b"<html>\n<title>HOW SECURE IS OUR CRITICAL INFRASTRUCTURE?</title>\n<body><pre>[Senate Hearing 107-205]\n[From the U.S. Government Printing Office]\n\n\n\n                                                        S. Hrg. 107-205\n\n               HOW SECURE IS OUR CRITICAL INFRASTRUCTURE?\n\n=======================================================================\n\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n                          GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n                      ONE HUNDRED SEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           SEPTEMBER 12, 2001\n\n                               __________\n\n      Printed for the use of the Committee on Governmental Affairs\n\n\n76-799              U.S. GOVERNMENT PRINTING OFFICE\n                            WASHINGTON : 2002\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                   COMMITTEE ON GOVERNMENTAL AFFAIRS\n\n               JOSEPH I. LIEBERMAN, Connecticut, Chairman\nCARL LEVIN, Michigan                 FRED THOMPSON, Tennessee\nDANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska\nRICHARD J. DURBIN, Illinois          SUSAN M. COLLINS, Maine\nROBERT G. TORRICELLI, New Jersey     GEORGE V. VOINOVICH, Ohio\nMAX CLELAND, Georgia                 PETE V. DOMENICI, New Mexico\nTHOMAS R. CARPER, Delaware           THAD COCHRAN, Mississippi\nJEAN CARNAHAN, Missouri              ROBERT F. BENNETT, Utah\nMARK DAYTON, Minnesota               JIM BUNNING, Kentucky\n           Joyce A. 
Rechtschaffen, Staff Director and Counsel\n                   Jinnett Rona-Finley, Detailee, CIA\n     Kiersten Todt Coon, Congressional Fellow for Senator Lieberman\n         Hannah S. Sistare, Minority Staff Director and Counsel\n                Ellen B. Brown, Minority Senior Counsel\n                    Robert J. Shea, Minority Counsel\n         Morgan P. Muchnick, Minority Professional Staff Member\n                     Darla D. Cassell, Chief Clerk\n\n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statements:\n                                                                   Page\n    Senator Lieberman............................................     1\n    Senator Thompson.............................................     3\n    Senator Levin................................................     5\n    Senator Bennett..............................................     6\n    Senator Dayton...............................................     7\n    Senator Bunning..............................................     8\n    Senator Carper...............................................    26\n\n                               WITNESSES\n                     Wednesday, September 12, 2001\n\nHon. Roberta L. Gross, Inspector General, National Aeronautics \n  and Space Administration.......................................     9\nJoel C. Willemssen, Managing Director, Information Technology \n  Issues, U.S. General Accounting Office.........................    11\n\n                     Alphabetical List of Witnesses\n\nGross, Hon. Roberta L.:\n    Testimony....................................................     9\n    Prepared statement...........................................    33\nWillemssen, Joel C.:\n    Testimony....................................................    11\n    Prepared statement...........................................    
43\n\n                                Appendix\n\nChristopher Darby, CEO, @stake, Inc., Peiter Zatko, Chief \n  Scientist and VP of Research and Development, @stake, Inc., and \n  Chris Wysopal, Director of Research and Development, @stake, \n  Inc., prepared statement.......................................    77\nChart: Critical Infrastructure Protection Organization, September \n  2000 (submitted by Senator Bennett)............................    78\n``Critical Infrastructure Protection: Significant Challenges in \n  Protecting Federal Systems and Developing Analysis and Warning \n  Capabilities,'' GAO Highlights, September 2001.................    87\n \n               HOW SECURE IS OUR CRITICAL INFRASTRUCTURE?\n\n                              ----------                              \n\n\n                     WEDNESDAY, SEPTEMBER 12, 2001\n\n                                       U.S. Senate,\n                         Committee on Governmental Affairs,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 11:06 a.m., in \nroom SH-216, Hart Senate Office Building, Hon. Joseph I. \nLieberman, Chairman of the Committee, presiding.\n    Present: Senators Lieberman, Thompson, Levin, Bennett, \nDayton, Bunning, and Carper.\n\n            OPENING STATEMENT OF CHAIRMAN LIEBERMAN\n\n    Chairman Lieberman. Good morning. This morning, the Senate \nGovernmental Affairs Committee will proceed with its previously \nscheduled hearing--the first in what we expect to be a series \nof hearings and investigations on a problem that is today even \nmore important to us than before--the security of our critical \ninfrastructure and the vulnerability of our homeland to \nunconventional enemy attack.\n    The attacks yesterday struck many individual families and \nthe broader American family. 
I pause for a moment here at the \noutset of this hearing to indicate that it also struck the \nfamily of the Senate Governmental Affairs Committee. Barbara \nOlson, who was killed on one of the planes yesterday, had \nserved as an assistant to Senator Nickles for some period of \ntime in his work on this Committee. On behalf of the entire \nCommittee, I extend my condolences to her husband and her \nfamily and want them to know that they are in our prayers.\n    Today, we do consider critical infrastructure to be a vast \narray of elements that form the backbone of America. The \ncritical infrastructure is, in essence, our Nation's skeleton, \nthe framework underlying our well-being and our freedom. It \nincludes telecommunications systems, air traffic control \nsystems, electricity grids, emergency and law enforcement \nservices, water supplies, financial networks, and energy \npipelines.\n    Today, our hearts and minds are naturally focused on \nyesterday's tragedy, but it is important that the Senate \ncontinue with America's business, particularly as it affects \nAmerica's security. Thus, we are holding this hearing as \noriginally planned, with the same focus that we had intended, \nwhich is to explore the extent to which our critical \ninfrastructure is vulnerable, particularly to manipulations and \nattacks from cyberspace, the consequences of that vulnerability \nand what the government is doing and must do to reduce that \nvulnerability. For as we saw tragically yesterday, our enemies \nwill increasingly strike this mighty Nation at places where \nthey believe we are not only dependent but we are unguarded. \nAnd that is surely true of our cyberspace infrastructure today.\n    More and more we find that everything in our lives is being \noperated by a computer system, from Wall Street to Main Street. 
\nWhere once our economy was dependent primarily on the movement \nof goods and services by road or rail, the products and \nservices of our new economy are now just as likely to travel \nvia the Internet as they are to move on an interstate.\n    While it has never been easy to protect all of our critical \ninfrastructure from conventional attacks--and, of course, they \nhave happened only rarely in our history here at home--it has \nbecome even more difficult now to safeguard our Nation from \ncyber attacks, which can be launched by any sophisticated \ncomputer user located anywhere in the world, let alone by a \nnetwork of terrorist organizations or a hostile power.\n    Yesterday's tragedies open a new era for our security \ninfrastructure and for our critical infrastructure here at \nhome. Therefore, we must now have an expanded notion of \nprecisely what is important to our national security, and that \nmore expanded notion must encompass much of our critical \ninfrastructure. Thus, we must be prepared to defend ourselves \nagainst threats from foreign armies, but also to defend \nourselves against threats from sophisticated opponents who will \nuse both conventional and cyber weapons to destroy or disrupt \nsectors critical to our Nation's functioning. And, they will \nattack, as they did yesterday, here at home.\n    Yesterday's attacks demonstrate how an organized, \ncoordinated effort can be devastating to our Nation. But make \nno mistake about it. 
Those attacks were aimed at destroying \nbuildings, killing people, and breaking our confidence in the \nsame way future attacks can and probably will be aimed at \nparalyzing our financial markets, our utilities, our \ntransportation systems, and other core aspects of our critical \ninfrastructure that are dependent on computer networks.\n    Today, individuals or terrorists or nations with no chance \nof success against America on the battlefield can pose just as \nsignificant a threat to our society from the isolation of their \nhomes or offices or terrorist camps.\n    The nature of our critical infrastructure has changed that \nmuch in the information age. And while it has clearly enriched \nour lives, it has simultaneously left us much more dependent \nand more vulnerable to attacks by insidious forces.\n    So examining the vulnerability of our critical \ninfrastructure is the focus of this hearing, but it is not an \nissue new to this Committee. Two Congresses ago, we held a \nseries of hearings on computer security issues, and last \nCongress, Senator Thompson and I authored and the Congress \nenacted a law aimed at enhancing the government's computer \nsecurity. This year, Senator Bennett particularly has urged us \nto launch this series of hearings that we begin today on the \nvulnerability of our critical infrastructure. 
His very \nsuccessful leadership of our government's response to the Y2K \nchallenge aroused his concern on this subject and makes him a \nvaluable partner in this effort.\n    In the resolution that is currently before the Senate, \nthere is some appropriately strong language used, and it refers \nto a war against terrorism: ``Ask our allies to continue to \nstand with the United States in the war against international \nterrorism.'' The resolution commits us to support increased \nresources in the war to eradicate terrorism.\n    I think the important thing to say as we begin these \nhearings today is that if we are serious about commencing a war \nagainst terrorism, which the acts of war committed against us \nyesterday certainly justify, we have to understand that it is \ngoing to be a different kind of war. It is not going to be a \nmatter of a single retaliation against a single terrorist \nopponent. It will be a much longer, sustained, and \ncomprehensive conflict in which we will need to be more \naggressive internationally to root out terrorists and stop them \nbefore they strike at us, to demand that our allies join us in \npressuring and insisting countries around the world that harbor \nterrorists to decide whether they want to be our allies or the \nallies of our enemies, and to raise our defenses here at home \nagainst the kinds of insidious acts that we suffered from \nyesterday.\n    This means that we are going to have to consider, I think, \nsome of the ideas that have been discussed previously in this \nCommittee, and others, that came out most recently from the \ncommission headed by our former colleagues Warren Rudman and \nGary Hart as to whether we need an agency or even a department \nwhich is committed to homeland defense--a subject we have not \nhad to worry about before, thinking that the oceans at least \nprotected us from attack. 
But in the rising and escalating \nseries of terrorist acts committed against us here at home, \nfrom the World Trade Tower attack 8 years ago, to Oklahoma \nCity, and now culminating in the outrage yesterday, I think we \nhave to begin to think about defending our homeland, just as we \nhave thought and acted to defend our interests, our people, and \nour principles previously around the world.\n    I look forward to having this Committee, on a bipartisan \nbasis, consider these questions and, as appropriate, make \nrecommendations to our colleagues here in Congress.\n    Senator Thompson.\n\n             OPENING STATEMENT OF SENATOR THOMPSON\n\n    Senator Thompson. Thank you, Mr. Chairman. We commonly \nthank the Chairman for holding hearings, whether we mean it or \nnot, but I think today we all mean it when we say that. It is \nvery appropriate that we continue on with our work here and not \nbe cowed into disrupting the work of the American people. I \nthink that is what we expect, and this is certainly a very \ntimely hearing.\n    I think we are reminded that, contrary to perhaps our \nthinking since the end of the Cold War, that the world is in \nmany respects a more dangerous place than ever before, instead \nof less dangerous. The Soviet Union threat has been replaced \nnow by several other threats that are more insidious and \ndangerous in many respects than the ones that we used to face. \nWe face them from many different sources. We face them from \nrogue nations. We face them from terrorists. We may face them \nfrom combinations of both.\n    While much speculation now is on Bin Laden as far as \nyesterday's activities are concerned, it seems quite clear that \nhe does not have access to 767's on a regular basis in order to \ntrain pilots to the extent to which those pilots were clearly \ntrained. So the question becomes whether or not it is a \ncombination of terrorist and state-sponsored activity.\n    We face many different kinds of threats. 
