[House Hearing, 108 Congress]
[From the U.S. Government Printing Office]

                       THE INVISIBLE BATTLEGROUND



                               before the


                                 of the

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION


                           SEPTEMBER 16, 2003


                           Serial No. 108-26


    Printed for the use of the Select Committee on Homeland Security

 Available via the World Wide Web: http://www.access.gpo.gov/congress/


21-354                      WASHINGTON : 2005
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512�091800  
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�0900012005


                 CHRISTOPHER COX, California, Chairman

JENNIFER DUNN, Washington            JIM TURNER, Texas, Ranking Member
C.W. BILL YOUNG, Florida             BENNIE G. THOMPSON, Mississippi
DON YOUNG, Alaska                    LORETTA SANCHEZ, California
Wisconsin                            NORMAN D. DICKS, Washington
W.J. (BILLY) TAUZIN, Louisiana       BARNEY FRANK, Massachusetts
DAVID DREIER, California             JANE HARMAN, California
DUNCAN HUNTER, California            BENJAMIN L. CARDIN, Maryland
SHERWOOD BOEHLERT, New York            New York
LAMAR S. SMITH, Texas                PETER A. DeFAZIO, Oregon
CURT WELDON, Pennsylvania            NITA M. LOWEY, New York
CHRISTOPHER SHAYS, Connecticut       ROBERT E. ANDREWS, New Jersey
DAVE CAMP, Michigan                    District of Columbia
LINCOLN DIAZ-BALART, Florida         ZOE LOFGREN, California
BOB GOODLATTE, Virginia              KAREN McCARTHY, Missouri
PETER T. KING, New York              BILL PASCRELL, JR., New Jersey
JOHN LINDER, Georgia                 DONNA M. CHRISTENSEN,
JOHN B. SHADEGG, Arizona               U.S. Virgin Islands
MARK E. SOUDER, Indiana              BOB ETHERIDGE, North Carolina
MAC THORNBERRY, Texas                CHARLES GONZALEZ, Texas
JIM GIBBONS, Nevada                  KEN LUCAS, Kentucky
KAY GRANGER, Texas                   JAMES R. LANGEVIN, Rhode Island
PETE SESSIONS, Texas                 KENDRICK B. MEEK, Florida

                      JOHN GANNON, Chief of Staff

         UTTAM DHILLON, Chief Counsel and Deputy Staff Director

               DAVID H. SCHANZER, Democrat Staff Director

                    MICHAEL S. TWINCHEK, Chief Clerk


  Subcommittee on Cybersecurity, Science, and Research and Development

                    MAC THORNBERRY, Texas, Chairman

PETE SESSIONS, Texas, Vice Chairman  ZOE LOFGREN, California
LAMAR SMITH, Texas                   ROBERT E. ANDREWS, New Jersey
CURT WELDON, Pennsylvania            SHEILA JACKSON-LEE, Texas
DAVE CAMP, Michigan                  DONNA M. CHRISTENSEN,
ROBERT W. GOODLATTE, Virginia          U.S. Virgin Islands
PETER KING, New York                 BOB ETHERIDGE, North Carolina
JOHN LINDER, Georgia                 KEN LUCAS, KENTUCKY
MARK SOUDER, Indiana                 JAMES R. LANGEVIN, Rhode Island
JIM GIBBONS, Nevada                  KENDRICK B. MEEK, Florida
KAY GRANGER, Texas                   CHARLES GONZALEZ, Texas
CHRISTOPHER COX, California, ex      JIM TURNER, TEXAS, ex officio





The Honorable Mac Thornberry, a Representative in Congress From 
  the State of Texas, and Chairman, Cybersecurity, Science, and 
  Research and Development.......................................     1
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California, and Ranking Member, Cybersecurity, 
  Science, and Research and Development
  Oral Statement.................................................     2
  Prepared Statement.............................................     5
The Honorable Donna M. Christensen, a Delegate From the U.S. 
  Virgin Islands.................................................    24
The Honorable Jennifer Dunn, a Representative in Congress From 
  the State of Washington........................................     4
The Honorable Bob Etheridge, a Representative in Congress From 
  the State of North Carolina....................................    20
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island
  Oral Statement.................................................    33
  Prepared Statement.............................................     6
The Honorable Sheila Jackson-Lee, a Representative in Congress 
  From the State of Texas
  Oral Statement.................................................    29
  Prepared Statement.............................................     6
The Honorable John Linder, a Representative in Congress From the 
  State of Georgia...............................................    23
The Honorable Ken Lucas, a Representative in Congress From the 
  State of Kentucky..............................................    26
The Honorable Kendrick B. Meek, a Representative in Congress From 
  the State of Florida...........................................    37
The Honorable Pete Sessions, a Representative in Congress From 
  the State of Texas.............................................    27


The Honorable Robert Liscouski, Assistant Secretary, 
  Infrastructure Protection Directorate, Department of Homeland 
  Oral Statement.................................................     7
  Prepared Statement.............................................     9

                         CYBERSPACE MORE SECURE


                      Tuesday, September 16, 2003

                          House of Representatives,
                             Subcommittee on Cybersecurity,
                     Science, and Research and Development,
                     Select Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to call, at 9:30 a.m., in Room 
2118, Rayburn House Office Building, Hon. Mac Thornberry 
[chairman of the subcommittee] presiding.
    Present: Representatives Thornberry, Sessions, Linder, 
Lofgren, Jackson-Lee, Christensen, Etheridge, Lucas, Langevin, 
and Meek.
    Also Present: Representative Dunn.
    Mr. Thornberry. The hearing will come to order. I would 
like to welcome our witness and guests to today's hearing, 
entitled The Invisible Battleground: What the Department of 
Homeland Security is Doing to Make America's Cybersecurity More 
    Over the past several months this subcommittee has received 
a number of perspectives on cybersecurity. We have held 
classified and unclassified briefings and hearings. We have 
heard from witnesses from academia, think tanks, technology 
industry, government agency, users, and others. Our goal has 
been to deepen our understanding of the issues involved and to 
gain a truer perspective on how and where cybersecurity fits 
into homeland security.
    Now, today, we will hear a progress report from the new 
Department of Homeland Security.
    From the first bills introduced in Congress to create a 
Department of Homeland Security, cybersecurity was one of those 
critical elements that was given to the new department, one of 
the functions where a number of government agencies would be 
brought together with greater emphasis and broader 
responsibilities. It was clear that if we were really going to 
modernize and strengthen Homeland Security, cybersecurity had 
to be a part of it.
    The final legislation, in fact, did that. It did not set 
cybersecurity apart, as some proposed, but included it as one 
of the critical infrastructures placed under the Directorate 
for Information Analysis and Infrastructure Protection.
    Since the Department began operations in March this year, 
it has brought some key people on board, although sometimes it 
has seemed to have taken a while. In June, it announced the 
creation of a National Cybersecurity Division; just yesterday a 
director was announced for that division. Yesterday, also, an 
emergency response partnership with Carnegie Mellon University 
and a US-CERT was announced. So significant steps have been 
    In its strategy, released in February, the administration 
acknowledged that cyberspace is the nervous system of the other 
infrastructures, the control system of the country. Thus, the 
healthy functioning of cyberspace is essential to our economy 
and our national security.
    In our hearings so far, we have heard that cyber attacks 
are growing in number and complexity and in severity of the 
consequences. The recent bout with viruses and worms have shown 
that once they are launched, they are not easily contained; and 
as recently as last week, our hearing on the recent blackouts 
have shown again the interconnectiveness of various 
infrastructures. And yet there has been a lingering concern 
that cybersecurity has not been given the priority it deserves 
from the Department.
    Today, we are ready to hear from the administration on some 
answers to these important questions, such as: Where are we in 
implementing each of the five priorities contained in the 
national strategy;
    What can and should the Federal Government do to require or 
encourage better security for all of the IT infrastructure 
which is in private hands; and
    What about the human element where we have received 
testimony that up to two-thirds of the problems that are 
created are created by the interface of human beings with 
    In today's world, our computers and cyber networks are not 
just a place to do business and conduct research and 
communicate with our friends. Cyberspace is an invisible 
battleground that we must secure and defend, for attacks are 
being launched against us every day attacks against the central 
nervous system of the country and against our economy and our 
security. We must be ready. And today we hope to hear from our 
witness that we are in better shape than we have been in the 
    Before we turn to our witness, I am going to yield to our 
distinguished ranking member, my partner in this effort, Ms. 
    Ms. Lofgren. Thank you, Chairman Thornberry, for holding 
this hearing and for your continued outstanding leadership of 
this committee.
    I think the chairman did a great job in summarizing the 
work that this subcommittee has done to date. All the members 
of the subcommittee have taken the time to study this 
incredibly complex set of issues involving cybersecurity, and 
we certainly know more now than we did when we began our 
    I think all of us agree that the Nation's cyber 
infrastructure remains vulnerable and that the Federal 
Government must provide leadership to better secure our systems 
in both the public and private sectors. My concerns about the 
Department of Homeland Security are that it is not providing 
sufficient leadership in the cyber arena, particularly in the 
following five areas:
    Reducing vulnerabilities: The Department is tasked with 
reducing vulnerabilities to government in critical asset 
computers as well as responding to cyber incidents. The number 
of cyber attacks and resulting damage, however, continues to 
increase. This past August was the worst ever for computer 
viruses. The Blaster, Welchia, and SoBigF viruses, along with 
other attacks, caused more than $32.8 billion in economic 
damages according to one digital risk assessments company.
    Two, coordination: Is the National Cybersecurity Division 
coordinating with the private sector, other government 
agencies, and State and local governments to identify 
vulnerabilities? Has the NCSD begun a national risk assessment? 
If so, when will it be complete? I am concerned that the 
Department is not providing quick leadership in this area.
    Departures from the administration: In the last 6 months 
the most senior Bush administration cyber officials have left 
the government. These individuals include Richard Clarke, the 
Special Advisor to the President for Cybersecurity; Howard 
Schmidt, the Vice Chair of the President's Critical 
Infrastructure Board, and Clarke's replacement; Ron Dick, the 
Director of the National Infrastructure Protection Center; and 
John Tritak, Director of the Critical Infrastructure Assurance 
Office. I am concerned about these departures and that the 
National Cybersecurity Division may lack sufficient personnel 
and resources to operate effectively.
    Cyber priorities at DHS: Clearly, as the chairman has 
mentioned, cybersecurity is enormously important to the 
infrastructure of the Nation. I am worried that cybersecurity 
has been demoted in importance in the administration with the 
lead official for cyber issues reduced from a Special Advisor 
to the President, working in the White House, to a directorship 
very deep within the Department of Homeland Security. The 
Nation's cyber chief must have both the access and resources to 
do the job, the cyber chief at DHS.
    It took the Department over 3 months to announce its choice 
for a leader of the NCSD. This delay is troublesome, and I am 
curious as to why it took the Department so long to settle on a 
candidate. I am also concerned about the number of other jobs 
that seem to be empty and vacant within NCSD, how many desks 
are empty. Is there anyone there to answer the phone?
    With these concerns in mind, I am very encouraged by the 
person chosen to lead the NCSD. Mr. Yoran currently serves as 
the Vice President of Managed Security Services Operation at 
Semantech Corporation, the Internet security firm headquartered 
in Cupertino, California, near my home.
    I am very familiar with the work of Semantech. It is one of 
the true bright spots in Silicon Valley, and its CEO, John 
Thompson, is a talented and thoughtful leader. I am hopeful 
that our new guy will provide needed leadership at the NCSD, 
and once he is on the job, I am going to tell him that he must 
candidly tell the chairman and me if he has the access and 
resources needed to accomplish his mission. If he is unable to 
do his job, Secretary Ridge should expect to hear from me and, 
I think, the chairman directly.
    As you can see, we have many concerns about the cyber 
program of the Department of Homeland Security. I am pleased 
that we finally today will hear directly from the top official 
at DHS on our efforts. And the Assistant Secretary for 
Infrastructure has served as the acting chief since it was 
established on June 6, so I am sure he will address the 
concerns that I have raised; and I hope he will be able to 
reassure me that cybersecurity is, in fact, a priority at the 
    I thank the chairman for yielding.
    Mr. Thornberry. Thank the gentlelady.
    Without objection, the distinguished vice chair of the full 
committee will sit with the subcommittee today, and the Chair 
would yield to the gentlelady from Washington for any opening 
statement she would like to make.
    Ms. Dunn. Thank you very much, Mr. Chairman.
    Mr. Liscouski, I am looking forward to your testimony. 
Thank you for joining us here today. We are eager to learn 
about the Department of Homeland Security's most recent 
efforts, in fact, in June of this year to protect an important 
part of our Nation's critical infrastructure, our cyber 
    In the wake of September 11, the leaders of this Nation 
have realized that securing our homeland against terrorist 
attacks also means that we need to think creatively about where 
our targets might be. We have visual reminders of many targets 
every single day. When we board an airplane, when we drive over 
a bridge, when we have our bags searched at football games.
    But we also have targets that are far less visible. The 
power grid is one such example. Cyberspace is another. And that 
is why we are here today.
    Your division, Mr. Liscouski, faces no small task. Securing 
cyberspace is an international issue, something I realized with 
greater awareness this summer when I addressed a group in 
London on cybersecurity, and was very happy to learn how 
involved the people of the British Government are in making 
sure we get this right.
    Also, we know that a cyber attack from overseas cannot be 
intercepted at the border, or at least is very difficult to be 
intercepted at any border, since there are no borders in the 
cyber world.
    This issue is also one that requires intense partnership 
with the private sector. The key to achieving a desired level 
of cybersecurity is utilizing and supporting the relationships 
that we have formed with the private sector, those on the 
ground doing research and development. Companies like 
Microsoft, which I represent here in the United States 
Congress, have realized that many of its priorities in business 
are in line with our Homeland Security priorities here in 
Congress. We are all working to prevent a situation where 
critical technological infrastructure is brought down.
    This committee has spent a significant amount of time 
looking into the successful public-private and cross-industry 
partnerships that already exist. I hope the Department 
continues to work closely with the private sector to reach a 
clear understanding of what a safe network system looks like.
    As the Department works to protect America's technological 
infrastructure, it also must keep in mind the interconnectivity 
these cyber connections have with the world's financial 
markets, transportation and communications systems.
    I am very happy the Department is taking this charge 
seriously, and I look forward to your testimony.
    Mr. Thornberry. Thank the gentlelady. Does any other member 
wish to offer an opening statement at this time?
    Without objection, any member may submit an opening 
statement for the record.
    [The information follows:]

