 
you don't put a lot of effort into it. And, conversely, if you 
have got a high threat and a high impact, then we need to make 
sure that we are going to be protected.
    Chairman Lieberman. And thus far you haven't seen that kind 
of thinking.
    Mr. Willemssen. Progress has been slow in that particular 
area.
    Now, part of the challenge here in infrastructure 
protection is this is a public-private partnership, and so the 
Federal Government needs to work closely with the private 
sector in moving forward and achieving the goal of having a 
full operational capability by 2003. One of the key impediments 
to getting there is that the private sector, for good reasons, 
does not always want to share information related to threats, 
what the risks may be, what kind of incidents have occurred in 
the past, all the kind of information that can give us a sense 
of where we stand strategically and where our risks are.
    Chairman Lieberman. It is a very important point. My time 
is up, and if my colleagues don't get back to it, I will. I 
thank you.
    Senator Thompson.
    Senator Thompson. Thank you very much, Mr. Chairman.
    I think, Ms. Gross, you are absolutely correct about the 
different nature of the threat we face today and that the 
threats may be cheap for the perpetrator and expensive for us 
to deal with. However, I hope that we begin to spend less time 
on trying to evaluate the probabilities in terms of these 
threats and what we are most likely to be attacked by, because 
we can't predict these things, anyway, and realize that as the 
world's number one target, and likely to remain so, we have to 
guard against all of these threats. And it is a matter of our 
own priorities.
    You point out some familiar themes when addressing this 
problem. One is management. So many of the problems that this 
Committee sees get back to the overall management issue. That 
has to do with priorities and the squeaky wheel and so forth. 
Unfortunately, it takes an event like yesterday sometimes to 
really get our attention.
    We have a new administration, and every administration that 
comes into office now is taking longer and longer and longer to 
get its team together. So you have a National Security Adviser 
who, from day one, is faced with the most serious national 
security problems imaginable. And we expect her to kind of 
supervise this whole thing and these minute details that we are 
talking about here, totally unrealistic. So, it is multifaceted 
in terms of dealing with it.
    I notice, Mr. Willemssen, one of the things that you 
pointed out is a lack of methodology, even to analyze the 
threats. How do we develop a methodology?
    Mr. Willemssen. One approach that we would suggest is 
getting the top experts in the field who have experience in 
this area reaching agreement on the methodology and then 
essentially using that as an approved model to go forward.
    Senator Thompson. Why should that be so difficult? Why 
should that take 3 years and we still do not have one?
    Mr. Willemssen. I wouldn't minimize the chart that Senator 
Bennett's placed up there----
    Senator Thompson. Senator Bennett's chart?
    Mr. Willemssen [continuing]. As a key factor in that, and, 
second, the other issue I mentioned in this is a public-private 
partnership. This is not something that the Federal Government 
can simply mandate is going to be done.
    Senator Thompson. Yes, and our critical infrastructure is 
in private hands for the most part, and it requires cooperation 
in order to address it. And yet you are asking private industry 
to perhaps reveal some of their most sensitive information, 
saying, ``We are from the government, we are here to help 
you.'' And I don't see them doing that willingly under any 
circumstances. How do we break through that fear and skepticism 
on the part of private industry?
    Mr. Willemssen. Again, Senator Bennett is very familiar 
with this, but there were some of those same concerns as we 
went through the Y2K situation, and there was legislation 
enacted to try to provide private entities some protection in 
the event that they were sharing information. And I think in 
retrospect that legislation turned out to be an outstanding 
piece of legislation.
    Senator Thompson. That is a good analogy.
    Senator Bennett. Have I got a bill for you. [Laughter.]
    Senator Thompson. You also mentioned in your report 
leadership vacancies. I alluded to how difficult it is becoming 
to get an administration together. We are talking about over a 
year now--a fourth of his term is over--before a President has 
his team together. I take it that is certainly--these are not 
high-profile positions, are they, that get a lot of attention 
and a lot of appreciation in normal times, I take it? Is that 
part of the problem?
    Mr. Willemssen. I would say up until yesterday, you are 
correct, Senator.
    Senator Thompson. Well, again, hopefully we once again 
identify the problem, and you certainly have done that. Both of 
you have done excellent work in this area. I was looking over 
the GAO reports done for the Governmental Affairs Committee 
just on information security alone, nine major reports that GAO 
has done on this very issue.
    And lest we forget, what we are talking about, the CSIS did 
a study in 1998 and reminded us that, using the tools of 
information warfare, cyber terrorists can overload telephone 
lines with special software, disrupt the operations of air 
traffic control as well as shipping and railroad computers, 
scramble the software used by major financial institutions, 
hospitals, and other emergency services, alter by remote 
control the formulas for medication at pharmaceutical plants, 
change the pressure in gas pipelines to cause a valve failure, 
sabotage the New York Stock Exchange, not to mention military 
command and control.
    Finally, you have spoken favorably toward Senator 
Lieberman's and my computer security law. It sunsets next 
September. Because we were in negotiations with the House, 
quite frankly, we had to accept a 2-year sunset. I hope that we 
can count on your support to get past that sunset. Senator 
Lieberman, that might be something we want to address right 
away.
    Chairman Lieberman. Good idea.
    Mr. Willemssen. Yes, sir.
    Senator Thompson. Thank you very much.
    Chairman Lieberman. Thank you. Senator Dayton.
    Senator Dayton. Thank you, Mr. Chairman. Again, I want to 
commend you and the Ranking Member and other Members of the 
Committee who, for some time--years, in fact--have been delving 
into these areas that we realized yesterday we cannot take so 
much of what we take for granted for granted. And I also 
certainly want to associate myself with the remarks of Senator 
Thompson regarding the unbelievable and unacceptable length of 
time it takes to fill an administration. I serve on the Armed 
Services Committee. I know Secretary Rumsfeld has opined on 
that matter to us, and if the events of yesterday had occurred 
2 months or 4 months after the President took office, and as 
the Secretary said at the time, he was literally in that suite 
of offices alone, it would have been even more overwhelming, I 
would suspect, than it must have been yesterday. So I think 
that would really be a very fitting subject for this Committee 
to address and really try to assure that no subsequent 
administration has to endure those kinds of delays.