I think we, \nunfortunately, spend too much time in Congress debating on \nwhich threat is more likely, even though you would think we \nwould be a little more humble about our predictions in light of \nyesterday's activities, which no one expected the precise \nnature of that particular attack. But we know we face threats \nfrom missiles which could make the casualty numbers of \nyesterday look small in comparison. We face them from suitcase \nbombs, conventional attacks, and, of course, cyber attacks, \nwhich is the primary subject of today's consideration.\n    You mentioned the Hart-Rudman report, and I think it is \nespecially apt. I took another look today. I had read it in \ntimes past. It is one of several reports that we have had over \nthe last few years, at least going back to 1998. We have to be \ntold so many different times and so many different ways in this \ncountry that something is important before we pay adequate \nattention to it, and we have report on report now, Governor \nGilmore's report, others, numerous witnesses testifying before \nnumerous committees about the nature of this threat.\n    But going back as late as January 31 of this year, when \nthey submitted their last volume, Hart-Rudman said, ``One of \nthis Commission's most important conclusions in its Phase 1 \nreport was that attacks against American citizens on American \nsoil, possibly causing heavy casualties, are likely over the \nnext quarter century. This is because both the technical means \nfor such attacks and the array of actors who might use such \nmeans are proliferating, despite the best efforts of American \ndiplomacy.''\n    It further says, ``This Commission believes that the \nsecurity of the American homeland from the threats of the new \ncentury should be the primary national security mission of the \nU.S. 
Government.'' It says, ``However, the United States is \nvery poorly organized to design and implement any comprehensive \nstrategy to protect the homeland.'' It says, ``The U.S. \nGovernment has not adopted homeland security as a primary \nnational security mission. Its structures and strategy are \nfragmented and inadequate.''\n    And it points out that, ``These attacks may involve weapons \nof mass destruction, weapons of mass disruption. As porous as \nU.S. physical borders are in an age of burgeoning trade and \ntravel, its cyber borders are even more porous.'' And, of \ncourse, the cyber threat is one of the major threats that we \nare facing here today and something that this Committee has \ndealt with over the last several years.\n    So I agree with you, Mr. Chairman, that we have to change \nour way of looking at things. We have got to get more serious \nabout the threats to our country. For me, I think it starts \nwith our military budget. It is hard for me to believe that we \nare still apparently debating irrelevancies like lock boxes and \nthings of that nature that some people would prioritize over \nour national defense. We are going to have an appropriations \nbudget, and we will have appropriation bills and an \nopportunity to address that in the near future.\n    There have been other instances of democracies who have \ntaken their peace dividend and ignored the clear threats around \nthem and have thought that technology could bail them out in \ncase of real problems and have ignored the misbehavior of \nnations around them that are weaker at the time that it starts. \nBut the nations, the democracies have a tendency to turn inward \nand want to reduce their military budgets and think that the \nlast war was the last war. 
All those mistakes England made \nafter World War I, we must not go down that same road, and that \nhas to do with military budget, including intelligence \nactivities, including attention to our infrastructure, which is \npart of this exercise and our hearings today.\n    I think our witnesses will indicate that we haven't gotten \nvery far in terms of the Presidential directive in 1998 that \ncame down to try to organize this. You and I joined together, \ngot a bill passed that we felt would improve our computer \nsecurity. Perhaps we are set on the right path. I am not sure. \nBut the word that I am getting from the progress we have made \nover the last few years is not good.\n    If there is something good to come out of yesterday, \nperhaps it will be a heightened awareness that we must do \nbetter. So, again, thank you for calling these hearings today.\n    Chairman Lieberman. Thank you, Senator Thompson.\n    Senator Levin.\n\n               OPENING STATEMENT OF SENATOR LEVIN\n\n    Senator Levin. Thank you, Mr. Chairman.\n    Yesterday, this hearing was one of our standard oversight \nhearings to assess how the government was securing critical \ninfrastructure, including a Presidential directive that set as \na goal the protection of the Nation's critical infrastructure, \nboth physical and cyber, by the year 2000. With yesterday's \nevents, terrorism has again demonstrated its evil face and has \ndemonstrated this time the scope of its ability to inflict \ndevastating damage on the United States. We, as a people, will \ndo everything in our power to demonstrate our ability to deter \nsuch acts and to respond swiftly and severely when they occur.\n    Yesterday, terrorism destroyed the World Trade Center and \nthe thousands of lives working in those buildings. It did \nserious damage to the Pentagon and caused a significant loss of \nlife there. It destroyed the lives of 266 passengers and crew \non four commercial airplanes. 
We run the risk that terrorism \nwill disrupt our vital computer services which control our \nairspace, our information systems, our product distribution \nsystems, our energy products, our entire economy.\n    The witnesses today will report on some of the efforts that \nwe are making to protect our infrastructure where we have made \nsome progress and where we have fallen short. But this hearing \njust puts words on what we already know because of what we \nwitnessed as a country yesterday.\n    It is also important, it seems to me, to note that we also \nwitnessed yesterday a determined and a unified response in our \npeople to the horror and a determination to track down and to \nroot out and to relentlessly pursue terrorists, states that \nsupport them, and states that harbor them.\n    The terrorists are the common enemy of the civilized world. \nOur institutions are strong and they will prevail, but in the \nmeantime, I think we should note that our unity here is \nabsolutely palpable.\n    Each one of us, each of our committees, has a special \nresponsibility, and I know that we are united and determined to \ncarry out that responsibility, as this Committee has in the \npast and will today, and will in the future under the \nleadership of Senator Lieberman, and before him, Senator \nThompson.\n    I hope you will excuse me, Mr. Chairman. I am on my way to \na meeting of members of another committee, the Intelligence \nCommittee, that is reviewing the intelligence budget and \nwhether or not there should be recommended additions to that, \nperhaps in a supplemental appropriation, to try to see if we \ncan't deter and address the places where we are not strong \nenough, particularly in the area of human intelligence.\n    Thank you.\n    Chairman Lieberman. Thanks, Senator Levin. Senator Bennett.\n    Senator Bennett. Senator Bunning came first.\n    Senator Bunning. That is all right. 
Go right ahead.\n\n              OPENING STATEMENT OF SENATOR BENNETT\n\n    Senator Bennett. Thank you, Mr. Chairman.\n    Like Senator Thompson, I appreciate your going forward with \nthe hearing, and I appreciate your going forward with the \nissue. When I came on the Committee in this Congress, Senator \nThompson and I had conversations about this, and I was very \npleased with his enthusiasm and support for it. And now, with \nthe change of leadership in the Committee, that enthusiasm and \nsupport has not diminished at all, and we are very grateful to \nyou for that.\n    A lot of references have been made to yesterday, aside from \nthe obvious concern about lives and the devastation. If I might \nbe a little bit analytical for a moment, this was an attack on \ninfrastructure, it was not an attack on the military \ninfrastructure, even though the Pentagon, of course, was part \nof it.\n    But at the World Trade Center, as a result of that attack, \nthe perpetrators succeeded in shutting down the air traffic \ncontrol system, which is a vital part of our Nation's \ncommunication pattern. Mail goes by air. People that are \nnecessary for conferences and communication go by air. And that \nis an infrastructure issue, separate and apart from the \nmilitary, that was shut down as a result of this attack.\n    The financial markets, Wall Street couldn't open. The \nphysical devastation on Wall Street made it impossible for \ntrading to go on, and Americans were out of the financial \nworld. 
Trading occurred only in Europe and in other markets, \nbut not in ours.\n    And then just think for a moment about the long-term \ninfrastructure devastation of the loss of all of the records \nthat were there in the World Trade Center: Law firms that lost \ncopies of wills, contracts, other things that would normally be \navailable that have to be reconstructed now in one way or \nanother in order for business to go ahead; transactions in \nprogress that now have to be reconstructed from the beginning. \nQuite aside from the loss of life, which is our first and \nprimary concern, and always must be, the economic devastation \nthat came out of that attack on infrastructure is going to take \nbillions of dollars and months if not years to repair.\n    So it is a horrific reminder of the fact that outside of \ngovernment is where most of the economic and social activity in \nthis country goes on, and the traditional kinds of attacks \nagainst government are going to be less and less attractive to \nsomebody who wishes us ill than attacks on infrastructure, \nwhether it is by computer or by airplanes that have been \nhijacked, or whatever it might be.\n    So the question arises with this Committee's jurisdiction \nhow well organized are we to deal as a government with this new \nkind of threat. I have taken the liberty, Mr. Chairman, of \npreparing a chart,\\1\\ and it is put up there, and I will be \nhappy to give you and Senator Thompson a copy, and Senator \nBunning. Here is another version of it that shows how the \nExecutive Branch is currently organized to deal with this \nparticular challenge. It is not quite as helter-skelter as it \nlooks. There is some degree of order in it, and it comes as the \nfirst attempt by the Clinton Administration with Presidential \nDecision Directive 63 (PDD 63) to get their arms around this. \nAnd I applaud that effort on behalf of President Clinton and \nthe others, but it clearly needs some more rationalization. 
And \nif I may be so bold, as Hart-Rudman recognized, the Congress \nitself needs some reorganization to address this problem and \nbring some kind of coordination and focus to it.\n---------------------------------------------------------------------------\n    \\1\\ The chart entitled ``Critical Infrastructure Protection \nOrganization September 2000,'' submitted by Senator Bennett appears in \nthe Appendix on page 87.\n---------------------------------------------------------------------------\n    If I could conclude, Mr. Chairman, with this analogy: In \n1986, when you were here but I was not, Goldwater-Nichols \nreformed the Defense Department from these kinds of charts of \ncompeting services and redundant missions. Without Goldwater-\nNichols, I think every military historian would agree we could \nnot have mounted Desert Shield and then Desert Storm. If we had \ngone into that military challenge with business as usual, we \nwould have spent far more money, more time, more lives, and \npossibly not achieved anything like the result we achieved.\n    I like to think of this effort as a modern Goldwater-\nNichols kind of effort, to say let us reorganize the government \naround the new realities that we face in protecting our \ncritical infrastructure, reorganize the Executive Branch, and \nreorganize the Congress to recognize and deal with this \nchallenge so that when there is a challenge in the future, some \nfuture Senator sitting here can say without Lieberman-Thompson, \nor whatever the names are that go on it, we would not have \nsurvived that. And I would hope that this hearing would be part \nof the process to bring a Goldwater-Nichols type solution to \nthis enormously difficult problem. Thank you.\n    Chairman Lieberman. Thank you very much, Senator Bennett.\n    Senator Dayton.\n\n              OPENING STATEMENT OF SENATOR DAYTON\n\n    Senator Dayton. Well, thank you, Mr. Chairman. 