   Prepared Statement of the Honorable Zoe Lofgren, Ranking Member, 
  Subcommittee on Cybersecurity, Science, and Research and Development

    Thank you Chairman Thornberry for holding this hearing and for your 
continued outstanding leadership of this subcommittee.
    Chairman Thornberry did a terrific job in summarizing the work that 
this subcommittee has done to date. All Members of this subcommittee 
should be commended for taking the time to study the incredible complex 
set of issues involving cybersecurity.
    We have learned a lot since this subcommittee first met at the 
beginning of the year. I think all would agree that our nation's cyber 
infrastructure remains vulnerable, and that the federal government must 
provide leadership to better secure our systems in both the public and 
private sector.
    My concerns about the Department of Homeland Security are that it 
is just not providing sufficient leadership in the cyber arena, 
particularly in the following five areas.
         Reducing Vulnerabilities: The Department is tasked 
        with reducing vulnerabilities to government and critical asset 
        computers, as well as responding to cyber incidents. The number 
        of cyber attacks, and resultant damage, however, continues to 
        increase. This past August was the worst month ever for 
        computer viruses. The Blaster, Welchia, and SoBig.F viruses, 
        along with other attacks, caused more than $32.8 billion in 
        economic damages, according to one digital risk assessment 
         Coordination: Is the National Cyber Security Division 
        (NCSD) coordinating with the private sector, other government 
        agencies, and state and local governments to identify 
        vulnerabilities? Has the NCSD begun a national risk assessment? 
        If so, when will it be complete? I am very concerned that the 
        Department is just not providing leadership in this area.
         Bush Administration Departures: In the last six 
        months, the most senior Bush Administration cyber officials 
        have left the government. These individuals include Richard 
        Clarke, the special advisor to the president for cyber 
        security; Howard Schmidt, the vice chair of the president's 
        critical infrastructure board and Clarke's replacement; Ron 
        Dick, the director of the National Infrastructure Protection 
        Center; and John Tritak, director of the Critical 
        Infrastructure Assurance Office.
    I am very concerned about these departures and that the National 
Cyber Security Division may lack sufficient personnel and resources to 
operate effectively
         Cyber priorities at DHS: Clearly, cyber security has 
        been demoted in importance in the Administration with the lead 
        official for cyber issues reduced from a special advisor to the 
        President working in the White House, to a Directorship buried 
        deep within the Department of Homeland Security. The nation's 
        cyber chief must have the both the access and resources to do 
        the job.
         Cyber Chief at DHS: In addition, it took the 
        department over 3 months to announce its choice for a leader of 
        the NCSD. This delay is troublesome, and I am curious as to why 
        it took the department so long to settle on a candidate. I am 
        also concerned about the number of other jobs that need to be 
        filled within the NCSD. How many desks are empty? Is there 
        anyone there to answer the phone?
         With these concerns in mind, I am very encouraged by 
        the person chosen to lead the NCSD. Mr. Amit Yoran currently 
        serves as the Vice President of Managed Security Services 
        Operations at Symantec Corporation, the internet security firm 
        headquartered in Cupertino, California. I am very familiar with 
        the work of Symantec. It remains one of the true bright spots 
        in Silicon Valley, and its CEO, John Thompson is a talented and 
        thoughtful leader.
         I am hopeful that Mr. Yoran will provide needed 
        leadership in the NCSD. Once he in on the job, I am going to 
        tell him that he must candidly tell me if he has the access and 
        resources needed to do his job. If he is unable to do his job, 
        Secretary Ridge should expect to hear directly from me.
    As you can see, I have many concerns about the cyber program at the 
Department of Homeland Security. I am pleased that we finally get to 
hear directly from a top official at DHS today on its efforts. Robert 
Liscouski, Assistant Secretary for Infrastructure Protection, has 
served as the acting chief of the National Cyber Security Division 
(NCSD) since it was established on June 6, 2003.
    I hope that Mr. Liscouski will address my many concerns and 
reassure me that cyber security is in fact a priority at the Department 
of Homeland Security.

     Prepared Opening Statement of the Honorable James Langevin, a 
       Representative in Congress from the State of Rhode Island

    Thank you, Mr. Chairman. I would like to welcome Assistant 
Secretary Liscouski, and express my appreciation for your willingness 
to come here for what I expect will be a very informative and 
productive hearing. We have heard so much from both the private and 
academic sectors about the state of information security and their 
hopes and fears about the Department of Homeland Security's plans, and 
now we can find out about those plans directly from the source.
    Mr. Chairman, my greatest concern by far is the fact that no 
information has been forthcoming from DHS until now. While I am pleased 
to finally get the chance to discuss how information security fits into 
the overall plan for critical infrastructure protection, I must express 
my disappointment at how long it has taken.
    I believe it is the duty of this Subcommittee to determine what is 
being done, and what more can be done, to safeguard our critical 
infrastructure. While it is true that much of our information 
infrastructure lies with private industry, that should in no way reduce 
DHS's efforts to secure and protect it.
    I am especially interested to hear Mr. Liscouski's opinion on 
whether or not the structure and resources being devoted to 
cybersecurity at DHS are sufficient to handle the tasks for which it is 
now responsible. In addition, I hope to learn what, if any, attention 
is being paid to home users and their security, an important group that 
is often left out of ``big picture'' views of information security. 
Most importantly, this Subcommittee needs to know how DHS can best work 
in conjunction with our computer industry partners and other agencies 
in order to raise the bar for information security for all users.
    Again, I greatly appreciate Assistant Secretary Liscouski taking 
time to be here to discuss these vital issues with us.
    Thank you, Mr. Chairman.

   Prepared Opening Statement of the Honorable Sheila Jackson-Lee, a 
           Representative in Congress from the State of Texas

    Mr. Chairman, Thank you for calling this important and provocative 
hearing. With the recent blackouts, and the viruses which have been 
plaguing the House computer systems, our infrastructure networks--and 
our dependence on them--is abundantly clear. It will be good to explore 
what the Administration is doing to make them more secure.
    Obviously, national security is foremost on everyon's minds these 
days. As we work to improve our country's security, it is important 
that we take inventory of all systems that are vital to the functioning 
of the nation, and do all we can to protect them. This certainly 
includes our computer networks systems that can be attacked anonymously 
and from far away. These networks are the glue that holds our nation's 
infrastructure together. An attack from cyberspace could jeopardize 
electric power grids, railways, hospitals and financial services, to 
name a few. The recent blackouts made it clear how fragile and 
vulnerable our infrastructure may be.
    We are all aware of the growing number of internet security 
incidents. These incidents can come in many flavors: annoying attacks 
through emails, involving such things as computer viruses, denial of 
service attacks, and defaced web sites; or cyber-crime, such as 
identity theft. Such events have disrupted business and government 
activities, and have sometimes resulted in significant recovery costs.
    Despite the risks, our hospitals and power grids, our 
communications, our transportation systems, will probably always be 
critically dependent on computers and information flow and the 
satellites above us. A terrorist or other criminal tampering with those 
systems could devastate entire industries and potentially cost lives. 
While we have been fortunate so far in avoiding a catastrophic cyber 
attack, Richard Clarke, the President's cyber-terrorism czar from last 
year, I guess I should say ``two czars ago,'' said that the government 
must make cybersecurity a priority or face the possibility of a 
``Digital Pearl Harbor''.
    This was truly a frightening prospect. On paper, it seems we are 
taking bold steps toward securing cyberspace: we now have a National 
Cyber Security Division (NCSD) at the DHS, and its new U.S. Computer 
Emergency Response Team (US-CERT). I would like to thank Mr. Liscouski 
for taking the time away from the challenges that face him at the DHS 
to enlighten us on the progress the Department and the Administration 
are making on this important front.
    We have been working on this subject for the past year in the 
Science Committee as well. One thing I have been disturbed by is the 
lack of good data on the threats that face us, and the absence of a 
solid assessment of the risks we face. How can we know how much to 
invest, and where, if we do not know those basics?
    I want to know the magnitude of the threat out there, and how 
Americans are dealing with it. What is the role of the private sector, 
and of private citizens, and of the federal government? Are we putting 
adequate resources and energy into fulfilling that role?
    I look forward to the dialogue. Thank you.

    Mr. Thornberry. With that, we will turn to our witness. We 
want to welcome, Robert P. Liscouski, Assistant Secretary for 
Infrastructure Protection of the Department of Homeland 
    I understand this is your first opportunity to testify in 
front of Congress. We appreciate your being here and you are 
recognized. Your full statement will be made part of the 
record, and you are recognized to summarize it as you wish.

                       HOMELAND SECURITY

    Mr. Liscouski. Thank you and good morning, Chairman 
Thornberry and members of the committee. I am pleased to appear 
before you this morning to discuss some of our efforts to 
protect and secure our Nation's critical infrastructure.
    From the beginning of DHS, IAIP and the Infrastructure 
Protection Office for which I am responsible recognized the 
equal importance of protecting physical as well as cyber 
assets. Thus, we created the National Cybersecurity Division on 
June 6 of this year. Today, I am here to give you a progress 
report on where we are now and where we will be going in the 
future to implement the President's national strategy to secure 
    Mr. Thornberry. Excuse me, Mr. Liscouski, would you pull 
the microphone just a little closer to you. It will be easier 
for us to hear. Thank you.
    Mr. Liscouski. All right.
    I am pleased to announce this morning that Amit Yoran has 
been formally named as the Director of the NCSD, effective 
today. Mr. Yoran is a strategic thinker, a disciplined leader, 
who understands the unique threats and vulnerabilities 
manifested in cyberspace and is the individual who will further 
accelerate our efforts in building a full NCSD team and 
increasing the strength of our public and private sector 
    Building upon the formation of the NCSD, the Department has 
worked to assemble a consolidated and coordinated team of 
cybersecurity professionals. Despite the many organizational 
and cultural challenges associated with integrating these 
elements into one entity, our initial efforts have yielded very 
effective positive and tangible results. The creation of the 
NCSD has enabled the initial consolidation of three 24x7 cyber 
watch capabilities; formulation of standardized incident 
handling procedures for responding to cybersecurity events; and 
the creation of a single national focal point for cybersecurity 
leadership for prevention, protection, and response to 
    The most recent accomplishments of the NCSD is the creation 
of the National Computer Emergency Response Team or the US-
CERT. The US-CERT, in collaboration with the private sector and 
leading response organizations, will improve warning and 
response time to security incidents by fostering the 
development of detection tools and utilizing common commercial 
incident and vulnerability reporting protocols. This will 
increase the flow of critical security information throughout 
the Internet community.
    I would like to take a moment to address our rationale 
behind the decision to integrate physical and cybersecurity 
within the IAIP directorate. I believe that this approach is 
the correct one for three reasons.
    First, cybersecurity cannot stand alone. The critical 
interdependencies between cyber and physical domains demand 
that we coordinate our intelligence and our protection efforts.
    Second, with the creation of the NCSD, we have for the 
first time implemented a single point of contact for 
cybersecurity within the Federal Government that will interact 
with other agencies, private security, the resource communities 
and State and local governments on a 24x7 basis.
    Third, though the director of the NCSD serves as a 
technical and operational lead for cybersecurity issues, 
cybersecurity will also be championed by Under Secretary Frank 
Libutti and myself. And we are committed to the implementation 
and the full funding of the NCSD as one of the top priorities 
for the IAIP directorate and for DHS at large.
    As demonstrated by recent events, the consequences of cyber 
attack can manifest with little or no warning, on a widespread 
scale, with tremendous speed. Impacts can quickly escalate 
across multiple infrastructures, resulting in widespread 
disruption of essential services, significant economic losses, 
and potentially endangering public safety and national 
security. The NCSD, therefore, is implementing its objectives 
for the timely execution of three key mission areas--outreach, 
prevention, and remediation.
    The NCSD is aggressively pursuing an outreach agenda that 
will provide education tools for children, parents, teachers, 
business owners, and business operators. NCSD, through the 
development of partnerships with government agencies such as 
the Federal Trade Commission, nonprofits like the National 
Cybersecurity Alliance and Internet service providers, will 
work to establish and enhance awareness programs for all users 
at all levels. We will be making announcements on our progress 
in the coming weeks.
    NCSD partnerships with industry, academia, and government 
will be the foundation for program implementation for 
protective and preventive measures to reduce America's 
vulnerabilities to cyber attacks. It is crucial that we improve 
existing public and private partnerships whose missions are 
consistent with the NCSD.
    A prime example is the National Cybersecurity Alliance 
whose members have committed their time and resources to 
regularly educating the home consumer and small businesses on 
good security practices. Proactive response and recovery 
efforts associated with the recent Blaster worm and SoBig virus 
offer the best evidence of the value of partnerships. SoBig 
spread faster and more aggressively than any previous e-mail 
virus, affecting millions of residential business and 
government computers worldwide.
    We recognize a cyber attack could easily cascade across 
multiple infrastructures, causing widespread, rapid disruption 
of essential services and impacting our national economy, 
public safety, and national security. The NCSD is committed to 
closely working with other government and law enforcement 
agencies, private industry, as well as academia, to help secure 
our cyberspace from future and potentially more serious 
malicious exploitation.
    To this end, I am pleased to announce that we are beginning 
to organize a National Cybersecurity Summit for later this fall 
in order to assemble key industry and government leaders to 
energize decisions like several key national cybersecurity 
    The Internet and cyber technologies have greatly improved 
both the quality of life for our citizens and the efficiency 
and the productivity of our business and our government. These 
societal and economic benefits are not without their costs. 
Malicious actors are devising new and ingenious ways to exploit 
vulnerabilities in our cyber world, to disrupt our quality of 
life, and threaten our national and economic security. Much 
like the larger global war on terrorism, this effort will take 
time, resources, dedication, energy, and hard work. But in the 
few short months we have been in existence, we have made great 
strides and we look forward to working with the Members of 
Congress, this committee, our government partners, the private 
sector, and the international community in this endeavor.
    I come before you today to dedicate ourselves to this 
common goal: one team, one fight, one mission, to protect the 
United States of America.
    I appreciate the opportunity to testify before you today 
and I look forward to your questions. Thank you.
    [The statement of Mr. Liscouski follows:]