    Again, my experience over the last 8 months has been 
primarily on other committees, and in the Armed Services 
Committee, in both public and private meetings and briefings, 
no one portrayed a scenario that even approached what occurred 
yesterday in terms of the threats of terrorist attacks and the 
like. So, on the one hand, I don't want you to be unduly 
alarmist. On the other hand, I think maybe we need to be more 
alarmed than we are in these critical areas. And I wonder if 
either of you or both of you individually would paint for us a 
scenario of what a major, well-coordinated, highly 
sophisticated assault on these systems might look like for our 
country.
    Ms. Gross. I think we saw one yesterday.
    Senator Dayton. Well, yes, physical assault, and obviously, 
that involved others, but in terms of----
    Ms. Gross. You could have it from the computer by having 
massive denial of services, which hackers are able to do by 
taking tools of the Internet, so that you can have hackers who 
have terroristic motives using juveniles who think that this is 
fun but they don't know they are being used. You can also have 
it be for individuals who see it as an opportunity for economic 
espionage, and it is an opportunity to get either companies' 
information, and so that you can have a coordinated--you can 
have a mastermind by some terrorists who are using other 
entities who don't even know they are being used, so that you 
have viruses, Trojan horses, denial of services. You have tools 
being implanted in critical systems, non-sensitive systems, so 
that they will then be available for an attack later. Everybody 
thinks it is all over, we finish with the Red virus, we finish 
with the denial of services, yet they park their tools 
basically at NASA's systems, at EPA's systems, and at other 
systems, and they just wait then for another onslaught and 
nobody is looking. You have systems administrators who haven't 
been trained, who are having privileges for root access without 
training. You have multiple people who have root access that 
shouldn't have root access. You have common vulnerabilities. 
And so the cyber terrorists have the tools there waiting for 
the event to happen because we don't shut down no-cost, low-
cost vulnerabilities. It is waiting to happen.
    Senator Dayton. Mr. Willemssen.
    Mr. Willemssen. Yes, Senator, in addition to those kind of 
risks which can focus on disruption or stoppage of operations, 
which becomes especially critical when we are in a real-time 
command and control environment, there are also the kinds of 
risks that don't always attract as much attention, but they are 
still important, and that is the inappropriate disclosure of 
sensitive information.
    For example, in work we did after the 2000 filing season at 
the Internal Revenue Service, we were able to penetrate their 
systems and browse data. We could have changed the data if we 
wanted to. There are also those kind of impacts in terms of the 
sensitivity of information, the disclosure of that information, 
and also the ability to either change or modify or destroy that 
data. So there are those associated impacts in addition to the 
work disruptions, work stoppages.
    Senator Dayton. Maybe I didn't phrase my question 
eloquently enough, but I just would leave for our future 
consideration, I mean, what you both describe accurately are 
akin to what I heard in other settings as individual terrorists 
with a suitcase, a car, or whatever. What we saw yesterday was 
something that in its scale and its sophistication and 
coordination greatly exceeded at least anything I had heard 
described as a possible scenario, and as a result I think 
really overwhelmed our system because we in a sense hadn't 
imagined how dastardly the deeds could be. And I would hope 
that that is being done, and maybe akin to that--my time is 
almost over--how do we prevent the invasion of one system, one 
agency, or whatever, from being then the conduit to go to all 
others, especially as these systems reap the advantages of 
being more interconnected with one another?
    Ms. Gross. A layered approach, and they have got to be 
starting--I mean, you had to start yesterday, but you have got 
to certainly start now. If you don't have as one layer a bully 
pulpit from the administrator of each agency, from OMB--and I 
think GISRA will play an important part of it--a priority. 
Employees have to hear it at every meeting. Layering requires 
password controls, training, and software installed only for 
desired uses. That is for the Federal Government control. There 
is a whole side--again, when you talk about the public-private 
partnership, why are private industries allowed to rush to the 
market with vulnerabilities on the market? We are vulnerable. 
They know better than we do. We find out about these 
vulnerabilities. The hackers find out and put them on their web 
pages.
    But you have manufacturers rushing to put their software 
out, and then agencies install the software on their systems 
which later require ``patches.'' If you want to also talk about 
the public-private partnership, the private sector has got to 
be responsible because they are developing the software that we 
use, by and large. Both the Executive Branch as well as the 
Congress is asking more and more agencies to go use off-the-
shelf software. I saw that even--I think it is NSA, or NRC, I 
can't remember which one--is going to use off-the-shelf 
software.
    So if you want to talk about something that has to be paid 
attention to, this off-the-shelf software cannot be coming to 
the government and others with vulnerabilities. There have got 
to be some warranties.
    Mr. Willemssen. Let me just add, Senator, the Inspector 
General has talked about the protection side of computer 
security, which is critically important, and we need to place a 
lot of resources on that. One caveat to always keep in mind is 
we can never provide absolute protection whenever we are 
communicating electronically. That is why the other two legs of 
what we refer to as a three-legged computer security stool are 
especially important, not only protection but detection and 
prosecution. Detection so that when somebody gets in 
immediately, and you take prompt action, and then prosecution, 
you have to go after the perpetrators.
    Senator Dayton. Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Dayton. I appreciate 
your asking the witnesses to go forward and project how a cyber 
attack might occur against us, because obviously we hold a 
hearing like this to gauge how realistic these threats are so 
that we will never have to look back and say, gee, we never 
knew this was possible. And, of course, the other part of it is 
that ourselves, together with the Executive Branch and our IG 
friends and the GAO, will motivate some action to protect us 
from those threats.
    Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman.