I just \nwanted to commend you and the Ranking Member and others for \nyour foresightedness in scheduling this hearing. It was almost \nprophetic, given what occurred yesterday, and I look forward to \nhearing the expert testimony. Thank you.\n    Chairman Lieberman. Thank you. Senator Bunning.\n\n              OPENING STATEMENT OF SENATOR BUNNING\n\n    Senator Bunning. Thank you, Mr. Chairman, and thank you for \nholding this hearing after the horrendous day we had yesterday.\n    Before I begin, I would like to express my deepest sympathy \nand condolences to the families and friends of all those \ninjured or killed in yesterday's attacks. This is a very \ndifficult time for the Nation, and we must all work together to \npull through it.\n    Protecting our critical infrastructure is of the utmost \nimportance, and I hope this hearing today will shed some light \non ways that we can improve the security of our Nation's \ncomputer system and infrastructure.\n    Our critical infrastructure impacts almost every aspect of \nour lives, from our Nation's security to our drinking water, to \nour financial transactions and communication services. Over the \nyears, we have become more and more reliant on computer \ntechnology and the information that passes over it. Key \nindustries in the Federal, State, and local governments have a \nresponsibility to do everything possible to protect their \ninformation from hackers. Not only are they under attack from \nteenagers who are out for a joyride on the Internet, but \nindividuals working for foreign governments, spies, and \ncriminals can sit at a computer in another country and try to \nhack their way into some of our most important and sensitive \ninformation. 
Also, as new technology comes into use, it brings \nwith it new challenges for businesses and the government in \nprotecting private information.\n    I want to thank our witnesses for being here today and look \nforward to hearing the testimony that they are about to share \nwith us about protecting our critical infrastructure.\n    Thank you very much.\n    Chairman Lieberman. Thank you very much, Senator Bunning.\n    We will turn now to the witnesses. We are going to hear \ntoday from Roberta Gross, who is NASA's Inspector General and \nwill tell us about a review of the implementation of the \nFederal Government's computer security policy conducted by the \nPresident's Council on Integrity and Efficiency. This was a \nreview of the PDD 63, a Presidential Decision Directive. And we \nare also going to hear from Joel Willemssen of the GAO, who \nwill discuss the government's efforts to work with the private \nsector to detect and respond to cyber attacks on critical \ninfrastructure.\n    We had intended to have other witnesses here today who have \nbeen unable to be here, either because of the aviation shutdown \nor because they have been called away to respond to yesterday's \nattacks, and we hope on another occasion that we might have \nthem here before us. But for now, we thank the two of you for \nbeing here, and, Ms. Gross, we now ask for your testimony.\n\n   TESTIMONY OF HON. ROBERTA L. GROSS,\\1\\ INSPECTOR GENERAL, \n         NATIONAL AERONAUTICS AND SPACE ADMINISTRATION\n\n    Ms. Gross. Thank you. I appreciate the opportunity to \ntestify before this Committee. It is very difficult to stop a \nterrorist bent on suicide. We all heard this yesterday during \nbroadcasts, both local and national. Did we ever imagine that \nwe would have a suicide attempt at the magnitude that we \nexperienced? Did we ever imagine that terrorists would use our \nown domestic airplanes as a weapon against our financial and \nmilitary institutions? 
Probably not, or not in America. But we, \nlike all nations, are a Nation at risk, and that is why this \nhearing is an important hearing.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Gross appears in the Appendix on \npage 33.\n---------------------------------------------------------------------------\n    After the Murrah Federal Building bombing in Oklahoma City, \nthe government decided that it needed to have a strategy to \naddress these new types of threats and vulnerabilities. The \nthreats are from cyber terrorism which, because of the \nnetwork's interconnectivity, might dislocate our financial, our \nelectrical, our military, our communications, our government \nservices, how we do business, how we live.\n    Clearly, we now know the threats can also be physical. We \nknew that before because not only was it physical threats like \nyesterday, we had physical threats in Oklahoma City and the \nLockerbie airplane crash.\n    Whatever the form of threats, this Nation must have an \neffective national response so that our government, our \neconomy, and our basic lives can go on. That was the purpose of \nthe last administration proposing the Presidential Decision \nDirective 63. PDD 63 was a requirement, ``for every department \nand agency of the Federal Government to be responsible for \nprotecting its own critical infrastructure.'' And then other \nagencies--I think this chart (Senator Bennett's) is a \nremarkable mapping of some of the responsibilities of the \ncoordination of agencies' responsibilities . . . 
had specific
tasks to coordinate with the private sector to ensure
continuity of communications, the Commerce Department; banking,
the Treasury Department; aviation and highways, Transportation
Department; emergency law enforcement, the FBI and Justice
Department; emergency fire service continuity of government,
FEMA; and so on and so on.
    There are also different entities within the Federal
Government to oversee this process, a Critical Infrastructure
Assurance Office that was out of the Commerce Department; the
National Security Agency; and OMB. (Again, I think this is a
remarkable chart that really is the media becomes the message.)
    I am proud of the collective efforts of the Inspectors
General for their role in helping their agencies as well as the
government, as a whole, build a strong protection of the
infrastructure. The NASA OIG on behalf of the PCIE and ECIE--
and those are the collective organizations by which the
Inspectors General meet to look at trans-governmental issues--
continues to look at agencies' implementation of PDD 63. And let
me just briefly summarize that it is a four-part review.
    The first part is complete. We looked at whether agencies
had adequate critical cyber plans, and this effort dovetails
the current effort of the IGs and their agencies under the
Government Information Security Reform Act, GISRA, in which this
Committee played a very important role. In fact, I was one of
the witnesses testifying in favor of the act when you proposed
its predecessor, S. 1993. We (the IGs) have all submitted our
agency and IG evaluations on September 10, and there will be an
effort by OMB to evaluate these reports. So we thank this
Committee's effort on this legislation.
I think the law gave a
focus that was needed by both the agencies and Inspectors
General that were not looking at this high-risk area.
    GISRA, as you know, the Government Information Security
Reform Act, reviews the management, implementation, and
evaluation of IT security. GISRA really does dovetail what we
were looking at with the PDD 63. We have a current and very
timely effort ongoing now with the Inspectors General on the
critical infrastructures, the identification, and the plans on
the physical planning and implementation. We are getting
preliminary results in, and we will have Phases III and IV--the
agencies are not only supposed to have plans, they are supposed
to implement the plans, because plans collect dust. And so
Phases III and IV for the Inspectors General will involve
making sure that the agency's plans are adequate and that they
are then implemented.
    So what did we find? We did find some good starts, but it
is an understatement to say more progress is needed. We found
in part that there is a misunderstanding as to the
applicability of PDD 63. Some agencies just didn't start
identifying their minimum essential infrastructure because they
didn't know the directive applied to them, despite reading the
directive that said ``every and each.'' And part of that was
because of the confusion as to who was in charge of
implementing PDD 63. One of the major players had indicated if
the agency was not listed in PDD 63 specifically as having a
part, it didn't have a part, even though every agency is
supposed to carry on its function and should, as an agency,
identify what it needs to do to carry on its function in an
essential manner.
    What else did we find? We found that even those agencies
that did have plans didn't necessarily identify all their
mission-essential structures. They had confusing definitions.
They had confusing performance plans.
And so that made it very
difficult.
    The current administration is going to issue further
guidance through an Executive Order on protecting the
infrastructure, and I am sure this body, as well as all of the
Senate and House oversight bodies, will be devoting attention
to what else needs to be done to make sure our critical
infrastructures are being protected.
    I do want to say that I was happy to hear Senator Levin say
that they are talking about the need for collection of
information and human intelligence. I think that the people
involved in security of our critical infrastructure believe
that is a true need. I think one of the things I also want to
point out--and I am sure that you have had hearings on this
before--is that the laws to detect cyber criminals and to
prosecute them are inadequate. In particular, there is not an
anti-trespassing statute, and not having that statute only
protects people who want to do ill against the cyber critical
infrastructures. You can have criminals come in ports that are
not used for normal communication, and the laws do not allow
law enforcement to ably protect these systems.
    So, in sum, important steps have been taken and important
steps continue to need to be taken to minimize attacks like
yesterday, to avoid unknown terrorist attacks, whether cyber or
physical. The IGs collectively and individually will be playing
a role to help the Congress, their agencies, and OMB, get this
Nation to a point where we are protecting all of our safety.
    Thank you very much.
    Chairman Lieberman. Thank you for that statement. I look
forward to asking you some questions.
    Mr. Willemssen, thanks for being here.

    TESTIMONY OF JOEL E. WILLEMSSEN,\1\ MANAGING DIRECTOR,
 INFORMATION TECHNOLOGY ISSUES, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Willemssen. Thank you, Mr. Chairman, Senators.
In view
of yesterday's tragic events, today's hearing I think reflects
the critical importance of protecting our infrastructures. As
requested, I am going to very briefly summarize our statement
on efforts to protect Federal agency information systems and
then, more broadly speaking, our Nation's critical computer-
dependent infrastructures.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Willemssen appears in the
Appendix on page 43.
---------------------------------------------------------------------------
    Overall, GAO's work continues to show that Federal agencies
have serious and widespread computer security weaknesses. These
weaknesses present substantial risks to Federal operations,
assets, and confidentiality. Because virtually all Federal
operations are supported by automated systems and electronic
data, the risks are very high and the breadth of the potential
impact is very wide. The risks cover areas as diverse as
taxpayer records, law enforcement, national defense, and a wide
range of benefit programs.
    While a number of factors have contributed to weak
information security at Federal agencies, we believe the key
underlying problem is ineffective program management. Computer
security legislation you introduced and which was enacted last
year can go a long way to addressing this underlying problem.
The legislation requires that both agency management and
Inspectors General annually evaluate information security
programs. OMB is due to receive the first reports from them
this week.
This new annual evaluation and reporting process is
an important mechanism, previously missing, to holding agencies
accountable for the effectiveness of their security programs.
    Beyond the risks with Federal agency systems, the Federal
Government has begun to address the threat of attacks on our
Nation's computer-dependent critical infrastructures, such as
electric power and telecommunications. The Presidential
Decision Directive, previously noted as PDD 63, outlined a
government-wide strategy to address this. A key element of that
strategy was establishing the FBI's National Infrastructure
Protection Center, or NIPC, as a focal point for gathering
information on threats and facilitating the Federal
Government's response to computer-based incidents.
    As we reported earlier this year, the NIPC has initiated
various efforts to carry out this responsibility. However, we
also found that the analytical and information-sharing
capabilities that were intended had not yet been achieved. We,
therefore, made numerous recommendations to the Assistant to
the President for National Security Affairs and the Attorney
General. These recommendations focused on more fully defining
the role and responsibilities of the NIPC, especially in view
of the many other organizations involved in critical
infrastructure protection. Also, our recommendations focused on
developing plans for establishing analysis and warning
capabilities and formalizing information-sharing relationships
with private sector and Federal agencies.