            Prepared Statement of the Hon. Robert Liscouski

    Good morning Chairman Thornberry and Members of the committee. My 
name is Robert Liscouski, I am the Assistant Secretary for 
Infrastructure Protection and Acting Director of the National Cyber 
Security Division (NCSD) within the Department of Homeland Security. I 
am pleased to appear before your Subcommittee to discuss some of our 
efforts to protect and secure our Nation's critical infrastructure.
    Last week's observances of the two-year anniversary of the 
September 11th attacks offer a stark reminder of the threats and 
vulnerabilities we as a Nation still confront. The Department's 
Information Analysis and Infrastructure Protection Directorate (IAIP) 
was established by the Homeland Security Act to lead the Nation's 
efforts to prepare for, prevent, respond to, and recover from terrorist 
attacks like those perpetrated on 9/11. These terrorist acts may 
manifest in many forms, including physical and cyber attacks against 
our critical infrastructure, key assets, and national icons. Both 
physical and cyber assets have vulnerabilities that may be exploited by 
our enemies. The highly interconnected nature of our infrastructure 
makes these physical and cyber weaknesses impossible to separate--and 
difficult to address separately. Our protection methodology leverages 
an integrated physical/cyber protection approach to reduce 
vulnerabilities and to optimize our response when an attack does occur.
    From the beginning of DHS, the IAIP directorate which includes the 
Infrastructure Protection Office for which I am responsible, has 
implemented a dedicated organization committed to protecting physical 
assets. The organization is called the Protective Security Division 
(PSD). Recognizing the equal importance of protecting cyber assets, we 
created the National Cyber Security Division on June 6 of this year. 
These organizations within the Infrastructure Protection Office work 
together to implement the integrated protection methodology that I 
previously discussed. Today, I am here to give you a progress report on 
where we are now, and what we have in store for the coming months and 
years to implement the President's National Strategy to Secure 
    I am pleased to announce that Amit Yoran has been formally named as 
the Director of the NCSD effective today. Mr. Yoran is a strategic, 
disciplined leader who understands the unique threats and 
vulnerabilities manifested in cyberspace and is an individual capable 
of managing a diverse, highly technical organization Mr.Yoran was most 
recently the Vice President for Managed Security Services at Symantec 
Corporation where he was primarily responsible for managing security 
infrastructures in 40 different countries. Before working with 
Symantec, Mr. Yoran was the Founder, President and CEO of Riptech, 
Inc., a leader in outsourced information security management and 
monitoring. Before working in the private sector, he was the Director 
of the Vulnerability Assessment Program within the Computer Emergency 
Response Team at the Department of Defense and the Network Security 
Manager and the Department of Defense where he was responsible for 
maintaining operations of the Pentagon's network Mr. Yoran's leadership 
and respect within the information security industry will further 
accelerate our efforts in building the full NCSD team, and increasing 
the strength of our public and private sector partnerships.
    Since its formal establishment in June, the National Cyber Security 
Division has worked closely with our partners in the private sector, 
including coordinating response and mitigation of the Blaster worm and 
SoBig virus. Without these coordinated efforts, the significant 
economic impact of these attacks could have been much worse. In each 
situation, the Department's cyber security experts demonstrated the 
ability to quickly reach out to the security community, rapidly assess 
emerging threats, and provide timely warnings to government, industry, 
and the general public. These initial efforts were crucial--they 
allowed the NCSD to establish its credibility and demonstrate its value 
to the national and international cyber security community.
    Since June, IAIP has been assembling a consolidated and coordinated 
team of cyber security professionals. These experts were integrated 
from portions of the National Infrastructure Protection Center (NIPC), 
Critical Infrastructure Assurance Office (CIAO), Energy Assurance 
Office (EAO), and the Federal Computer Incident Response Center 
(FedCIRC). Despite the many organizational and cultural challenges 
associated with integrating these elements into one entity, our initial 
efforts have yielded effective and tangible results. Creation of the 
NCSD has enabled:

         Planning for consolidation of three 24x7 cyber watch 

         Formulation of a standardized incident handling 
        procedure for responding to cybersecurity events; and

         Creation of a single national focal point for 
        cybersecurity leadership for prevention, protection, and 
        response to incidents.
    The most recent accomplishment of the NCSD is the creation of the 
National Computer Emergency Response Team (US-CERT). The US-CERT, in 
collaboration with the private sector and leading response 
organizations, will improve warning and response time to security 
incidents by fostering the development of detection tools and utilizing 
common commercial incident and vulnerability reporting protocols. This 
will increase the flow of critical security information throughout the 
Internet community by leveraging the extensive resources and brand of 
the Federal Government and Carnegie Mellon's CERT/Coordination Center. 
The CERT/CC is a part of the Software Engineering Institute (SEI) and 
is affiliated with Carnegie Mellon's new Cyber Security Laboratory. A 
key enabler of this partnership is the 19 years of leadership 
demonstrated by the U.S. Department of Defense in its sponsorship of 
the SEI, a federally funded research & development center. By 
integrating capabilities from the Government (FedCIRC), Academia (The 
CERT/CC), and the private sector (vendors of security products and 
services), the US-CERT will provide a coordination center that, for the 
first time, links public and private response capabilities to 
facilitate communication across all infrastructure sectors.
    Before detailing our future programs and initiatives, I would like 
to begin by providing rationale behind the decision to treat physical 
and cyber security on part with one another, within the IAIP 
directorate. I believe that this approach is the correct one for three 
    First, cyber security cannot be a ``stand alone'' effort. As I 
described earlier in my statement, the success of DHS as a Department, 
and IAIP specifically, depends on our ability to protect the entire 
critical infrastructure against physical and cyber attacks together. We 
realize the dominant components common to all 13 critical 
infrastructures are physical and cyber components. To best protect the 
country against attack, careful integration of both components is 
required to achieve a holistic view of critical infrastructure 
vulnerabilities. In fact, this view is validated by a common criticism 
voiced by the private sector and security experts preceding the 
creation of the Department: physical and cyber security were being 
addressed by the government independently. We believe the physical and 
cyber domains are inextricably linked and vulnerabilities cannot be 
effectively analyzed independently. Placing both responsibilities under 
one Under Secretary and one Assistant Secretary has ensured successful 
    Second, the NCSD will identify, analyze, and reduce cyber threats 
and vulnerabilities; disseminate threat warning information, coordinate 
incident response; and provide technical assistance in Continuity of 
operations and recovery planning. With the creation of the NCSD, we 
have for the first time, implemented a single point of contact for the 
prevention, protection, and coordination of response to incidents, that 
will interact with all federal agencies, private industry, the research 
community, State and local governments, and other partners on a 24x7 
    Third, while the Director of the NCSD serves as the technical and 
operational lead for cybersecurity issues, it is important to remember 
that the cyber security issue will now be championed within IAIP by 
Under Secretary Frank Libutti, and myself. The Under Secretary and I 
have already demonstrated our commitment to developing a world-class 
cyber security capability within the Department and believe the 
continued implementation and full funding of the NCSD is one of the top 
priorities for the IAIP Directorate. Furthermore, cyber security 
research and development will be conducted in partnership with the 
Department's Science and technology Directorate under the leadership of 
Under Secretary Charles McQueary.
Now I would like to focus the remainder of my testimony on our plans 
for building on our accomplishments of the last three months to fully 
implement the operational NCSD in the coming months.

The Mission: Outreach, Prevention, and Remediation
    As demonstrated by recent events, the consequences of a cyber 
attack can manifest with little or no warning, on a widespread scale, 
and with tremendous speed. Impacts can quickly cascade across multiple 
infrastructures, resulting in widespread disruptions of essential 
services, significant economic losses, and potentially endangering 
public safety and national security. The National Cyber Security 
Division, therefore, is implementing its objectives through the timely 
execution of three key mission areas--Outreach, Prevention, and 

    The NCSD will create, in coordination with the Office of Personnel 
Management and the National Institute of Standards and Technology, 
cyber security awareness and education programs and partnerships with 
consumers, businesses, governments, academia and international 
    An effective outreach program lays the foundation for the ultimate 
success of all mission areas of the NCSD. Accordingly, the NCSD 
championing the implementation of awareness efforts and campaigns that 
use a multi-level approach to provide awareness/educational tools for 
all users; for the home, awareness tools for children, parents and 
teens; customized approaches for small, medium, and large businesses; 
and for government agencies. Every level of user must realize they have 
an equally important role in the security of cyberspace. The end user, 
for example, needs to be informed about the technical aspects of 
security and about their role as gatekeepers in a larger data and 
information sharing community.
    The NCSD is aggressively pursuing an outreach agenda that will 
target groups of citizens by providing education tools for children, 
parents, teachers and business owners and operators. There are many 
effective existing programs and the NCSD is developing partnerships 
with government agencies, such as the Federal Trade Commission, non-
profits like the National Cyber Security Alliance, and the Internet 
Service Providers to establish and enhance awareness programs for all 
users. We are working to build on existing public/private outreach 
groups to assist the spectrum of users in securing their systems 
through implementation of effective security practices.
    One quick example is establishing National Cyber Security Days. As 
Americans change their clocks twice a year, to Daylight Savings and 
Standard times, the partnership of the NCSD and the National Cyber 
Security Alliance's StaySafeOnline Campaign asks consumers to use the 
days as reminders to assess their own computer security. Computer 
security needs to be a regular consideration when protecting a home. 
Just as consumers remember to lock their doors, so too should they 
remember to secure their computers. As a result of this partnership 
with the NCSD many other partners in the business and government 
communities are starting to design their national ad campaigns around 
these two dates to further amplify this important message.
    At the same time, the NCSD is partnering with other federal 
agencies, including, Commerce, NSA and DOD, state and local government, 
private industry, and academia to promote a well-trained IT security 

    Consistent with law and policy, NCSD will coordinate closely with 
the Office of Management and Budget and NIST regarding the security of 
Federal systems and coordinate with Federal law enforcement 
authorities, as appropriate. NCSD will leverage other DHS components 
including the Science and Technology Directorate, the U.S. Secret 
Service and the Department's privacy officer.
    To achieve its mission, the NCSD is working with State and local 
governments, and the private sector to conduct infrastructure 
vulnerability field assessments, while providing the best and most 
cost-effective prevention and protection strategies for ``at risk'' 
infrastructure facilities, assets, and personnel. Due to the diversity 
of the critical infrastructure, cyber protection strategies for each 
sector must be customized based on the unique geographical and business 
operating models of that sector. Due to the highly interconnected yet 
physically distributed nature of our critical infrastructure, 
prevention and protection strategies are prioritized based on regional, 
State, and local needs and on the need for cross-sector coordination.
    We recognize that collaborating with industry, academia, and 
Government is a key focus of our NCSD activities. With partnerships as 
the foundation for program implementation, the NCSD will coordinate 
implementation of protective and preventative measures to reduce 
America's vulnerability to cyber attacks. It is crucial that we improve 
existing public-private partnerships whose missions are consistent with 
NCSD functions. A prime example is the National Cyber Security 
Alliance, whose members have committed their time and resources to 
regularly educating the home consumer and small businesses on good 
security practices.
    With nearly all of the backbone of cyberspace owned by the private 
sector, it is imperative that the NCSD strengthen its relationships 
with them. Fortunately, there are mechanisms already in place to 
facilitate cooperation between industry and government on cyber 
security, most notably the National Coordinating Center (NCC) for 
Telecommunications and its Telecommunications Information Sharing and 
Analysis Center (ISAC), which are each part of the National 
Communications System (NCS) and IAIP. These entities provide the 
Department with direct access to leading industry operational and 
security experts whose knowledge and insights may prove crucial in 
managing a cyber incident. The NCSD, as part of IAIP, also helps to 
support two CEO-level advisory committees--The National Security 
Telecommunications Advisory Committee (NSTAC) and the National 
Infrastructure Advisory Council (NIAC),--which provide advice and 
counsel on national security telecommunications and critical 
infrastructure matters, including cyber security issues.
    By acting as a champion for creating a national and international 
culture of cyber security, we aim to promote a security culture at the 
CEO-level and demonstrate to corporate leaders that cyber security 
ultimately promotes the resiliency of their infrastructures, protects 
the interests of their shareholders and corporate brand, and preserves 
value and competitive advantage for businesses that implement security 
best practices.