    Mr. Willemssen, I didn't set you up as a straight man, but 
I do have a bill patterned after the Y2K bill to deal with the 
issue of disclosure between the government and the private 
sector in circumstances that we have never had before. Go back 
a decade, and there would never be any anticipation that we 
would need private industry to explain to government agencies 
what kind of attacks they are receiving and vice versa, sharing 
of information. And I think the Freedom of Information Act, 
which we amended with respect to Y2K and to which you referred, 
has got to be amended again in this circumstance. And you are 
nodding, but I will ask for the record the obvious question: Do 
you agree that we need something of that kind?
    Mr. Willemssen. I agree that that would be a great 
motivator to enable increased sharing of information between 
the private and public sectors, which is absolutely critical.
    Senator Bennett. Now, you talk about the three-legged 
stool. When we have had hearings on this subject in the Joint 
Economic Committee, the witnesses have pointed out that part of 
our problem is that we need to think strategically rather than 
tactically. And tactically comes down basically to law 
enforcement and prosecution after the fact. Thinking 
strategically is asking the kinds of questions that have been 
asked here of what could happen and what do we need to put in 
place before the fact.
    One of the criticisms I have of PDD 63--and I repeat once 
again, I applaud the Clinton Administration for the action that 
they took in moving in that direction. But we need to move 
more.
    One of the criticisms I have of PDD 63 is that it puts the 
primary responsibility with the FBI and with people who have a 
law enforcement mentality. If you have a law enforcement 
mentality, you wait until a crime is committed, and then you go 
look for the bad guys, arrest them, and haul them to jail.
    In this circumstance, we can't wait for the crime to be 
committed, and for that reason, I think the FBI and the 
Department of Justice is not the right place to have the 
primary domestic responsibility. I think we have to do the 
kinds of things which were hinted at in your testimony, almost 
a red team/blue team approach of let's take a red team into the 
Department of Commerce and see how easy it is to break in and 
see what kinds of chain reaction can be established.
    Again, I have used this example where an IT supervisor in 
his company suddenly discovered that someone was in, and so he 
hacks back to find out who it is and finds himself at root 
level, which means he owns the system of a Canadian company. He 
calls the company on the telephone and says, I am at root level 
in your computers, which means I can do all the things you were 
describing, Mr. Willemssen. I can change your passwords. I can 
steal your data. I can scramble the data so that you can give 
false instructions. I can do whatever I want. Are you aware 
that you are being used as a conduit to get into me? And the 
Canadians were unaware that their computers had been used in 
that fashion. They were very grateful for the phone call.
    But the fact is that under existing law, the American could 
be sent to jail for having gotten into the Canadian computer to 
that degree. So a strategic analysis of what do we have to do 
to protect ourselves has to trump a law enforcement attitude 
that says, well, we don't care what you did to protect 
yourself, but under this law you broke the law.
    Now, the Canadians obviously did not seek to prosecute. 
They were very grateful that this man helped them understand 
their own vulnerability.
    Could you address that whole general question of what kinds 
of strategic moves you would recommend, red team/blue team 
approach or anything else, as to how we might build a strategic 
attitude and then we go to work on the chart? Once we have the 
attitude and the vision where we want to go, then we move the 
boxes around on the chart as to who does what?
    Mr. Willemssen. Yes, I would like to address that. We found 
ourselves at GAO with a similar predicament a few years ago of 
trying to be in a position of convincing agencies that they 
really needed to do a better job of protecting their key 
assets. In response to that, we elected to develop our own 
internal capability to penetrate systems, our own white-hatted 
hackers, so to speak, that we have used over the last couple of 
years at selected agencies and continue to use.
    This approach has been very effective at demonstrating that 
we can get in, we can see this data, we can change the data.
    The most recent department where we did that was at several 
bureaus at the Department of Commerce where we got in. We had 
root access. We were able to view a lot of very sensitive data. 
And, again, consistent with what you mentioned, in most cases 
Department officials didn't know we were there.
    Now, when you share that kind of information with senior 
management, it does tend to be an eye-opener. And so I would 
concur with your approach on the red team/blue team. It is a 
very effective approach for getting top management focused on 
the issue and for them to understand there are some real 
threats here.
    Ms. Gross. I think yes and no. I mean, I think your red 
team/blue team is a very important effort. NASA was one of the 
agencies that GAO had reviewed but didn't use their own 
intrusion resources. I think they used another Federal agency 
for NASA. They successfully got into a mission-critical or a 
very critical system at one of the centers that we always call 
the Center of Excellence for Intrusions, and that center still 
has problems. NASA, to its credit, has come a long ways in 
doing policies and procedures. It is also hiring its own 
penetration testers. As part of the Chief Financial Officer's 
audit, penetration testing is going on.
    You got to keep bucking up that attention. GAO is only so 
big. We were talking about the assets they have for doing this. 
None of us have enough assets. I think you had a focus from the 
GISR Act that is going to expire, but this is the first time 
that OMB is going to get reports from every agency. The 
agencies are going to give their opinion, and the IGs are going 
to give their opinion. There is no hiding. The agency may say, 
hey, everything is great, Pollyanna. And the IGs may say 
everything is horrible. And maybe the truth is somewhere on one 
side or the other.
    But OMB is going to have to grapple with every agency, each 
agency's IG is learning how to do IT oversight better. You 
don't want to let that heat go off. You don't want to rely on 
GAO. They will cover us again maybe in the next 5 years. And, 
OK, we will have a hearing, probably before this Committee or 
another committee, and you will get NASA's attention, and we 
will come up with more policies and procedures. And you know 
what? We are still going to have vulnerabilities.
    It is hard to make it risk-free. That is not the problem. 
But it has to be a kind of attention where the government is 
saying, Hey, we really do care.
    I read to you earlier what was coming on our review from 
the PDD 63 for agencies on their mission-essential 
infrastructures on their cyber plans: Lower priority, not 
enough money, didn't know it applied to us. They should have 
been able to just roll over the Y2K information.
