[Senate Hearing 107-258]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 107-258
 
          CRITICAL INFRASTRUCTURE PROTECTION: WHO'S IN CHARGE?
=======================================================================



                                HEARING

                               before the

                              COMMITTEE ON
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION
                               __________

                            OCTOBER 4, 2001
                               __________

      Printed for the use of the Committee on Governmental Affairs





                     U.S. GOVERNMENT PRINTING OFFICE
77-434                       WASHINGTON : 2002
________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001







                   COMMITTEE ON GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 FRED THOMPSON, Tennessee
DANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska
RICHARD J. DURBIN, Illinois          SUSAN M. COLLINS, Maine
ROBERT G. TORRICELLI, New Jersey     GEORGE V. VOINOVICH, Ohio
MAX CLELAND, Georgia                 PETE V. DOMENICI, New Mexico
THOMAS R. CARPER, Delaware           THAD COCHRAN, Mississippi
JEAN CARNAHAN, Missouri              ROBERT F. BENNETT, Utah
MARK DAYTON, Minnesota               JIM BUNNING, Kentucky
           Joyce A. Rechtschaffen, Staff Director and Counsel
             Kiersten Todt Coon, Professional Staff Member
         Hannah S. Sistare, Minority Staff Director and Counsel
                Ellen B. Brown, Minority Senior Counsel
                    Robert J. Shea, Minority Counsel
         Morgan P. Muchnick, Minority Professional Staff Member
                     Darla D. Cassell, Chief Clerk






                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Cleland..............................................     1
    Senator Thompson.............................................     2
    Senator Carnahan.............................................     4
    Senator Collins..............................................     5
    Senator Bennett..............................................     6
    Senator Voinovich............................................     7
    Senator Domenici.............................................    21
Prepared statement:
    Senator Bunning..............................................    41

                               WITNESSES
                       Thursday, October 4, 2001

John S. Tritak, Director, Critical Infrastructure Assurance 
  Office, Bureau of Export Administration, U.S. Department of 
  Commerce.......................................................     9
Ronald L. Dick, Director, National Infrastructure Protection 
  Center, Federal Bureau of Investigation........................    11
Sallie McDonald, Assistant Commissioner, Office of Information 
  Assurance and Critical Infrastructure Protection, U.S. General 
  Services Administration........................................    13
Jamie S. Gorelick, Vice Chair, Fannie Mae........................    23
Joseph P. Nacchio, Chairman and Chief Executive Officer, Qwest 
  Communications International, Inc..............................    25
Frank J. Cilluffo, Co-chairman, Cyber Threats Task Force, 
  Homeland Defense Project, Center for Strategic and 
  International Studies..........................................    27
Kenneth C. Watson, President, Partnership for Critical 
  Infrastructure Security (PCIS).................................    30

                     Alphabetical List of Witnesses

Cilluffo, Frank J.:
    Testimony....................................................    27
    Prepared statement...........................................    83
Dick, Ronald L.:
    Testimony....................................................    11
    Prepared statement...........................................    52
Gorelick, Jamie S.:
    Testimony....................................................    23
    Prepared statement...........................................    70
McDonald, Sallie:
    Testimony....................................................    13
    Prepared statement...........................................    61
Nacchio, Joseph P.:
    Testimony....................................................    25
    Prepared statement...........................................    76
Tritak, John S.:
    Testimony....................................................     9
    Prepared statement...........................................    42
Watson, Kenneth C.:
    Testimony....................................................    30
    Prepared statement with attachments..........................    98










          CRITICAL INFRASTRUCTURE PROTECTION: WHO'S IN CHARGE?

                              ----------                              


                       THURSDAY, OCTOBER 4, 2001

                                       U.S. Senate,
                         Committee on Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 9:35 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Max Cleland, 
presiding.
    Members present: Senators Cleland, Carnahan, Thompson, 
Collins, Bennett, Voinovich, and Dominici.

              OPENING STATEMENT OF SENATOR CLELAND

    Senator Cleland [presiding]. At the request of Senator 
Lieberman, who must be out of town today to attend a funeral, I 
am chairing today's hearing on critical infrastructure 
protection. I appreciate this opportunity to examine who in the 
public and private sector is responsible for ensuring the 
protection of our Nation's infrastructure. This is the second 
hearing held by Senator Lieberman and the Committee in our 
continuing series on the security of our Nation's critical 
infrastructure and the vulnerability of the country's 
financial, transportation, and communications networks, also 
our utilities, our public health system, law enforcement, and 
emergency systems, and others. As you can tell infrastructure 
covers just about everything of value in our country.
    Prior to the September 11 terrorist attacks the 
Governmental Affairs Committee has been actually diligent in 
its examination of the responsibilities of Federal agency heads 
for developing and implementing security programs. In fact, the 
computer security law, enacted during the 106th Congress, 
requires Federal agencies to upgrade their practices and 
procedures in order to protect government information systems 
from cyber attack. However, since the attacks on Washington and 
New York City, we have learned that there is still much to be 
done to protect the Nation's critical infrastructure.
    The terrorist attacks provide evidence that physical 
assaults can cause severe disruptions in the service and 
delivery of goods and products, triggering ripple effects 
throughout the Nation's economy, and more importantly damaging 
the faith of the people in the viability of the day-to-day 
functioning of the country. Nothing affects Americans more than 
the disruption of the Nation's transportation, communications, 
banking, finance, and utilities systems. The country's critical 
infrastructures are growing increasingly complex, relying on 
computers and computer networks to operate efficiently and 
reliably.
    The growing complexity and the interconnectedness resulting 
from networking means that a disruption in one win may lead to 
disruptions in others. Therefore, President Clinton established 
the President's Commission on Critical Infrastructure 
Protection in July 1996. In 1997, this organization released 
its report and recommended that greater cooperation and 
communication between the private sector and the public sector 
is needed in order to decrease the vulnerability of the 
Nation's infrastructures, which led to their President's 
release of Presidential Decision Directive 63.
    In May 1998, President Clinton released this directive, 
which sets up groups within the Federal Government to develop 
and implement plans that would protect government-operated 
infrastructures and calls for a dialogue between government and 
the private sector to develop a national infrastructure 
assurance plan that would protect the Nation's critical 
infrastructures by the year 2003. This Presidential decision 
memorandum identified 12 areas critical to the functioning of 
the country: Information and communications; banking and 
finance; water supply; transportation; emergency law 
enforcement; emergency fire service; emergency medicine; 
electric power; oil and gas supply and distribution; law 
enforcement and internal security; intelligence; foreign 
affairs; and national defense, just about everything you can 
think of.
    The directive required each Federal agency to secure its 
own critical infrastructure and to identify a chief officer to 
assume that responsibility. The directive also established 
several new offices to oversee and coordinate critical 
infrastructure protection. One was a national coordinator 
designated to ensure that a national plan was developed. The 
coordinator would be supported by a critical infrastructure 
assurance office, to be located in the Export Administration of 
the Department of Commerce.
    The directive also created a joint FBI and private sector 
office, the National Infrastructure Protection Center, which 
serves as a focal point for Federal threat assessment, 
vulnerability analysis, early-warning capability, law-
enforcement investigations and response coordination. NIPC is 
also the private sector point of contact for information 
sharing. Finally, the directive recommended that we have the 
capacity and the capability to detect and respond to cyber 
attacks while they are in progress. The Federal Computer 
Incident Response Center gives agencies the tools to detect and 
respond to such attacks, and it coordinates response and 
detection information.
    We are fortunate today to have several witnesses who will 
present their views on the status of the Nation's critical 
infrastructures, and offer their recommendations on protecting 
public and private systems from outside attacks.
    Senator Thompson, would you like to make any opening 
remarks.

             OPENING STATEMENT OF SENATOR THOMPSON

    Senator Thompson. Thank you, Mr. Chairman, just very 
briefly. I think this is certainly a timely hearing. I think we 
all appreciate now the vulnerability that we have had for a 
long time, and one that we have discussed in this Committee and 
others on very many occasions, certainly including cyber 
security and the problems we have with computer security, and 
so forth. Of course, that was the background for Senator 
Lieberman and I introducing the Government Information Security 
Act.
    I think that we are now looking at all these threats 
through different glasses. Today we are probably going to 
emphasize, perhaps, one particular issue a little more than 
others, and that is the cyber threat. Now we are all familiar, 
all of a sudden, with the threats of biological elements, 
chemical, certainly nuclear, certainly conventional 
combinations of all the above, and in addition to that is the 
cyber threat, which many people think would precede any major 
conflict that we had with a major power.
    Of course, we now know that in this modern age of 
technology, you do not need to have a major nation-state or a 
national power in order to create grave problems for us. So now 
that we have our attention focused after all this time, we are 
thinking about rearranging the boxes again and creating new 
laws and new offices, and trying to fit all the stuff that is 
out there together. Of course, Governor Ridge's appointment, I 
think, is a good step. But within his bailiwick, as I 
understand it, will be an Office of Cyber Security.
    You have Presidential Decision Directive 63, which 
addressed the same general problem of cyber security. The GAO 
has indicated that has not done very well, in terms of what it 
was designed to do and the offices that it set up. Now we have 
a new proposed executive order that is not with us yet that 
will address all of this. We have got the question of what is 
OMB's role going to be in all of this, since they have 
responsibility for computer security, and then we have got to 
ask ourselves how does all this relate to the private sector, 
as Senator Bennett spent a lot of time on and has legislation 
on, because we know that most of our critical infrastructure is 
basically in private hands.
    So we have got real big organizational issues on the table 
to deal with. To me, I think it gets down to a pretty simple 
proposition, it is going to require leadership, authority at 
the top, and leadership, and accountability. Maybe we can learn 
from our past experience with other government agencies and 
other crises and things of that nature, and not make the same 
mistakes as we go about trying to rearrange these boxes and 
decide who reports to who and who has what authority.
    Maybe we will take the lessons we learned from our other 
management problems. In particular, the government basically 
cannot manage large projects very well. We are told time and 
time and time again by GAO, by the inspectors general, all the 
reports that we have seen in terms of our problems with regard 
to financial management. For example, billions and billions of 
dollars in waste, fraud, and abuse.
    We are told that we cannot manage large information 
systems. We have spent billions and billions of dollars, money 
down the drain basically, in trying to get computers to talk to 
one another. This is a government-wide problem and we think 
that we are going to come in here and efficiently set this 
particular thing up and it is going to work well, when nothing 
else--well, that is an overstatement, of course--but so many 
things are producing billions of dollars of waste, fraud, and 
abuse every year. The same agencies come before us every year 
on the high-risk list, subject to waste, fraud, and abuse, for 
a decade, but we are going to pull this out and set the boxes 
right, and then go on about our business the way we did before; 
we have solved that problem. Well, it isn't going to happen 
that way unless we have what we have been lacking for years and 
years and years, and that is leadership from the top on these 
issues, with the right person having the right authority, and 
accountability when it does not work.
    We are very good at setting up plans and goals, and 
terrible at implementing them. So I do not want to start out 
this optimistic exercise on a sour note, but I think it is 
important to understand that we have got a bigger job than 
probably what we realize in trying to cut through this morass 
that we always find ourselves in when we try to solve a 
problem. And it is especially important here because of the 
nature of the problem. So, hopefully, today we can get some 
ideas as to who ought to do what, where the responsibility 
lies.
    I defy anybody to tell us today where the responsibility 
lies for any of this, but maybe we can talk about where it 
should lie and where we should go, the direction we should go 
in, and I think for that reason it will be a useful exercise.
    Thank you, Mr. Chairman.
    Senator Cleland. Thank you, Senator Thompson. We will allow 
everyone to make an opening statement, if they wish.
    Senator Carnahan, would you like to make an opening 
statement?

             OPENING STATEMENT OF SENATOR CARNAHAN

    Senator Carnahan. Thank you, Mr. Chairman. Terrorists did 
not want to bring down just our buildings. They wanted to bring 
down our economy. They wanted to bring down our military and 
our financial and political infrastructure as well. Our losses 
are incalculable and far-reaching. Still we must face a stark 
reality: It could have been worse. Now this Congress, alongside 
the President, must take the lead to ensure we are prepared for 
the future. I applaud the Chairman for addressing these issues 
with this series of hearings. When we talk about critical 
infrastructure, we are talking about American families and 
their ability to have a quality life.
    This means freedom to travel; it means freedom to make a 
living; and it means freedom to conduct business without fear 
of terrorism. It means having the peace of mind that your 
government is doing all that it can to protect you and your 
children. Grim experience has taught us that terrorist attacks 
know no boundaries. The ripple effect is extensive. The 
emotional trauma is long-lasting, and the economic impact is 
real and widespread. We are all affected, and all of us must be 
part of the Nation's defense against further attacks.
    As the witnesses will discuss today, there are difficulties 
in creating a unified system to protect our national 
infrastructure, because control of the different components 
rests with different entities. On the most basic level, there 
is a division between what the government owns and operates 
versus what the private sector owns and operates, but the issue 
is really much more complex. We live in a global, computerized, 
and interconnected world. Technological changes have led to 
great opportunities for human progress, but they have also 
created vulnerabilities that did not exist even 5 years ago.
    Securing our critical infrastructure from cyber attacks, 
which could be launched from anywhere, is a tremendous 
challenge for both government and industry. I look forward to 
hearing from the witnesses today and learning from their 
expertise. I want to hear their suggestions on what more needs 
to be done. The question being raised today, who is in charge 
of protecting our national infrastructure, needs to be answered 
as soon as possible. We cannot afford to wait for another 
attack.
    Thank you, Mr. Chairman.
    Senator Cleland. Thank you, Senator Carnahan. Senator 
Collins.