    In commenting on our report, the administration said that
it would consider these recommendations as it reviewed how
critical infrastructure protection functions should be
organized.
    That concludes a summary of my statement, and I would be
pleased to address any questions you may have. Thank you.
    Chairman Lieberman. Thank you both. I will begin.
We are
going to do 6-minute rounds, and we will keep going until
Members have asked as many questions as they want.
    Let me approach this through the Presidential Decision
Directive 63, whose issuance was, I take it from what you have
said, initiated or motivated by the terrorist attack at
Oklahoma City, the Federal building.
    Ms. Gross. Yes.
    Chairman Lieberman. So we have a real-life event, a tragic
event, a kind of precursor to what happened yesterday. And then
comes a study, the Presidential Directive. Am I correct? And,
incidentally, the directive covers both physical infrastructure
in the normal, traditional way in which we know it, and cyber
infrastructure in the new sense.
    I take it from the consensus of the IGs--and I will ask GAO
as well--that your judgment today is that the directive has
been inadequately implemented, and in that sense, our critical
infrastructure remains vulnerable.
    Ms. Gross. That is correct. I would have to agree with one
of the Senators--and I think it may have been Senator Levin--
that the United States is a strong, proud country, and when an
emergency happens--as opposed to when an IG or GAO does a
review . . . and we can find a lot of internal control problems
. . . when an emergency happens like we had yesterday, there is
a rallying in a way that, unfortunately, normally doesn't
occur. So, in many ways, I think that the agencies recently
were focusing hard on cooperating and coordinating.
    But I think one of the failures under PDD 63-designated
agencies and at each agency level, is what is the plan? What is
the plan for the unknowns? And who is in charge, and how will
that happen?
I think that one of the things we were surprised
at is for cyber, having gone through the year Y2K, is why
didn't agencies have plans in effect for minimum essential
infrastructure when, in fact, agencies could piggyback on their
Y2K because they were supposed to be identifying key systems--
they couldn't identify every system for Y2K compliance.
Agencies would identify critical systems.
    And if I even just look at the summary of the IG PDD 63
review comments from the different agencies, some of them said,
``no, vulnerability assessment work is in progress; no,
insufficient management attention to this level of detail'';
``no, maybe some vulnerability assessments but no remediation
plan because no funding''; ``no, cause is lack of control over
the various agencies''; ``not performed because of other IT
priorities.''
    The answers went on and on and on. It is hard to believe
minimum essential critical infrastructure is not a priority.
    Chairman Lieberman. That is your conclusion, that it still
remains that way?
    Ms. Gross. Yes. We are finding the same thing in the PDD 63
physical review. We are getting reports in from Inspectors
General. We have 8 out of 16 that are going to be participating
in this phase, and out of the 8, we have the same problems--
plans not done, mission-essential infrastructures not
identified, interdependencies not identified.
    Chairman Lieberman. What is happening? Why is this
happening? Are people not taking it seriously, or were they not
taking it seriously? Or was it not made a priority by the
leadership of the respective agencies?
    Ms. Gross. Yes, yes, and yes. I think that what happens is
everybody gets involved in programs. You see it at NASA. You
see it at probably every agency that GAO has looked at. We want
to get to Mars. We want to get the Space Station up. And what
happens--and budgets go down, budgets get flattened, civil
servants get flattened.
And so people get focused on mission,
and they forget about the infrastructure that supports the
mission.
    Low priorities become security, including IT security,
oftentimes oversight functions like contracting oversight.
Those are the kinds of things that look dispensable when you
want to get to the moon, you want to get to Mars, and missions
like that.
    And so what happens is we forget the history of the
Oklahoma bombing. We forget Lockerbie. Nobody is going to
forget yesterday, I think it was so massive. But what happens
is that then everybody stops putting attention on and a focus
on these issues, and these are the issues where, if you look
agency by agency, there is not the funding and there is not the
support.
    Chairman Lieberman. It is a very important point. I
mentioned before that we are beginning to use again the
terminology of ``a war against terrorism,'' and it is not bad
terminology if we understand it is a different kind of war. And
part of it is going to be fought here at home in areas that are
not normally involved in defense. But they are involved in
helping the government and the private sector protect the
critical infrastructure.
    Ms. Gross. That was a financially cheap attack for the
terrorists. I mean, if you think about yesterday's attack----
    Chairman Lieberman. Yesterday, with enormous consequences.
    Ms. Gross. With enormous consequences.
    Chairman Lieberman. And very costly, as my colleagues have
said.
    Ms. Gross. And so that we need to focus on--it is not cheap
for the cost to human life and re-creating it. And so we are
having to put some attentions where the kinds of wars are going
to be different, and they are going to be cheap for the other
sides.
    Chairman Lieberman. Right.
    Ms. Gross. And I put it as ``sides.''
    Chairman Lieberman. Yes. Mr.
Willemssen, let me ask you,
you mentioned the probability that the new administration will
be issuing a new Executive Order on this subject. Based on your
work, what do you think are the most important issues that
should be addressed? And I suppose that is another way of
asking what are the major weaknesses in our current approach to
infrastructure protection.
    Mr. Willemssen. Among the most critical issues is clearly
identifying roles and responsibilities of the players. I think
it is especially important for everyone to know who is exactly
in charge overall and then within particular sectors. When
players who are to some degree involved in critical
infrastructure protection see an organizational maze such as
that, (points to chart) it becomes very difficult to understand
and to coordinate all the activities associated with
infrastructure protection. So that is one especially critical
element.
    The second critical element is being in a position
strategically to understand the threat and warning capability.
That is not at this point from a cyber perspective where it
needs to be.
    Chairman Lieberman. Say a little more so I understand what
you mean.
    Mr. Willemssen. Well, let me contrast individual incidents
which occur and we are positioned to understand, OK, this
incident happened.
    Chairman Lieberman. So give me an example.
    Mr. Willemssen. An example would be the most recent Code
Red virus.
    Chairman Lieberman. OK.
    Mr. Willemssen. By stepping back and starting with each of
the key sectors that have been defined, the eight key ones,
first understanding what is the extent of the threat here,
where do we think we could possibly get hit, where are our risk
points. Second, what is the probability of those threats
materializing? And if they do, what kind of severity, what will
be the adverse impact on us?
Taking all that into
consideration, you then model a strategy to combat that.
    In some cases, if the threat is huge but the impact is nil,
you don't put a lot of effort into it. And, conversely, if you
have got a high threat and a high impact, then we need to make
sure that we are going to be protected.
    Chairman Lieberman. And thus far you haven't seen that kind
of thinking.
    Mr. Willemssen. Progress has been slow in that particular
area.
    Now, part of the challenge here in infrastructure
protection is this is a public-private partnership, and so the
Federal Government needs to work closely with the private
sector in moving forward and achieving the goal of having a
full operational capability by 2003. One of the key impediments
to getting there is that the private sector, for good reasons,
does not always want to share information related to threats,
what the risks may be, what kind of incidents have occurred in
the past, all the kind of information that can give us a sense
of where we stand strategically and where our risks are.
    Chairman Lieberman. It is a very important point. My time
is up, and if my colleagues don't get back to it, I will. I
thank you.
    Senator Thompson.
    Senator Thompson. Thank you very much, Mr. Chairman.
    I think, Ms. Gross, you are absolutely correct about the
different nature of the threat we face today and that the
threats may be cheap for the perpetrator and expensive for us
to deal with. However, I hope that we begin to spend less time
on trying to evaluate the probabilities in terms of these
threats and what we are most likely to be attacked by, because
we can't predict these things, anyway, and realize that as the
world's number one target, and likely to remain so, we have to
guard against all of these threats. And it is a matter of our
own priorities.
    You point out some familiar themes when addressing this
problem. One is management.
So many of the problems that this
Committee sees get back to the overall management issue. That
has to do with priorities and the squeaky wheel and so forth.
Unfortunately, it takes an event like yesterday sometimes to
really get our attention.
    We have a new administration, and every administration that
comes into office now is taking longer and longer and longer to
get its team together. So you have a National Security Adviser
who, from day one, is faced with the most serious national
security problems imaginable. And we expect her to kind of
supervise this whole thing and these minute details that we are
talking about here, totally unrealistic. So, it is multifaceted
in terms of dealing with it.
    I notice, Mr. Willemssen, one of the things that you
pointed out is a lack of methodology, even to analyze the
threats. How do we develop a methodology?
    Mr. Willemssen. One approach that we would suggest is
getting the top experts in the field who have experience in
this area reaching agreement on the methodology and then
essentially using that as an approved model to go forward.
    Senator Thompson. Why should that be so difficult? Why
should that take 3 years and we still do not have one?
    Mr. Willemssen. I wouldn't minimize the chart that Senator
Bennett placed up there----
    Senator Thompson. Senator Bennett's chart?
    Mr. Willemssen [continuing]. As a key factor in that, and,
second, the other issue I mentioned in this is a public-private
partnership. This is not something that the Federal Government
can simply mandate is going to be done.
    Senator Thompson. Yes, and our critical infrastructure is
in private hands for the most part, and it requires cooperation
in order to address it.
And yet you are asking private industry
to perhaps reveal some of their most sensitive information,
saying, ``We are from the government, we are here to help
you.'' And I don't see them doing that willingly under any
circumstances. How do we break through that fear and skepticism
on the part of private industry?
    Mr. Willemssen. Again, Senator Bennett is very familiar
with this, but there were some of those same concerns as we
went through the Y2K situation, and there was legislation
enacted to try to provide private entities some protection in
the event that they were sharing information. And I think in
retrospect that legislation turned out to be an outstanding
piece of legislation.
    Senator Thompson. That is a good analogy.
    Senator Bennett. Have I got a bill for you. [Laughter.]
    Senator Thompson. You also mentioned in your report
leadership vacancies. I alluded to how difficult it is becoming
to get an administration together. We are talking about over a
year now--a fourth of his term is over--before a President has
his team together. I take it that is certainly--these are not
high-profile positions, are they, that get a lot of attention
and a lot of appreciation in normal times, I take it? Is that
part of the problem?
    Mr. Willemssen. I would say up until yesterday, you are
correct, Senator.
    Senator Thompson. Well, again, hopefully we once again
identify the problem, and you certainly have done that. Both of
you have done excellent work in this area.
I was looking over
the GAO reports done for the Governmental Affairs Committee
just on information security alone, nine major reports that GAO
has done on this very issue.
    And lest we forget, what we are talking about, the CSIS did
a study in 1998 and reminded us that, using the tools of
information warfare, cyber terrorists can overload telephone
lines with special software, disrupt the operations of air
traffic control as well as shipping and railroad computers,
scramble the software used by major financial institutions,
hospitals, and other emergency services, alter by remote
control the formulas for medication at pharmaceutical plants,
change the pressure in gas pipelines to cause a valve failure,
sabotage the New York Stock Exchange, not to mention military
command and control.