    So, I think it is not merely just red team/blue team. You 
are going to have to keep a focus. I think sustained government 
oversight is a real key tool.
    Chairman Lieberman. Thanks very much, Senator Bennett.
    I was reminded by Mr. Willemssen's answer to one of your 
questions about how they got the attention of the agency. 
Unfortunately, the folks from @stake, Inc. could not be here 
today.\1\ They are part of a group we had here some years ago, 
when they were with another organization called the Lopht, 
which was a kind of think tank. They got out of that business 
because they were able to hack their way into major corporate 
computer systems to inform the management of vulnerabilities, 
and then offer these companies help gratis. But the capacity to 
do damage here, as you both said--and your tests prove--is very 
real.
---------------------------------------------------------------------------
    \1\ The prepared statement of @stake, Inc. appears in the Appendix 
on page 78.
---------------------------------------------------------------------------
    Senator Bunning.
    Senator Bunning. Thank you, Senator.
    I would like to just ask Ms. Gross, are you telling this 
Committee that the agencies of the Federal Government have this 
important project at the bottom of the list?
    Ms. Gross. Well, they had--some of them had PDD 63, which 
was a Presidential decision----
    Senator Bunning. Yes, I understand that.
    Ms. Gross. We are----
    Senator Bunning. I am talking about generally now, of all 
of the agencies of the Federal Government that deal with 
critical information on computers.
    Ms. Gross. Oh, all, I wouldn't say all. I think it has been 
a real low priority for a number of years. When the GAO was 
doing its exit conference for NASA and they reported the 
absence of the layers of protection an agency's supposed to 
have, that is, policies, procedures, education, intrusion 
detection, your own penetration studies--components needed to 
have a security program. At the end of the conference, one of 
the managers turned to the GAO person and said, ``Do you have 
any good news for us?'' And they said, ``Yes, the good news is 
at least you are one of the agencies that has an awareness you 
have a problem.'' When they go----
    Senator Bunning. That is the attitude?
    Ms. Gross. We had awareness, partially because we had been 
doing work and then they started doing some of their own work. 
But what the GAO was saying is that other agencies were denying 
they even had a problem.
    Senator Bunning. OK.
    Ms. Gross. I think people are becoming more sophisticated 
about the problem.
    Senator Bunning. Sometimes there are very simple remedies 
to some of these problems, and I would ask Mr. Willemssen, you 
mentioned weakness as a result of some agencies not even 
deleting accounts and passwords of people who are no longer 
employed or change passwords. Now, how hard is that?
    Mr. Willemssen. It is not hard at all. It is a matter----
    Senator Bunning. We do it in our office, and our office 
happens to be connected to the Senate office, but we change 
passwords on a monthly or bimonthly basis and do a lot of other 
things.
    You mean to tell me that when someone leaves NASA, for 
instance, that you don't delete the password or you don't 
delete entrance to that----
    Ms. Gross. Not always. We have audits that show that. Not 
always.
    Senator Bunning. That is unbelievable.
    Ms. Gross. It is. Those are low-cost, no-cost kinds of 
remedies. When we are talking about not enough money, why 
agencies can't do things, there is a lot of low-cost, no-cost 
solutions and fixing 90 percent of the vulnerabilities are low-
cost, no-cost. It is a matter of attention, starting from the 
top. It is using the bully pulpit by each agency administrator 
and department head that IT security is what they expect from 
each program manager. CIO's need to tell their agency heads if 
they don't have an education program. For example, one of the 
things that upsets me about NASA's program, we haven't trained 
our systems administrators. They have a metric on evaluating 
the training for systems administrator. They are the front-line 
people that manage and have root access to your systems. They 
have metrics on the civil servants system administrators, which 
they are tracking, though most of our systems administrators 
are contractors. It was in the low percentages as to the number 
of people who received the training.
    Now, part of that is because the training components had 
not been finished, and that is for various and sundry reasons. 
But part of it was they didn't even have the money or staff.
    Senator Bunning. Well, but if you have a systems 
administrator, they ought to know who does and who doesn't work, and 
they could automatically delete access to the system when a 
person leaves.
    Ms. Gross. There has to be a communication between the 
systems administrator and the program people. Sometimes the 
system administrator is just--it could be a scientist doing a 
program. I mean, the system administrator is not necessarily----
    Senator Bunning. I am talking about the people that are in 
charge of the computer system. You can call them whatever you 
want to call them.
    Ms. Gross. Should it be easy? Yes. Should there be an easy 
system? Yes.
    Senator Bunning. What about the kids that hack for fun, 
that are hired for, unfortunately, bad things? They could have 
assisted in getting access to these aircraft by making 
reservations, by doing whatever is done to get a hijacker onto 
an aircraft, not knowing what was going to happen. Why can't we 
get those people?
    Ms. Gross. That is a good question. I think the Justice 
Department is starting a program that needs to be a major 
education effort. The government needs to get into the high 
schools and into the junior highs.
    In my written testimony is one of the cases where both 
international and national activity were involved. A hacker 
from Israel was mentoring juveniles who were breaking into DOT 
systems--excuse me, DOD, the Department of Defense systems. And 
they thought that this was just a lark on their part. They were 
not intending to----
    Senator Bunning. How good they were that they could do all 
this.
    Ms. Gross. Yes. We don't know the full intent of what the 
hacker from Israel was, but, nevertheless, these were juveniles 
who think they are just on a lark and being smart, who were 
being used by and mentored and cultivated by somebody else. 
Your question is an important question. It is an important 
education process for the government to get into the high 
schools, to get into the junior highs, because sometimes adults 
use juveniles. It is just like what happened in the war on 
drugs where you have minimum mandatory sentences for drug 
couriers in the District of Columbia, which I am very familiar 
with as a DC resident and I used to be with the Office of the 
Corporation Counsel. As soon as the city had a minimum 
mandatory sentence for adults for drugs, drug addicts used 
juveniles because for juveniles it wouldn't be a real sentence, 
they wouldn't be criminals. They would remain in the juvenile 
system.