              OPENING STATEMENT OF SENATOR COLLINS

    Senator Collins. Thank you very much, Mr. Chairman, for 
convening this important hearing. It would be hard to imagine a 
more current topic for a hearing than the one that we have 
before us today on the question of who is in charge of 
protecting the critical infrastructure of our Nation. Until the 
terrorist attacks of September 11, in fact, most Americans 
probably never fully realized the importance of this issue. 
Tragically, however our eyes are all too open now.
    As I have talked with my constituents throughout Maine 
during the past 2\1/2\ weeks, the question of our vulnerability 
to attack--to various kinds of attacks--and who is in charge 
and who is coordinating it all has come up repeatedly. This 
morning, I did early morning radio, back in Maine, and one of 
the questions was who is coordinating if we have a biological 
or chemical attack? Another constituent asked me what about our 
ports? What about if we have a big tanker that is full of 
liquefied gas coming in? What about the computer systems that 
are so critical to our commerce and to our government?
    The answer to the question of who is in charge seems to be, 
``Nobody is quite sure.'' Less than 2 weeks ago, this Committee 
heard compelling testimony from the distinguished chairmen of 
two commissions appointed to study this Nation's security, 
former Senators Gary Hart and Warren Rudman, and Governor James 
Gilmore of Virginia eloquently expressed their unanimous, but 
unfortunate, conclusion that, as a Nation, we are simply not 
properly prepared to defend our critical resources.
    If we were poorly prepared for the challenges we thought we 
faced before the terrible events of September 11, we must 
surely realize that we are woefully unready now. It seems clear 
that the protection of our critical infrastructure still 
consists largely of a smorgasbord of independently-run and 
poorly-coordinated programs across the breadth of the Federal 
system. President Bush took an important step when he took 
office in focusing the National Security Council upon terrorism 
issues and appointing Vice President Cheney to head a task 
force to develop better ways to respond to catastrophic 
disasters.
    As the Hart-Rudman Commission and the Gilmore Commission 
made clear, however, and as recent events have so tragically 
underlined, it is necessary to do even more. We, in America, 
have long been blessed by being spared most of the traumas of 
terrorist attacks that became far too familiar to Europeans in 
the 1970's, and have been a tragic part of Israeli life for 
decades. It should be clear, however, that we can no longer 
afford to attempt to protect our critical infrastructures 
without clear lines of authority and accountability, and 
without being able to answer readily and precisely the question 
of who is in charge.
    The difficult, but crucial question now, of course, is who 
should be in charge and of what? In other words, we must ask 
who should be in charge at what level, with what specific 
responsibilities and resources, and with what means of ensuring 
accountability? And that is why I believe this series of 
hearings is such an important contribution to the national 
dialogue of protecting our infrastructure and of winning the 
battle against terrorism. I am very eager to hear the testimony 
of our witnesses today, and I want to thank the Chairman and 
the Ranking Member for their leadership on this issue. Thank 
you, Mr. Chairman.
    Senator Cleland. Thank you very much, Senator Collins. 
Senator Bennett.

              OPENING STATEMENT OF SENATOR BENNETT

    Senator Bennett. Thank you, Mr. Chairman. I appreciate the 
hearing and I appreciate the opportunity for us to examine 
these issues, and the point I want to make with respect to the 
challenge that we face is that it is seamless. The networks do 
not begin and end at any particularly defined place. But the 
efficiency that comes out of the information revolution that we 
live in has brought with it an increased vulnerability, and the 
two are two sides of the same coin.
    If you go back in American history to George Washington's 
time, there was little or no connection, let us say, between 
Charleston and Boston, between Virginia and Massachusetts, or 
New York, whatever. It was a 7-day journey to travel from one 
major metropolitan area, if you could call it that, to another. 
Today, we go around the world with information, money, deals, 
negotiations, etc., literately with the speed of light. There 
are no boundaries in today's economy. The borderless economy is 
a reality, and those who want to take down the Americans who 
are the best at playing this particular game have 
vulnerabilities virtually everywhere in the system.
    The seamlessness is part of our efficiency. It is also part 
of our vulnerability, and I got introduced to this whole thing 
when we got into the Y2K issue and discovered that 
seamlessness, for me, for the first time. I am interested that 
the emergency people in New York, who handled all the 
difficulties after the World Trade Center was hit, have said to 
Senator Dodd, who has repeated it to me, we could not have 
handled this emergency if we had not done the remediation 
required with respect to Y2K.
    Prior to the Y2K remediation, they were in the stovepipe 
mentality, a computer here, a computer there, a system 
someplace else. Y2K caused them to look at it in horizontal 
terms, and they praised Senator Dodd for his work, I think 
appropriately, on Y2K awareness and remediation, because it 
addressed this problem. We are now, in the terrorist world, 
simply looking at a situation where this same vulnerability 
that we identified with Y2K, if the computer should fail by 
accident, now what do we do if the computers fail on purpose, 
not our purpose, but somebody else's purpose who wants to break 
into this infrastructure and cripple us?
    So we need to do what we did with respect to Y2K, address 
the stovepipes, look at this in a strategic manner and say how 
is the entire system to be protected? As Senator Thompson has 
said, the majority of the ownership of the entire system is in 
private hands, not government hands, which is why I have 
introduced a bill to increase the flow of information between 
the government and the private sector, back and forth, so that 
each one can understand in this seamless situation what is 
going on in their particular part of the world.
    So I think homeland security and critical infrastructure 
protection can come down to two words: Interagency 
coordination. Now, if that sounds too bureaucratic, think of 
interagency as including private agencies, but coordination of 
information, coordination of protection activities, 
coordination of understanding so that we do not go around with 
the attitude, ``Well, there is no hole in my end of the boat, 
so I do not need to worry about sinking.'' With this boat, a 
hole anywhere hurts us all, and this is an issue that is going 
to be with us for a long, long time. We are just beginning to 
understand it. That is why this hearing and others like it are 
very worthwhile, because it adds to this continually-building 
layer of understanding, awareness, and, we hope, solutions to 
this problem.
    We cannot go back. We cannot say, ``Let us leave the 
computer age and go back to paper and dial telephones.'' We are 
in the Internet age. We are in the electronic age, whether we 
want to be or not, and we simply have to learn to live with 
that new vulnerability. Thank you, Mr. Chairman.
    Senator Cleland. Thank you, Senator Bennett. Senator 
Voinovich.

             OPENING STATEMENT OF SENATOR VOINOVICH

    Senator Voinovich. Thank you, Mr. Chairman. I thank 
Chairman Lieberman for calling this hearing this morning, and 
although he is not able to be with us, we are in good hands 
with our Chairman pro tem. Today's hearing focuses on the 
protection of our Nation's infrastructure, an aspect of our 
society that most Americans tend to take for granted. America's 
water and sewer systems, computer, roads and bridges, and 
banking networks, they are all things that most Americans use 
on a daily basis, but rarely give more than a passing thought.
    The events of September 11, however, have changed our way 
of thinking forever. Americans are now actually aware of how 
vulnerable our infrastructure systems and physical surroundings 
can be. That is why it is so critical that we work to protect 
that infrastructure. This hearing will give us an opportunity 
to examine how we allocate the responsibility of getting the 
job done. I would like to just say at this time, Mr. Chairman, 
that we are having all of these hearings about the various 
threats we face, but we are not discussing the human capital 
crisis confronting the Federal Government, which is also a 
threat. Our witnesses will be talking to us today about all 
kinds of things that need to be done, but the real issue is, do 
you have the people in your respective agencies with the 
qualifications that you need to get the job done?
    From my observation of studying this human capital crisis 
for the last 2 years, we are in very bad shape today. Many 
people are unaware of the fact that by 2005, about 80 percent 
of our Senior Executive Service can retire. Van Harp, a senior 
FBI agent here in Washington who used to live and work in 
Cleveland told me that, ``I'm running my shop with people that 
are ready to go out the door.'' And so as we talk about all of 
these things that need to be undertaken, Mr. Chairman, we had 
better be aware of the fact that our No. 1 threat is the crisis 
that we have in our human capital.
    As a former Mayor and Governor, I am very much aware of the 
water, sewers, and other infrastructure that we have in this 
country. I have to say that even without terrorists, our sewer 
and water systems in this country are vulnerable because of 
aging. With the new mandates coming out of Washington today, in 
my State, for example, sewer rates, and water rates are going 
up 100 percent. If we are going to do some of the things that 
we are talking about to protect them, it is going to be costly. 
And it seems to me, Mr. Chairman, that one of the things that 
is missing here in Washington today is that we are not 
prioritizing the expenditure of dollars.
    Some of the things that I think are high on people's agenda 
in terms of spending are much less important than some of the 
infrastructure needs that we confront here in our Nation.
    So I will be very interested to hear from you in terms of 
the cyber problem. I would say this: I remember how worried we 
were about Y2K. Do you remember? And we were wringing our hands 
and we were worried, could we get the job done and is 
everything going to fall apart? Senator Bennett, who is very 
familiar with this area, was very much involved in that, but we 
got the job done, didn't we? But we did not get it done without 
making it a major priority in terms of personnel and the 
expenditure of money, and that is what it is going to take if 
we are going to protect our infrastructure from this new threat 
of terrorism.
    Thank you, Mr. Chairman.
    Senator Cleland. Thank you, Senator Voinovich. Wonderful 
comments by all the Members of the Committee here. Thank you 
very much for your participation. I will say as a member of the 
Armed Services Committee, 1 week before the attacks, as we were 
marking up the defense authorization bill, I personally asked 
Senator Pat Roberts, who had been the Chairman of the Emerging 
Threat Subcommittee, and Senator Mary Landrieu, who is now the 
Chairman of the Emerging Threat Subcommittee, what they thought 
was the most probable attack on the United States, where we 
were most vulnerable. Both agreed that No. 1--a terrorist 
attack below the radar screen, stealth in nature, either 
biological or chemical, primarily biological and then cyber 
attack.
    So on the Armed Services Committee, we have been gathering 
data and information for at least a couple of years now that 
certainly point to a cyber attack as one of the top two or 
three attacks that could come via terrorist means on this 
country.
    We would like to welcome all of you. Today's first panel 
consists of public sector witnesses who represent three of the 
primary offices created by the Presidential directive. The 
Committee will hear from John Tritak, Director of the Critical 
Infrastructure Assurance Office in the Bureau of Export 
Administration at the U.S. Department of Commerce; Ronald Dick, 
Director of the National Infrastructure Protection Center; and 
Sallie McDonald, Director of the Federal Computer Incident 
Response Center.
    Thank you all for joining us here. Before you begin, just 
some rules of the road here. Just let me mention to you that 
your full statement will be entered into the hearing record. 
You can have an opportunity to make a short statement and you 
will be subject to a time limit, according to Committee rules. 
Once the light turns from green to yellow, you will have about 
a minute to wrap up before the red light appears. If you do not 
stop then, we will make you an air marshal out at National. 
Thank you for coming.
    Tell us a little bit about youselves, and what you do, and 
some of your thoughts on the subject. But, before I turn you 
loose, let me just say I have been here in the Senate almost a 
full term now and on this Committee for well over 5 years. I 
had no idea you all existed. So please tell us who you are and 
where you came from and what you do.
    Mr. Tritak, do you want to start off?

      TESTIMONY OF JOHN S. TRITAK,\1\ DIRECTOR, CRITICAL 
       INFRASTRUCTURE ASSURANCE OFFICE, BUREAU OF EXPORT 
          ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE

    Mr. Tritak. Thank you, Senator, Chairman, and Members of 
the Committee. I welcome this opportunity, truly, to be here 
before you. We generally feel obligated to say that we applaud 
your leadership on various issues. It is almost a canonical 
thing you need to say, but, in this case it is absolutely true. 
I want to add to the remark that was made earlier that this 
hearing, in fact, was supposed to happen before the attack--it 
was scheduled before the attack, and underscores the fact that 
this Committee recognizes there is a real need to address the 
challenges to our critical infrastructures.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Tritak appears in the Appendix on 
page 42.
---------------------------------------------------------------------------
    As was indicated in the opening remarks by a number of 
Senators, we basically have been guided by PDD 63 for about 3 
years, and that Directive was created based on recommendations 
of an interagency group as well as a Presidential commission. 
Jamie Gorelick, who will be appearing in the next panel, was 
actually leading that interagency process. So this goes back to 
the mid-1990's, in terms of the concerns. It created, as you 
indicated, three organizations, a number of organizations; 
myself at CIAO, Ron Dick over at the FBI, and Sallie McDonald 
over at FedCIRC. Needless to say, after 3 years, we were ripe 
for review, a thorough review in terms of the policies that 
were established under PDD 63, and frankly, to take a look at 
the organizational setup of the Federal Government to determine 
where fixes and improvements could be made.
    After 3 years of experience and being in the trenches, if 
we could not come up with improvements, we really are not doing 
our job. And President Bush said as much in May of this year, 
in which he directed that the critical infrastructure policy be 
thoroughly reviewed with a view towards figuring out ways to 
improve the organization of the Federal Government to better 
deal with and address the concerns of this issue, which are 
extremely complex, as you have all indicated.
    He also announced that he wanted, under the directorship of 
my office, the Critical Infrastructure Assurance Office, to 
begin to prepare a national plan or strategy to be developed 
with industry, to develop a consensus in this country, through 
a document that would be used to inform and make aware and 
educate on what the problems of critical infrastructure are and 
what the respective roles and responsibilities of government 
and industry are in addressing the problem. We all speak about 
this as a critical infrastructure protection program. If I had 
it my way, I would strike the word ``protection'' and say it is 
critical infrastructure ``assurance''--for the simple reason 
that what we are really worried about here is the assured 
delivery of vital services over our Nation's critical 
infrastructures. Those services are provided by both physical- 
and cyber-based assets.
    Increasingly, those infrastructures are being restructured 
and are increasingly dependent upon information systems and 
networks--not just to support their business, but to operate 
their assets. They are also becoming more interdependent, so 
that disruptions in one sector can actually affect other 
sectors, as well. What we learned about September 11, if 
nothing else, is now there are at least some groups whose 
purpose and goal is to undermine our way of life. They will 
exploit vulnerabilities wherever they can find them. We had 
some horrific examples of that back on September 11. I suspect 
they are not going to stop there.
    If they can find and exploit the vulnerabilities of 
cyberspace, they are going to do so. So it is incumbent upon 
our government to deal with that problem and work closely with 
private industry in order to do it. As indicated before, 
President Bush had inaugurated a thorough review of government 
structure and government policy, and frankly, we were very 
close to completing that. In fact, at the time that the 
original hearing was going to take place we were close to 
finishing that review. Then the horrific events of September 11 
intervened--and what we are working on now, and I expect that 
the review will be completed fairly soon, is recognition that 
this is not just about infrastructure protection, it is about 
homeland security, of which the infrastructures themselves are 
but a component part.
    So what we are trying to do now is identify how and in what 
ways we can improve, both organizationally and in policy, to 
address the new issues when, in fact--and I will be quite 
candid, since one of the roles of my office is to raise 
awareness, to draw the various sectors together and identify 
common problems across those sectors to involve other sectors 
of the economy, like the risk management community, the 
insurers, the auditing community, the people who influence the 
corporate leaders--is that we had to emphasize the business 
case as a way of moving forward. The national security case, in 
many cases, but not all, but many cases, is simply not self-
executing in the market.
    It seemed too remote to affect day-to-day business 
decisions and investments in security. That is not to say 
people did not take it seriously, but they had to be able to 
justify those kinds of expenditures against their bottom line--
and shareholders and investors who have a whole lot of other 
things on their minds. Well, September 11 has just frankly 
changed all of that. I do not think anyone doubts anymore what 
the needs and importance of investing in infrastructure 
security, and particularly taking into account now what needs 
to be done that was not done before September 11 when we got 
our wake-up call.
    So I would say that one of our jobs at the CIAO is to work 
toward developing a national strategy, working with Ron Dick, 
who is the operational side of PDD 63--with my organization 
learning more about the policy-support side--is to address 
those issues. And what I expect to happen in the fairly near 
term is for the President to be able to provide a much more 
comprehensive statement about how homeland security will be 
prosecuted and how the critical infrastructure dimension of 
that fits into this overall effort.
    Thank you for the opportunity to appear here today, 
Senator, and I look forward to your comments.
    Senator Cleland. Thank you, Mr. Tritak.
    Mr. Dick, tell us a little bit about youself, and what you 
do.