    Finally, you have spoken favorably toward Senator
Lieberman's and my computer security law. It sunsets next
September. Because we were in negotiations with the House,
quite frankly, we had to accept a 2-year sunset. I hope that we
can count on your support to get past that sunset. Senator
Lieberman, that might be something we want to address right
away.
    Chairman Lieberman. Good idea.
    Mr. Willemssen. Yes, sir.
    Senator Thompson. Thank you very much.
    Chairman Lieberman. Thank you. Senator Dayton.
    Senator Dayton. Thank you, Mr. Chairman. Again, I want to
commend you and the Ranking Member and other Members of the
Committee who, for some time--years, in fact--have been delving
into these areas that we realized yesterday we cannot take so
much of what we take for granted for granted. And I also
certainly want to associate myself with the remarks of Senator
Thompson regarding the unbelievable and unacceptable length of
time it takes to fill an administration. I serve on the Armed
Services Committee.
I know Secretary Rumsfeld has opined on
that matter to us, and if the events of yesterday had occurred
2 months or 4 months after the President took office, and as
the Secretary said at the time, he was literally in that suite
of offices alone, it would have been even more overwhelming, I
would suspect, than it must have been yesterday. So I think
that would really be a very fitting subject for this Committee
to address and really try to assure that no subsequent
administration has to endure those kinds of delays.
    Again, my experience over the last 8 months has been
primarily on other committees, and in the Armed Services
Committee, in both public and private meetings and briefings,
no one portrayed a scenario that even approached what occurred
yesterday in terms of the threats of terrorist attacks and the
like. So, on the one hand, I don't want you to be unduly
alarmist. On the other hand, I think maybe we need to be more
alarmed than we are in these critical areas. And I wonder if
either of you or both of you individually would paint for us a
scenario of what a major, well-coordinated, highly
sophisticated assault on these systems might look like for our
country.
    Ms. Gross. I think we saw one yesterday.
    Senator Dayton. Well, yes, physical assault, and obviously,
that involved others, but in terms of----
    Ms. Gross. You could have it from the computer by having
massive denial of services, which hackers are able to do by
taking tools of the Internet, so that you can have hackers who
have terroristic motives using juveniles who think that this is
fun but they don't know they are being used.
You can also have
it be for individuals who see it as an opportunity for economic
espionage, and it is an opportunity to get either companies'
information, and so that you can have a coordinated--you can
have a mastermind by some terrorists who are using other
entities who don't even know they are being used, so that you
have viruses, Trojan horses, denial of services. You have tools
being implanted in critical systems, non-sensitive systems, so
that they will then be available for an attack later. Everybody
thinks it is all over, we finish with the Red virus, we finish
with the denial of services, yet they park their tools
basically at NASA's systems, at EPA's systems, and at other
systems, and they just wait then for another onslaught and
nobody is looking. You have systems administrators who haven't
been trained, who are having privileges for root access without
training. You have multiple people who have root access that
shouldn't have root access. You have common vulnerabilities.
And so the cyber terrorists have the tools there waiting for
the event to happen because we don't shut down no-cost, low-
cost vulnerabilities. It is waiting to happen.
    Senator Dayton. Mr. Willemssen.
    Mr. Willemssen. Yes, Senator, in addition to those kind of
risks which can focus on disruption or stoppage of operations,
which becomes especially critical when we are in a real-time
command and control environment, there are also the kinds of
risks that don't always attract as much attention, but they are
still important, and that is the inappropriate disclosure of
sensitive information.
    For example, in work we did after the 2000 filing season at
the Internal Revenue Service, we were able to penetrate their
systems and browse data. We could have changed the data if we
wanted to.
There are also those kind of impacts in terms of the
sensitivity of information, the disclosure of that information,
and also the ability to either change or modify or destroy that
data. So there are those associated impacts in addition to the
work disruptions, work stoppages.
    Senator Dayton. Maybe I didn't phrase my question
eloquently enough, but I just would leave for our future
consideration, I mean, what you both describe accurately are
akin to what I heard in other settings as individual terrorists
with a suitcase, a car, or whatever. What we saw yesterday was
something that in its scale and its sophistication and
coordination greatly exceeded at least anything I had heard
described as a possible scenario, and as a result I think
really overwhelmed our system because we in a sense hadn't
imagined how dastardly the deeds could be. And I would hope
that that is being done, and maybe akin to that--my time is
almost over--how do we prevent the invasion of one system, one
agency, or whatever, from being then the conduit to go to all
others, especially as these systems reap the advantages of
being more interconnected with one another?
    Ms. Gross. A layered approach, and they have got to be
starting--I mean, you had to start yesterday, but you have got
to certainly start now. If you don't have as one layer a bully
pulpit from the administrator of each agency, from OMB--and I
think GISRA will play an important part of it--a priority.
Employees have to hear it at every meeting. Layering requires
password controls, training, and software installed only for
desired uses. That is for the Federal Government control. There
is a whole side--again, when you talk about the public-private
partnership, why are private industries allowed to rush to the
market with vulnerabilities on the market? We are vulnerable.
They know better than we do. We find out about these
vulnerabilities.
The hackers find out and put them on their web
pages.
    But you have manufacturers rushing to put their software
out, and then agencies install the software on their systems
which later require ``patches.'' If you want to also talk about
the public-private partnership, the private sector has got to
be responsible because they are developing the software that we
use, by and large. Both the Executive Branch as well as the
Congress is asking more and more agencies to go use off-the-
shelf software. I saw that even--I think it is NSA, or NRC, I
can't remember which one--is going to use off-the-shelf
software.
    So if you want to talk about something that has to be paid
attention to, this off-the-shelf software cannot be coming to
the government and others with vulnerabilities. There have got
to be some warranties.
    Mr. Willemssen. Let me just add, Senator, the Inspector
General has talked about the protection side of computer
security, which is critically important, and we need to place a
lot of resources on that. One caveat to always keep in mind is
we can never provide absolute protection whenever we are
communicating electronically. That is why the other two legs of
what we refer to as a three-legged computer security stool are
especially important, not only protection but detection and
prosecution. Detection so that when somebody gets in
immediately, and you take prompt action, and then prosecution,
you have to go after the perpetrators.
    Senator Dayton. Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Dayton. I appreciate
your asking the witnesses to go forward and project how a cyber
attack might occur against us, because obviously we hold a
hearing like this to gauge how realistic these threats are so
that we will never have to look back and say, gee, we never
knew this was possible.
And, of course, the other part of it is
that ourselves, together with the Executive Branch and our IG
friends and the GAO, will motivate some action to protect us
from those threats.
    Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman.
    Mr. Willemssen, I didn't set you up as a straight man, but
I do have a bill patterned after the Y2K bill to deal with the
issue of disclosure between the government and the private
sector in circumstances that we have never had before. Go back
a decade, and there would never be any anticipation that we
would need private industry to explain to government agencies
what kind of attacks they are receiving and vice versa, sharing
of information. And I think the Freedom of Information Act,
which we amended with respect to Y2K and to which you referred,
has got to be amended again in this circumstance. And you are
nodding, but I will ask for the record the obvious question: Do
you agree that we need something of that kind?
    Mr. Willemssen. I agree that that would be a great
motivator to enable increased sharing of information between
the private and public sectors, which is absolutely critical.
    Senator Bennett. Now, you talk about the three-legged
stool. When we have had hearings on this subject in the Joint
Economic Committee, the witnesses have pointed out that part of
our problem is that we need to think strategically rather than
tactically. And tactically comes down basically to law
enforcement and prosecution after the fact. Thinking
strategically is asking the kinds of questions that have been
asked here of what could happen and what do we need to put in
place before the fact.
    One of the criticisms I have of PDD 63--and I repeat once
again, I applaud the Clinton Administration for the action that
they took in moving in that direction.
But we need to move \nmore.\n    One of the criticisms I have of PDD 63 is that it puts the \nprimary responsibility with the FBI and with people who have a \nlaw enforcement mentality. If you have a law enforcement \nmentality, you wait until a crime is committed, and then you go \nlook for the bad guys, arrest them, and haul them to jail.\n    In this circumstance, we can't wait for the crime to be \ncommitted, and for that reason, I think the FBI and the \nDepartment of Justice is not the right place to have the \nprimary domestic responsibility. I think we have to do the \nkinds of things which were hinted at in your testimony, almost \na red team/blue team approach of let's take a red team into the \nDepartment of Commerce and see how easy it is to break in and \nsee what kinds of chain reaction can be established.\n    Again, I have used this example where an IT supervisor in \nhis company suddenly discovered that someone was in, and so he \nhacks back to find out who it is and finds himself at root \nlevel, which means he owns the system of a Canadian company. He \ncalls the company on the telephone and says, I am at root level \nin your computers, which means I can do all the things you were \ndescribing, Mr. Willemssen. I can change your passwords. I can \nsteal your data. I can scramble the data so that you can give \nfalse instructions. I can do whatever I want. Are you aware \nthat you are being used as a conduit to get into me? And the \nCanadians were unaware that their computers had been used in \nthat fashion. They were very grateful for the phone call.\n    But the fact is that under existing law, the American could \nbe sent to jail for having gotten into the Canadian computer to \nthat degree. 
So a strategic analysis of what do we have to do \nto protect ourselves has to trump a law enforcement attitude \nthat says, well, we don't care what you did to protect \nyourself, but under this law you broke the law.\n    Now, the Canadians obviously did not seek to prosecute. \nThey were very grateful that this man helped them understand \ntheir own vulnerability.\n    Could you address that whole general question of what kinds \nof strategic moves you would recommend, red team/blue team \napproach or anything else, as to how we might build a strategic \nattitude and then we go to work on the chart? Once we have the \nattitude and the vision where we want to go, then we move the \nboxes around on the chart as to who does what?\n    Mr. Willemssen. Yes, I would like to address that. We found \nourselves at GAO with a similar predicament a few years ago of \ntrying to be in a position of convincing agencies that they \nreally needed to do a better job of protecting their key \nassets. In response to that, we elected to develop our own \ninternal capability to penetrate systems, our own white-hatted \nhackers, so to speak, that we have used over the last couple of \nyears at selected agencies and continue to use.\n    This approach has been very effective at demonstrating that \nwe can get in, we can see this data, we can change the data.\n    The most recent department where we did that was at several \nbureaus at the Department of Commerce where we got in. We had \nroot access. We were able to view a lot of very sensitive data. \nAnd, again, consistent with what you mentioned, in most cases \nDepartment officials didn't know we were there.\n    Now, when you share that kind of information with senior \nmanagement, it does tend to be an eye-opener. And so I would \nconcur with your approach on the red team/blue team. 