    As I discussed earlier, the proactive response and recovery efforts 
associated with the Blaster worm and SoBig computer virus offer the 
best evidence of the value of partnerships. SoBig spread faster and 
more aggressively than any previous email virus, affecting millions of 
residential, business, and government computers worldwide. Internet 
traffic was substantially affected by these two events, causing a 25 
percent increase in internet traffic and infecting over 600,000 
computers. It had a significant impact on cross-sector communication 
and impacted productivity.
    In August, when the Blaster worm surfaced on the Internet, the NCSD 
issued a timely warning to security professionals, suggesting that 
Internet service providers and other corporate network administrators 
shut off inbound traffic to ports 135, 139, and 445 to block the 
spreading of the Blaster infection. Blaster took advantage of a known 
vulnerability in a Windows operating system component that handles 
messages sent using the remote procedure call (RPC) protocol. RPC is a 
common protocol that software programs use to request services from 
other programs running on servers in a networked environment. 
Vulnerable systems were compromised automatically without any 
interaction from users. Through the advisory, users were instructed to 
install the appropriate software patches to prevent their computers 
from being infected. In the following weeks, the NCSD continued to 
issue advisories warning security professionals that a variant of the 
Blaster worm, dubbed ``nachi,'' ``welchia'' or ``msblast.D,'' was 
    Working with Internet security researchers and experts from private 
industry and academia, the Division and the FBI uncovered malicious 
code hidden within the SoBig worm on twenty master machines that was 
programmed to launch a massive denial of service attack. Federal 
authorities located the twenty computers infected with this variant of 
the worm and asked their Internet service providers to shut down their 
Internet access. As a consequence, the second wave of attacks never 
    The NCSD recognizes that a cyber attack could cascade across 
multiple infrastructures, causing widespread rapid disruption of 
essential services, and impacting our national economy, public safety, 
and national security. While this generation of worms has not yet 
resulted in irreversible damage (albeit slowing communication, 
overstuffing e-mail inboxes, and reducing productivity), the NCSD is 
committed to working closely with other government and law enforcement 
agencies, private industry, as well as academia to help secure our 
cyberspace from future, and potentially more serious malicious 
    To this end, I am pleased to announce that we are beginning to 
organize a National Cyber Security Summit for later this fall, in order 
to assemble key industry and government leaders to energize decisions 
on several key National cyber security issues. Key goals of the summit 
are to--.
         Produce a common threat and vulnerability reporting 
        protocol to enhance prevention and response capabilities and to 
        drive a standards-based system for communicating threats and 
        vulnerabilities across the Nation;
         Develop a Vulnerability Reduction Initiative to 
        significantly reduce vulnerabilities based upon improved 
        evaluation standards, tools and measures for software, new 
        tools and methods for rapid patch deployment, and best practice 
        adoption of security for cyber systems across the critical 
        infrastructure in partnership with industry and the leading 
        research universities in the United States;
         Create an outreach and education partnership to offer 
        training and awareness to 50 million home users and small 
        businesses in cyber security within one year; and
         Formulate and ratify a National Cyber Security Road 
        Map that defines milestones, work streams, and metrics for 
        ``raising the bar'' of cyber security across the United States 
        and identify work stream leads from government and industry.
    Since its inception, the National Cyber Security Division has 
delivered on its commitment to provide a centralized coordination point 
for the collection and dissemination of protective measures to reduce 
vulnerabilities and risks to the cyber infrastructure through 
implementation of the Cyber Security Tracking Analysis and Response 
Center (CSTARC). As announced in our press release on Monday morning, 
CSTARC, through a partnership with Carnegie Mellon University's CERT/
Coordination Center, will evolve to a new capacity as a national 
Computer Emergency Response Team (US-CERT). The US-CERT will enhance 
our Nation's prevention of and response to cyber threats and 
vulnerabilities. There are currently over two hundred private sector 
groups, public sector groups, and universities that operate computer 
emergency response teams (CERTs) within the United States. Many of 
these groups have varying levels of informal and formal partnerships 
with each other and with the US-CERT. This initiative will harness this 
massive capability to significantly increase America's ability to 
protect against, and respond to, massive scale cyber attacks.
    We view the US-CERT as a fundamental element of the DHS strategy to 
ensure timely notification of all types of attacks, working toward 
having, within a year, an average of a 30-minute response to any 
attack. Moreover, the US-CERT will provide a coordination center that, 
for the first time, links all public and private response capabilities 
and facilitates communication across all sectors. US-CERT will also 
lead collaboration with the private sector to develop and distribute 
new tools and methods for detecting and identifying vulnerabilities in 
an effort to significantly reduce vulnerabilities. Lastly, US-CERT will 
help improve incident prevention methods and technologies by 
identifying and disseminating best practices and working with the 
private security industry to improve warning sensor data collection and 

    The Internet and cyber technologies have greatly improved both the 
quality of life for our citizens and the efficiency and productivity of 
our businesses and our government. These societal and economic benefits 
are not without their costs. Malicious actors are devising new and 
ingenious ways to exploit vulnerabilities in those cyber systems, to 
disrupt our quality of life and to threaten our national and economic 
security. Our ever-growing reliance on the Internet and cyber systems 
compels us to counter these threats and vulnerabilities by building 
productive partnerships with key stakeholder communities in cyberspace, 
improving how we share information, and developing and fielding 
innovative technical solutions. As the focal point for the prevention, 
protection and coordination of response to incidents, the NCSD must 
achieve its mission of ensuring the security of cyberspace. We know 
this will not be an easy assignment. Much like the larger global war on 
terrorism, this effort will take time, resources, dedication, energy, 
and hard work to succeed. But in a few short months, we have made great 
strides and are excited about the possibilities that the future offers. 
With the appointment of the new Director of the NCSD, we have focused 
leadership to guide us forward, to forge new alliances and 
partnerships, to implement new tools and capabilities, and to provide a 
vision for cyberspace security.
    Again, I appreciate the opportunity to testify before you today. I 
would be pleased to answer any questions that you have at this time.