      TESTIMONY OF RONALD L. DICK,\1\ DIRECTOR, NATIONAL 
      INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF 
                         INVESTIGATION

    Mr. Dick. Good morning, Senator Cleland and other Members 
of the Committee. Thank you for this opportunity to discuss our 
government's important and continuing challenges with respect 
to critical infrastructure protection. In my written statement 
I address our role in protecting the Nation's critical 
infrastructures and how we coordinate with other organizations, 
both public and private. Last week, while appearing before a 
subcommittee of House Government Reform, I heard compelling 
testimony from Mark Seton, who is the vice president with the 
New York Mercantile Exchange and an eyewitness to the attacks 
on the World Trade Center.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Dick appears in the Appendix on 
page 52.
---------------------------------------------------------------------------
    Although the computer systems and records of the exchange 
survived the attack, their communications, transportation, and 
power systems were devastated. Working through contacts in 
their emergency plans, the exchange opened 3 days after the 
attack, helping to stabilize energy markets both here and 
abroad. In this case, diesel generators provided the power, 
boats provided the transportation, law-enforcement officials 
and first-responders provided the secure environment. The 
telephone company provided new lines. His experience proves 
three things: How our Nation's various infrastructures are 
interdependent and vulnerable; how an entity that organizes for 
an emergency and plans for redundancy can operationally survive 
a major attack; and how the private sector, working with 
Federal, State and local agencies, can succeed in mitigating 
the damage in a time of crisis.
    The mission of the NIPC is to deter and prevent malicious 
acts by detecting, warning of, responding to, and investigating 
threats to our critical infrastructures. It is the only 
organization in the Federal Government with such a 
comprehensive national infrastructure protection mission. The 
NIPC gathers together under one roof representatives from, 
among others, the law enforcement, intelligence and defense 
communities, which collectively provide a unique analytical 
deterrent and response perspective to threat and incident 
information obtained from investigations, intelligence 
collection, foreign liaison, and private sector cooperation.
    This perspective ensures that no single community addresses 
threats to critical infrastructures in a vacuum; rather all 
information is examined from a multidisciplinary perspective 
for potential impact as a security, defense, 
counterintelligence, terrorist, or law-enforcement manner, and 
an appropriate response that reflects these issues is 
coordinated by decisionmakers. While developing our 
infrastructure protection capabilities, the NIPC has held firm 
to two basic tenets that grew from the extensive study of the 
President's Commission on Critical Infrastructure Protection.
    First, the government can only respond effectively to 
threats by focusing on protecting assets against attack while 
simultaneously identifying and responding to those who 
nonetheless would attempt or succeed in launching those 
attacks; and second, the government can only help protect the 
Nation's most critical infrastructures by building and 
promoting a coalition of trust; one, amongst all government 
agencies; two, between the government and the private sector; 
three, amongst the different business interests within the 
private sector itself; and, four, in concert with the greater 
international community.
    Therefore, the NIPC has focused on developing its capacity 
to warn, prevent, respond to, investigate, and build 
partnerships all at the same time. As our techniques continue 
to mature and our trusted partnerships gel, we will continue to 
experience ever-better results. Presidential Decision Directive 
63 commanded the National Infrastructure Protection Center to 
``provide a national focal point for gathering information on 
threats to the infrastructures.'' Additionally, pursuant to 
this 1998 Directive, the NIPC provides ``the principle means of 
facilitating and coordinating the Federal Government's response 
to an incident, mitigating attacks, investigating threats, and 
monitoring reconstitution efforts.'' In the 3 years since that 
mandate, the NIPC has established an unprecedented level of 
cooperation among various Federal and local agencies in the 
private sector.
    This cooperation was achieved because we have seen the 
success of joint multi-agency operations when all members of 
the intelligence, defense, law enforcement, and other critical 
infrastructure agencies, as well as our private sector 
counterparts, combine their widely-varied skills and 
specialties toward a single goal. The eight infrastructures set 
forth in PDD 63 have recognized that although they are 
independent, they are also interdependent and that they must 
work together in order to reduce or eliminate their own 
vulnerabilities, and the impact one infrastructure may have on 
another.
    The center has full-time representation from the defense 
agencies, numerous other Federal agencies, and the Critical 
Infrastructure Assurance Office. We work closely with the 
Federal Computer Incident Response Center, as well as the Joint 
Task Force for Computer Network Operations at Department of 
Defense, and other entities which respond to critical 
infrastructure events. Beyond this and moreover, we recognize 
the need for a military public-private sector partnership 
similar to that in the days of World War II.
    We in the National Infrastructure Protection Center 
continue to partner with and support lead agencies, such as the 
FBI and the Department of Defense. We continue to provide 
timely and credible warning information to law enforcement, 
counterintelligence, and counterterrorism, and support to all 
of our partners in order to fully perform this vital mission. 
The center is proud to work with your Committee and the 
Executive Branch to ensure that freedom continues to ring 
across this Nation.
    Thank you very much.
    Senator Cleland. Thank you very much, Mr. Dick. Ms. 
McDonald.

TESTIMONY OF SALLIE McDONALD,\1\ ASSISTANT COMMISSIONER, OFFICE 
     OF INFORMATION ASSURANCE AND CRITICAL INFRASTRUCTURE 
        PROTECTION, U.S. GENERAL SERVICES ADMINISTRATION