It is a \nvery effective approach for getting top management focused on \nthe issue and for them to understand there are some real \nthreats here.\n    Ms. Gross. I think yes and no. I mean, I think your red \nteam/blue team is a very important effort. NASA was one of the \nagencies that GAO had reviewed but didn't use their own \nintrusion resources. I think they used another Federal agency \nfor NASA. They successfully got into a mission-critical or a \nvery critical system at one of the centers that we always call \nthe Center of Excellence for Intrusions, and that center still \nhas problems. NASA, to its credit, has come a long way in \ndoing policies and procedures. It is also hiring its own \npenetration testers. As part of the Chief Financial Officer's \naudit, penetration testing is going on.\n    You got to keep bucking up that attention. GAO is only so \nbig. We were talking about the assets they have for doing this. \nNone of us have enough assets. I think you had a focus from the \nGISR Act that is going to expire, but this is the first time \nthat OMB is going to get reports from every agency. The \nagencies are going to give their opinion, and the IGs are going \nto give their opinion. There is no hiding. The agency may say, \nhey, everything is great, Pollyanna. And the IGs may say \neverything is horrible. And maybe the truth is somewhere on one \nside or the other.\n    But OMB is going to have to grapple with every agency, and each \nagency's IG is learning how to do IT oversight better. You \ndon't want to let that heat go off. You don't want to rely on \nGAO. They will cover us again maybe in the next 5 years. And, \nOK, we will have a hearing, probably before this Committee or \nanother committee, and you will get NASA's attention, and we \nwill come up with more policies and procedures. And you know \nwhat? We are still going to have vulnerabilities.\n    It is hard to make it risk-free. That is not the problem. 
\nBut it has to be a kind of attention where the government is \nsaying, Hey, we really do care.\n    I read to you earlier what was coming on our review from \nthe PDD 63 for agencies on their mission-essential \ninfrastructures on their cyber plans: Lower priority, not \nenough money, didn't know it applied to us. They should have \nbeen able to just roll over the Y2K information.\n    So, I think it is not merely just red team/blue team. You \nare going to have to keep a focus. I think sustained government \noversight is a real key tool.\n    Chairman Lieberman. Thanks very much, Senator Bennett.\n    I was reminded by Mr. Willemssen's answer to one of your \nquestions about how they got the attention of the agency. \nUnfortunately, the folks from @stake, Inc. could not be here \ntoday.\\1\\ They are part of a group we had here some years ago, \nwhen they were with another organization called the Lopht, \nwhich was a kind of think tank. They got out of that business \nbecause they were able to hack their way into major corporate \ncomputer systems to inform the management of vulnerabilities, \nand then offer these companies help gratis. But the capacity to \ndo damage here, as you both said--and your tests prove--is very \nreal.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of @stake, Inc. appears in the Appendix \non page 78.\n---------------------------------------------------------------------------\n    Senator Bunning.\n    Senator Bunning. Thank you, Senator.\n    I would like to just ask Ms. Gross, are you telling this \nCommittee that the agencies of the Federal Government have this \nimportant project at the bottom of the list?\n    Ms. Gross. Well, they had--some of them had PDD 63, which \nwas a Presidential decision----\n    Senator Bunning. Yes, I understand that.\n    Ms. Gross. We are----\n    Senator Bunning. 
I am talking about generally now, of all \nof the agencies of the Federal Government that deal with \ncritical information on computers.\n    Ms. Gross. Oh, all, I wouldn't say all. I think it has been \na real low priority for a number of years. When the GAO was \ndoing its exit conference for NASA and they reported the \nabsence of the layers of protection an agency is supposed to \nhave, that is, policies, procedures, education, intrusion \ndetection, your own penetration studies--components needed to \nhave a security program. At the end of the conference, one of \nthe managers turned to the GAO person and said, ``Do you have \nany good news for us?'' And they said, ``Yes, the good news is \nat least you are one of the agencies that has an awareness you \nhave a problem.'' When they go----\n    Senator Bunning. That is the attitude?\n    Ms. Gross. We had awareness, partially because we had been \ndoing work and then they started doing some of their own work. \nBut what the GAO was saying is that other agencies were denying \nthey even had a problem.\n    Senator Bunning. OK.\n    Ms. Gross. I think people are becoming more sophisticated \nabout the problem.\n    Senator Bunning. Sometimes there are very simple remedies \nto some of these problems, and I would ask Mr. Willemssen, you \nmentioned weakness as a result of some agencies not even \ndeleting accounts and passwords of people who are no longer \nemployed or change passwords. Now, how hard is that?\n    Mr. Willemssen. It is not hard at all. It is a matter----\n    Senator Bunning. We do it in our office, and our office \nhappens to be connected to the Senate office, but we change \npasswords on a monthly or bimonthly basis and do a lot of other \nthings.\n    You mean to tell me that when someone leaves NASA, for \ninstance, that you don't delete the password or you don't \ndelete entrance to that----\n    Ms. Gross. Not always. We have audits that show that. Not \nalways.\n    Senator Bunning. 
That is unbelievable.\n    Ms. Gross. It is. Those are low-cost, no-cost kinds of \nremedies. When we are talking about not enough money, why \nagencies can't do things, there are a lot of low-cost, no-cost \nsolutions, and fixing 90 percent of the vulnerabilities is low-\ncost, no-cost. It is a matter of attention, starting from the \ntop. It is using the bully pulpit by each agency administrator \nand department head that IT security is what they expect from \neach program manager. CIO's need to tell their agency heads if \nthey don't have an education program. For example, one of the \nthings that upsets me about NASA's program, we haven't trained \nour systems administrators. They have a metric on evaluating \nthe training for systems administrators. They are the front-line \npeople that manage and have root access to your systems. They \nhave metrics on the civil servant system administrators, which \nthey are tracking, though most of our systems administrators \nare contractors. It was in the low percentages as to the number \nof people who received the training.\n    Now, part of that is because the training components had \nnot been finished, and that is for various and sundry reasons. \nBut part of it was they didn't even have the money or staff.\n    Senator Bunning. Well, but if you have a systems \nadministrator, they ought to know who does and who doesn't work, and \nthey could automatically delete access to the system when a \nperson leaves.\n    Ms. Gross. There has to be a communication between the \nsystems administrator and the program people. Sometimes the \nsystem administrator is just--it could be a scientist doing a \nprogram. I mean, the system administrator is not necessarily----\n    Senator Bunning. I am talking about the people that are in \ncharge of the computer system. You can call them whatever you \nwant to call them.\n    Ms. Gross. Should it be easy? Yes. Should there be an easy \nsystem? Yes.\n    Senator Bunning. 
What about the kids that hack for fun, \nthat are hired for, unfortunately, bad things? They could have \nassisted in getting access to these aircraft by making \nreservations, by doing whatever is done to get a hijacker onto \nan aircraft, not knowing what was going to happen. Why can't we \nget those people?\n    Ms. Gross. That is a good question. I think the Justice \nDepartment is starting a program that needs to be a major \neducation effort. The government needs to get into the high \nschools and into the junior highs.\n    In my written testimony is one of the cases where both \ninternational and national activity were involved. A hacker \nfrom Israel was mentoring juveniles who were breaking into DOT \nsystems--excuse me, DOD, the Department of Defense systems. And \nthey thought that this was just a lark on their part. They were \nnot intending to----\n    Senator Bunning. How good they were that they could do all \nthis.\n    Ms. Gross. Yes. We don't know the full intent of what the \nhacker from Israel was, but, nevertheless, these were juveniles \nwho think they are just on a lark and being smart, who were \nbeing used by and mentored and cultivated by somebody else. \nYour question is an important question. It is an important \neducation process for the government to get into the high \nschools, to get into the junior highs, because sometimes adults \nuse juveniles. It is just like what happened in the war on \ndrugs where you have a minimum mandatory sentences for drug \ncouriers in the District of Columbia, which I am very familiar \nwith as a DC resident and I used to be with the Office of the \nCorporation Counsel. As soon as the city had a minimum \nmandatory sentence for adults for drugs, drug addicts used \njuveniles because for juveniles it wouldn't be a real sentence, \nthey wouldn't be criminals. 
They would remain in the juvenile \nsystem.\n    And so you will have people who will be motivated to use \njuveniles because nothing will happen to the juveniles. And \nthey won't know they are even being used. Your question is a \nkey one, and I think that needs to be grappled with.\n    Senator Bunning. Thank you, Mr. Chairman.\n    Chairman Lieberman. Thank you, Senator Bunning. Thank you \nvery much. I share your sense of outrage and disbelief, and \nhopefully we can generate some reactions here.\n    Did I see Senator Carper? If not, for the moment I will \nproceed with another round of questions.\n    I want to go to the private sector involvement here. Maybe \nfirst I would just ask this question by way of setting the \nscene, the landscape. We distinguish traditionally between \nphysical and cyberspace infrastructure. But Senator Bunning's \nquestion regarding the suggestion that it is quite possible \nthat the terrorists yesterday had to--in this case, it probably \nwas a fairly simple action--penetrate some or at least use \ncomputers to determine flight schedules and gain access to \nthem. Is it fair to say that there has been a kind of melding \nin our time of both physical and cyberspace infrastructure that \nto get today at the physical infrastructure, whether we are \ntalking about a power grid or financial services networks or \ntransportation, that you really are probably going to end up, \nin whole or in part, also in cyberspace?\n    Ms. Gross. I think that was the philosophy behind PDD 63, \nis that the whole interrelatedness of our infrastructures, the \ncritical infrastructures, could be shut down through a cyber \nattack. How interrelated we are, from a physical attack, is \nclear: who could get through yesterday to New York? Even \ncommunication through some of the networks got shut down \nbecause of what was happening. The world between the network \nsystems and the physical systems is so interrelated. 
We have a \nvery efficient world, and we can do lots of work, and our \neconomy was so strong, in part, because we are such a networked \neconomy. But because we are interrelated, we are also \nvulnerable.\n    Chairman Lieberman. OK. So let's ask about the private \nsector now because, as we said before, a lot of what we are \ndescribing--we have been talking a lot about what the \ngovernment has done with our systems, but a lot of what we are \ndescribing--utilities, transportation, financial services, the \nrest--are private.\n    Give us a very brief overview of what the Presidential \nDecision Directive 63 asks of the private sector. How is it \nperforming? And what more should we ask of it? In other words, \nMr. Willemssen has referred a few times to the public-private \npartnership here. Is there a genuine working partnership going \non?\n    Ms. Gross. I would say on the education level universities \nare working--but, a simple answer is no, there is not really a \npublic-private partnership. I think that Senator Bennett is \ncorrect. We are going to have to talk about legislation and \nwhat is it that we need to motivate this partnership.\n    Some of what happened yesterday is going a long way to \nmotivate a partnership because the most vulnerable group was \ncertainly in many ways the private sector. And the private \nsector is absolutely depending on the public sector for its \nrescue, and that is FEMA, FBI, Justice, Energy, all these \nentities are coming to help the private sector. So that is \ngoing to help cooperation.\n    But I think you are going to have to find the motivations \nfor partnership. They are working on these partnerships for \neducation. Universities are talking about being centers of \nexcellence for IT security or for IT. The government is talking \nabout forgiving loans. IT is setting up centers of excellence. 