    Mr. Thornberry. Thank you. And I can assure you that this 
subcommittee shares your goal of working together to help the 
country be safer. Let me just ask one brief question before 
yielding to Ms. Lofgren.
    It seems as though that the Department has made several 
significant announcements yesterday and today. The 
establishment of the US-CERT, the naming of the Director for 
the Cybersecurity Division, and now this National Cybersecurity 
Summit, which will take place later this fall.
    Why is it all coming down now? What has been your decision-
making process, and why are we just having these decisions 
    Mr. Liscouski. Well, Mr. Chairman, it is a function of our 
timing is, we have been working very hard since June, and as 
you well know, we have engaged in a lot of other activities in 
standing up the division.
    One of the things I have been working hard at over the past 
few months is putting the right team in place to ensure we 
could actually carry out the things that we announced just 
these past couple of days. So it is one.
    We could have announced them, or at least our intention is 
to execute on these objectives, earlier; but the framework from 
which we are operating is really one in which we plan 
carefully, but quickly, and then with the ability to execute.
    So I am here before you today to say that our announcements 
are timed with our ability to execute, not so much as anything 
else, but just a function of the ability that we are working 
very hard, and we have got a good plan together, and we finally 
have our teams together to be able to execute on the strategies 
we have identified.
    Mr. Thornberry. Yield to Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman. I have just a few 
    As I mentioned in my opening statement, the President had a 
Special Advisor on Cybersecurity, but that position has been 
eliminated. Will the director of the Cybersecurity Division 
have direct contact with the President or with Secretary Ridge 
on cybersecurity issues? What kind of access will this 
individual have?
    This is kind of a nerdy subject we all know that and yet it 
is very important; and it is important that the decision 
makers, who are not necessarily living and breathing computer, 
be contacted and be aware of the scope of the issues.
    Mr. Liscouski. Yes, ma'am. Mr. Yoran--first of all let me 
    Our management style at DHS is, one, a very direct one. 
Working for Under Secretary Libutti and Secretary Ridge 
requires one to be constantly engaged to ensure that the 
leadership knows what is going on. I mean, this is a constant 
dialogue we have at senior management levels, particularly as 
it relates to infrastructure protection. Information analysis, 
because of the very uniqueness of what IAIP brings to the 
Department in terms of a function, is one which is heavily 
relied upon by the senior management of DHS. So I can tell you 
from personal experience that Secretary Ridge, Under Secretary 
Libutti reach down into the organization at any level that they 
think they need to get the answers to questions that they have, 
and we are very responsive.
    To that end, Secretary Ridge has been personally involved 
in not just overseeing the implementation or the creation of 
this division, but engaged with me in identifying the type of 
leadership we need and what we need to do to be successful in 
this endeavor. So if Mr. Yoran is going to have the the 
pleasure, because it is indeed a pleasure to work with the 
senior leadership, but more importantly the responsibility of 
reporting directly. My management style, Under Secretary 
Libutti's management style, is not one in which we say, You 
have got to go through a, quote, unquote, ``chain of command.'' 
Ours is pretty much, You are the expert, you have got the con, 
you take the lead, answer the questions, take the initiatives.
    Ms. Lofgren. Okay. That is very reassuring. Thank you.
    One of the questions I was mentioning to the chairman, 
there is modeling going on around the country, university 
based, and I am interested in whether the Cybersecurity 
Division will be working with the Science and Technology 
Directorate on modeling in simulation issues and whether cyber 
threats are going to be integrated into these efforts. Can you 
give us a progress update on that?
    Mr. Liscouski. Yes, ma'am. Let me take the partnership with 
S&T first because I think that is where it starts.
    The Cyber Division has got a direct nexus into Under 
Secretary McCrery's S&T organization, the Directorate. We have 
a deputy director named in the research center in S&T. So we 
are directly partnering by driving requirements in S&T that we 
have identified from the field, not just from our own efforts, 
but through our partnerships with State and local governments, 
with the industry, with our international partners. We are 
taking those requirements and driving them into S&T. That is 
point number one.
    As it relates to the universities, our relationship with 
the US-CERT at Carnegie Mellon clearly is one example. We have 
many other relationships with universities and labs to do 
modeling. We have got the benefit of having the opportunity of 
reaching out to lab relationships we have currently that came 
over to us when we formed DHS earlier this year, so we have 
already been working on computer simulations for different 
types of modeling for attacks and for things that relate to 
cybersecurity as well as other parts of our infrastructure.
    Ms. Lofgren. Can I ask you about this US-CERT? I saw the 
announcement. We have the Federal Government has been a partner 
with CERT at Carnegie Mellon for many years. And how is US-CERT 
going to be different than regular old CERT?
    Mr. Liscouski. Well, I would like to recognize the 
Department of Defense obviously for taking the initiative back 
some almost 20 years ago, after the Morris worm, to establish 
the CERT/CC capability. That relationship has allowed many 
parts of the Federal Government to take advantage of the CERT 
    CERT, as you well know, remains one of the premier 
capabilities in the world, and to that end, the partnership 
that DHS is establishing is a key one for us because we are 
increasing our level of financing to the CERT. So therefore we 
are increasing the resources available directly to DHS, vis-a-
vis the CERT, to do things not just around the incident 
response area, but also looking at establishing a malicious 
code lab there, as well as other enhancements through 
financing, through partnerships, through positioning people at 
the CERT, working closely with them to ensure that US-CERT can 
mature to a capability that is going to serve the National 
Strategy for Cyberspace.
    Ms. Lofgren. Finally, one of the responsibilities of your 
office is to coordinate outreach to State and local 
governments, and I am interested in how you are doing that. Is 
there an office that is responsible for outreach? Is outreach 
institutionalized? And in particular I am interested not just 
in what we might think of as cybersecurity, but the physical 
infrastructure that allows the cyber world to exist; and I 
continue to be concerned about the level of information and 
coordination between the Federal Government and State and 
local, especially local police officials, in terms of 
vulnerabilities that exist to the physical infrastructure.
    Because we are very concerned with the viruses and worms 
and cyber attack, but the model for terrorists remains some 
maniac with a bomb; and so we have vulnerabilities in that area 
that I am not yet convinced we have addressed adequately. And 
really our first line of defense is going to be local, not 
Federal officers.
    So can you address that issue for me?
    Mr. Liscouski. Yes, ma'am. And I agree with you; I don't 
think we have addressed it adequately yet either. We are 
working hard to do that. We have got a number of mechanisms for 
outreach, and let me just articulate those.
    We have a branch in the NCSD dedicated to outreach. It is 
headed up by a very seasoned professional. Sally McDonald, who 
came to us from the Fed CERT, has done a tremendous amount of 
effort in outreach and has got a lot of experience in this 
area, so we are relying upon Ms. McDonald to really take the 
programs where we need to go.
    We have a number of programs currently established at the 
NCSD. StaySafeOnline Campaign is one of the dominant ones in 
which we are using that to reach many different levels of 
constituents in the cyber world. That is just one example.
    We are partnering up as you may know, we have got 
relationships with ISACS, the Information Sharing Analysis 
Centers. There is an IT ISAC, but there is a cyber component in 
every ISAC we use for outreach.
    We have our advisory systems in which we put out notices 
about threats or incidents and events relating to the cyber 
    We are going to continue to use the private sector for 
outreach. Our partnerships with the private sector are 
absolutely key for us to ensure that we have got the right 
things, the right awareness, going on because, as you are fully 
aware, this problem is not necessarily just a technological 
problem. In fact, most computer security professionals would 
articulate that the problem is typically not the technology; it 
is the implementation of proper standards and procedures to 
ensure that the technology is used accordingly, patches are 
made, remediation work is being done. And those are process 
issues; those are not technological issues.
    It is all about awareness training, so we are reaching out 
using universities, using the private sector, using our own 
outreach capabilities to ensure we have multilevel awareness 
programs going on; and these are in development, and we are 
welcoming suggestions from any of those out there, anybody who 
has got an interest in this area to ensure we are doing the 
right thing.
    As I mentioned in my statement, we are working with ISPs to 
ensure that we have got the right awareness going on for users 
of broadband connections to ensure that they understand the 
dangers of getting on line and in open systems without taking 
the appropriate precautions, so--.
    Ms. Lofgren. Thank you. I will reserve my other questions 
for the next second round.
    Mr. Liscouski. Thank you.
    Mr. Thornberry. I think the Chair will use the clock not 
just as a guide for members, not as a hard and fast rule; and 
Ms. Lofgren and I have agreed that we will have as many rounds 
as members have questions, with Mr. Liscouski's indulgence.
    The Chair would now recognize the gentlelady from 
    Ms. Dunn. I thank the chairman.
    Mr. Liscouski, this committee has made it a priority to 
understand how communications and information are being shared 
across Federal agencies. How will the Cyber Division work 
within the larger Information Analysis Division responsible for 
analysis and warnings to the Homeland Security community and, 
if necessary in an extreme case, to the public?
    Mr. Liscouski. Let me describe first our relationship with 
the Information Analysis Office. That is the IA component of 
IAIP. We are tightly knit together. The IAIP Directorate, 
combined of those two offices, was created with the intention 
of ensuring that we had overlap of our functions and our 
thinking within the structure to ensure that we always had a 
very close look at the intelligence components of the threats 
mapping vulnerabilities, whether they be physical 
vulnerabilities or logical or cyber vulnerabilities.
    And in this case, the NCSD plays sort of a unique role. 
While it is not an intelligence function, it is a capability-
oriented, technical capability. And we lend ourselves to the IA 
function to understand how technical exploits can be used to 
conduct cyber terrorist attacks, while the IA function has 
clearly got the intelligence requirements to understand how 
terrorist groups may, or what their intentions may be to use 
technologies to conduct a cyber attack. They are a portal to 
the Intelligence Community.
    We drive our requirements through the information analysis 
component to ensure that they maintain that constant look and 
their constant contextual piece around what we are worried 
about from a vulnerability standpoint and what the Intelligence 
Community needs to be looking at from an intelligence 
standpoint. So we are tightly integrated. We drive 
requirements. We have--the IA analysts are frequently as 
knowledgeable about the technology, at least at a top level, as 
our folks are to understand what the vulnerabilities are. So 
when they see intelligence pieces they understand the relevance 
of intelligence to a particular infrastructure component.
    Ms. Dunn. Will you find yourself working with TTIC, with or 
through TTIC, during any of the process?
    Mr. Liscouski. Yes, ma'am. We would be working with TTIC, 
and we do now quite actively through our IA counterparts; and 
my colleague, Bill Parrish, the Acting Assistant Secretary for 
Information Analysis can go into that much more deeply. But I 
am very familiar with our relationships there. We use them 
quite robustly.
    But, again, we drive those through the IA component, ma'am.
    Ms. Dunn. Do you--in your Cyber Division, do you believe 
now you have adequate resources to conduct all your activities? 
Are there areas where you see specific needs our committee 
ought to be focusing on?
    Mr. Liscouski. I think, for the present, we have the 
resources we need. As you know, we are staffing up. We 
currently have approximately 65 people in the division, and we 
are looking to staff up to somewhere, I would say about 100 or 
so for fiscal year 2004 is our plan.
    From my perspective, I think we are adequately staffed. I 
think we have got the resources we need, particularly with the 
partnership with the US-CERT. I think downstream, as we learn 
more about the vulnerabilities and particularly the initiatives 
we want to take and the resource areas in the short terms areas 
that we need to make improvements, we will probably be coming 
back to this committee and articulating what those needs are.
    Ms. Dunn. I am not seeing any timing clock. Do you have 
one, Mr. Chairman?
    Mr. Thornberry. The green light is down in front of the 
    Ms. Dunn. Got it.
    As I mentioned in my opening statement, we all fully 
appreciate cyberspace has no borders. How will you find 
yourself working with international organizations in your role?
    Mr. Liscouski. The international component is a very 
critical one for us. As you know, we have some informal 
arrangements. We are working closely with the British 
Government, with the Australians, the Germans, the Canadians.
    It is critical for us to expand our relationships for 
international cooperation. We are working with the Department 
of State to formalize those agreements. Bilateral and 
multilateral agreements are very key for us.
    The national strategy articulated the need for signing for 
the--I am sorry--the European convention on cybersecurity. That 
is not the exact term, but we fully support that.
    We need to work with the international community to ensure 
that we have got uniform laws across international boundaries 
to enforce violations, to ensure that we have got good thinking 
about best practices.
    To your point, there are no boundaries. A vulnerability in 
Slovakia is as critical as a vulnerability in the United 
States. If a company is a Fortune 50 company operating around 
the world, we have to be very cognizant of those 
vulnerabilities. We are working hard with our partners to bring 
them up a level of capability, as well.
    Ms. Dunn. And does that include cooperative working when 
responding to something?
    Mr. Liscouski. Yes, ma'am. The US-CERT is going to be nexus 
for that capability. We are going to be using the US-CERT as a 
model for CERTs around the world to--and this has clearly been 
the model.
    So to your point, yes.
    Ms. Dunn. What about--is your division considering and in 
cooperation with the private sector, considering setting up a 
code of standards, best practices, that would be in place both 
for the private sector, which you, in your testimony, mentioned 
had something over 80 percent of all of the cyber work that we 
need to be dealing with and also the public sector?
    Mr. Liscouski. Yes, ma'am. And best practices occur at many 
different levels.
    We are trying to articulate identify and articulate best 
practices for home users, for small businesses, universities, 
big businesses. We have got to work in cooperation with the 
industry to ensure that best practices are effective, 
implementable, cost-effective, measurable, all the elements 
that you would want to have programs to identify what the right 
level of security is.
    This is a big area, a big body of work, and we are 
spending, we have been spending time, and we are spending much 
more a lot more time in the future on this. We are working with 
our councils. We have got the NIAC, the National Infrastructure 
Advisory Council, you are familiar with, I am sure; the NSTAC, 
the National Security Telecommunications Advisory Council. Both 
of those bodies have been involved in helping us identify 
    We are working with the private sector to determine what 
additional standards may be necessary. We are going to make 
these standards publicly available on our Web sites as we 
promulgate them. So this is all part of our outreach program.
    Ms. Dunn. And you can do that, you believe, without 
    Mr. Liscouski. Yes, ma'am. And I think at this point in 
time, we have got the industry with the support of the 
Congress, with the support of this administration, attuned to 
the need that security is more than just something which you 
can spend a dollar for and say, I have got adequate security.
    The biggest challenge in the business community is, again, 
ensuring you can identify what the appropriate level is and 
what the right level of investment for a dollar of security, 
does it get you anything in return. The cost and the return on 
investment is always a key component in the private sector.
    The business case here in terms of why businesses should be 
spending money on security in advance of legislation, I think, 
is one which is based upon competitive advantage. The more we 
can educate consumers, either at the basic consumer level, 
those who might shop at Amazon.com on line or those who 
implement multimillion dollar programs in their businesses, 
should know that they have choices about what the right choices 
are to make for security, for levels of security in the 
technology that they are buying; and the more we can make 
those--that awareness known to the consumer groups, the more 
pressure they will put on the private sector to ensure that 
security is baked into their programs.
    Ms. Dunn. Good. Thank you very much.
    Thanks, Mr. Chairman.
    Mr. Liscouski. Thank you.
    Mr. Thornberry. Thank the gentlelady. The gentleman from 
North Carolina.
    Mr. Etheridge. Thank you, Mr. Chairman, and thank you for 
holding this hearing. I think it is we all know how important 
it is.
    Mr. Liscouski, when we think in terms of cybersecurity, a 
lot of folks, when they first hear it, they think of it as how 
we protect computers. The truth is, as you know, it is much 
broader than that, because so much of our productivity and our 
economic fiber of this country is tied to the whole integration 
system that we have; and over the last 10, 20 years we have 
seen tremendous amounts.
    So let me get back to the risk assessment, and I am going 
to try not to cover something that hasn't been covered, but 
maybe get a little better perspective on it. Because realizing 
that a department is just gearing up, and thinking about just 
the amount of problems we have had that was mentioned by our 
ranking member just this past August, the economic damage that 
was done to business and others by independent assessments, by 
some of the digital risk companies are saying it was about $32 
to $33 billion. So obviously, this whole issue of cybersecurity 
is a huge issue.
    What progress has the Department of Homeland Security made 
in identifying cyber threats and vulnerabilities? And in 
conjunction with that, how have you been able to share this 
information with State and local organizations, which I think 
is critical? You know, just because they have the information 
doesn't really do us a whole lot of good unless we can figure 
out how we can get it, to get some results in the assessment 
    Mr. Liscouski. It is an excellent question because it is 
the heart of what a good protection program is all about: 
understanding the risks, the vulnerabilities to those risks, 
and the right practices in which you can engage to mitigate or 
reduce those risks or alleviate them.
    To that end, a major component of what we have done there 
are a number of them. We have got one effort as part of our 
responsibility for securing the Federal Government, which is 
initiated through the Fed CERT. That is the responsibility, to 