    Ms. McDonald. Thank you and good morning, Mr. Chairman and 
Members of the Committee. On behalf of the Federal Technology 
Service of the General Services Administration, let me thank 
you for this opportunity to appear before you to discuss our 
role in critical infrastructure protection. FedCIRC is a 
component of GSA's Federal Technology Service and it is the 
central coordination facility for dealing with computer 
security-related incidents within the civilian agencies of the 
U.S. Government. Our role is to assist those agencies with the 
containment of security incidents and to aid them with the 
recovery process. This directly supports a critical 
infrastructure protection mission because the Federal 
Government's agencies depend upon their computer systems, not 
only to conduct government operations, but also to provide 
final connectivity to the owners and operators of the Nation's 
critical infrastructures.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. McDonald appears in the Appendix 
on page 61.
---------------------------------------------------------------------------
    Incidents involving new vulnerabilities or previously 
unseen exploits require in-depth analysis. Effective incident 
analysis is a collaborative effort. Data is collected from 
multiple sources, then verified, correlated and analyzed to 
determine the potential for proliferation and damage. This 
collaborative effort has resulted in the development of an 
incident response community that includes FedCIRC, the NIPC, 
the National Security Agency, the Department of Defense, the 
intelligence community, industry, academia, and individual 
incident response components within Federal agencies.
    Though the respective missions of these organizations vary 
in scope and responsibility, this virtual network enables the 
Federal Government to capitalize on each organization's 
strategic positioning within the national infrastructure, and 
on each organization's unique access to a variety of 
information sources. Each entity has a different but mutually 
supportive mission and focus, which enables the critical 
infrastructure protection community to simultaneously obtain 
information from and provide assistance to the private sector, 
Federal agencies, the intelligence community, the law-
enforcement community, the Department of Defense, and to 
academia.
    The unified response to recent threats to the cyber 
infrastructure, including the Code Red worm and the Nimbda 
worm, clearly demonstrate how these collaborative relationships 
work and how each participant's contributions help to assess 
and mitigate potential damage. In both instances, industry 
alerted the incident response community to the new exploit. 
During a previous event, a collaborative communication network 
had been established among numerous government agencies 
including FedCIRC, the NIPC and the Critical Infrastructure 
Assurance Office, in addition to academia, industry, software 
vendors, antivirus engineers and security professionals.
    This network enabled participants to share details as they 
performed analyses and developed remediation processes and 
consensus for protection strategies. In the case of Code Red, 
through the collaboration of the above-named groups, the 
collective team concluded that this worm had the potential to 
pose a threat to the Internet's ability to function. An 
unprecedented public awareness campaign ensued concurrent with 
efforts to ensure that all vulnerable servers were protected. 
Statistical information provided by software vendors indicated 
an unprecedented rush by users to obtain security patches and 
software updates addressing the vulnerabilities. As a result, 
the impact of Code Red and its variants was significantly 
mitigated and serious impact to Internet performance was 
avoided.
    Mr. Chairman, the information presented today highlights 
the critical and effective relationship that exists between 
FedCIRC and other members of the critical infrastructure 
community. Though each contributes individually to critical 
infrastructure protection, our strength in protecting 
information systems government-wide lies in our collaborative 
and coordinated efforts. I trust that you will derive from my 
remarks an understanding of the cyber threat and response 
issues, and also an appreciation for the joint commitment to 
infrastructure protection of FedCIRC and the other members of 
the critical infrastructure community.
    We appreciate your leadership and that of the Committee for 
helping us achieve our goals and allowing us to share 
information that we feel is crucial to the protection of our 
Nation's technology resources. Thank you.
    Senator Cleland. Thank you very much, Ms. McDonald. We will 
open it up in a minute for a round of questions. Each Senator 
will have 8 minutes in order to delve into some of these 
questions that plague our country. One of the things that 
occurs to me on this particular point of vulnerability to cyber 
warfare is a question that I ask myself about the intelligence 
community, but what comes to mind is that line by a humorist in 
Georgia, now deceased, Lewis Grizzard, who once said that life 
is like a dog sled team. If you ain't the lead dog, the scenery 
never changes. I am looking for the lead dog. Who is the lead 
dog among you here? Is there one? And is that a problem?
    In other words, it is interesting, Mr. Dick, you are 
director of the National Infrastructure Protection Center, FBI. 
Mr. Tritak, you are the director of the Critical Infrastructure 
Assurance Office, U.S. Department of Commerce. Ms. McDonald, 
you are over in the Federal Computer Incident Response Center, 
GSA.
    Do we have a lead dog in the Federal Government that runs 
the war against cyber terrorism, Mr. Tritak?
    Mr. Tritak. Senator, under PDD 63, the lead person for 
coordinating government policy on critical infrastructure 
protection and assurance issues is the National Coordinator for 
Security, Infrastructure Protection, and Counterterrorism at 
the National Security Council, and that is Richard Clarke. What 
they did is create two basically parallel offices; one for 
operational threat assessment and warning and the like. It is 
an interagency office that happens to be housed at the FBI. 
That is Ron Dick's.
    The other was a policy, planning and support group with an 
emphasis on dealing with some of the cross-cutting issues of 
private industry. So if you ask under the PDD 63 rubric, the 
person that has front-line responsibility in oversight is 
Richard Clarke over at the National Security Council. As I 
tried to indicate before, all this is under review, and what is 
being considered now is how to not only accomplish what Senator 
Thompson had indicated, which was to establish the lines of 
authority, accountability, but, frankly, also what are our 
policy priorities. If you have the best organizational chart in 
the world, things won't get done unless the matter is a 
priority with the backing of the highest guy in the land--the 
President of the United States.
    I think there is no question under the current 
circumstances--and I do not think it was a question before the 
circumstances of September 11--that critical infrastructure 
protection is going to be a priority for this President. But, 
as things are, the policy review process is ongoing, but being 
wrapped up and, unfortunately, many of the people who are 
involved in finalizing the policy review are also very busy 
actually dealing with the terrorist problem we are confronting 
at the moment. So if you ask me today: To what extent is PDD 63 
still in play? I would say that it is for the interim, but I 
would also tell you that is going to change very soon.
    Senator Cleland. Mr. Dick, any comments?
    Mr. Dick. No, I completely agree with John's comments as to 
who is in charge--that is according to the guidelines under 
which we exist today and which are under review. I would like 
to make one quick comment in agreement with Senator Bennett. No 
matter who is in charge, the key to success that we have found 
is the building of interagency cooperation to include the 
private sector. We in the center, as I said, have been in 
existence for about 3 years. We have had a number of 
initiatives. One is called InfraGuard, a grassroots effort with 
security professionals in both cyber and the physical world, to 
share information.
    We currently have about 2,000 members throughout the 
country. We have chapters in every one of our 56 field offices 
at the FBI and even a few more cities across the Nation. We are 
working very closely with the information sharing and analysis 
centers that are formed within the private sector for banking 
and finance and electrical power and water, and we are working 
very closely, obviously, with our partners in the Federal 
Government to share information, and succeeding in getting 
cooperation in that. But the key to that interagency 
cooperation is the building of one word, as I said in my 
statement, trust.
    Trust takes time, but trust is evolving. I think the things 
we have seen that Sallie alluded to, with the Leaves virus, 
Nimbda, where you saw a combining of law enforcement, 
intelligence community, private sector individuals coming 
together, really experts in this field, determining what is the 
issue, what is the resolution to it and providing to the public 
a means by which to mitigate and solve the problem, was truly 
successful. And I think that across all infrastructure 
protection, as well as homeland security, that is the issue--is 
what Mr. Bennett alluded to, is the cooperation between all of 
the agencies.
    Senator Cleland. Can I just underscore that? It does seem, 
and I hate to inflict another comment on you, but I was 
thinking about Casey Stengal's great line when he was coach of 
the Yankees. He said that it is easy to find the players, but 
it is tough to get them to play together. It does seem to me 
that the challenge here is the coordination of the existing 
assets, I mean, step one, and we are all human beings. We all 
have our offices. We all have our departments. We all have our 
allegiances. Trusting someone outside that department, outside 
the framework is the challenge. In other words, building a team 
may be tougher than just putting some names on an 
organizational chart.
    Mr. Dick. And you are absolutely right and let me, if I 
may, give you another, what I think, is a very good example. My 
experience in being involved with the center for over 3 years 
and being the director for the last 6 months, is that the 
people I have dealt with in the other agencies, people I have 
dealt with in the private sector, are all trying to do the 
right thing. There are no agendas here going on in my opinion. 
These are people that are legitimately trying to do the right 
thing and figure that out.
    One of the things, I think, is a success from our 
standpoint is the relationship the center has built up with the 
Joint Task Force for Computer Network Operations under General 
Bryant in the Department of Defense. General Bryant and I are 
in complete agreement about one thing, that I cannot do my job 
without JTFCNO and the Department of Defense as an integral 
partner. And General Bryant agrees with that same statement. So 
we have built, what I think and I think General Bryant does 
too, a very good working relationship that is built upon trust 
and sharing information, and that information not being used in 
a wrongful manner. But that takes time.
    Senator Cleland. Mr. Dick, I would like to observe, too, 
that we are all trying to do the right thing here, too. If some 
person on the National Security Council is the lead dog or the 
top coordinator or the ultimate person to which this 
information is followed up, that person is not confirmed by the 
Congress and it is tough for the Congress to be part of the 
team. In other words, I do not think we have the authority to 
call up Mr. Clarke and ask him how the war against cyber 
terrorism is going? I mean, he is on the National Security 
Council. So that is just a challenge for us here as we try to 
plug ourselves into our oversight responsibilities.
    Ms. McDonald. Well, I certainly agree with both John and 
Ron's statements. We have come together as a team, because I 
think this community, probably more than others, has recognized 
the vulnerabilities in the cyber area, and recognized, as Dick 
Clarke frequently says, that there will be an electronic Pearl 
Harbor. None of us were expecting the events of September 11, 
and we in the cyber community are hoping not to see anything of 
that magnitude in this area. But if we do not all come 
together, if we do not devote resources, if we do not correct 
the human capital situation that Senator Voinovich addressed, 
we have a tough job ahead of us and many challenges.
    Senator Cleland. Amen. Well said. Senator Carnahan, any 
questions?
    Senator Carnahan. Certainly, all of us would agree that we 
are going to have to be looking into the types of attacks that 
we are likely to face, and whether or not we are prepared for 
them in the public or private sector. The attacks in New York 
and Washington were targeted attacks. Is our infrastructure 
equipped to withstand a larger geographical attack on a larger 
geographical area? I would address that question to Mr. Dick, 
and also, could you explain how NIPC is preparing for such a 
scenario, and what steps you are taking to help the private 
sector prepare for something of that nature?
    Mr. Dick. Thank you. Obviously, whether we are prepared for 
a particular attack depends on how big. Obviously, you can make 
a threat scenario so large that you eventually lead to--well, 
everything is shut down, but in taking what would normally be 
perceived by the intelligence community and us as reasonable 
threats that are out there, that are potential, that could 
occur--I think the private sector and the U.S. Government 
entities, as well as State and locals, are preparing 
themselves. Are they adequately prepared? No. Like the events 
of September 11, no one could have predicted, I think, with any 
great certainty that those things could have occurred.
    What has happened, though, in the last few years is a 
raising of the awareness, if you will, of the need for the 
contingency plans that I talked about in my statement by Mr. 
Seton, and with the Mercantile Exchange in New York. Because of 
those efforts, this particular company took a lot of time and 
effort to build these contingency plans. Has North American 
Electrical Liability Council and all the electrical power 
companies done the kind of contingency planning and 
consideration of redundancy issues that they should have? 
Probably not, but I think with heightened awareness and 
coordinated planning, as Mr. Bennett was talking about, in 
cooperation with each other, we can achieve a very robust 
ability to respond and survive almost any kind of attack.
    Senator Carnahan. Do you feel like you need additional 
resources or tools to be able to make NIPC more effective in 
this regard?
    Mr. Dick. Well, absolutely. We are moving forward right 
now. We have submitted a supplemental proposal and we are 
working it through the Department of Justice and OMB as we 
speak, to address many of those issues to reach what we are 
calling full capacity to address these issues as they occur, 
and it will be through a phased-in approach. But we have made 
that request already. What I think is another issue here, and 
it is not just a matter of funding to the NIPC or funding to 
the FBI--it is a matter of being able to get the experts in 
this area, whether it be in the cyber, whether it be in WMD 
issues, in the private sector, at the table with the government 
to share what those vulnerabilities are and how those fixes are 
occurring. So it is not just a personnel issue for governmental 
entities. It is much broader than that.
    Senator Carnahan. One final question, Mr. Tritak. Certainly 
a key component of our country's ability to recover from a 
terrorist attack is the government's ability to continue 
functioning. I was wondering if you could discuss what steps 
are being taken to ensure that the Federal agencies have the 
capability to continue functioning in the event of an attack, 
and with whom does this responsibility fall?
    Mr. Tritak. Well, Senator, actually, there is one piece of 
this I can answer and there is another bit of it that, I think, 
probably would be better discussed in another environment about 
the continuity of government and how we ensure you have a fully 
functioning government under all circumstances. But one thing 
we are doing under my mandate, under PDD 63, is to assist 
agencies in identifying the key critical services they provide, 
identifying the systems that support those service deliveries 
as a way of mapping potential dependencies and vulnerabilities 
that they have to address and safeguard.
    So for example, and I use this in my written testimony, I 
think everyone would agree, for example, that a timely warning 
of a hurricane would be a vital service the government needs to 
provide. Ensuring that service is deliverable--it is not 
sufficient simply to make sure that the Tropical Prediction 
Center in Miami, Florida works. The fact of the matter is, a 
number of inputs from other government agencies and private 
sector entities feed into that system. Some of those, if 
disrupted for even brief periods of time, could actually impair 
the delivery of vital information that warned of hurricanes 
with the result in loss of life if it is not brought up 
quickly.
    So one of the things we are all doing in accelerating, and 
this is, in fact, something that is fully supportive of the 
efforts that were passed under the Lieberman-Thompson bill of 
last year, is to accelerate that mapping process within each of 
the civilian agencies, where we focus on the civilian agencies, 
because, frankly, the Defense Department, they do this as a 
matter of course. So in that respect, what we are looking at is 
ensuring critical government services. In some of those cases 
they rely on private sector infrastructure service providers to 
help. We have given these agencies a way of identifying what 
they have to prioritize and pay attention to to ensure that 
those services, whether they are Social Security checks, 
hurricane warnings, or mobilization of U.S. forces to project 
power overseas can be done.
    Senator Carnahan. Thank you.
    Ms. McDonald. Senator Carnahan, if I could add, the General 
Services Administration is also charged with continuity of 
government operations. As you probably know, we not only have 
the Federal Technology Service, which provides long-distance 
telecommunications service and information technology service, 
but we also have the Federal Supply Service that has been 
instrumental in providing supplies both to New York and the 
Pentagon, and we have the Public Building Service where we 
provide office space, etc. So we do have contingency plans to 
reconstitute government as far as buildings, technology, and 
supplies are concerned.
    Senator Carnahan. Thank you.
    Senator Cleland. Thank you very much. Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman. Mr. Dick, can you 
tell us how many people are actually doing analysis in your 
information sharing unit?
    Mr. Dick. I think there are 10 or 12 that are FBI 
employees. I would have to confirm those numbers. From an 
interagency standpoint, we probably have another four or five. 
Now, that is just doing analysis. Within the center, we have a 
total of approximately 90 FBI and 20 interagency folks.
    Senator Bennett. I understand that in November 2000 the FBI 
director wrote to Sandy Berger complaining that the other 
Federal agencies did not recognize NIPC's mission, and he said 
NIPC would not be able to provide analysis and warning, if the 
NSC did not, in fact, assist NIPC in obtaining personnel. Are 
you aware of that letter or of that concern and do you share 
that concern?
    Mr. Dick. I am aware of the letter and I share that 
concern. As I spoke a moment ago, to one of the key factors of 
the success of being able to provide strategic analysis, is the 
interagency nature of being able to get many people from 
different disciplines to look at the same data, and to 
determine if the vulnerability in the banking and finance 
sector is applicable to the electrical power sector. And that 
is one of the findings that was referenced by Mr. Thompson in 
the GAO report. In fact, my reading of the GAO report was that 
it said we did investigations pretty well and we did outreach 
pretty well, because of InfraGuard and some other things, key 
asset initiatives. It said we did training pretty well. So we 
did a number of things pretty well.
    But what it said we did not do very well was strategic 
analysis. They said we did not do strategic analysis very well, 
meaning predictive analysis, because we did not have the 
resources, both from an FBI standpoint, but more importantly, 
from an interagency standpoint. And it has been my public 
position that GAO was right. You know, their conclusion was 
absolutely correct, but----
    Senator Bennett. It always bothers you when that happens.
    Mr. Dick. Yes, it does, but I try to get over it. We have 
been working very diligently with other partners, and there has 
been some response from many of the agencies in providing us 
resources.
    Senator Bennett. That was going to be my next question. 
Have things gotten any better since November 2000?
    Mr. Dick. They have gotten better. The CIA has provided a 
senior officer to head the analysis and warning section, and it 
made a commitment for multiple years for that person to be 
engaged there. He is an excellent person. Behind me here, the 
Department of Defense has sent over a two-star Rear Admiral 
from the Navy to be my deputy director for the center, Admiral 
Plehal. He is working very diligently with the other Department 
of Defense agencies to fill those gaps that we have talked 
about before. The National Security Agency has sent over a 
senior analyst to head up the analysis and information sharing 
unit.
    So there have been a number of issues that we have made 
progress on. Are there still gaps? Yes, sir, there still are 
gaps, but I am seeing greater cooperation, and I think since 
the events of September 11, there has been an even heightened 
awareness of the need for participation and sharing of 
information within the center.
    Senator Bennett. Well, let me ask all of you, you have 
referred to this collaborative analysis, who has the ultimate 
responsibility?
    Mr. Dick. For production of products?
    Senator Bennett. Yes.
    Mr. Dick. Generally, the center is the one that assists in 
the production of that and coordinates the production of that, 
along with others, particularly in the private sector, and then 
pushes those products out. One of the things that you have to 
keep in mind, a lot of the solutions are not necessarily 
government solutions.
    Senator Bennett. Oh, I understand that. I am just talking 
about the analysis here, and you are saying it is focused in 
the NIPC and the FBI.
    Mr. Dick. But it is a collaborative effort, where like--as 
Sallie was talking about on the Code Red worm, we bring the 
unique skills that each of us possessed together to look at a 
particular problem or issue, and then come up with mitigation 
or a solution. So it is not us in the center alone. It is a 
partnership with the others, a big partner, private sector, the 
antivirus community, and the other software vendors.
    Senator Bennett. Yes, and that is what my legislation is 
trying to address, to increase that partnership with the 
private sector, but if the Chairman can quote baseball, if I 
were advising Tom Clancy on his next novel, who would be the 
official who would go running to the Oval Office and say, ``Mr. 
President, an attack is coming,'' and our analysis shows this 
from the private sector creates a pattern that we discover that 
holds with the Defense Department, and the CIA tells us and so 
on. Our analysis shows that there is going to be a major 
incident coming, on the Tom Clancy mode, would that be Dick 
Clarke who would go forward with that? Would that be the 
director of the FBI? Would the director of the FBI tell the 
Attorney General? Who? Who ultimately is the one in whose mind 
that the alarm bell should go off that, ``Hey, this pattern of 
analysis shows we have a major, major vulnerability here, and 
it looks like somebody is getting ready to exploit it?''
    Mr. Dick. Yes, I think it would be a collaborative effort. 
Obviously, we are in direct contact with Mr. Clarke and the 
National Security Council almost on a daily basis because of 
the events of today. So when you are saying who is going to run 
and brief the President, those briefings that occur every day 
with the Attorney General, the director of the FBI, and 
representatives from the National Security Council. In the kind 
of event that you are talking about, there are sensors out 
within the private sector, but also within CIA, NSA, DOD, the 
FBI, and all of that intelligence is churned together to make 
those briefings. So I do not know that there is a person that 
would be running up to the President.
    Senator Bennett. Do you have any expectation, and I realize 
this is speculation, but let's speculate--do you have any 
expectation that Governor Ridge will become that person?
    Mr. Dick. I have not seen the final--or I have seen a draft 
of the executive order, but I do not know how that is all going 
to flesh out.
    Senator Bennett. Either of the other two? Do you have any--
    Mr. Tritak. I will venture a speculation, which hopefully I 
will not pay for. [Laughter.]
    Senator Bennett. We will protect you.
    Mr. Tritak. I think it is fair to say that just based on 
administration statements recently, there is going to be 
someone who will be responsible for this--recognizing there are 
channels of constant communication on intelligence matters with 
the FBI and everybody else--there will be somebody who will, in 
addition, have a responsibility for reporting those sorts of 
things to the Cabinet and therefore the President. It is a 
question of who and under what circumstances, and I think that 
is what is actually being worked out.
    I think what is informing your question is the recognized 
need to ensure is that there is someone with sufficient 
authority, accountability, and has the ear of the President who 
is going to be able to communicate these concerns in a timely 
manner, and I think that there is every effort from what I can 
tell, just in the various reviews that have been going on at an 
accelerated pace, that the answer will be yes, there will be 
someone responsible. What we cannot tell you now is who, for 
sure.
    Senator Bennett. If I may, Mr. Chairman, I am asking these 
questions of the administration. If someone were to turn the 
tables and say who in the Senate would be the one to alert 
Leader Daschle, we would not have an answer to that on this 
side of the dais. Thank you very much for your testimony and 
for your service in this area.
    Senator Cleland. Thank you very much, Senator Bennett. 
Senator Domenici.