\nBut the university community is more used to working with the \ngovernment.\n    Again, I go back to an earlier remark: it is important, you \nhave to make sure that companies are not allowed to put known \nvulnerabilities into the market. But in terms of sharing those \nvulnerabilities, you have to talk about what is going to create \nincentives. Some of those are going to be carrots and some of \nthose are going to be sticks. And I don't think we know.\n    Chairman Lieberman. Is it fair to say that a business may \nhave some evidence that it has been attacked?\n    Ms. Gross. Yes.\n    Chairman Lieberman. And it is a very interesting and \ndifficult question as to what is the point at which that \nbusiness should feel a responsibility. Should we require by law \nthat it report that to government? Because it may, of course, \nbe the beginning of a more broad-scale attack on a critical \ninfrastructure, a utility, an airline, a bank, the Federal \nReserve--well, a bank. Let's stick with that. What is happening \non that front now? I will get you in on this, Mr. Willemssen, \ntoo.\n    Ms. Gross. Well, that is the $64,000 question in many ways. \nI mean, you have the FedCIRC--you have a number of entities \nwhere both the private and the public do participate in sharing \ninformation. It is not a law enforcement model. And I think \nthat it bothers a number of entities to have that law \nenforcement model. I have a very strong cyber group, of which I \nam very proud, for criminal prosecutions. But, in part to deter \nbad acts, we do press releases, companies get publicity. \nIntrusions become known.\n    Chairman Lieberman. And a lot of businesses don't want that \nto happen.\n    Ms. Gross. Absolutely not.\n    Chairman Lieberman. Even though they may be the first line \nof what is a larger attack on infrastructure.\n    Ms. Gross. Yes. 
Some are becoming more courageous about it \nbecause they want to deter, they want to say we care and we \nwill prosecute, so that they won't be held up. This is a very \nsensitive issue. If you say to people we are going to prosecute \nyou, too, and you are not going to embarrass us, then you can't \nhold up people, for----\n    Chairman Lieberman. Mr. Willemssen, why don't you talk a \nlittle bit on this subject? Because my sense is from what I \nhave heard so far that the partnership, at least at the \ndefensive level, between the public and public sectors is not--\nthere is not much happening there.\n    Mr. Willemssen. It is mixed, and one way to look at it \ninstructively is to take each sector individually because \ndifferent sectors are at different stages of maturity in the \nextent to which they share information.\n    Chairman Lieberman. Which are better and which are worse, \nwould you say?\n    Mr. Willemssen. For example, when we ended our work on \nNIPC, the two areas which had established information-sharing \nand analysis centers were in the electricity area and in the \nfinancial services area. Those information-sharing and analysis \ncenters, or ISACs, are your mechanisms for determining, OK, \nwhat are we all going to agree to share? What are the \nthresholds going to be when an attack occurs?\n    Chairman Lieberman. And at what point, right?\n    Mr. Willemssen. And so these are very important mechanisms \nto try to pull together.\n    Now, some of the sectors are further ahead. For example, in \nthe electricity area, you have the North American Electric \nReliability Council. That already is a very good group of \nbringing everybody together. They like to partner. They have to \npartner. And so that has worked fairly successfully. 
Some of \nthe other sectors are going to take some time.\n    I think from an oversight perspective, part of what you may \nwant to look at is the particular lead agencies for those eight \ncritical infrastructures and where are those lead agencies in \nhelping to make sure that this gets done.\n    Chairman Lieberman. In other words, the lead governmental \nagencies related to those sectors of our infrastructure.\n    Mr. Willemssen. Yes, sir.\n    Chairman Lieberman. Which are largely private.\n    Mr. Willemssen. Yes, sir. And so if you were looking at \nSenator Bennett's chart, it would be on the right-hand side \nwhere it says ``Lead agency,'' and then the ones going down, \neach of those has a lead for one of those eight critical \ninfrastructures.\n    Chairman Lieberman. OK. Thank you. That is a big part of \nthe problem. Again, because they are not here, I will just take \na moment--our two witnesses from @stake, Inc. who were going to \nbe here--to read very briefly from the testimony they prepared \nfor today. These are the former hackers who now are consultants \nat a digital security consulting and engineering firm: ``It \nmust be remembered that the mandate for these companies is to \ndrive shareholder return, not to secure critical \ninfrastructure. Today @stake, Inc.'s client base views security \nas a sunk cost, largely a product of information technology \narchitecture and associated spending. Security is viewed as a \ncost borne to mitigate risks that may negatively impact the \ncorporate mandate of generating shareholder return.''\n    I am going to stop there. Senator Bennett, do you have a \nmoment for me to call on Senator Carper?\n    Senator Bennett. By all means.\n    Chairman Lieberman. Senator Carper, welcome.\n\n              OPENING STATEMENT OF SENATOR CARPER\n\n    Senator Carper. Thank you, Mr. Chairman. 
Thank you for \ncalling this hearing, and I am pleased, in spite of the tragic \nevents of yesterday that continue to unfold, that we are having \nthis hearing. I think it is appropriate that we do express our \nthanks to our witnesses as well.\n    I apologize for arriving a bit late. I have a question that \nI would like to pose. When one arrives a bit late at a hearing, \nyou don't know how many people have asked the same question so \nI would ask you to bear with me, if you would.\n    But I understand that there are some segments of our \ninfrastructure which have done a better job than others in \nterms of providing the kind of security that we need in this \nday and age. There are others where there is some work to be \ndone. And I would ask you just to again reiterate for us where \nyou think some of the better work has been done and to mention \nseveral of the areas where we have our work still cut out for \nus.\n    Mr. Willemssen. I would say, Senator, that the banking and \nfinance area is probably one of the more mature in its \nunderstanding of security risks and----\n    Senator Carper. They have a lot at stake, so I could see \nthat.\n    Mr. Willemssen [continuing]. Need for protection. I would \nsay that is probably near the top of the list in terms of the \nevidence we have seen.\n    Senator Carper. In terms of being particularly well \nprepared or better prepared than other segments?\n    Mr. Willemssen. Well, prepared from a protection \nperspective and a detection perspective, so that when they are \npenetrated--again, speaking very generally--they know it fairly \nquickly and take action.\n    Senator Carper. What other segments of our private sector \nare maybe better prepared than others, and where are some that \nwe might need to----\n    Mr. Willemssen. 
Again, I think the area of electric power \nhas the advantage of a very strong organization, coordinating \norganization, North American Electric Reliability Council, \nwhich has served very well. I mean, obviously, all the members \nof that must work together, given the resources that we are \ntalking about. So that is another one that you can point to, to \nsome degree. Again, speaking generally.\n    Senator Carper. What are a couple where we have our work \ncut out for us?\n    Mr. Willemssen. Well, I would say if you look at some of \nthe other critical sectors, I would say a lot of work remains \nto be done in public health, especially as we continue to \nincreasingly share medical data electronically. I think that is \nan area that will continue to require some attention.\n    I think the transportation area is hard to generalize. You \nkind of have to go by mode of transportation. But, again, that \nis an area that also will require more focus.\n    Senator Carper. What advice do you have for this Committee \nand for the Senate?\n    Mr. Willemssen. The advice I would have is on a couple \nlevels. First, we should think of our Federal agencies as \nsetting a good example, I think, for the rest of the country, \nand that is why I continue to think that the legislation that \nwas put in last year that is requiring these reports is an \nopportunity for the Senate to provide oversight and hold these \nagencies accountable for how well they are doing. And then, \nsecond, speaking more broadly on critical infrastructure \nprotection, I think also the opportunity is there for you to \nprovide oversight of those lead agencies for the critical \ninfrastructures to inquire of them where they stand in reaching \nagreements with the private sector in making their ISACs, their \ninformation-sharing and analysis centers, a reality. 
And then \nto the extent that they aren't there yet, asking for some \nmilestones and some tasks and then, again, holding them \naccountable to those.\n    Senator Carper. Legislation has been introduced by our \nchairman and his immediate predecessor, Senator Thompson, that \nI would welcome your comments on, if you would.\n    Mr. Willemssen. Well, among the items in the legislation \nthat we strongly support is the need for the Federal chief \ninformation officer setting the standards and the stage for the \nFederal Government on exactly who is in charge of information \ntechnology overall, including information security. I think the \nlegislation has a number of other key elements that are \nespecially important in the security area, in the area of e-\ngovernment that we have got to start looking at providing \nservices more from an electronic perspective, pursuant to \nexisting law.\n    Ms. Gross. If you look at the analogy with the Y2K, no \nagency head had any doubt that they were going to be held \nresponsible if there was a failure. John Koskinen was a focal \npoint appointed by the President as his adviser. He went both \nto the private sector and to the public sector. He went to \nagencies, he went to CIO's as well as agency IGs to find out if \nthere were going to be problems. There were quarterly reports \nthat went to OMB. There were reports by Congress.\n    There is nobody that had a doubt that this country was \ncommitted to making sure that when the new millennium happened \nwe were not going to crash with all of our systems. And it \ndidn't happen. There was a priority that was clear. It was the \nNation's priority, from the Executive Branch to the Congress to \nprogram managers. 
And you need to have that kind of same \npriority, bully pulpit at all levels, and believability that \nthere will be no--that nobody wants to have the failure and \nthat everybody believes that it is an agency priority, it is a \nCongress priority, and it is an Executive Branch priority.\n    Senator Carper. Thank you. One last question. Reflecting on \nwhat occurred in America yesterday and realizing that you may \nnot be an expert in this area, what lessons do you think we \nhave learned as far as transportation security goes?\n    Mr. Willemssen. A difficult question to address. I wish I \nknew more information about the effort yesterday.\n    I think one item that was mentioned earlier that is worth \nnoting is that the demarcation between physical and cyber is \nbecoming less clear. And so I think as the investigation \nproceeds on the events of yesterday, it will be worth noting, \nif there were any automated means which provided expedited \ntools to provide the perpetrators with an easier effort than \notherwise would have been the case, I think that is something \nthat should be noted as the investigations go forward.\n    Chairman Lieberman. Do you mean to gain access to flight \ninformation? How did you mean anything that might have given \nthe perpetrators----\n    Mr. Willemssen. Any tools that they could have used \nelectronically that in the past may not have been there in \nterms of getting flight information, information on who is \ngoing to be on the flight, when it is taking off, when it is \nlanding, any delays. To the extent that those are there today \nthat they didn't used to be, and if it turns out those were \nmajor tools, I think that is worth noting.\n    Senator Carper. 