    And so you will have people who will be motivated to use 
juveniles because nothing will happen to the juveniles. And 
they won't know they are even being used. Your question is a 
key one, and I think that needs to be grappled with.
    Senator Bunning. Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Bunning. Thank you 
very much. I share your sense of outrage and disbelief, and 
hopefully we can generate some reactions here.
    Did I see Senator Carper? If not, for the moment I will 
proceed with another round of questions.
    I want to go to the private sector involvement here. Maybe 
first I would just ask this question by way of setting the 
scene, the landscape. We distinguish traditionally between 
physical and cyberspace infrastructure. But Senator Bunning's 
question regarding the suggestion that it is quite possible 
that the terrorists yesterday had to--in this case, it probably 
was a fairly simple action--penetrate some or at least use 
computers to determine flight schedules and gain access to 
them. Is it fair to say that there has been a kind of melding 
in our time of both physical and cyberspace infrastructure that 
to get today at the physical infrastructure, whether we are 
talking about a power grid or financial services networks or 
transportation, that you really are probably going to end up, 
in whole or in part, also in cyberspace?
    Ms. Gross. I think that was the philosophy behind PDD 63, 
is that the whole interrelatedness of our infrastructures, the 
critical infrastructures, could be shut down through a cyber 
attack. How interrelated we are, from a physical attack is 
clear, who could get through yesterday to New York? Even 
communication through some of the networks got shut down 
because of what was happening. The world between the network 
systems and the physical systems is so interrelated. We have a 
very efficient world, and we can do lots of work, and our 
economy was so strong, in part, because we are such a networked 
economy. But because we are interrelated, we are also 
vulnerable.
    Chairman Lieberman. OK. So let's ask about the private 
sector now because, as we said before, a lot of what we are 
describing--we have been talking a lot about what the 
government has done with our systems, but a lot of what we are 
describing--utilities, transportation, financial services, the 
rest--are private.
    Give us a very brief overview of what the Presidential 
Decision Directive 63 asks of the private sector. How is it 
performing? And what more should we ask of it? In other words, 
Mr. Willemssen has referred a few times to the public-private 
partnership here. Is there a genuine working partnership going 
on?
    Ms. Gross. I would say on the education level universities 
are working--but, a simple answer is no, there is not really a 
public-private partnership. I think that Senator Bennett is 
correct. We are going to have to talk about legislation and 
what is it that we need to motivate this partnership.
    Some of what happened yesterday is going a long ways to 
motivate a partnership because the most vulnerable group was 
certainly in many ways the private sector. And the private 
sector is absolutely depending on the public sector for its 
rescue, and that is FEMA, FBI, Justice, Energy, all these 
entities are coming to help the private sector. So that is 
going to help cooperation.
    But I think you are going to have to find the motivations 
for partnership. They are working on these partnerships for 
education. Universities are talking about being centers of 
excellence for IT security or for IT. The government is talking 
about forgiving loans. IT is setting up centers of excellence. 
But the university community is more used to working with the 
government.
    Again, I go back to an earlier remark, it is important, you 
have to make sure that companies are not allowed to put known 
vulnerabilities into the market. But in terms of sharing those 
vulnerabilities, you have to talk about what is going to create 
incentives. Some of those are going to be carrots and some of 
those are going to be sticks. And I don't think we know.
    Chairman Lieberman. Is it fair to say that a business may 
have some evidence that it has been attacked?
    Ms. Gross. Yes.
    Chairman Lieberman. And it is a very interesting and 
difficult question as to what is the point at which that 
business should feel a responsibility. Should we require by law 
that it report that to government? Because it may, of course, 
be the beginning of a more broad-scale attack on a critical 
infrastructure, a utility, an airline, a bank, the Federal 
Reserve--well, a bank. Let's stick with that. What is happening 
on that front now? I will get you in on this, Mr. Willemssen, 
too.
    Ms. Gross. Well, that is the $64,000 question in many ways. 
I mean, you have the FedCIRC--you have a number of entities 
where both the private and the public do participate in sharing 
information. It is not a law enforcement model. And I think 
that it bothers a number of entities to have that law 
enforcement model. I have a very strong cyber group, of which I 
am very proud, for criminal prosecutions. But, in part to deter 
bad acts, we do press releases, companies get publicity. 
Intrusions become known.
    Chairman Lieberman. And a lot of businesses don't want that 
to happen.
    Ms. Gross. Absolutely not.
    Chairman Lieberman. Even though they may be the first line 
of what is a larger attack on infrastructure.
    Ms. Gross. Yes. Some are becoming more courageous about it 
because they want to deter, they want to say we care and we 
will prosecute, so that they won't be held up. This is a very 
sensitive issue. If you say to people we are going to prosecute 
you, too, and you are not going to embarrass us, then you can't 
hold up people, for----
    Chairman Lieberman. Mr. Willemssen, why don't you talk a 
little bit on this subject? Because my sense is from what I 
have heard so far that the partnership, at least at the 
defensive level, between the public and private sectors is not--
there is not much happening there.
    Mr. Willemssen. It is mixed, and one way to look at it 
instructively is to take each sector individually because 
different sectors are at different stages of maturity in the 
extent to which they share information.
    Chairman Lieberman. Which are better and which are worse, 
would you say?
    Mr. Willemssen. For example, when we ended our work on 
NIPC, the two areas which had established information-sharing 
and analysis centers were in the electricity area and in the 
financial services area. Those information-sharing and analysis 
centers, or ISACs, are your mechanisms for determining, OK, 
what are we all going to agree to share? What are the 
thresholds going to be when an attack occurs?
    Chairman Lieberman. And at what point, right?
    Mr. Willemssen. And so these are very important mechanisms 
to try to pull together.