             OPENING STATEMENT OF SENATOR DOMENICI

    Senator Domenici. Thank you, Mr. Chairman. I apologize for 
being late and I am sorry I did not get to hear whatever you 
had to say before I arrived.
    I just want to make two observations, Mr. Chairman. It 
would be good to have before us how many meetings we have had 
of this type, talking about better coordination among the 
important aspects of the government and the people, so that 
they know what is happening and what might beset them and their 
families. Most of those hearings would be drab and dull, and 
maybe if the Committee had not reported so many bills during 
the year, it might report one on the subject of coordination, 
so that we would not just add to another tall list of 
coordination requirements.
    I will not say people in the government will not follow 
them, but I would suggest there would not be a great deal of 
urgency about getting them operative, solving problems within 
the legislation that requires meeting for this and meeting with 
this leader or that person. I would hope that has ended, and I 
would hope that you, Mr. Chairman, and the Chairman of the 
Committee, would consider the subject matter of this hearing 
something serious enough that within a very reasonable time, it 
should be achieved.
    We should have legislation that does something with 
reference to this area of infrastructure, organizationally 
speaking, so as to preserve it and make sure we know what we 
are doing and others can rely upon what we know. I happen to 
have a bill that is before us, S. 1407, the Critical 
Infrastructure Protection Act. It follows in tandem with what 
we understand the President's proposals are going to be, by way 
of executive order. I am hopeful that soon, whatever other 
bills are going to be introduced and considered, that our 
Chairman will proceed with dispatch to mark up this kind of 
bill, unless to be effective, we need to do a lot of other 
bills.
    I have not passed judgment on that yet myself, but 
obviously a very big vacuum existed in terms of communicating 
to someone about a problem that was going to fall upon our 
people on that now infamous day, September 11. I compliment you 
and this Committee, because I think this is not normally very 
exciting work. But we ought to do something with the smartest 
people we have and the equipment we are capable of buying and 
putting in place if we think the problem is serious enough. We 
surely can do much better than we have done, and we can have in 
place within a year something much better than we have by way 
of infrastructure safety, cooperation, and information 
exchange.
    Thank you for what you all do. I am going to wear my other 
hat, which I am a little bit better known for, the budgeting 
part, and I am going to go talk about the stimulus. I have 
already chatted with you, so I kind of know what you think. 
Maybe we can get something done on that quickly, too, let's 
hope.
    Thank you, Mr. Chairman.
    Senator Cleland. Thank you, Senator Domenici. Thank you for 
stimulating and underlining the need for increased coordination 
and cooperation on this vital issue of security, in terms of 
our cyber world, both public and private, and just to point out 
and underscore the Senators concern if we cannot get together 
public entities, private entities, Legislative and Executive 
Branches--if we cannot get together now, under these 
circumstances, when will we ever get together? So that is our 
charge.
    We would like to thank the panelists for your time and 
attention. Thank you very much. We would now like to call the 
second panel.
    We thank you all very much for coming today, and we would 
like to welcome Frank Cilluffo. He is the senior policy analyst 
and deputy director for the Global Organized Crime Project, 
from the well-known and well-respected Center for Strategic and 
International Studies, which I understand the board of trustees 
is chaired by my friend, Senator Sam Nunn, from Georgia. You 
are a senior policy analyst and recently chaired two homeland 
defense committee hearings on counterterrorism and cyber 
threats and information security at CSIS. We welcome you today.
    Jamie Gorelick, the Vice Chair of Fannie Mae, who, as you 
know, is a private shareholder-owned company that works to make 
sure mortgage money is available for people in communities all 
across America. We welcome you today.
    Joseph Nacchio, Chairman and CEO, Qwest Communications, and 
Vice Chairman of the National Security Telecommunications 
Advisory Committee. We would like to learn more about that. 
Qwest Communications offers local and long distance telephone, 
wireless, and Internet web hosting services over a state-of-
the-art network to homes, businesses and government agencies in 
the United States and around the world.
    Kenneth Watson, President, Partnership for Critical 
Infrastructure Protection Security, who is very much involved 
in dealing with these threats and vulnerabilities, 
countermeasures and best practices within and between 
industries. We are delighted to welcome all of you here.
    May I just throw out a couple of questions here that you 
can respond to, please? The President has put forward the 
notion of an Office of Homeland Defense. It is interesting that 
it has cabinet-level status, and it needs it, and the office 
will report directly to the President, and I think that is very 
much needed. However, interestingly enough, the Rudman-Hart 
Commission that looked for 2 years at the question of American 
defense focused more and more, because of the testimony they 
received, on a terrorist attack and concluded that--a year ago, 
in their report--that it was not a question of whether a 
terrorist attack would come on this country, but when, and 
therefore recommended a full-blown agency of homeland defense, 
in effect with a budget of its own and, in effect, infantry, 
troops, people at its command, Border Patrol and so forth, the 
Coast Guard and the like, that could be put into operation in 
terms of homeland defense.
    We just want to let you know that is something that is on 
my mind as you now have an opportunity to give an opening 
statement, and we will start off with Ms. Gorelick.

   TESTIMONY OF JAMIE S. GORELICK,\1\ VICE CHAIR, FANNIE MAE

    Ms. Gorelick. Thank you very much, Senator Cleland, and I 
very much appreciate the opportunity to be here. I testified on 
this subject, I think, the first time before this Committee in 
July 1996, and I said at the time that I hope we would not have 
to see the electronic equivalent of Pearl Harbor before we did 
something substantial. We have not had an electronic Pearl 
Harbor, but we have had a Pearl Harbor, and it, I think, puts 
what we are doing as a country in a different perspective.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Gorelick appears in the Appendix 
on page 70.
---------------------------------------------------------------------------
    As Senator Thompson said just a little while ago, we are 
seeing things through different glasses. I have a long interest 
in this issue. I came to the Department of Justice from the 
Department of Defense. At the Department of Justice, where I 
served as deputy, I was in a position--not unique, but there 
are not very many people who see both domestic and foreign 
intelligence on a daily basis--that caused me to be very 
concerned about our national infrastructure and the lack of 
responsibility for protecting it, particularly in the area of 
cyber security (but also our entire national infrastructure).
    We started a Working Group which resulted in a Presidential 
Commission, which resulted in PDD 63. I have been long 
interested in these issues. I currently serve on the Director 
of Central Intelligence National Security Advisory Panel and on 
President Bush's National Intelligence Review Panel. So I have 
kept an interest in these things. I am here as Vice Chairman of 
Fannie Mae, to comment on the readiness of the financial 
services sector of our economy, but also with this background.
    So let me make a couple of comments and see if I can come 
back to the question that you posed, Senator Cleland. We have 
realized as a country, for now 5 or 6 years, that we need to 
have a hardened-against-attack private and public 
infrastructure. We need to have the comprehensive ability to 
detect intrusions. We need to have comprehensive planning, 
warning, and operational response capabilities.
    The two original actions that emerged from the Presidential 
Commission did, as we just heard from the last panel, create 
two efforts, a law-enforcement effort and an effort to get 
industry to where it needed to be. There has been progress, but 
frankly it has not been enough. The events of September 11 
serve, if nothing else, as a wake-up call. From the point of 
view of industry, the original concept was that industry should 
be encouraged, if you will, to work together to form such 
things as the Partnership for Critical Infrastructure Security, 
and various information sharing analytic centers, to work 
together.
    That made sense, because industry asked the Commission not 
to put in place government command-and-control of industry 
infrastructure. And there was, as you have heard from the 
previous panel, a decided lack of trust between industry and 
government. So the first step was to build trust and each 
industry was to be encouraged to work together. Various of 
these information sharing and analysis centers have, in fact, 
been stood up. I would say to you--and I have submitted my 
testimony in greater length on this subject--that there is an 
uneven range of results, uneven participation, uneven 
robustness of capacity. And in some industries, the effort is 
still nascent.
    These ISACS, by and large, have no funding, no permanent 
staffing, no real operational capability. So when you point 
out, Senator, as you have quite appropriately, that 90-plus 
percent of the information infrastructure on which this 
country's security rests belong in the private sector, that 
private sector's organizations to deal with this issue are not, 
I think, where they need to be. I think now, perhaps with the 
greater sense of urgency, there will be a greater willingness 
on the part of industry to step up to the plate and also to 
accept help from the government.
    I think we need a more realistic approach, one in which the 
government does more to bring industry together for the sharing 
of information. We need a new legal rubric, and I commend 
Senator Bennett for addressing the Freedom of Information Act 
issue and the antitrust issue, both of which will bring greater 
coordination to and greater flow of information from the 
private sector to the government. And we need greater clarity 
on chain of command, if you will, within the governmental 
structure.
    I would say one word about law enforcement. The NIPC is to 
be commended for the work that it has done. To the question 
that all of you have asked, the FBI is in charge, under PDD 63; 
it is very clearly the lead agency. But if you look at the 
resources that the FBI in general has had to fight terrorism, 
compared to the resources that a CINC would have to protect the 
national interest, say, in the Pacific, it is absolutely 
dwarfed. There is no relationship between the job and the 
resources.
    The worry that I have about a coordinator in the White 
House is that we will not get to the point of real homeland 
security and defense, the way the Defense Department would step 
up to it if it had that job. I do not know what the thinking is 
in that regard, since I am not in the government. But I would 
say to you, having served in both places, there is no one in 
the government with the operational capacities and the 
wherewithal of our Defense Department. And unless you get to 
that level of scale and capacity to protect our national 
infrastructure, we will, I am afraid, remain at risk.
    There is no one currently doing the kind of planning we 
need done, and there is no capacity, for example, that I am 
aware of for a military response to a cyber attack on the 
private sector.
    Thank you.
    Senator Cleland. Fascinating testimony, Ms. Gorelick. Thank 
you very much. Powerful. Mr. Nacchio.

TESTIMONY OF JOSEPH P. NACCHIO,\1\ CHAIRMAN AND CHIEF EXECUTIVE 
       OFFICER, QWEST COMMUNICATIONS INTERNATIONAL, INC.

    Mr. Nacchio. Thank you, Mr. Chairman and Members of the 
Committee for inviting us. It is an honor to be here this 
morning. Let me begin by first introducing who we are. We are 
not as well-known as most other big companies. We are a 5-year-
old Fortune 100 company. We have 66,000 employees and revenues 
of about $20 billion. We provide local, long distance, 
Internet, broadband, and wireless services across the United 
States and Western Europe, and we own the incumbent local 
telephone company in 14 Western States. We also provide 
services to agencies of the U.S. Government, notably the 
Departments of Defense, Energy, and Treasury.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Nacchio appears in the Appendix 
on page 76.
---------------------------------------------------------------------------
    I am also testifying today, as you noted earlier, in 
addition to my capacity as Chairman and CEO of Qwest, as the 
Vice Chairman of the National Security Telecommunication 
Advisory Committee (NSTAC), and I bring to that organization 
all of my experience in the industry, about 30 years, and a 
deep concern on this issue, an issue we have been addressing 
for the better part of the last 3 years. In cyberspace, we have 
been at war for 3 years. It is now just catching up to the 
general consciousness of the country.
    We are constantly hit with viruses and almost ironically, 
the success that the telecommunications industry has had over 
the last 30 years in defending against physical attacks and 
nuclear war, has now made us vulnerable in cyberspace. Although 
we have moved much of the physical layer out of danger, 
although there is still some danger, we now have cyber defense 
as one of our biggest issues.
    I would tell you though, that instead of focusing just on 
vulnerability, we should also look at resiliency. And, as the 
President reassured the Nation 2 weeks ago that the state of 
the Union is strong, I would tell you this morning and assure 
you that the telecommunications infrastructure of this country 
is strong.
    Our infrastructure and telecommunications is the best in 
the world. Our engineers, technicians and workers maintain it 
second to none, and we saw that proof on September 11, because 
despite the horrific damage at the World Trade Center and at 
the Pentagon, most of the Nation's telecommunications and 
Internet infrastructure worked flawlessly at a time of 
increased demand.
    The problems were isolated to the end links in the network. 
We had wireless overlays in play. It was far better than most 
people, I think, would have imagined. At ground zero in New 
York, telecommunications companies put aside their everyday 
marketplace rivalries, including ourselves. For example, we 
diverted a multimillion dollar shipment of equipment that was 
supposed to come to us in the West directly to Verizon, so that 
we could restore those central offices down on West Street. We 
worked with FEMA to provide communications between the two 
critical locations in lower Manhattan the day after the attack, 
and we provided Internet connections and services to all who 
had lost them.
    Similar efforts were made by other telecom companies. We 
have a collaborative industry, and in this case, it was praised 
by FCC Chairman Michael Powell, who quoted it as a heroic act, 
ensuring the world's premier communications network has 
continued to be available in times of tragedy. So we should 
look at both the vulnerabilities and the resiliency of our 
infrastructure, and understand how resiliency came to pass: It 
has been through collaborative efforts that have occurred over 
the last 20 or 30 years.
    The telecom industry understands that our networks are 
quite literally the conduits that connect the world and the 
essential sectors of the economy, and keeping both our internal 
and external networks safe is something that the companies in 
our industry do every day and will continue to do. Let me give 
you two examples that make this real from our own experience.
    First, to defend our internal Qwest physical network from 
physical and cyber attack we have implemented a comprehensive 
information network security program which includes 
classification of the network assets, the implementation of a 
complete set of security policies and procedures, extensive 
employee training and a plan for disaster recovery and reacting 
to disasters.
    The NSTAC leadership has broadly circulated the Qwest 
program, encouraging the other members of NSTAC to implement a 
similar program.
    Second, to protect our external networks, just last month 
we dedicated 1,000 technical experts to assist our customers 
affected by the global Code Red computer virus, which 
penetrated our firewalls and took down our customer networks. 
Such a quick and comprehensive response is what is necessary 
across all networks. But doing it in our own networks is not 
enough. Doing it inside the telecommunications infrastructure 
is not enough. Other industries need to take similar steps 
because we are all interconnected in cyberspace.
    It is no longer important to just protect your physical 
layer. You have to protect the software layer. We are all 
connected. Each company must therefore protect its own network, 
assets and people, and all companies must coordinate those 
actions. I have some very specific proposals that I think 
address this.
    First, NSTAC and the National Security Council should 
immediately initiate a project to develop benchmarks and 
requirements for information security best practices for the 
telecommunications industry and its users, because again we are 
interconnected. Either NSTAC or another public organization, 
such as the National Infrastructure Simulation and Analysis 
Center, proposed by Senator Domenici, should be given the 
responsibility to extend these clearinghouse and coordination 
functions to other industries and other agencies, as well.
    Second, I think Congress should remove the perceived 
barriers to information sharing. Your legislation, Senator 
Bennett, with Senator Kyl, is critical to allow us to share 
information safe and secure, so that the information we are 
sharing with the government does not fall into the hands of the 
perpetrators to begin with, under the Freedom of Information 
Act, and we can collaborate without the threat of antitrust, 
based upon the national security needs.
    Third, and this is very important to us who are fighting 
this every day, we need legislation increasing the penalties 
for cyber attacks. This is not a humorous subject for hackers. 
It has to be a serious subject. It costs money. It costs time. 
It puts people in vulnerable circumstances when they lose their 
communications infrastructure. We need to give law enforcement 
greater latitude to investigate and to prosecute these attacks.
    Let me conclude by saying that the telecommunication 
infrastructure is strong. There is more work to be done, but it 
can and must be made stronger, and I know that we at Qwest and 
my colleagues in the communication industry will do whatever is 
necessary to help this Committee, the Congress and the 
administration to ensure the continued strength of America's 
telecommunications infrastructure.
    Senator Cleland. Thank you very much, sir, for that very 
strong testimony. Mr. Cilluffo.