ensure that the proper warning alerts, incident notices, are 
going out across the Federal Government.
    That program has been in place for a while, originally 
established with GSA, now moved over to DHS, and is, at the 
heart, the NCSD. It is a very robust program. Part of that is 
also a patch remediation capability which goes back to the 
reduction of vulnerabilities and spreading that word.
    As it relates to the private sector and State and local 
governments, I think that is where much of our work is required 
to be done yet. We have got great relationships in the private 
sector in providing us information about vulnerabilities. Our 
relationships with Microsoft, with Cisco recently, have enabled 
us to be able to respond very quickly to vulnerability 
information and exploits and put notices out there to the 
general public and the State and local governments as well. 
They are all on the same alert system, so therefore they have 
the opportunity of receiving this information very quickly.
    It is our goal, with the establishment of the US-CERT and 
the leadership that we are establishing in the NCSD, to reduce 
these notification times from hours, currently, to, hopefully 
by the end of fiscal year 2004, an average of 30 minutes. We 
are looking to get robust communications capabilities out there 
beyond what we have now working, establishing networks with 
State and local governments.
    We have got some efforts under way right now, which I would 
like to keep at a top level, in terms of working very closely 
with State initiatives to develop communication networks, and 
then ultimately to establish State CERTs again, using the US-
CERT as a model to reach down into the State governments to 
help them set up their own capabilities for incident response 
and incident warnings.
    So there are a number of initiatives we have got going in 
the pipeline. Again, we have only been working here for 3 
months, so we are moving from the thinking and planning stages 
into the execution stages in the next quarter.
    Mr. Etheridge. Let me follow that up, if I might, please, 
because I think you moved into the advisory and warning area, 
which I think is very critical as you deal with the assessed 
risk assessment.
    You have started a long--but as the Department looks at 
this whole area of integrating warnings about the possible 
problems of cybersecurity, and you have talked about what you 
are doing across the Federal Government to get it done on the 
security advisory system, talk to us a little bit more, if you 
will, please, about how are you reaching out to locals. You 
have talked about it in general terms. Because I think it is 
important, because most of the people who are going to be 
called upon to respond to such an attack are not traditional 
first responders, as we think, in terms of the agency reaching 
out to first responders--our fire, police or rescue; they are 
important because they have to receive it too--but you are also 
talking about a whole new group of first responders.
    How about talking about how those two are integrated, 
because I think it is critical to know, and what the Department 
is doing on it? Because if all you do is go to the end user, 
that will help, but you have really got to get upstream; and I 
hope that is what you are talking about.
    Mr. Liscouski. Yes, sir. And if I understand your question 
correctly, this is again a multilevel approach.
    Mr. Ethridge. Absolutely, because you have also got the 
private sector category there.
    Mr. Liscouski. That is correct.
    The first responder category in the cyber world is every 
user. I mean, it starts with prevention, as you well know, and 
ensuring we have got the right procedures in place to protect 
our systems; and that is just through basic security practices.
    Part of our outreach program is intended to continue to 
elevate the level of awareness and understanding and security 
posture within our--across the entire Nation by getting the 
average user or the business user to understand what they must 
do to protect themselves. In response mode, I think the Blaster 
and the SoBig virus are a example of how our response needs to 
be enhanced. I think we did a very admirable job responding and 
putting the advisories out, and we got a significant reach 
across our community to do that, both horizontally and 
vertically within the State and local government community, as 
well as in the private sector.
    But the home user was the one that I believe probably 
lacked the ability to understand what the implication of the--
they clearly understood the implication, primarily because they 
couldn't get on the Internet. It was--remediating from that 
problem was where we saw the biggest challenge to be.
    So we are looking at many creative ways to put out the 
word. We are working with the major media, establishing 
relationships with the major media to put the word out to make 
sure we have got a consistent message across there. Information 
sharing is the primary goal of DHS.
    It is often said, you know, it is not need to know, but it 
is need to share, and we are looking for as many ways as we can 
to put the information out there--on best practices, on 
vulnerabilities, on threats--that we possibly can, irrespective 
of whether they are in the physical world or the cyber world. 
We are not differentiating those things.
    The only thing I would add, and I can probably get into 
this a little bit later, is the speed at which the cyber world 
works. As you well know, it requires a little bit of a 
different sort of ops tempo, so to speak, or posture in 
ensuring that we have got a consistent, a thorough and a 
consistent look across all the infrastructure to ensure that we 
are aware of what is going on in the cyber world.
    I can address that later.
    Mr. Ethridge. Mr. Chairman, I know my time is up, but may I 
follow up with one final, since we are on this point, because I 
think it is so critical as we do this.
    I hope at some point we have in the system a measurement to 
know at least when we have we have had some measure of success. 
You know, it is one thing to do the assessment, another to 
notify. But unless we have a measurement down the road we talk 
about what business does in terms of measuring inputs and 
outputs. But we have to find a way to know, because this 
pressures us to speed up our process in the decision-making 
process to save those multitudes of billions of dollars down 
the road.
    Mr. Liscouski. You are absolutely right, sir. It is about 
metrics. It is about ensuring we can find those measurable 
programs and those factors within our programs to determine if, 
in fact, we are doing the right thing. That is precisely the 
business approach that we are taking.
    Again, going back to the leadership--and the comments 
earlier, ma'am, about, you know, why it took so long to find 
our director--the only response on that is, we wanted to make 
sure--we are only going to get a chance of doing this right 
once, and finding the person with the right capabilities and 
qualifications that can understand working in an 
entrepreneurial environment.
    How do you build an organization and who do you be able to 
quickly execute against the requirements you have and this type 
of highly threatened environment to make those --to measure 
those successes is the type of person we were looking for and 
is precisely the reason we were looking for them. It is all 
about metrics.
    Mr. Etheridge. Thank you, Mr. Chairman.
    Mr. Thornberry. Thank the gentleman.
    The gentleman from Georgia.
    Mr. Linder. Thank you, Mr. Chairman. I only have a couple 
of questions on this idea of sharing intelligence and 
    I think we are beyond the stage where our intelligence 
agencies are not sharing with each other. Is that fair to say?
    Mr. Liscouski. Yes, if I heard you say, we are beyond the 
point where we are not sharing.
    Mr. Linder. Yeah.
    Mr. Liscouski. Implying we really are sharing the 
information. Yes, sir, you are correct.
    Mr. Linder. How good are we at analyzing what we are 
    Mr. Liscouski. At what level, at the physical level or the 
traditional threat level or at the cyber level, sir?
    Mr. Linder. The threat level.
    Mr. Liscouski. At the traditional threats level, I think we 
are very good at analyzing it.
    This is an extremely difficult problem, and I can speak to 
it some, but I really defer to my colleague, Bill Parrish, the 
Assistant Secretary for Information Analysis, in his domain. 
But I have operated in this space for quite a long time, and 
our capabilities for analyzing information have only increased 
over the years. I mean, we have gotten very good as a whole, as 
the Intelligence Community, to analyze information.
    It is an extremely complex problem because you never have 
the perfect information. You can never do the perfect analysis. 
You can only do it in hindsight and retrospect. It is an 
extremely difficult problem to solve. But I think the 
capability is the people we have attracted into the 
Intelligence Community, particularly in DHS, are really some of 
the finest minds out there to be able to understand these 
complex problems.
    Mr. Linder. And lastly, how cautious or how careful are you 
in sharing this with first responders? There was a time when 
they were being overburdened with unanalyzed intelligence right 
after September 11 to the point they just set it all aside, and 
it had no value whatsoever. I think you have to be careful what 
you give to them, that it has to have some specificity, some 
analysis, and that it is right down their alley.
    Mr. Liscouski. Yes, sir. In fact, our focus is not on first 
responders, and I don't mean this in any other way than calling 
them first preventors.
    When we are sharing intelligence information, it is really 
intended to prevent the act from occurring, and we will err on 
the side of sharing probably too much sometimes. Of course, not 
in the sense of sharing classified information inappropriately. 
But working with TTIC, IA, the FBI, we have been very 
aggressive in assuring we can quickly declassify information to 
share out to the field, to our consumer base, as quickly and as 
effectively as we can.
    That is a challenge we are always going face. Sources and 
methods, as you well know, are one of those things--that is 
something that has to be guarded very carefully. But I 
believe--and I have seen it in practice--that we will err on 
the side of maybe sharing too much information sometimes, 
because the frustration you can create by sharing general 
information without specifics, and particularly with specific 
activities to follow, sometimes can create a frustration. But, 
nonetheless, I think as we all mature in this process, 
particularly as our end users understand the context during 
this threat environment, they themselves will raise up their 
capabilities as well.
    Mr. Linder. Thank you.
    Mr. Liscouski. Thank you, sir.
    Mr. Thornberry. Thank the gentleman.
    Gentlelady from the Virgin Islands.
    Mrs. Christensen. Thank you, Mr. Chairman.
    I want to welcome the Assistant Secretary and thank the 
chairman and ranking member for holding this hearing, given the 
recent attacks, like the Blaster worm, and the concerns that 
even a worse attack could occur within several hours or days 
and the fact that so much of our physical infrastructure is 
dependent--is so cyber dependent.
    It is an important hearing, and I want to applaud you, Mr. 
Assistant Secretary, for your focus on ensuring that 
cybersecurity and physical infrastructure security are linked 
in your operation, as it is important as they are linked in 
    I have a couple of questions. One of the--we have been 
concerned about the slowness of the Department in getting 
started and being able to plan and address many issues; and one 
of the obstacles to that has been the fact that we were 
bringing together 22 agencies and trying to blend them into a 
smooth operational unit. The NCSD brings together about five 
different parts of five different agencies--FBI, Commerce, 
Defense--as well as a center. Are you pretty comfortable that 
some of the obstacles of bringing different agencies with 
different cultures together has been addressed and that you are 
able to move forward smoothly now?
    Mr. Liscouski. Yes, ma'am. I will tell you why that is a 
great question.
    I am satisfied because--I mean, that has been tremendously 
challenging. I mean, bringing these organizations together 
under one roof has been something that I don't think any person 
who even architected this in the planning stages understood the 
complexity of it.
    I can speak for my own area within IAIP. As you pointed 
out, we brought five different organizations into the NCSD and 
IAIP. I just remind everyone respectfully that we have been in 
business for 6 months, and the challenge we face in trying to 
overcome some of those organizations has been pretty daunting; 
I've got to be honest with you. I mean, when I came in from the 
private sector to do this, it set me back a little bit when I 
thought about, How are we going to do this and how are we going 
to do this in the context that we have a real threat we are 
facing every single day?
    If you recall, when we did this, we were at war; and we had 
to organize ourselves around work to respond to very real 
threats in addition to bringing people on, creating 
organization. It was pretty challenging.
    The leadership at DHS, the senior leadership of DHS, 
provided the right latitude in order to make mistakes. And that 
is what we are going to be doing. I mean, clearly, as we start 
out with this organization what it looks like today, in 2003, 
will probably be a lot different in 2005, 2010. And hopefully 
if we are succeeding we are going to continue the path of 
evolution that will eventually evolve DHS into the robust 
organization it really does need to be.
    But we are on that path. It is a long road, but it has been 
good. I mean, I can tell you in my private-sector experience 
the thing that has been kind of very helpful to me is knowing 
that we are going to make mistakes. But we don't have the 
luxury of not making them. In fact, when we tell people when 
they come on board--and I have said this before, I think, 
before the committee--that we have got sort of one thinking. It 
is a think big, act small scale, fast.
    We know we are going to make mistakes. We know we have to 
learn and we are going to evolve. It has been gratifying when 
you look at it; and we were, on the way over here, reminding 
ourselves it has only been 3 months for the division and it is 
been 6 months for the DHS. In dog years it seems like it has 
been a lifetime.
    I can tell you that right now, it has been pretty 
challenging, but we are making some very tremendous progress.
    Mrs. Christensen. The other concern that I have is, the 
officials who have left the positions over the few months; and 
is, related to this, the difficulty in bringing the Department 
together? Have you identified what the fault is, what were the 
problems that would cause these officials to leave?
    As you were looking for a Director of the NCSD several 
candidates had indicated they weren't interested because it was 
too far down the chain; they didn't have a direct link to the 
    Have you identified what it is that needed to be fixed? 
Because the continuity of leadership is critical.
    Mr. Liscouski. Yeah. I would suggest that I am not so sure 
it needed to be fixed as much as we just had to find the right 
person that understood this is about execution.
    The challenge we had was taking a strategy, a highly 
articulate and well-developed National Strategy to Secure 
Cyberspace, and then putting implementation plans for that 
strategy for execution. Two different types of people are 
required for that job. And it is really difficult to be a 
strategist at one level and an implementer at another level; 
and we needed an implementer, and we needed a start-up person 
that could take something where, to be quite candid with you, 
is now somewhat of a chaotic environment, when you start things 
up and just make some very short-term, measurable progress. And 
that is the type of person we were looking for.
    So I don't think there was a problem as much as there was 
finding the right talent to fit that. And it is a challenge, 
and it is a very risky challenge, because, you know, Mr. Yoran 
is coming in to us with very definable goals. We have got high 
expectations. It is very visible. And the risk to him--is you 
know, at a personal level in terms of potentially not 
succeeding, as well as to the Department is great.
    So it is--when you are out there publicly like that, not 
many people really want to take that challenge on.
    Mrs. Christensen. Okay. One last question in this round. 
Reading some of the articles in our background material--and it 
is also my feeling that the Federal Government should lead by 
example in cybersecurity--where are we in identifying the risks 
and vulnerabilities of the government's cyber assets? Are we 
leading by example?
    Mr. Liscouski. Leading by example; I think we are probably 
on a path to leading by example. I suspect there is always a 
lot of room for improvement. We do have efforts underway to do 
that. I think FISMA--the law has provided us tremendous 
guidance and leadership or a framework from which we can 
operate to ensure we are doing the rights things. So from that 
perspective I think, frankly, FISMA is a wonderful example to 
look at as a guide across the board. So I suggest the 
government is leading by example on that, in that realm.
    In our purchasing requirements, our ability to justify our 
programs based upon good security practice, are things that I 
think are very rational approaches to take as it relates to 
cybersecurity. So I would argue, yes, I would think that the 
government is leading by example.
    We can be doing better. Cataloging our infrastructures, 
understanding the interdependencies, those are things we are 
trying to do across the board, and we have got programs in 
place to do that. I think we will be getting better as we move 
    Mrs. Christensen. Thank you.
    Mr. Thornberry. I thank the gentlelady.
    The gentleman from Kentucky, Mr. Lucas.
    Mr. Lucas. Thank you, Mr. Chairman.
    Mr. Secretary, in June you had detailed the plans for 
Consolidated Cybersecurity Tracking Analysis and Response 
Center that would detect and respond to Internet incidents, 
track potential threats and vulnerabilities, and coordinate 
cybersecurity and incident response for the Federal, State, 
local governments, private sector, and international partners.
    What has been the status of the center?
    Mr. Liscouski. Sir, the CSTARC, the Cybersecurity Tracking 
Analysis Center, has evolved into the US-CERT. That was a 
preliminary step for us to be able to organize ourselves around 
this effort, consolidate the watch centers and the efforts we 
had within the other organizations that came to us when DHS was 
created--those organizations being the NIPC, the CIAO, elements 
of the NCS, the FedCIRC--into one organization. And that CSTARC 
represented the first iteration of what we knew was going to 
become the US-CERT. With the CSTARC we were able to very 
capably manage a number of significant incidents, the SoBig, 
the Blaster virus, the Cisco vulnerability. And then that, as I 
indicated, provided the framework for us to be able to build on 
that to create the CERT, the US-CERT.
    Mr. Lucas. This is a hypothetical. In the event that we had 
a terrorist incident today, a cyberterrorist event, could you 
just explain to me what process we would use today to notify 
all these different interested agencies?
    Mr. Liscouski. Yes, sir. In the hypothetical example, 
suppose we were notified in the private sector that they first 
identified a particular exploit, and that exploit resulted in 
our analysis to determine that that might be something that 
would be used or may be the focus of a terrorist attack. The 
combination of resources we have across the Federal Government 
currently, if it comes to DHS first, our analysis capabilities, 
leveraging on the US-CERT to understand those exploits is our 
first stopping point. The US-CERT then quickly engages with 
other components of the Federal Government, the JTF, CNO, for 
cooperation and additional analysis. We would reach out to the 
private sector to do additional analysis. And as quickly as we 
get our analysis completed to determine what the vulnerability 
or the threat might be, then DHS has got the advisory 
capability of putting warnings out very quickly to the entire 
community vis-a-vis its alert system as well as the ISACs to 
ensure that we have got thorough coverage.
    And, again, it is a work in progress. I am not suggesting 
it works the way it should work all the time or it is as 
thorough as it should be. Over time, our goal is to ensure that 