    Now, some of the sectors are further ahead. For example, in 
the electricity area, you have the North American Electric 
Reliability Council. That already is a very good group of 
bringing everybody together. They like to partner. They have to 
partner. And so that has worked fairly successfully. Some of 
the other sectors are going to take some time.
    I think from an oversight perspective, part of what you may 
want to look at is the particular lead agencies for those eight 
critical infrastructures and where are those lead agencies in 
helping to make sure that this gets done.
    Chairman Lieberman. In other words, the lead governmental 
agencies related to those sectors of our infrastructure.
    Mr. Willemssen. Yes, sir.
    Chairman Lieberman. Which are largely private.
    Mr. Willemssen. Yes, sir. And so if you were looking at 
Senator Bennett's chart, it would be on the right-hand side 
where it says ``Lead agency,'' and then the ones going down, 
each of those has a lead for one of those eight critical 
infrastructures.
    Chairman Lieberman. OK. Thank you. That is a big part of 
the problem. Again, because they are not here, I will just take 
a moment--our two witnesses from @stake, Inc. who were going to 
be here--to read very briefly from the testimony they prepared 
for today. These are the former hackers who now are consultants 
at a digital security consulting and engineering firm: ``It 
must be remembered that the mandate for these companies is to 
drive shareholder return, not to secure critical 
infrastructure. Today @stake, Inc.'s client base views security 
as a sunk cost, largely a product of information technology 
architecture and associated spending. Security is viewed as a 
cost borne to mitigate risks that may negatively impact the 
corporate mandate of generating shareholder return.''
    I am going to stop there. Senator Bennett, do you have a 
moment for me to call on Senator Carper?
    Senator Bennett. By all means.
    Chairman Lieberman. Senator Carper, welcome.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you, Mr. Chairman. Thank you for 
calling this hearing, and I am pleased, in spite of the tragic 
events of yesterday that continue to unfold, that we are having 
this hearing. I think it is appropriate that we do express our 
thanks to our witnesses as well.
    I apologize for arriving a bit late. I have a question that 
I would like to pose. When one arrives a bit late at a hearing, 
you don't know how many people have asked the same question so 
I would ask you to bear with me, if you would.
    But I understand that there are some segments of our 
infrastructure which have done a better job than others in 
terms of providing the kind of security that we need in this 
day and age. There are others where there is some work to be 
done. And I would ask you just to again reiterate for us where 
you think some of the better work has been done and to mention 
several of the areas where we have our work still cut out for 
us.
    Mr. Willemssen. I would say, Senator, that the banking and 
finance area is probably one of the more mature in its 
understanding of security risks and----
    Senator Carper. They have a lot at stake, so I could see 
that.
    Mr. Willemssen [continuing]. Need for protection. I would 
say that is probably near the top of the list in terms of the 
evidence we have seen.
    Senator Carper. In terms of being particularly well 
prepared or better prepared than other segments?
    Mr. Willemssen. Well, prepared from a protection 
perspective and a detection perspective, so that when they are 
penetrated--again, speaking very generally--they know it fairly 
quickly and take action.
    Senator Carper. What other segments of our private sector 
are maybe better prepared than others, and where are some that 
we might need to----
    Mr. Willemssen. Again, I think the area of electric power 
has the advantage of a very strong organization, coordinating 
organization, North American Electric Reliability Council, 
which has served very well. I mean, obviously, all the members 
of that must work together, given the resources that we are 
talking about. So that is another one that you can point to, to 
some degree. Again, speaking generally.
    Senator Carper. What are a couple where we have our work 
cut out for us?
    Mr. Willemssen. Well, I would say if you look at some of 
the other critical sectors, I would say a lot of work remains 
to be done in public health, especially as we continue to 
increasingly share medical data electronically. I think that is 
an area that will continue to require some attention.
    I think the transportation area is hard to generalize. You 
kind of have to go by mode of transportation. But, again, that 
is an area that also will require more focus.
    Senator Carper. What advice do you have for this Committee 
and for the Senate?
    Mr. Willemssen. The advice I would have is on a couple 
levels. First, we should think of our Federal agencies as 
setting a good example, I think, for the rest of the country, 
and that is why I continue to think that the legislation that 
was put in last year that is requiring these reports is an 
opportunity for the Senate to provide oversight and hold these 
agencies accountable for how well they are doing. And then, 
second, speaking more broadly on critical infrastructure 
protection, I think also the opportunity is there for you to 
provide oversight of those lead agencies for the critical 
infrastructures to inquire of them where they stand in reaching 
agreements with the private sector in making their ISACs, their 
information-sharing and analysis centers, a reality. And then 
to the extent that they aren't there yet, asking for some 
milestones and some tasks and then, again, holding them 
accountable to those.
    Senator Carper. Legislation has been introduced by our 
chairman and his immediate predecessor, Senator Thompson, that 
I would welcome your comments on, if you would.
    Mr. Willemssen. Well, among the items in the legislation 
that we strongly support is the need for the Federal chief 
information officer setting the standards and the stage for the 
Federal Government on exactly who is in charge of information 
technology overall, including information security. I think the 
legislation has a number of other key elements that are 
especially important in the security area, in the area of e-
government that we have got to start looking at providing 
services more from an electronic perspective, pursuant to 
existing law.
    Ms. Gross. If you look at the analogy with the Y2K, no 
agency head had any doubt that they were going to be held 
responsible if there was a failure. John Koskinen was a focal 
point appointed by the President as his adviser. He went both 
to the private sector and to the public sector. He went to 
agencies, he went to CIO's as well as agency IGs to find out if 
there were going to be problems. There were quarterly reports 
that went to OMB. There were reports by Congress.
    There is nobody that had a doubt that this country was 
committed to making sure that when the new millennium happened 
we were not going to crash with all of our systems. And it 
didn't happen. There was a priority that was clear. It was the 
Nation's priority, from the Executive Branch to the Congress to 
program managers. And you need to have that kind of same 
priority, bully pulpit at all levels, and believability that 
there will be no--that nobody wants to have the failure and 
that everybody believes that it is an agency priority, it is a 
Congress priority, and it is an Executive Branch priority.