 TESTIMONY OF FRANK J. CILLUFFO,\1\ CO-CHAIRMAN, CYBER THREATS 
TASK FORCE, HOMELAND DEFENSE PROJECT, CENTER FOR STRATEGIC AND 
                     INTERNATIONAL STUDIES

    Mr. Cilluffo. Mr. Chairman, Senator Bennett, it is a 
privilege to appear before you today to discuss this important 
matter. In the wake of the terrorist attacks on the World Trade 
Center and the Pentagon, the United States is confronted with 
harsh realities.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Cilluffo appears in the Appendix 
on page 83.
---------------------------------------------------------------------------
    Our homeland is vulnerable to physical attack and gone is 
the sense that two oceans that have historically protected our 
country can continue to protect Americans. The terrorists 
attack highly visible symbols, not only of military strength, 
but also of our economic prowess. Though exceedingly well-
planned, coordinated and executed, the comparatively low-tech 
means employed by the terrorists raises the possibility of a 
cyber strike or perhaps a more inclusive, more sophisticated 
assault combining both physical and virtual means on one or 
several critical infrastructures.
    As we will never be able to protect everything, everywhere, 
all the time, from every adversary and every modality of 
attack, now is clearly the time for clearheaded prioritization 
of policies and resources. Unless we examine this issue in its 
totality, we may simply be displacing risk from one 
infrastructure to another. We need to approach the issue 
holistically and examine the dangers posed to our critical 
infrastructures from both physical attack, a well-placed bomb, 
and cyber attack, and perhaps most important where the two 
converge.
    Infrastructures have long provided popular terrorist 
targets. Telecommunications, electric power systems, oil and 
gas, finance and banking, transportation, water supply systems, 
and emergency services have been frequent targets to terrorist 
attacks, and I listed a bunch in my prepared remarks. The 
destruction or incapacitation could have a debilitating effect 
on U.S. national or economic security, clearly the reason for 
this hearing and others.
    One should state that bits and bytes or bugs and gas, for 
that matter, will never replace bullets and bombs as the 
terrorist weapon of choice. Al Qaeda, in particular, chooses 
vulnerable targets and varies its modus operandi accordingly. 
They become more lethal and more innovative with every attack. 
While bin Laden may have his finger on the trigger, his 
grandchildren may have their fingers on the computer mouse. 
Moreover, cyber attacks need not originate directly from Al 
Qaeda, but from those with sympathetic views, and given the 
anonymity of cyberspace, it is very difficult to discern who is 
really behind the clickety-clack of the keyboard.
    For too long, our cyber security efforts have focused on 
the beep and squeak issues, and it focused on the individual 
virus or hacker du jour in the news, often to the neglect of 
the bigger picture. It is now time to identify gaps and 
shortfalls in our current policies, programs and procedures, 
begin to take significant steps forward and pave the way for 
the future by laying down the outlines of a solid course of 
action that will remedy these existing shortcomings.
    Along these lines, there have already been a series of 
actions taken, some prior to September 11, some post. In 
particular, I do applaud the creation of the new cabinet-level 
Office of Homeland Security, directed by Governor Ridge. It is 
my understanding that a comprehensive review will be completed 
by next week, which will set out the office's roles, missions, 
and responsibilities. We will then have a better sense of the 
explicit roles and responsibilities pertaining to homeland 
security and how they directly impact critical infrastructure 
protection, and as was mentioned earlier, there was already an 
executive order in the works, about to be signed, on cyber 
security. So this is clearly something the President has been 
engaged in, in advancing our cyber defenses, for quite some 
time.
    To get to the point you have brought up earlier, Mr. 
Chairman, this attack was a transforming event. Many have 
claimed that the Office of Homeland Security may not have the 
authority to succeed. Well, I disagree. One cannot look to 
history alone to identify what organizational model will be 
most effective. Because this is the highest priority facing our 
Nation today, organizational charts, titles, and line items, 
boxes, historic emblems of bureaucratic power, fade to the 
background. Governor Ridge will have the ammunition required to 
carry out his responsibilities because he and his mission have 
the full confidence of the President of the United States.
    But even an undertaking of this importance takes time to 
move from concepts to capabilities. Once the immediacy of the 
problem has settled into routine, perhaps several months from 
now, we should consider codifying and institutionalizing its 
mission with congressional legislation and additional statutory 
authority if needed, but I think we have to crawl before we 
run. As both the Executive Branch and the Congress consider how 
best to proceed in this area, we should not be afraid to wipe 
the slate clean and review the matter with fresh eyes.
    We need to be willing to press fundamental assumptions of 
national security. Critical infrastructure protection and 
information assurance are cross-cutting issues, but our 
government is still organized along vertical lines in their 
respective stovepipes. When we do this review, we should do it 
with a critical eye, not only one that appreciates how far we 
have to go, but also where we have come, and there have been 
some centers of excellence, both in government and the private 
sector, that we should leverage and build upon.
    Ultimately, it is essential that any strategy encompasses 
prevention, preparedness and incident response, vis-a-vis the 
public and private sectors and the interface between them. What 
we need is a strategy that would generate synergies and result 
in the whole amounting to more than simply the sum of its 
parts, which is currently the case.
    Information technology's impact on society has been 
profound and touches everyone, whether we examine our economy, 
our quality of life, or our national security. Unfortunately, 
our ability to network has far outpaced our ability to protect 
networks. Though the myth persisted that the United States had 
not been invaded since 1812, invasion through cyberspace has 
been a near-daily occurrence, a marked counterpoint to 
September 11 attacks.
    Fortunately, however, we have yet to see the coupling of 
capabilities and intent, aside from foreign intelligence 
collection, where the really bad guys exploit the really good 
stuff and become technosavvy. We have not seen that marriage, 
but in my eyes that is a matter of time. Let me jump very 
briefly--I have laid out a number of recommendations that I 
thought we should be looking to in terms of building this 
partnership. As to who is responsible, it is a shared 
responsibility.
    The government must, however, lead by example. Only by 
leading by example and getting its own house in order can they 
expect the private sector to commit the resources in both time 
and effort to get the job done, and we need to clarify 
accountability. We need to clarify roles and missions. Right 
now, there really is no one held accountable, and clearly that 
is going to be something that will be examined with all the new 
executive orders.
    Let me skip through the rest and close with a couple of 
initiatives that can be taken to incentivize the private 
sector. First, from the government perspective, by improving 
the resilience of our economic infrastructure we improve the 
government's readiness, because so many of these critical 
functions are owned and operated by the private sector. But, 
second, we also improve our economic security, which cannot be 
seen as black or white. These are now blurred.
    We need to encourage standards to incentivize the private 
sector. We need to improve information sharing, and I 
wholeheartedly applaud Senator Bennett's initiative in this 
area, because FOIA has been a significant obstacle to sharing 
information between the public and private sector. We can also 
look at liability relief. Government could provide 
extraordinary liability relief to the private sector in the 
case of cyber warfare, similar to the indemnification authority 
set up in the case of destruction of commercial assets during 
conventional warfare. So these are some of the areas we can 
look to.
    Mr. Chairman, I know I am over my time. I have rarely had 
an unspoken thought. Forgive me, but not to digress, but I 
would like to close by saying thank you. We have all done some 
soul-searching in the last couple of weeks. I, for one, have 
never been so proud to be an American, proud of our President, 
proud of our Congress, and proud of the millions of Americans 
that make this country great. I believe we have all emerged 
from this with a stronger sense of purpose and appreciation of 
our Republic and its institutions.
    This is precisely what our forefathers had in mind. We were 
put to the test. We will prevail. They will fail. And critical 
infrastructure protection is clearly an important element to 
improving our Nation's security.
    Thank you, Mr. Chairman.
    Senator Cleland. Thank you, Mr. Cilluffo. Wonderful, strong 
statement. We are proud of you, too, and all of you.
    Mr. Watson.

 TESTIMONY OF KENNETH C. WATSON,\1\ PRESIDENT, PARTNERSHIP FOR 
            CRITICAL INFRASTRUCTURE SECURITY (PCIS)