we increase that coverage.
    Mr. Lucas. I understand you said you were staffing up. You 
have about 65 now, and you are hoping to have 100-plus.
    Mr. Liscouski. Yes, sir.
    Mr. Lucas. So, do I take it from that that you feel that 
you have the financial resources you need to carry out your 
mission? Or, if you had additional financial resources, how 
would you utilize them?
    Mr. Liscouski. You could always use money, but I am not so 
sure if adding more money at any point in time is necessarily 
the quickest solution. The biggest thing you have got to do is 
build the right framework in the right organization in which to 
put people in in the partnerships.
    I think we are adequately funded right now. I think we have 
got the right path to go on. We can come back and address that 
downstream in fiscal year 2005.
    Mr. Lucas. Those are my questions.
    Mr. Thornberry. I thank the gentleman. The Chair recognizes 
the Vice Chairman of the subcommittee, Mr. Sessions.
    Mr. Sessions. I thank the Chairman and appreciate him 
holding this hearing today, along with the Ranking Member.
    Mr. Liscouski, welcome. We are delighted to have you here 
today. And I would say to you, and I think you have heard this 
from members, we appreciate your private sector experience and 
the things which you learned there and the focus that that 
brings to you and the DHS; I think that the Federal Government 
will be better off because of those lessons that you have 
    I would like to focus my questions today; I just heard you 
use the word ``framework.'' Some people could also say the word 
``business plan'' might fit in the middle of that, framework 
business plan.
    On page 2 of your testimony, there are six different pieces 
that are called status of integrating organizations and 
functions below into DHS. And it talks about the elements of 
the National Infrastructure protection center--formerly housed 
in the Federal Bureau of Investigation--DOD, FEMA, Department 
of Commerce, Energy, and General Services, GSA, into functions 
that you are evidently going to be responsible for.
    I am interested in your discussion with us about the word 
``framework,'' about how you are going to bring these functions 
in to make sure--I guess the best word is to say, ``to measure 
twice and saw once'' for the efficiency and the effectiveness 
so that we are not recreating something 7 or 8 or 10 months 
down the line because of your need just to rush into service.
    Would you mind discussing those things, those activities of 
those six different pieces.
    Mr. Liscouski. Sure. And this is broader than cyber, sir. 
This really relates to the entire Infrastructure Protection 
Office. And I would be happy to address that because I think I 
have got to talk about that, and then the framework for the 
other divisions fall out of that.
    Generally speaking--and I will go back to the very 
beginning when I came to DHS back in March--as I indicated, it 
was obviously brand new. We had been involved-- when I got 
there it was about 3 weeks old. So--and we were in the middle 
of a war and we were staffing up to respond to the threats we 
    It was immediately apparent that the work that we were 
engaged in could not change substantively, because the same 
elements that came to us from the Energy assurance office, from 
the NIPC, from the CIAO, from the NCS, those elements were the 
very elements that were responding to the threats of the 
present day. So we had to be very careful as we were building 
this framework and identifying what our bigger mission 
requirements were that we didn't break anything. So that was 
job one, and make sure that we responded to those threats.
    So in our current-day thinking, what we did was basically 
establish a capability that would operate at one level, which 
was just putting one foot in front of the other to make sure we 
were not stepping on a land mine, so to speak, and we were 
executing against the goals that we had against that particular 
    Now, by the same token, we had to also think in a bigger 
picture to understand what did the organization need to look 
like over the 6, 12, or 18 months? So we began to develop an 
organization based upon the work that we were in. And that was 
the first question: What business were we in? You know, were we 
out there doing vulnerability assessments; were we just out 
there thinking great thoughts about protection strategies we 
should be doing? How do we create a capability that could 
address critical infrastructure vulnerabilities across 13 
critical infrastructures, 5 key assets, the cyber environment, 
in a way that we could put coherence around this?
    So we were able to organize ourselves at the first level to 
understand what the organization needed to look like. It 
started off with a very basic line of block chart with two 
organizations in it. We added a third. We kind of mixed it up. 
I mean, we really learned as we were going.
    To your point, we wanted to ensure that we acted quickly to 
identify the immediate needs but as we built an organization 
for the longer term. We are exactly in that process right now. 
I now have four divisions in my organization, because we have 
identified the need to build it out but yet stay integrated; 
not specialize too much, but orient ourselves according to sort 
of our business approach.
    And I can get into some more detail if you would like. But 
effectively what we started doing was a supply chain analysis. 
We looked at our client base and we looked at the private 
sector, the Federal sector, State and local governments, the 
territories. We looked at all those client bases and determined 
what was it we were delivering, what was it they needed, and 
how do we deliver it and what were the inputs into that 
delivery system, into the production system. And that is 
precisely what we are doing.
    So we are still going through that process. I suggest it is 
going to take a few more months before we really figure out the 
exact processes we need in terms of an organization. And then, 
as I said earlier, this organization is probably going to 
evolve as we learn more about our businesses as we go along. It 
will be a continuous work in process, I can promise you that.
    Mr. Sessions. You know, I think some of my comments--and I 
don't presume to know the things which are important 
necessarily to each one of these elements, not being aware of 
all the databases; but it is my hope that you would be able to 
develop in some efficient factor a database with firewalls with 
the elements that you need to avoid six database 
administrators, six of everything to accomplish these things.
    And that kind of goes back to the framework that the 
house--the sandbox you are going to build. And it is my hope 
that really your private sector vision would allow you and the 
assistant secretary that luxury to please make sure when you 
build that, whatever it is, that you do it within that 
framework. And I guess my last comment is very plain. And that 
is, we heard testimony last week where the people who were in 
charge didn't communicate what they were in charge of, didn't 
tell anybody what they needed to be doing, and there was a 
failure from top to bottom, command-and-control structure. And 
it is my hope that you really do follow up with those things of 
integrating yourself with business leaders and commercial 
leaders in this country to make sure they know not only what 
you stand for but the lessons learned; because I think that the 
key to this is avoiding or being prepared to avoid a strike 
that would cripple this great Nation.
    Thank you for your service. And we appreciate your being 
here today.
    Mr. Liscouski. Thank you, sir.
    Mr. Thornberry. The gentlelady from Texas.
    Ms. Jackson-Lee. I thank the Chairman and Ranking Member 
again for holding a very vital and important hearing. And Mr. 
Liscouski, thank you for your willingness to accept what I 
think is a larger-than-life challenge. It is something that I 
hear when we travel. We had some hearings, field hearings in 
Los Angeles and Long Beach, looking at the ports; and 
cybersecurity technology permeates every aspect of the needs of 
homeland security. And I am hoping that you are getting that 
sense by the position. And I am going to take a line of very 
rapid-fire questions and a series of them, and then if you 
could try to respond.
    One of the questions already asked about being able to 
coordinate, if there was a cybersecurity or cyber attack, 
coordinate with respect to our own Federal agencies. My pointed 
question is: Do you feel confident that you have the authority, 
in essence the power, to be able to command forces that deal 
with cyber issues in a time of a cyber attack? And I really 
want you to be pointed on the question of authority, because 
that is our responsibility. How can we assist you to do that? 
Because it certainly is telling that we have had a trail of 
back--the back of people's backs--and that is departures--
respecting their reasons for doing so, but that is what has 
occurred. So it is a great concern to me that you be vested 
with the authority to do the job.
    One of the things that the Federal Government has as its 
assets--it has many assets, but it has several that relate to 
homeland security and terrorist attacks. Certainly it is a role 
model in action. So goes the Federal Government, so goes the 
rest of the community in terms of looking to how we respond.
    They watched us on 9/11, and I think we are quite grateful 
that we were able to muster our senses about us and maintain 
the continuity of government. The Pentagon was excellent in the 
face of tragedy, and we all tried to support them and go 
forward. But that was looked upon.
    We also have the bully pulpit as to how we can encourage 
communities to pull up their boot straps and get going on some 
important issues. So I want to know specifically about the 
    Let me also say that--have we made and do you have under 
your belt the enunciated vulnerabilities of the Federal 
Government; specifically know where the cracks in our armor is? 
We wanted to come and either have you delineate those--and you 
might give them to me generally--but if we wanted to have a 
closed-door session where you said, really pointed out some of 
the large gaping holes, could you today, September the 16, 
2003, list those for us? Very vital. Because as I said, if the 
government collapsed in the midst of a tragedy, we are 
certainly sending a bad signal out to those who are struggling 
to overcome whatever the problem is.
    Rapid fire, I continue. Have you found any connection to 
cyber problems with respect to the massive blackout? Are you 
engaged in a collaborative effort in that investigation?
    What would be your response to the fact that we are raising 
brighter and more inquisitive teenagers? I cite the 17-year-old 
in the western State who was part of the virus epidemic. Of 
course, everybody is talking about what a great young man he 
is; he didn't mean it. But they are everywhere.
    How are we dealing with the potential of this bright 
emerging army of detractors? And do we do an outreach campaign?
    Do we work with schools? How can Homeland Security be of 
help to you on that? Do we have a doctor in the House? Are we 
able to have our researchers and doctors look at--and when I 
say ``doctors,'' I put quotes around it--look at the next virus 
on the scene? Why are we only reacting? Our Nation is going to 
look to us to be preventative medicine, so why are we in the 
same boat as my BlackBerry ran away with itself a couple of 
weeks ago with it is coming, it is coming, it is coming? No 
solution, but it is coming. I think we need to be in the 
business of preventative medicine. Who are we retaining? What 
kind of resources do you need to be able to be the predictor of 
what is to come?
    And, finally, we did something in a bipartisan manner last 
week that I am very proud of, and that is the Fair Credit Act, 
I believe. But a big piece of that was the protection against 
identity theft. But we can't do it alone with an authorization 
bill under financial services.
    I believe that identity threat is a threat to the homeland 
security because why? Terrorists can steal your identity and 
walk around and be as unpredictable as possible. What are we 
doing with respect to identity theft which comes a lot through 
the computer? And I thank you for responding to these rapid-
fire questions.
    Mr. Liscouski. Thank you, ma'am. If I took them down right, 
I will be able to respond to them intelligently, hopefully. 
First, I have to be able to read my own handwriting.
    With respect to coordination, and specifically with respect 
to the question of authority, I want to clarify one point. DHS 
has got authority, protection authority. By statute, the 
Homeland Security Act has set DHS up to be the promulgator of 
protection strategies. From an investigative standpoint, we 
partner up with the FBI, with the Secret Service, which is 
clearly part of DHS. But the FBI has got the lead in many of 
these cases to-- and this is where we probably need to get in a 
little bit of a closed-door session, I think. But at the top 
level, the authorities that we have, clearly I would say we 
have adequate authorities to ensure that we have protection on 
our cyberspace. And I say that in a thinking mode primarily 
because we are just in the execution phase of our strategy. And 
I think time will tell whether we have the appropriate--whether 
we are impeded from executing fully the strategy that we need, 
as has been articulated in the strategy and as we have 
identified it. But I would say right now, yes, DHS has been 
provided the full authority that we need, there are some 
excellent programs we have in place and that we have in plan, 
that are not appropriate for this session, that I think really 
can articulate what those authorities are and how we are 
meeting those things.
    As it relates to responding to an attack and what that 
might imply for other activities the U.S. Government would be 
engaged in to prevent or actually to intercede or interdict a 
cyber attack, those are resources which are not just owned by 
DHS but other components of the Federal Government. So again, 
that might be a more appropriate discussion for a closed 
session, if you can indulge me on that.
    On the second point: Have we made a full analysis of our 
vulnerabilities? Again, I can tell you it is a work in 
progress. I don't think we will ever know. I mean, the context 
of a full analysis of our vulnerabilities implies that we can 
get our arms around these things. And in the dynamic and ever-
changing environment in the technology world, new 
vulnerabilities are always going to be coming out. And the 
challenge we have is not just articulating or clearly 
identifying and articulating those vulnerabilities in a steady 
state. But there is no such thing as a steady state in the 
technology world you identify with the vulnerability of a 
nuclear power plant, because typically that technology doesn't 
change. The threats to the nuclear power plant are not 
necessarily static, but there are only so many ways you can 
attack it. In the cyber world, it is very dynamic. So that will 
be a continuous work in progress.
    We have our hands on what I think is a good fund of 
information that articulates what our vulnerabilities are in 
the government, and clearly we are working hard on that. Again, 
that might be more appropriate discussion for a closed session.
    With respect to the blackout, again I have to apologize. In 
fact, I guess I will be coming back tomorrow at a different 
committee hearing to discuss the blackout. I am not at liberty 
to say what we have found in terms of root cause and what the 
respective relationships are in the cyber components. That 
report will be coming out. I believe there will be an interim 
report here in October, and that will be published by DOE and 
the task force. I will have to indulge you on that question as 
    An interesting point you brought up about the teenagers and 
those who are propagating viruses and the relative ease they 
have with which they can do that is a serious concern. You have 
got a number of different types of viruses that can be created 
out there. One is just basic tool sets that people pick up off 
the Internet. They get bored with--they decide they want to 
cobble them together, and they create a virus, and that can 
happen fairly quickly. There is a different one, a different 
set, different mind-set of people who decide they want to do 
this, and then just quietly make them available to those in the 
quote -unquote teenage realm here that you described, that they 
are not even smart enough to maybe make their own viruses; they 
might evolve them a little bit, but they are not the original 
architects, and then all of a sudden these viruses find their 
way into the public domain. I think our authorities, I think 
the law enforcement community needs to aggressively pursue 
these people.
    I think this is similar to a discussion I had with some 
advocates in the private sector who operate in the security 
space, that they really want to see the government, the law 
enforcement community, go after folks who provide the basic 
tool sets, the basic knowhow to anybody on how to propagate a 
virus. This is similar to becoming a conspirator in a crime.
    Somebody mentioned an excellent example. If you are the 
driver of a getaway car in a bank robbery and a passenger, your 
codefendant, decides to shoot somebody and kills them, you are 
equally as guilty as the shooter, just being the driver. We 
should probably take the same attitude toward people who 
propagate viruses. This is serious. And when you talk about 
billions of dollars' worth of damage and losses to the private 
sector and the government, these are no light matters. We need 
to take this seriously.
    The doctor in the house, the capability that we have in the 
research community of developing the right talent, I think DHS 
partnered up with others in the community, DOD in particular, 
creating centers of excellence, providing scholarship programs 
for cyber--you know, in the information security world. It is a 
tremendous step forward. Do we need more people? We absolutely 
need more people. And I think we are making the right steps to 
address those needs.
    And your final question: The Fair Credit Act and what are 
we doing to protect against that? Again, I think there are good 
efforts going on in that space. I think the FTC, and I know 
Orson Swindle in particular, has been very aggressive in 
putting the word out about what consumers need to do to protect 
themselves. The Secret Service operates in the identity theft 
    I agree with you, it is a very, very important issue. It 
gets back to the issue about privacy and how you protect 
privacy, and that is a central component of information 
security. You cannot have privacy without good information 
    So,I appreciate your questions.
    Mr. Thornberry. The gentleman from Rhode Island.
    Mr. Langevin. Thank you, Mr. Chairman. And I want to join 
with my colleagues in thanking the Chairman and the Ranking 
Member for organizing this hearing. And, Mr. Secretary, thank 
you for being here as well.
    If I could, you had said that home and broadband users are 
one of the groups you would like to focus on outreach and 
education. And certainly, without a doubt, they are one of the 
greatest neglected weaknesses in our national plan to secure 
cyberspace. Can you give us a better sense of how DHS is 
planning to address this? And would it be appropriate to work 
with, for example, the Federal Trade Commission, which, as you 
may know, is also mounting its own ``stay safe on-line 
campaign''? And do you feel that a large-scale public awareness 
campaign needs to be launched? And, in particular, and 
following up with one of the points my colleague from Texas 
made in terms of reaching out to young people, and maybe 
through demonstration programs, how we can involve young people 
in these awareness campaigns and kind of harness their energy 
and natural ability to work with computers? I think that would 
be a good place to start.
    And one other point I would like to address, and this may 
have to be addressed in closed session, but I think it is an 
important point of focus. And that is in your vulnerability 
assessment on our national assets and other areas. We have seen 
a trend in recent years worldwide among terrorist attacks, that 
terrorists focus on high-casualty, high-shock value events. And 
I am curious and I think we all need to be attentive to what 
those areas are in the world of cybersecurity that fall into 
that realm. There may be only a few areas that would compare to 
the use of a WMD in the cyber world, but those are the things 
that I think we need to have high priority and focus on.
    And I would like to at some point, even if we can't do it 
here in open session, to follow up on that. And I think that 