I'm just thinking out loud now, but to the \nextent that there are people whom our intelligence officials \nknow to be a possible threat to our country, and to the extent \nthat they travel in our country, it would be helpful if we had \nthe ability to know when they are moving, especially if they \nare moving in aircraft, obviously. That is something that we \nmight want to be mindful of going forward, far more in the \nfuture than we have been in the past. Also, one of the things \nthat struck me, aircraft as they fly, commercial and military \nand others, they carry equipment on the plane, transponders, \nwhich controllers can communicate with to find out the altitude \nof the aircraft, the direction of the aircraft, the speed of \nthe aircraft, the identification of the aircraft, and pilots \nhave the ability to trigger from the aircraft an automatic \nsignal that would indicate to anyone who is interrogating them \nfrom the ground whether there is a hijacking underway. One of \nthe things we will be interested to find out is to what extent \nthat technology could have been used by the pilots to alert \nsomeone else that there was an emergency.\n    We have heard of the several telephone calls, cell phone \ncalls that were made from the aircraft, but I have not yet \nheard how that might have been used as a tool by the air crew \nto alert others that something was awry.\n    Again, Mr. Chairman, thank you for holding this hearing and \nfor letting me join you.\n    Chairman Lieberman. Thanks, Senator Carper. Those were very \ngood questions and good points.\n    I would say to you that I spoke to David Walker, the \nComptroller General, yesterday and Mr. Willemssen has focused \non the matters to which he has testified and done so very ably. 
\nThere are others at GAO who are focused on the security of air \ntraffic systems and airport security, and I haven't had a \nchance to talk to Senator Thompson about this, but it might be \nthat we would want soon, in the aftermath of yesterday, to call \nthem in and see what their years of experience and reports, \nsome of which were referenced in the newspapers this morning, \ntell us about what we can do after yesterday to protect \nourselves in the future.\n    Mr. Willemssen. I would just add, Senator, I do have with \nme the Managing Director of GAO who is responsible for that \narea in the event questions on that come up at today's hearing.\n    Chairman Lieberman. I appreciate that you did that. I think \nwe will probably want to do that soon and focus on it \nseparately at a hearing. Senator Bennett.\n    Senator Bennett. Thank you, Mr. Chairman.\n    Ms. Gross, again, we didn't coordinate in advance, but you \nare a great straight person.\n    Chairman Lieberman. I am beginning to have doubts about \nthis.\n    Senator Bennett. Your references to Y2K and John Koskinen, \nI can't resist. As John was leaving government service, he and \nI talked, as we did every week through the whole Y2K \nexperience. John and I talked every Wednesday afternoon, and I \ntold him what we were doing here, and he told me what he was \ndoing there. And we did our best to coordinate all of our \nefforts. He said, ``I understand you are now interested in \ncritical infrastructure protection, and you are going to push \nthe Congress on that issue.'' And I said, ``Yes, I am.'' And he \nsaid, ``I think that is very important, and I congratulate you \nand applaud your efforts, and you will do it without me.'' \n[Laughter.]\n    Senator Bennett. He said, ``I am going to go back into the \nprivate sector. I am through with this business. 
And I wish you \nwell, but I am not going to be involved.''\n    There were some in the Clinton Administration that wanted \nhim to be the CIO for the entire government, and he turned that \ndown.\n    Ms. Gross. He is working with the public sector still. You \nmay know that he is working with the District of Columbia \nGovernment. He can't resist public work.\n    Senator Bennett. He is an excellent public servant, and I \nthoroughly enjoyed my association with him.\n    But back to--as long as I am telling anecdotes--your \nreference to some people thinking of this in terms of sunk \ncost, and it is something we have to do, but we are not going \nto get any return on our investment. And that was exactly the \nattitude with Y2K. Everything we spent on Y2K is technically a \nwaste of money because there will be no return on it at all; \ntherefore, we need to spend as little as possible.\n    Looking back on it, we can say that was not true, that the \namount of money spent on Y2K, yes, portions of it were sunk \ncosts, but a large portion of it had a tremendous benefit. And \nAlan Greenspan has said to me, ``I think the untold story of \nY2K has been the upgrading of America's computer capability in \nthe name of Y2K remediation that, in fact, produced a \ntremendous technological leap for which we will reap benefits \nfor the years to come.''\n    So if we follow the Koskinen model, as you suggest, of \nhaving someone constantly reminding the head of the agency that \nthis is his or her responsibility--this is not the CIO's \nresponsibility. This is not the IT people's responsibility. \nThis is the secretary's responsibility. This is the \nadministrator's responsibility. And John would have that \nexperience. He would go to an agency, and they would say, \n``Well, you have come to fix Y2K,'' and he would say, ``No, I \nhaven't. You have to fix Y2K. 
I have come to monitor your \nefforts and report your efforts.''\n    If we can get that going in the government, we will have \nthe same response.\n    Now, I have asked GAO through my hat on the Joint Economic \nCommittee for a report that is due October 15. Mr. Willemssen, \nI would assume you are involved in helping put that together. \nCan you give us any sense of whether we are going to be ready \nby October 15?\n    Mr. Willemssen. You will have a report on October 15, yes, \nsir.\n    Senator Bennett. OK. I like----\n    Chairman Lieberman. That is the right answer.\n    Senator Bennett. I like that.\n    Now, mention has been made here about the Executive Order \nthat is going to be issued. I have seen a copy of it. I assume \nthe Chairman has as well. One of the things about that that I \nthink we ought to focus on, Mr. Chairman, is the need for the \nability of the Chairman of this effort to be able to testify \nbefore Congress. When we were talking about witnesses here, \nthis was kind of a gray area, and the attitude was, well, it is \nthe position of the White House that members of the White House \nstaff don't testify. John Koskinen got around that because even \nthough his title was Assistant to the President, the entire \noffice was funded by the GSA. And, therefore, he was \ntechnically a GSA employee, regardless of what his title was. 
\nAnd, of course, if anybody has oversight over GSA, it is this \nCommittee.\n    So I have had that conversation with people in the \nadministration and said you ought to arrange it in such a way \nas to make it possible for the individual who is appointed as \nthe chair of that effort within the administration to be able \nto come to the Congress, it will have a very beneficial effect \non the relationships with the Congress.\n    So, simply reacting to your questions, I don't have a \nfurther question, but as I say, I love what you are saying \nbecause it coincides with the positions that I have taken.\n    Thank you, Mr. Chairman.\n    Chairman Lieberman. Thank you, Senator Bennett. It is \nreally great to have you involved in this based on all your \nexperience with Y2K and all your other experience.\n    One of my staff members, just in response to what you said \nbefore about the possible use of automated systems in \nyesterday's tragedy, tells me that this morning on one of the \nnetworks there was an expert here saying that the precision \nwith which the pilots hit the World Trade Center could have \nonly been achieved through a computer system that allowed the \npilots to input the exact coordinates of the World Trade Center \nand to have done so within a very short time of taking over the \ncockpit. This is hearsay, but it validates the point you raised \nin response to Senator Carper's question.\n    Senator Bennett. If I could, Mr. Chairman, another piece of \nhearsay in response to Senator Carper, the plane that crashed \npresumably on the way to either Camp David or the Capitol had \nthe transponder turned off manually in the cockpit. And, again, \nback to the point--this has nothing to do with the hearing, but \nyou raised it and I think we ought to close the loop on it. \nTurning off the transponder that allows the air traffic \ncontroller to track the airplane is not an easy thing to do and \nit is not an obvious switch to find. 
So whoever did turn it off \nwas well trained in cockpit procedures.\n    Chairman Lieberman. One last question, going back to \nsomething you said very early in your testimony, Ms. Gross, \nthat I was fascinated by but didn't understand was the possible \ndesirability of laws to stop intrusions over cyberspace. Just \ndevelop that a bit more. You were talking about foreign \nintrusions, that is, intrusions that originate from abroad.\n    Ms. Gross. Well, you never know exactly where they \noriginate, but wherever they originate, once they come into the \nUnited States, there are a number of ports. Many of those ports \nare used for E-mail. They are used for other kinds of activity \nthat is the normal use. But there are all these ports that are \nused, for example, for the system to test its own health. It is \nnot a communication mechanism.\n    Intruders come into those ports. They are called high \nports. Those ports you can't banner and say, hey, this is a \ngovernment computer, if you come in here we will monitor your \nkeystrokes and stuff. Coming in the high port is like somebody \ncoming in--instead of coming in your front door where people \nring the bell and come in, is to come in through your chimney. \nWell, that is not a normal access route. These high ports are \nnot normal access routes. The only ones that come in there are \npeople that are going to do felonious activity. And yet it is \nnot against the law for that to happen. There is not an anti-\ntrespass act.\n    Chairman Lieberman. Anti-trespass, OK. Understood.\n    Ms. Gross. Yes. And that is a key bill. It has been talked \nabout. The Department of Justice has talked about it. It has \nbeen proposed. I think that the FBI is pretty adamant on its \nneed. It is one of the most crippling omissions for law \nenforcement being able to do both the detection and the \nprosecution from a law enforcement point of view. High ports \nare used by hackers that are domestic and foreign. 
In our cases \nthat we have seen where it looks like they have been coming in \nthrough various countries internationally, it is through those \nhigh ports. And the difficulty that we have in law enforcement, \nnot system administrators, is there is no anti-trespass rule. \nIt is a trespass for somebody to come into your house, and we \ndon't have that law in cyberspace. And the laws have got to \ncatch up with the 21st Century--the 20th Century, but now we \nare into the 21st Century.\n    Chairman Lieberman. Yes, well said. I understand and \nappreciate it.\n    Senator Carper. Just to follow up on that, you said it has \nbeen proposed but not enacted.\n    Ms. Gross. Yes.\n    Senator Carper. Has legislation been introduced in this \nCongress?\n    Ms. Gross. It was introduced, I think, yes, in the DOD \nbill, just like GISRA was, the Government Information Security \nReform Act. And I believe it got taken out.\n    Senator Carper. Say that again? I am sorry.\n    Ms. Gross. It was taken out of the defense authorization. I \nthink Justice had been proposing it. It was winding its way \nthrough the Executive Branch and I don't believe they actually \nproposed it. It then became introduced in the Defense bill, and \nit never made it to the floor for final action.\n    There is no agency in law enforcement--there is uniform \nagreement. This is a key bill. You cannot talk to anybody in \nlaw enforcement that doesn't agree with that.\n    Senator Carper. Would this be a good bill for Senators \nLieberman, Bennett, and Carper to introduce?\n    Ms. Gross. Absolutely.\n    Chairman Lieberman. Let's do it.\n    Ms. Gross. We liked GISRA.\n    Chairman Lieberman. Are you sure that one wasn't \ncoordinated, too? No, it sounds like a great idea. We should \nwork together on it.\n    Thank you both. You have been superb, very thoughtful, \nsubstantive witnesses on a most pressing matter. 
I thank you \nand I would adjourn the hearing at this point.\n    [Whereupon, at 1 p.m., the Committee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n[GRAPHIC] [TIFF OMITTED] T6799.001 through T6799.055 (55 appendix pages supplied only as images in the printed edition)\n\n</pre></body></html>\n"