    Mr. Watson. Good morning, Mr. Chairman and Senator Bennett, 
I am honored to be here today on behalf of the more than 70 
companies and organizations from all the critical 
infrastructure sectors that comprise the Partnership for 
Critical Infrastructure Security, or the PCIS. The question: 
``Critical infrastructure protection: Who is in charge?'' is 
timely, but may not have a quick and easy answer, as we have 
heard many times today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Watson appears in the Appendix on 
page 98.
---------------------------------------------------------------------------
    We would all like to be able to turn to a single government 
or industry executive or agency with the authority and 
responsibility to assure the continued delivery of vital 
services to our citizens in the face of these new and emerging 
threats. The truth is that the infrastructure architecture 
requires a distributed leadership, cooperation, and partnership 
to accomplish that goal, exactly what Senator Bennett said 
earlier.
    I would like to describe for you the environment of the 
critical infrastructures, explain what we were doing before the 
horrendous attacks 3 weeks ago, and what has changed since 
then. I will also make a few recommendations.
    Over the last 10 to 20 years, the network of networks has 
truly changed the way we live and work. There is no turning the 
clock back. This has brought about unprecedented levels of 
productivity and profitability; however, each industry is now 
more dependent on every other than before, and all have come to 
depend on computer networks for core operations, not just as a 
business enhancing tool.
    The Federal Government cannot function without services 
provided by the private sector infrastructure owners and 
operators. Most of these are multinational corporations with an 
interlaced network of suppliers, partners and customers, many 
of whom are outside the United States. The Internet itself 
relies on key name servers and routers located around the world 
with no central ownership or authority. Therefore, the health 
of the global economy is directly related to America's national 
and economic security.
    Just as the Internet is open, borderless, international and 
unregulated, responsibility for protecting critical 
infrastructures is distributed among companies and government 
organizations. Form follows function. This applies not only to 
architecture, but also to how we organize to protect our 
critical infrastructures. Even with the best of intentions and 
the most modern tools, the Defense Department could not defend 
against a cyber attack on the information systems of a power 
plant in Omaha. That power plant must have the technologies and 
teams to defend itself and to prevent cascading effects beyond 
its own perimeter, and it must be connected to a distributed 
indications and warning system in order to be able to respond 
quickly and proactively.
    Also, since every unsecured computer connected to the 
Internet could be used as a zombie in a distributed denial-of-
service attack, these tools, teams and warnings must become 
part of every business' standard networking procedures. 
Activities that an enterprise can take: Conducting 
vulnerability and risk assessments; deploying security 
technologies; investing in research and development; resourcing 
and enabling incident response teams must now be distributed 
and coordinated.
    Many in industry and government have been focusing on how 
to accomplish this coordination for at least the last 5 years. 
The President's National Security Telecommunications Advisory 
Committee, or NSTAC, has been providing advice on national 
security and emergency preparedness issues in the 
telecommunications sector since 1982. The NSTAC is still 
extremely relevant, even more today, conducting studies and 
holding network security information exchanges on current 
issues.
    The President's Commission--as has been mentioned several 
times--on Critical Infrastructure Protection, reported in 
October 1997, recognizing the need for close public-private 
coordination, that applies to all the infrastructure sectors. 
Industry responded to the government's invitation to a dialogue 
by launching the Partnership for Critical Infrastructure 
Security at the World Trade Center in December 1999. Since its 
formation, the PCIS has become a model for cross-sector 
coordination and public-private cooperation.
    Last year, the PCIS identified barriers to information 
sharing with government, and now Senator Bennett's bill and 
others in Congress are working through legislation based on our 
findings. During the response to the Code Red worm, government 
and industry turned to the PCIS to represent industry alongside 
the NIPC and security experts as we made the public service 
announcement that ultimately blunted the impact of that 
infestation. Inthe coming year, the administration will publish 
a public-private national plan for critical infrastructure 
protection, with industry sections coordinated by the PCIS.
    This is not just an American problem. Several countries are 
establishing similar partnerships. The PCIS is forming close 
relationships with them and we are collaborating several areas. 
We are currently working with critical infrastructure 
protection organizations in Canada and the United Kingdom, and 
we are following similar activity in Switzerland. The United 
States and Australia conducted a bilateral meeting in August, 2 
months ago, where we agreed to cooperate on security standards 
and in other areas.
    One of the keys to success is the timely sharing of 
information about threats, vulnerabilities, countermeasures and 
best practices within and between industries and between the 
public and private sectors. Information Sharing Analysis 
Centers, or ISACs, are proving their value as both computer 
defense centers and awareness vehicles. There are currently 
five ISACs in operation: Financial services; 
telecommunications; information technology; electrical power; 
and oil and natural gas.
    These ISACs have shared information on threats to members 
and helped their sectors prevent damage and disruption from 
threats like the Code Red and Nimda software worms. The telecom 
ISAC is able to share vital information from the government to 
industry that has been proved both valuable and timely. Four 
additional ISACs are in various stages of development: 
Railroads; aviation; water; and information service providers, 
or ISPs. One of this year's top goals for the PCIS is to 
establish a cross-sector and public-private information sharing 
architecture.
    With the same goal, the existing ISACs, under the 
leadership of the National Communications System, met last week 
to work out a cross-sector operational information exchange 
capability. This meeting greatly accelerated the progress we 
have made in this area and the procedures they develop will 
form the foundation for the overall cross-sector architecture.
    What has changed since September 11? The terrorist attacks 
on the World Trade Center and the Pentagon did not change the 
architecture of the new economy or our interdependency, or the 
interlinked nature of the economy's national security in the 
nations of the world. What those attacks did was create a sense 
of urgency and an increase in security awareness. Just as the 
administration carefully and deliberately seeks out those that 
conducted and supported these barbaric acts and learns about 
this new battlefield environment, I urge everyone involved to 
take the time to understand the infrastructure environment and 
not to move too quickly to try to solve the infrastructure 
protection problem.
    So what can we do to protect our critical infrastructures? 
We need to raise the security bar worldwide, by streamlining 
communication and coordination, accelerating research and 
development, practicing good network security, and by not 
abandoning our values. I have four recommendations: First, 
support the administration initiatives to streamline 
coordination within the Federal Government. We will continue to 
work closely with the Critical Infrastructure Assurance Office, 
the National Infrastructure Protection Center, and the national 
coordinator, as the government organizes itself to manage 
homeland security, counterterrorism, and critical 
infrastructure protection.
    Second, support initiatives that will secure the next 
generation's network of networks, as well as patches and fixes 
we are applying today, by providing resources to government 
agencies with increased responsibilities in this area and 
providing funding for research. To assist in this effort, the 
PCIS is developing a research and development roadmap that will 
include a gap analysis of current industry, academic and 
government programs, and recommendations for focusing resources 
to meet sector and cross-sector needs.
    Third, encourage government organizations, businesses and 
individuals to practice sound information security, starting by 
adequately funding network security programs in all Federal 
departments and agencies; updating passwords, disallowing 
unauthorized accounts and unneeded services and installing 
firewalls and intrusion detection are no longer just common 
sense, but a matter of cyber civil defense.
    And, last, carefully consider the impact of any new 
legislation on the freedoms Americans cherish: Individual 
privacy; freedom of expression; and freedom of 
entrepreneurship. We all understand that without security there 
is no privacy, but we must always strive for balance. My 
colleagues of the PCIS and I welcome any invitation to discuss 
our activities with you at any time. We believe a dialogue 
where we can hear your insight and you can hear our concerns 
will be healthy and fruitful.
    We are all in this together: Industry, academia, the 
administration, the Congress, the American people, and we need 
all points of view to ensure that our critical infrastructures 
continue to meet the needs of every citizen by ensuring the 
continued delivery of vital services and enabling the economy 
that underpins our security and our way of life.
    Thank you very much, and I am happy to answer any 
questions.
    Senator Cleland. Thank you very much, Mr. Watson. You are 
right. We are all in this together.
    Mr. Cilluffo, I was fascinated by a comment. If you would 
go back in your testimony, if you could find that section where 
you said something about the terrorist will not do something--
and ultimately will not give up bombs and bullets. Can you say 
that section again? Since you seemed to say that maybe bombs 
and bullets, in bin Laden's case, was maybe generational, and 
his offspring may have their finger on a mouse or something. 
Talk about that section again.
    Mr. Cilluffo. If we look at the threat, we need to look at 
a full spectrum of threats. If we are focusing on Al Qaeda 
specifically, this is an organization that understands the 
lethality, has demonstrated the capability, and bombs and 
bullets are the effective weapon of choice, and he will 
continue to accelerate the capability. If you look at it, even 
Al Qaeda, if you go back to Kobar Towers, you saw car bombs, 
then you had truck bombs at the African embassies. The U.S.S. 
Cole, you had boats as bombs. Now, unfortunately, you have 
planes as bombs. So it is more innovative every time, more 
lethal every time, he is not, and his followers in Al Qaeda and 
this loosely affiliated network of radicals, because what they 
really do is they pool resources. There is no monolithic 
organization. He is the chief financial officer of this loosely 
affiliated organization that brings groups together.
    He is not going to be turning to cyber means. They use it, 
cyber, for tradecraft, to communicate. Whether they use 
stegonography, as some media have said, I do not know, to hide 
code messages inside, or whether they use simple code words, 
where ``Go walk the dog,'' could mean something very different, 
and seemingly innocuous could mean something very different if 
they have communications beforehand, and he has demonstrated 
the ability to mix very high-tech and very rudimentary low-tech 
means of tradecraft, to include communications.
    And so I think that it is important to say that when we 
look at the terrorist threat today, we need to look at it 
holistically. We need to recognize that Al Qaeda is not all 
terrorism. You are going to see some that are turning to cyber 
means. There is only one official terrorist use of offense 
information warfare, and that was the Tamil Tigers of LTTE, who 
disabled embassy communications in Ottawa, Seoul, and 
Washington. But that is going to change.
    What we see mostly are nations--and they are in the 
stealing secret business. They are not going to crash systems. 
They would be compromising such a valuable method and technique 
to steal America's secrets. So we just need to look at it 
holistically.
    Senator Cleland. Thank you.
    Mr. Nacchio, thank you for your testimony. When I saw the 
Pentagon smoking and I looked at the Capitol and realized that 
the Capitol might be the next target, it was a strange feeling. 
So I tried to get on a cell phone. Of course, by now the whole 
system was clogged, and my immediate thought, though, was that 
we are also under a cyber attack. In other words, they have 
jammed our communications. As an old Army signal officer, I 
guess that was the first thing that came to my mind. Actually, 
I later realized the whole system was overloaded.
    Also, you mentioned the reliability of the system. Again, 
in my training, the first week I was on active duty I had an 
old colonel tell me that, ``Cleland, the secret to reliability 
is redundancy.'' Have you learned anything about this, in 
effect, instant overload, when the country is attacked or some 
spectacular thing happens, have you learned anything in your 
world that you are going to do differently? Are you going to 
program in more redundancy for a peak usage for a few hours, so 
that average citizens can communicate by the millions, which is 
what they wanted to do, and I just wondered if you had a 
comment on that?
    Mr. Nacchio. Well, yes, it is a very pertinent point, and 
it really relates to a question you asked an earlier panel that 
said how do you protect against a massive attack? The 
communication networks are best designed, of course, for a 
massive attack. There are many of them, multiple paths, 
physical redundancy, multiple fiber paths that you can travel. 
What happened in New York and the Pentagon, specifically New 
York, is when the towers were on fire, West Street central 
office of Verizon went out, so all of southern Manhattan, at 
the end point, was taken out. The rest of the nationwide 
infrastructure worked well, but you could not get in and out of 
southern New York, and similarly the wireless networks and 
points did not work if you were going in and out of New York or 
in and out of northern Virginia.
    But the rest of the Nation, communicating about it, worked 
well. So you still have physical points of vulnerability. What 
we learned here is that what we used to protect for a nuclear 
attack, the same thing could happen with an airplane attack or 
if we had a massive fiber cut or if a bridge across the 
Mississippi River went down. These infrastructures need to be 
protected. So we are not invulnerable to physical attacks, and 
that is what was demonstrated, but it is very isolated.
    The bigger danger is what my colleague here on the left has 
said; it is only a question of time, only a question of time 
that what nation-states can do to attack the fiber 
infrastructure, terrorists will learn how to do, and you will 
see a massive shutdown, and that is what I know national 
security has worried about in the past and what we have tried 
to assist on, a massive cyber attack that disables nationwide 
communications, not just a pair of points, say in New York or 
Washington.
    Senator Cleland. Then do we in the Federal Government and 
many in the private sector need to think about redundancy, some 
kind of redundant capability?
    Mr. Nacchio. Right.
    Senator Cleland. Certain leaders were moved to, in effect, 
a redundant headquarters outside of Washington. In the case of, 
shall we say, a national emergency in our telecommunications 
world, in our cyber world, do we need to be able to have some 
kind of built-in redundancy?
    Mr. Nacchio. Absolutely, and I think for most of the 
infrastructure in this country, you have redundancy. There are 
still critical points and there is a limit at the last mile, so 
to speak, at some point you are not going to have redundancy, 
and that is what we have to be careful of.
    Senator Cleland. Thank you.
    Mr. Watson, do you have any feeling about your own view 
about whether an Office of Homeland Defense is going to be 
adequate, or do you feel a cabinet-level agency with budget and 
with troops in the field and so forth, massing their assets, is 
something we ought to seriously think about? Have you come to a 
conclusion on that?
    Mr. Watson. There are many agencies and organizations in 
the Federal Government that are currently contributing to the 
critical infrastructure protection effort. There certainly 
needs to be some streamlining. I am in no position to tell the 
government how to organize itself, but simply the fact that the 
pending executive order seems to indicate that there will be 
someone to coordinate critical infrastructure protection, we 
believe, is a very positive step, and we look at that as a 
parallel effort to what we have at the PCIS, coordinating all 
the infrastructure sectors.
    Senator Cleland. Mr. Cilluffo, I see your head nodding. Do 
you want to come in on that?
    Mr. Cilluffo. Oh, no, I pretty much agree. What we will 
have to work out are the details, of course. There are a number 
of potential executive orders out there, a number of great 
ideas and a number of commissions that have come out with 
different ideas. What I think you are seeing now is the 
amalgamation of the best of the best. There is no right answer. 
Whatever answer they choose, though, is in some ways the right 
answers, because they are the ones who are going to have to 
implement and execute.
    So what I say here is let's not rush to judgment. Let's see 
where this goes. Six months from now, maybe we are going to see 
there is a need for additional statutory authority or very 
specific legislative proposals or even access to troops. But I 
think let's focus now on the short-term needs requirements, 
backfill those threats to be able to withstand, prevent and 
preempt an incident, make sure that we are looking at this from 
not just the top-down, but the bottom-up; that our emergency 
responders and the public health community, for a bio event, 
are ready. So I do not disagree, but I think now let's focus on 
the short-term and then look to long-term capacity building.
    Senator Cleland. Ms. Gorelick, any ideas?
    Ms. Gorelick. As I said earlier, I think we do need some 
streamlining from the point of view of business to know who is 
doing what, operationally. I would make a comment about NSTAC 
in that regard. The reason that NSTAC is as robust as it is and 
has the capacity that it does, compared to the other ISACs that 
are more nascent, is that it was actually stood up by the 
government. The CEOs of the industry were, in 1982, named to 
the panel. They were given clearances. They get briefings. 
There is an extant staff. Industry is not told what to do by 
the government, but there is an infrastructure provided.
    There are many willing partners in the private sector, and 
we have a lot of technical expertise. We understand, from our 
own business perspective, the need to have business continuity. 
We understand, from our own business perspective, the need for 
our partners to have business continuity, but we are in 
business, we are unused to collective or collaborative action 
of the sort that is really called for here. If you could have 
the NSTAC model in each of the other industries, you would have 
a much more robust capacity on the part of industry doing the 
sorts of things that Mr. Watson is talking about. Other 
industries would get caught up to where communications is.
    The financial services sector did very well, considering 
what happened to it. It does have a lot of individual 
redundancy. We have backup centers and we have done a lot of 
thinking about hardening those resources. But if we are going 
to get where we need to be as industries responsible for this 
national infrastructure, I think we need, as I suggest in my 
written testimony, more adequate support on an industry by 
industry basis. I think we would be all helped by that. I do 
not think it is tremendously expensive, and it would 
dramatically increase the way that industry and government 
communicate with each other, and that industry communicates 
across itself.
    Senator Cleland. Mr. Nacchio.
    Mr. Nacchio. Mr. Chairman, let me just build on that--a 
couple of quick thoughts. Something that we do in the private 
sector, I think, applies here. If you want to get something 
done, define it clearly, focus and align resources, and keep it 
simple. Today, when we have a problem on our networks, we are 
required under the law to report it within 30 minutes to the 
FCC, as Verizon did to Chairman Powell when they had the 
outage. If we, NSTAC members, are faced with a cyber attack, 
will report it to NSTAC so it can be shared. But just to be 
clear, we take care of ourselves. NSTAC does not direct what we 
do. We are together.
    I have a fiduciary responsibility to make sure my network 
does not go down no matter who is attacking. I have my own guys 
who protect it. We hire ex-FBI, ex-anybody we can. We are kind 
of a nation-state in defending our physical and our cyber 
infrastructure. We are happy to share that as long--under the 
Freedom of Information Act--as it not get passed out to the bad 
guys, so to speak.
    So what NSTAC is really good at, which I think was touched 
here and why I am involved, is that my biggest job as the vice-
chair is not necessarily working with national security, it is 
working with all my colleagues in industry as best I can to 
encourage them, based upon what we learned, because we are all 
responsible for this, not just the government. But if you can 
keep it focused and keep it simple, your pertinent question 
about what do you do about homeland defense--I could not tell 
you how to organize the government--but I would say keep it 
simple.
    There are at least a dozen agencies, if something really 
bad is happening, we have to call, and that is all good, 
including the FBI, the local police, and the FCC. We generally 
get on it ourselves to start with. So, I recommend that you can 
keep it focused, streamlined, with clear accountability, and, 
of course, dedicate the resources.
    Ms. Gorelick. I would second that.
    Senator Cleland. Thank you. Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman.
    Mr. Nacchio, they taught me in high school that nature 
abhors a vacuum. Government abhors simplicity. [Laughter.]
    Senator Bennett. And may I, as a former customer of US 
West, and now one who writes a check to you every month, thank 
you for the improvement in service that has come since you took 
over. We are grateful that you have put the kind of resources 
you have into increasing customer service, and it is not 
unnoticed and not unappreciated.
    Mr. Nacchio. Thank you.
    Senator Bennett. Mr. Nacchio has told us what they did at 
September 11. I would be interested, Ms. Gorelick, what Fannie 
Mae did with respect to September 11.
    Ms. Gorelick. We stayed in business.
    Senator Bennett. What kind of challenges did you face?
    Ms. Gorelick. We were open for business. Our challenges 
were communication with sources of funding. The capital 
markets, as you know, were not really operating. We were able 
to establish communication with the Fed. We were able to 
maintain our communications with our customers.
    Basically, what we do, as you know, is fund those who are 
making mortgage loans around the country, and, by and large, 
the other outlets were, at least for the period of September 11 
and for some period after that, not able to function. 
Fortunately, for us, we were able to. We have a very robust 
system. Like Mr. Nacchio, we try to hire the best. Our head of 
security is out of DISA. We have spent a lot of time thinking 
about cyber security.
    So we were able to function and I think we were able to 
perform a real service to those who needed the capital markets 
to function. Eventually, those markets came back, but it took 
awhile, and I think if you look at what some of the learnings 
are, I think a lot of financial services companies have learned 
what makes their backup systems work. If you have your backup 
system right down the street from your main system, that may 
not work. If your backup system is reliant on the same 
communications grid, even if it may be in Brooklyn rather than 
lower Manhattan, it may not work.
    If you have a backup system that relies on the same people 
and the people cannot get there, it may not work. Fannie Mae 
did not experience any of those problems, and that is partly 
good planning and partly good luck, but I think there are a lot 
of learnings for the financial services sector coming out of 
this event.
    Senator Bennett. Thank you.
    Mr. Cilluffo, you made reference to the motivations of Al 
Qaeda, and I will share with you and put into this record 
information that came from a hearing we held in the Joint 
Economic Committee on this issue less than 60 days ago, where I 
asked one of the witnesses from the CIA if, in fact, the next 
terrorist attack would not come in the form of a cyber attack, 
because I said, as I said before, if I were someone who wished 
this country ill--back to your world, Ms. Gorelick--I would 
want to shut down the Fed wire and break into the computer 
system that keeps that going. If you could do that, you would 
produce long-term devastation.
    Ms. Gorelick. If I might suggest, Senator Bennett--I am 
sorry to interrupt--but I would actually think it useful to 
inquire as to what occurred, because that is a very vulnerable 
node, and we saw----
    Senator Bennett. We have done that on the Banking 
Committee. I sit on the Banking Committee, and I have asked 
Alan Greenspan directly about that issue and have had my staff 
down at the Fed looking at it for exactly the reason that you 
are underscoring. The answer I got from the witness was very 
interesting, and, in view of what has now happened, prophetic. 
He said, ``Senator, that is because you think the way you 
think. To the terrorist, shutting down the Fed wire does not 
give him what he wants, which is television footage that can be 
broadcast around the world to inflame people,'' and one of the 
analysts after September 11 who spoke to us said, ``In a sense, 
this attack by Al Qaeda backfired and failed, because what they 
wanted to produce was such a reaction out of America as to 
create a war of civilizations that would then polarize the 
Muslim world on their side. It backfired in that it caused such 
revulsion among good Muslims, who said this is not what they 
teach in the Koran, that it has driven moderate Arab States and 
Muslim States to our side in this confrontation.'' So cutting 
down the Fed wire does not give them any footage at all on 
international television, and therefore was not a notion that 
he looked at.
    But we go to the issue of hostile nation-states, and the 
ability to shut down the Fed wire would be something that a 
dictator in a hostile nation-state could hold this country 
hostage, a phone call or a hotline to the President of the 
United States, saying, ``Mr. President, we want the following 
things done in the international scene, and if they are not, 
within 20 minutes,'' or they would probably give him less time 
than that, ``the Fed wire will be shut down and the American 
economy will come to a screeching halt.''
    If we think in strategic terms, isn't that the kind of 
long-term protection that we have got to deal with, in addition 
to the immediate challenge of terrorists that want to use 
kinetic weapons--isn't this the long-term strategic 
vulnerability that we have?
    Mr. Cilluffo. Absolutely, Mr. Chairman--Senator Bennett.
    Senator Bennett. I will take that, but the Senate probably 
would not concur. [Laughter.]
    Mr. Cilluffo. But let me build on what I thought was such 
an important point. The single common denominator of all 
terrorism is that it is a psychological weapon intended to 
erode trust and undermine confidence in a government, its 
institutions, its elected officials, its policies in a region 
or, more generally, its values, and on and on and on and on. 
This did backfire. It united our country and it united--we 
united at home and we built a united front abroad. In the back 
of the minds, I think, of the administration, they have done a 
wonderful job of keeping this to fighting the really radical 
radicals. This is not about Islam. It is about radical Islamic 
fundamentalism, which Islam abhors, and we need to keep it that 
way.
    But, to the cyber question, I do not think there is an easy 
answer. Since the end of the Cold War, threat forecasting has 
arguably made astrology look respectable, and I do not have a 
crystal ball, but I would say that one thing we do want to 
think about in terms of conventional terrorist organizations 
are combined attacks, where perhaps you detonate your 
conventional explosive, big, large, whatever it may be, and you 
disrupt emergency 911, so the first responders cannot get to 
the scene, or something similar--and we do not want to 
advertise too many possibilities.
    But you are right. In terms of nations, that is where we 
have seen capabilities. There is no question that nations are 
doing surveillance, the cyber equivalence of intelligence 
preparation of the battlefield, on our networks. And those same 
tools to steal secrets can automatically be turned on to deny 
service, to attack. So this is something we need to be looking 
at, absolutely, and we need to be looking at it in a many-
pronged lens. We need to improve our own computer network, 
exploit the ability to steal cyber secrets of others, as well 
as good old espionage.
    Senator Bennett. If I could just make one quick comment, 
Mr. Chairman, before we wind it up. One of the vulnerabilities 
that we have to deal with, with the Defense Department, is the 
potential ability of an enemy to break into that communications 
system and then send the wrong instructions to the CINCs, and 
even if they do not, the mere fact that there is the 
possibility that they have will cause the CINC not to act on 
real instructions until he can be absolutely sure, through 
redundancy, that this order did come from the CINC, and in that 
process, time is lost, efficiency is lost, and the combination 
that Mr. Cilluffo was talking about of a kinetic weapon attack 
and then a scrambling of our command and control system or a 
threatening of our command and control system that slows down 
our response is an additional tool of warfare that we need to 
deal with as we are thinking about this in strategic long-
term----
    Mr. Watson. Senator Bennett, if I may make an additional 
comment to piggyback on that, I spent 23 years in the Marine 
Corps, the last eight of which were devoted to what became 
information warfare, and we were very much concerned with the 
combination of things like electronic warfare, military 
deception, psychological operations, destructive capabilities. 
But our feeling now in the private sector--and there are many 
of us that believe that the center of gravity for this country 
has moved to the private sector, because everyone is dependent 
on the private sector for the services that the infrastructures 
provide, we understand that we are on the front lines of 
defense, and I think it is impressive that the board of 
directors of the PCIS is all volunteer, and they all represent 
presidents and executives from companies like Bank of America, 
BellSouth, Consolidated Edison, Union Pacific, Conaco, 
Microsoft, and Merrill Lynch. You name the industry association 
and they are on the board. We get it, and we are ready to 
cooperate and help.
    Senator Bennett. Thank you. Thank you, Mr. Chairman.
    Senator Cleland. Thank you, Senator Bennett, and thank our 
panelists today, wonderful testimony.
    In conclusion, talking about the unity that has been 
brought about here, I have been often asked about the 
historical impact of the attack on September 11, and I quote 
Admiral Yamamoto, who planned and executed the attack on Pearl 
Harbor, that afterwards he felt he had only awakened a sleeping 
giant, and in so many ways that is exactly what has happened.
    Thank you all very much. The hearing is adjourned.
    [Whereupon, at 11:59 a.m., the Committee was adjourned.]
                            A P P E N D I X