    Senator Carper. Thank you. One last question. Reflecting on 
what occurred in America yesterday and realizing that you may 
not be an expert in this area, what lessons do you think we 
have learned as far as transportation security goes?
    Mr. Willemssen. A difficult question to address. I wish I 
knew more information about the effort yesterday.
    I think one item that was mentioned earlier that is worth 
noting is that the demarcation between physical and cyber is 
becoming less clear. And so I think as the investigation 
proceeds on the events of yesterday, it will be worth noting, 
if there were any automated means which provided expedited 
tools to provide the perpetrators with an easier effort than 
otherwise would have been the case, I think that is something 
that should be noted as the investigations go forward.
    Chairman Lieberman. Do you mean to gain access to flight 
information? How did you mean anything that might have given 
the perpetrators----
    Mr. Willemssen. Any tools that they could have used 
electronically that in the past may not have been there in 
terms of getting flight information, information on who is 
going to be on the flight, when it is taking off, when it is 
landing, any delays. To the extent that those are there today 
that they didn't used to be, and if it turns out those were 
major tools, I think that is worth noting.
    Senator Carper. I'm just thinking out loud now, but to the 
extent that there are people whom our intelligence officials 
know to be a possible threat to our country, and to the extent 
that they travel in our country, it would be helpful if we had 
the ability to know when they are moving, especially if they 
are moving in aircraft, obviously. That is something that we 
might want to be mindful of going forward, far more in the 
future than we have been in the past. Also, one of the things 
that struck me, aircraft as they fly, commercial and military 
and others, they carry equipment on the plane, transponders, 
which controllers can communicate with to find out the altitude 
of the aircraft, the direction of the aircraft, the speed of 
the aircraft, the identification of the aircraft, and pilots 
have the ability to trigger from the aircraft an automatic 
signal that would indicate to anyone who is interrogating them 
from the ground whether there is a hijacking underway. One of 
the things we will be interested to find out is to what extent 
that technology could have been used by the pilots to alert 
someone else that there was an emergency.
    We have heard of the several telephone calls, cell phone 
calls that were made from the aircraft, but I have not yet 
heard how that might have been used as a tool by the air crew 
to alert others that something was awry.
    Again, Mr. Chairman, thank you for holding this hearing and 
for letting me join you.
    Chairman Lieberman. Thanks, Senator Carper. Those were very 
good questions and good points.
    I would say to you that I spoke to David Walker, the 
Comptroller General, yesterday and Mr. Willemssen has focused 
on the matters to which he has testified and done so very ably. 
There are others at GAO who are focused on the security of air 
traffic systems and airport security, and I haven't had a 
chance to talk to Senator Thompson about this, but it might be 
that we would want soon, in the aftermath of yesterday, to call 
them in and see what their years of experience and reports, 
some of which were referenced in the newspapers this morning, 
tell us about what we can do after yesterday to protect 
ourselves in the future.
    Mr. Willemssen. I would just add, Senator, I do have with 
me the Managing Director of GAO who is responsible for that 
area in the event questions on that come up at today's hearing.
    Chairman Lieberman. I appreciate that you did that. I think 
we will probably want to do that soon and focus on it 
separately at a hearing. Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman.
    Ms. Gross, again, we didn't coordinate in advance, but you 
are a great straight person.
    Chairman Lieberman. I am beginning to have doubts about 
this.
    Senator Bennett. Your references to Y2K and John Koskinen, 
I can't resist. As John was leaving government service, he and 
I talked, as we did every week through the whole Y2K 
experience. John and I talked every Wednesday afternoon, and I 
told him what we were doing here, and he told me what he was 
doing there. And we did our best to coordinate all of our 
efforts. He said, ``I understand you are now interested in 
critical infrastructure protection, and you are going to push 
the Congress on that issue.'' And I said, ``Yes, I am.'' And he 
said, ``I think that is very important, and I congratulate you 
and applaud your efforts, and you will do it without me.'' 
[Laughter.]
    Senator Bennett. He said, ``I am going to go back into the 
private sector. I am through with this business. And I wish you 
well, but I am not going to be involved.''
    There were some in the Clinton Administration that wanted 
him to be the CIO for the entire government, and he turned that 
down.
    Ms. Gross. He is working with the public sector still. You 
may know that he is working with the District of Columbia 
Government. He can't resist public work.
    Senator Bennett. He is an excellent public servant, and I 
thoroughly enjoyed my association with him.
    But back to--as long as I am telling anecdotes--your 
reference to some people thinking of this in terms of sunk 
cost, and it is something we have to do, but we are not going 
to get any return on our investment. And that was exactly the 
attitude with Y2K. Everything we spent on Y2K is technically a 
waste of money because there will be no return on it at all; 
therefore, we need to spend as little as possible.
    Looking back on it, we can say that was not true, that the 
amount of money spent on Y2K, yes, portions of it were sunk 
costs, but a large portion of it had a tremendous benefit. And 
Alan Greenspan has said to me, ``I think the untold story of 
Y2K has been the upgrading of America's computer capability in 
the name of Y2K remediation that, in fact, produced a 
tremendous technological leap for which we will reap benefits 
for the years to come.''
    So if we follow the Koskinen model, as you suggest, of 
having someone constantly reminding the head of the agency that 
this is his or her responsibility--this is not the CIO's 
responsibility. This is not the IT people's responsibility. 
This is the secretary's responsibility. This is the 
administrator's responsibility. And John would have that 
experience. He would go to an agency, and they would say, 
``Well, you have come to fix Y2K,'' and he would say, ``No, I 
haven't. You have to fix Y2K. I have come to monitor your 
efforts and report your efforts.''
    If we can get that going in the government, we will have 
the same response.
    Now, I have asked GAO through my hat on the Joint Economic 
Committee for a report that is due October 15. Mr. Willemssen, 
I would assume you are involved in helping put that together. 
Can you give us any sense of whether we are going to be ready 
by October 15?
    Mr. Willemssen. You will have a report on October 15, yes, 
sir.
    Senator Bennett. OK. I like----
    Chairman Lieberman. That is the right answer.
    Senator Bennett. I like that.
    Now, mention has been made here about the Executive Order 
that is going to be issued. I have seen a copy of it. I assume 
the Chairman has as well. One of the things about that that I 
think we ought to focus on, Mr. Chairman, is the need for the 
ability of the Chairman of this effort to be able to testify 
before Congress. When we were talking about witnesses here, 
this was kind of a gray area, and the attitude was, well, it is 
the position of the White House that members of the White House 
staff don't testify. John Koskinen got around that because even 
though his title was Assistant to the President, the entire 
office was funded by the GSA. And, therefore, he was 
technically a GSA employee, regardless of what his title was. 
And, of course, if anybody has oversight over GSA, it is this 
Committee.
    So I have had that conversation with people in the 
administration and said you ought to arrange it in such a way 
as to make it possible for the individual who is appointed as 
the chair of that effort within the administration to be able 
to come to the Congress, it will have a very beneficial effect 
on the relationships with the Congress.
    So, simply reacting to your questions, I don't have a 
further question, but as I say, I love what you are saying 
because it coincides with the positions that I have taken.
    Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Bennett. It is 
really great to have you involved in this based on all your 
experience with Y2K and all your other experience.
    One of my staff members, just in response to what you said 
before about the possible use of automated systems in 
yesterday's tragedy, tells me that this morning on one of the 
networks there was an expert here saying that the precision 
with which the pilots hit the World Trade Center could have 
only been achieved through a computer system that allowed the 
pilots to input the exact coordinates of the World Trade Center 
and to have done so within a very short time of taking over the 
cockpit. This is hearsay, but it validates the point you raised 
in response to Senator Carper's question.
    Senator Bennett. If I could, Mr. Chairman, another piece of 
hearsay in response to Senator Carper, the plane that crashed 
presumably on the way to either Camp David or the Capitol had 
the transponder turned off manually in the cockpit. And, again, 
back to the point--this has nothing to do with the hearing, but 
you raised it and I think we ought to close the loop on it. 
Turning off the transponder that allows the air traffic 
controller to track the airplane is not an easy thing to do and 
it is not an obvious switch to find. So whoever did turn it off 
was well trained in cockpit procedures.
    Chairman Lieberman. One last question, going back to 
something you said very early in your testimony, Ms. Gross, 
that I was fascinated by but didn't understand was the possible 
desirability of laws to stop intrusions over cyberspace. Just 
develop that a bit more. You were talking about foreign 
intrusions, that is, intrusions that originate from abroad.
    Ms. Gross. Well, you never know exactly where they 
originate, but wherever they originate, once they come into the 
United States, there are a number of ports. Many of those ports 
are used for E-mail. They are used for other kinds of activity 
that is the normal use. But there are all these ports that are 
used, for example, for the system to test its own health. It is 
not a communication mechanism.
    Intruders come into those ports. They are called high 
ports. Those ports you can't banner and say, hey, this is a 
government computer, if you come in here we will monitor your 
keystrokes and stuff. Coming in the high port is like somebody 
coming in--instead of coming in your front door where people 
ring the bell and come in, is to come in through your chimney. 
Well, that is not a normal access route. These high ports are 
not normal access routes. The only ones that come in there are 
people that are going to do felonious activity. And yet it is 
not against the law for that to happen. There is not an anti-
trespass act.
    Chairman Lieberman. Anti-trespass, OK. Understood.
    Ms. Gross. Yes. And that is a key bill. It has been talked 
about. The Department of Justice has talked about it. It has 
been proposed. I think that the FBI is pretty adamant on its 
need. It is one of the most crippling omissions for law 
enforcement being able to do both the detection and the 
prosecution from a law enforcement point of view. High ports 
are used by hackers that are domestic and foreign. In our cases 
that we have seen where it looks like they have been coming in 
through various countries internationally, it is through those 
high ports. And the difficulty that we have in law enforcement, 
not system administrators, is there is no anti-trespass rule. 
It is a trespass for somebody to come into your house, and we 
don't have that law in cyberspace. And the laws have got to 
catch up with the 21st Century--the 20th Century, but now we 
are into the 21st Century.
    Chairman Lieberman. Yes, well said. I understand and 
appreciate it.
    Senator Carper. Just to follow up on that, you said it has 
been proposed but not enacted.
    Ms. Gross. Yes.
    Senator Carper. Has legislation been introduced in this 
Congress?
    Ms. Gross. It was introduced, I think, yes, in the DOD 
bill, just like GISRA was, the Government Information Security 
Reform Act. And I believe it got taken out.
    Senator Carper. Say that again? I am sorry.
    Ms. Gross. It was taken out of the defense authorization. I 
think Justice had been proposing it. It was winding its way 
through the Executive Branch and I don't believe they actually 
proposed it. It then became introduced in the Defense bill, and 
it never made it to the floor for final action.
    There is no agency in law enforcement--there is uniform 
agreement. This is a key bill. You cannot talk to anybody in 
law enforcement that doesn't agree with that.
    Senator Carper. Would this be a good bill for Senators 
Lieberman, Bennett, and Carper to introduce?
    Ms. Gross. Absolutely.
    Chairman Lieberman. Let's do it.
    Ms. Gross. We liked GISRA.
    Chairman Lieberman. Are you sure that one wasn't 
coordinated, too? No, it sounds like a great idea. We should 
work together on it.
    Thank you both. You have been superb, very thoughtful, 
substantive witnesses on a most pressing matter. I thank you 
and I would adjourn the hearing at this point.
    [Whereupon, at 1 p.m., the Committee was adjourned.]


                            A P P E N D I X

                              ----------                              