                              ----------                              


                 PREPARED STATEMENT OF SENATOR BUNNING
    Thank you, Mr. Chairman.
    This is the second hearing on critical infrastructure protection 
the Committee has held this year, and I am pleased we are looking at 
this issue again.
    The first hearing the Committee held was on September 12, the day 
after the terrorist bombing. The importance of our security has never 
been more evident, as the reality of terrorism on America's soil was 
sadly brought home.
    Protecting critical infrastructure is a responsibility of all 
levels of government and the private sector.
    This will require businesses and government to share information 
and form alliances in ways they have traditionally not done.
    I am hopeful that we can make some good progress in protecting our 
critical infrastructure from future attacks over the next couple of 
months.
    However, we have a long way to go.
    In fact, during the September 12 hearing we discussed that too 
often in the Federal Government our critical infrastructure is weakened 
because simple, common-sense steps are not taken.
    This includes not changing passwords routinely or closing accounts 
for former employees or contractors.
    This leaves us vulnerable to future attacks. We must do better.
    I want to thank our witnesses for being here today, and look 
forward to hearing more about what else we need to do to protect our 
critical infrastructure.
[GRAPHIC] [TIFF OMITTED] T7434.001

[GRAPHIC] [TIFF OMITTED] T7434.002

[GRAPHIC] [TIFF OMITTED] T7434.003

[GRAPHIC] [TIFF OMITTED] T7434.004

[GRAPHIC] [TIFF OMITTED] T7434.005

[GRAPHIC] [TIFF OMITTED] T7434.006

[GRAPHIC] [TIFF OMITTED] T7434.007

[GRAPHIC] [TIFF OMITTED] T7434.008

[GRAPHIC] [TIFF OMITTED] T7434.009

[GRAPHIC] [TIFF OMITTED] T7434.010

[GRAPHIC] [TIFF OMITTED] T7434.011

[GRAPHIC] [TIFF OMITTED] T7434.012

[GRAPHIC] [TIFF OMITTED] T7434.013

[GRAPHIC] [TIFF OMITTED] T7434.014

[GRAPHIC] [TIFF OMITTED] T7434.015

[GRAPHIC] [TIFF OMITTED] T7434.016

[GRAPHIC] [TIFF OMITTED] T7434.017

[GRAPHIC] [TIFF OMITTED] T7434.018

[GRAPHIC] [TIFF OMITTED] T7434.019

[GRAPHIC] [TIFF OMITTED] T7434.020

[GRAPHIC] [TIFF OMITTED] T7434.021

[GRAPHIC] [TIFF OMITTED] T7434.022

[GRAPHIC] [TIFF OMITTED] T7434.023

[GRAPHIC] [TIFF OMITTED] T7434.024

[GRAPHIC] [TIFF OMITTED] T7434.025

[GRAPHIC] [TIFF OMITTED] T7434.026

[GRAPHIC] [TIFF OMITTED] T7434.027

[GRAPHIC] [TIFF OMITTED] T7434.028

[GRAPHIC] [TIFF OMITTED] T7434.029

[GRAPHIC] [TIFF OMITTED] T7434.030

[GRAPHIC] [TIFF OMITTED] T7434.031

[GRAPHIC] [TIFF OMITTED] T7434.032

[GRAPHIC] [TIFF OMITTED] T7434.033

[GRAPHIC] [TIFF OMITTED] T7434.034

[GRAPHIC] [TIFF OMITTED] T7434.035

[GRAPHIC] [TIFF OMITTED] T7434.036

[GRAPHIC] [TIFF OMITTED] T7434.037

[GRAPHIC] [TIFF OMITTED] T7434.038

[GRAPHIC] [TIFF OMITTED] T7434.039

[GRAPHIC] [TIFF OMITTED] T7434.040

[GRAPHIC] [TIFF OMITTED] T7434.041

[GRAPHIC] [TIFF OMITTED] T7434.042

[GRAPHIC] [TIFF OMITTED] T7434.043

[GRAPHIC] [TIFF OMITTED] T7434.044

[GRAPHIC] [TIFF OMITTED] T7434.045

[GRAPHIC] [TIFF OMITTED] T7434.046

[GRAPHIC] [TIFF OMITTED] T7434.047

[GRAPHIC] [TIFF OMITTED] T7434.048

[GRAPHIC] [TIFF OMITTED] T7434.049

[GRAPHIC] [TIFF OMITTED] T7434.050

[GRAPHIC] [TIFF OMITTED] T7434.051

[GRAPHIC] [TIFF OMITTED] T7434.052

[GRAPHIC] [TIFF OMITTED] T7434.053

[GRAPHIC] [TIFF OMITTED] T7434.054

[GRAPHIC] [TIFF OMITTED] T7434.055

[GRAPHIC] [TIFF OMITTED] T7434.056

[GRAPHIC] [TIFF OMITTED] T7434.057

[GRAPHIC] [TIFF OMITTED] T7434.058

[GRAPHIC] [TIFF OMITTED] T7434.059

[GRAPHIC] [TIFF OMITTED] T7434.060

[GRAPHIC] [TIFF OMITTED] T7434.061

[GRAPHIC] [TIFF OMITTED] T7434.062

[GRAPHIC] [TIFF OMITTED] T7434.063

[GRAPHIC] [TIFF OMITTED] T7434.064

                                   -