would be important. Thank you.
    Mr. Liscouski. Thank you. I am just trying to read my own 
handwriting--your first question.
    Mr. Langevin. It was on your comment earlier that home and 
broadband users--.
    Mr. Liscouski. Do we need a large-scale--exactly. With 
respect to the broadband, one of the things we are working with 
the National Cybersecurity Alliance. Among those 
representatives on the Alliance are ISPs, AOL, and others. And 
they are taking an individual responsibility to educate home 
users to the challenges and security challenges they face in 
broadband connections. I would like to see that expanded. I 
think there is no question that the broadband community, you 
know, the commercial space there needs to be really--from my 
point of view, I need to use the bully pulpit to get them to 
understand their responsibility that, as they sell broadband 
connections, they have got to provide better awareness notices 
to their users about the potential damage that can be done.
    Because it doesn't just affect the individual. As you are 
well aware, the individual user--these viruses propagate very 
quickly, and consequently can spread across--using zombies or 
using personal computers that are accessible via broadband 
connections and then propagate these attacks. So there is a 
real, I would suggest almost fiduciary responsibility on their 
behalf. But that might be a little bit too aggressive. But at 
the end of the day, we need to put that awareness and that 
responsibility with the ISPs and the broadband connections, 
cable companies, et cetera. So I do certainly agree with that.
    The educational efforts, the outreach efforts, from our 
point of view are geared toward educating the consumer. Your 
point about young people and education, I liken that to, you 
know, the DARE program, the Drug Abuse Resistance Education 
program that has been around for--must be 20 years now.
    Educating kids--and this is clearly a different 
perspective. We are moving from self-esteem to responsibility 
and how do you act. But I agree. I mean, it scares me to death 
to know that young kids are on these Internet connections not 
knowing about the dangers that they face through going to chat 
rooms and the vulnerabilities that they have there. I mean, 
just the vulnerabilities of kids being on the Internet is 
something that scares me. And that is something that we can 
address through good education programs in the schools.
    DHS is going to be working hard to figure out how we do 
that and reaching out to the schools to provide good awareness 
and good education programs. Fortunately, the NIPC did this 
previously. We have inherited those programs so we have got a 
basis for doing that, and I think they have been successful. 
They have got poster programs. But we need to expand that. It 
is a high priority for me personally.
    The vulnerability assessments, the trend in recent years 
that you have articulated. Clearly, you know, I can get into 
depth in this in a closed session, but at a top level we do 
worry about the combination of a physical and cyber attack. You 
know, a cyber attack preceding a physical attack, taking out a 
9/11 system and then combining that with a physical attack. You 
know, it is a scare. Is it doable? I would say at this point 
anything is doable. And it is something we worry about a lot. 
And we are working down--I can tell you one thing we are 
working very aggressively on is--and the categories of all the 
critical infrastructure we really worry about--we look at what 
the nexus would be with a cyber attack to see how that might be 
enhanced or what that sequence might look like.
    Mr. Langevin. Thank you.
    Mr. Thornberry. I thank the gentleman.
    Mr. Liscouski, I would like to--first let me ask this. 
Before you took office, the administration put forward this 
document, which is the National Strategy to Secure Cyberspace, 
dated February 2003. So far, have you discovered a major gap or 
something that--where you think the emphasis was not placed, 
the proper emphasis was not placed in this document? Or is this 
something that you can still go by today?
    Mr. Liscouski. No, sir. It is still a very valid document. 
A lot of good thinking went into that, and I think the private 
sector's input into that became particularly valuable to me as 
we thought about how we needed to create our national 
cybersecurity division.
    Mr. Thornberry. Well, I would like to just briefly--and 
this will entail a little bit of repetition from what you have 
already talked about--but I would like to go through those five 
priorities and ask you to kind of give us a snapshot of where 
we are with each of them.
    For example, the first priority listed in that document was 
a National Cyberspace Security Response System. And they talked 
about a public/private architecture where you would analyze 
attacks and warn and manage incidents and then respond. It 
sounds to me like that is essentially what US-CERT is going to 
be doing. Is that the primary way that we are going to 
implement that priority?
    Mr. Liscouski. Yes, sir. It is the foundation for it. The 
US-CERT is clearly the linchpin for that effort.
    Mr. Thornberry. And then what more needs to be done?
    Mr. Liscouski. Well, we need to--clearly, building 
relationships at the private sector. I think the US-CERT is an 
excellent start at that foundation. And we have engaged in 
discussions with the private sector, the Nortons and the 
McAfees of the world, to determine how we can integrate their 
contributions to this effort. I think there is a lot of good 
work that can be done there.
    The private sector is doing a tremendous amount of good 
information collection and analysis on viruses and 
vulnerabilities that we would like to be able to integrate more 
robustly. And then extending the information out--as we spoke 
earlier, the National Response System is not just national but 
it is international as well. So we have a lot of work to do 
there as well, sir.
    Mr. Thornberry. The second priority is a National 
Cyberspace Security Threat and Vulnerability reduction program, 
where the National Strategy talks about reducing the threat, 
identifying vulnerabilities, and then trying to develop systems 
with fewer vulnerabilities. Give me a snapshot of our efforts 
to implement priority No. 2.
    Mr. Liscouski. Again, and you know, the dominant theme here 
is private sector. And we have to again work with the major 
manufacturers and the smaller manufacturers of both hardware 
and software technologies to ensure that when they produce 
technology, it is according to guidelines and expectations that 
they have fewer and fewer security vulnerabilities. And if we 
can--and to be candid with you, companies are stepping up to 
that challenge. You know, pointing out to Microsoft and the 
things that they have done, they have taken this 
responsibility. I know they have been subject to a lot of 
criticism, but at the end of the day they are--their chief 
security officer is responsible for overseeing many of the 
programs that they have. They have taken very good steps here.
    It is a good example of what we need to be doing with the 
private sector. Those who produce it have to understand that 
they have the responsibility of producing good technology the 
first time around. Security defaults should not be off. I mean, 
this is the classic thinking of just basic things that need to 
be done. They are making good inroads there.
    The other point is to continually look at the 
infrastructures, you know,the vulnerabilities that we create by 
implementing technologies. I mean, this is a bigger discussion, 
to be quite candid with you, but we are doing a lot of analysis 
as converging technologies come in. I mean, we look at the 
convergence between the IP world and the telecom world and the 
vulnerabilities that are inherent there, because of--and 
forgive me for going too deep into this. But just as an 
interesting example, one of the advances of technologies, 
because they become more efficient, they themselves bring about 
vulnerabilities because now one device can do the work of 10. 
Where you had redundancy before, now you are down to a critical 
path of one device as being a key vulnerability. So we are 
constantly looking at those things as well.
    Mr. Thornberry. Talking about the private sector, at this 
point, do you have an opinion about whether market forces are 
going to be enough to elicit the kind of response from hardware 
and software vendors that the country must have?
    Mr. Liscouski. I am optimistic that the market forces will 
be sufficient. But I am prepared to say that if they are not, 
we need to quickly adapt our thinking.
    Mr. Thornberry. And as part of that reduction of 
vulnerability, is the Department looking at physical 
infrastructure related to cybersecurity as part of our 
vulnerabilities and part of what we need to assess?
    Mr. Liscouski. Yes, sir. And, unfortunately, this has been 
going on prior to even the establishment or the articulation of 
a national strategy. The NCS, the National Communication 
System, which was previously a DOD component, did a significant 
amount of work on vulnerability analysis of the telecom 
industry and then the IP backbones. So we have got a 
significant amount of data here that already allows us to be 
able to identify these vulnerabilities, and we are continuing 
to expand that.
    Mr. Thornberry. It seems to me greater work is going to be 
needed in that area, and we can discuss that at another time.
    Mr. Liscouski. Yes, sir.
    Mr. Thornberry. Let me briefly go through. The third 
priority was a Cybersecurity Awareness and Training Program; a 
number of questions have dealt with that so far. Is that going 
to be the focus of your summit in the fall?
    Mr. Liscouski. That is a key component of it--for us, 
understanding how we can better reach the community. And our 
summit is going to include not just those in the technology 
industry, but across industries, so we have a broad approach to 
understanding the problems. So, yes, sir.
    Mr. Thornberry. The fourth priority was securing 
government's own cyberspace. You have been asked about that 
before. But I am unclear, frankly, as to how much authority or 
influence you have in bringing the rest of the Federal 
Government along. My understanding is that that has been 
primarily OMB's responsibility. And just about every witness we 
have had before this subcommittee says that the government is 
nowhere near where they should be, and that if the government 
would lead, it is such a big consumer and has such market 
power, that it brings the rest of the country along with it. 
But what is your role exactly in bringing the rest of the 
government along?
    Mr. Liscouski. Our role is really to support the OMB. OMB 
does have the initial lead to ensure that, through FISMA and 
through the regulations that they provide and the oversight, 
that the government is responding to their responsibilities to 
provide security. DHS's role in this is really to coordinate 
the incident response and warning through the FedCIRC through 
the Federal Government, and I think that could be expanded to 
understanding more about the vulnerabilities.
    As I indicated earlier, we do have the patch for 
remediation responsibility through the PATC to ensure that the 
right tools are available to the government. So we have a 
responsibility there, sir.
    Mr. Thornberry. The final priority was national security 
and international security cooperation. I don't know--you have 
alluded to those things briefly before in your testimony. I 
suppose that is an area where there are an ongoing efforts and 
will have to continue to be ongoing. Let me ask you to do this. 
Rate where you believe international cooperation is on 
cybersecurity at this point.
    Mr. Liscouski. I had said in the beginning stages, it is 
tough to put a numerical code on it. I would say we are really 
in the beginning stages of understanding--well, we clearly know 
what we need to do, but we are just in the very beginning 
stages of really making some progress and establishing the 
relationships that are so necessary for us. There is a lot of 
opportunity there for us. It is a big world. I mean, there is a 
lot. And as you pointed out earlier, this technology is 
ubiquitous. It is not necessarily discriminating by economic 
income in terms of gross national product. I mean, you can get 
cheap technology out there and create these vulnerabilities. So 
we have a lot of work ahead of us to do, and I think we are 
positioned to do it.
    Mr. Thornberry. Thank you.
    The Chair recognizes the distinguished gentleman from 
Florida, Mr. Meek.
    Mr. Meek. Thank you, Mr. Chairman. Thank you, Mr. 
Secretary, for being here.
    Speaking of the private sector, and I guess when we speak 
of the private sector we are just not talking about domestic 
private sector, because the cybersecurity is a huge issue. 
Recently, as you know, with the New York blackout you had 
thousands of New Yorkers in subways and you had folks in 
Detroit and auto plants that were shut down, and it halted 
after-hours trading as it relates to Wall Street. A lot of 
things took place. What exercise did the Department go through 
to find out was it or was it not a cyber attack? That is one.
    Two, what happened in the private sector as it relates to 
that, especially in our energy industry and those that handle 
their cyber needs? What took place as it relates to checking, 
making sure that we weren't under a cyber terrorist attack?
    Mr. Liscouski. Okay. If you can indulge me, I have to speak 
in general terms.
    Mr. Meek. Sure.
    Mr. Liscouski. We are in the process of investigating that 
component. I chair the Security Working Group for the 
Electricity Task Force. So, in that capacity, I have got to be 
careful what I can say and what I can't say. We are going to 
have a hearing tomorrow on this and we are going to be 
publishing reports downstream, so I want to be a little bit 
circumspect. But what I can do is discuss what we did as DHS 
during the blackout, and I might add some clarity about how 
this process works a little bit, because I think it is clearly 
relevant and it is not going to be disclosing anything that 
can't be disclosed.
    I am quite proud--I mean, DHS should be very proud of how 
we came together to respond to the blackout along with the rest 
of the Federal Government. But DHS in particular was sort of 
the point in contact in understanding what was going on in the 
industry. We immediately reached out, upon learning what was 
going on, to the industry to determine what was their 
perspective. I mean, it is the unique thing that DHS has the 
ability to reach, through the ISAACS, to the private sector, in 
this case the NERC, to determine what is going on and what is 
the situational awareness component that we need to respond to. 
Do we have a terrorist event? Because precisely how we are 
positioned to respond is, you look at an event like that, then 
you immediately go to the next step of saying what can occur 
next? Is this a terrorist event? And even if it is not, A, 
could it be exploited? Or, B, if it is a terrorist event, what 
is the next step? And we immediately have the capability to do 
    So DHS was able to come together very quickly across its 
directorates, ask those questions, gain situational awareness, 
and provide direct advice to the Secretary and subsequently to 
the President about where we were. And then working with the 
FBI, the combination between DHS and FBI, we were able to 
quickly conclude from an initial perspective that there was no 
terrorist nexus there.
    Mr. Meek. So were you pleased with the checking process as 
it relates to is it terrorism or is it not terrorism amongst 
many departments and even the private sector?
    Mr. Liscouski. Yes, sir.
    Mr. Meek. So this report is going to be based upon trying 
to better what is good already? Or what areas will you be 
looking at?
    Mr. Liscouski. Well, the report is not examining how DHS or 
the Federal community acted. We are really looking at the root 
cause of the blackout.
    Mr. Meek. And its potential for taking place again?
    Mr. Liscouski. Correct. That is correct.
    Mr. Meek. As you know, with the World Trade Center, there 
were many attempts and sometimes folks get great ideas. Will 
there be any discussion on how to not only share with New 
Yorkers but Americans when an attack like that takes place--as 
you know, the power was out, there was no cable television for 
folks to look at, there was really no communications 
whatsoever. Will that be something that DHS will be looking at, 
to see how can we contact--I mean, everyone you hear, oh, New 
Yorkers, they did their thing, things went very smoothly, 
people knew where to go. But there was a lot of street 
hollering on the corner on how do you get out of Manhattan.
    Does the Department's looking into reaching out and to 
individuals need to be through two-way pagers, through the 
telephone, through things that were working?
    Mr. Liscouski. Yes, sir. In fact, that is really within the 
domain of Emergency Preparedness and Response Directorate under 
Secretary Mike Brown. They are looking, they are doing a deep 
look about that type of communication requirement, first 
responders, et cetera. I would really defer to them.
    Mr. Meek. Okay. One last question, Mr. Secretary, or I 
guess a concern of mine. I just want to make sure that cyber 
partners that we do have that are working with us against this 
effort in terrorism, that they are working as hard as possible 
and together. I look at what--your job is almost similar to 
almost the Intelligence Community. It is kind of hard to share 
information. You have competition, you have private sector 
needs and technology needs and things that they want to keep to 
themselves. But if is not put on the table on behalf of 
security as it relates to the cyber world here in the United 
States, we may very well have problems. And when we have a 
problem, that means that things will be legislated and 
decisions will be made in haste that individuals may not like. 
And I think it is important that we encourage them to work.
    I wish you well on your report. I am looking forward to 
seeing and hearing more about it.
    Mr. Liscouski. Thank you.
    Mr. Meek. Thank you, Mr. Chairman.
    Mr. Thornberry. I thank the gentleman, and want to mention, 
again, that this subcommittee as well as the Border 
Subcommittee will hold our second hearing tomorrow on this 
interdependency of infrastructures. And Mr. Liscouski will be 
one of the witnesses, as well as others from the Department, 
because I agree with the gentleman from Florida; these are 
critical issues and we need to learn the lessons when it 
happens the first time so that we are not put at a 
    The Chair would recognize the Ranking Member.
    Ms. Lofgren. Thank you, Mr. Chairman. A lot of the 
questions I thought I would ask have already been asked, so I 
really just have two issues that I want to raise. One has to do 
with the ISACs. You mentioned them in your testimony. And the 
feedback I have received from the private sector is that some 
of them are performing a lot better than others. And that, in 
particular, telecom actually seems to be working pretty well, 
IT; but, in the other sectors, that they are basically not 
functioning. And--and I don't know if this is true or not, but 
this is what some of the private sector people have said--and 
the problem may be a lack of funding support. At least that is 
what some of the private sector people identified.
    Do you think that that assessment about some of these ISACs 
is correct? And what should we do to pump them up a bit?
    Mr. Liscouski. Yes, I think it is fair. I think your 
characterization of the telecoms and the IT-ISAC as well as 
others--I think the energy ISAC is another good example, oil 
and gas. We are looking at them. I guess the easiest answer is 
that we are examining the best model.
    I think currently it is sort of a one-size-fits-all model 
and it is really not the appropriate one. I think the more we 
learn about the way information sharing needs to be propagated 
across the sectors, they are so diverse, many of them are very 
diverse and not technically connected. We need to look at that 
more quickly, and we are going through that examination process 
right now.
    Ms. Lofgren. When will that be completed, do you think?
    Mr. Liscouski. You know, completion is probably--I mean, I 
am really looking at changing the model fairly quickly. The 
funding model is one of those things. I don't want to give you 
specific data. I would like to get back to you with more of an 
intelligent answer about what that is going to look like. I 
think what I would like to do and what I am planning on doing 
is actually starting a couple of different types of pilots to 
see what does work. And I would be happy to share that with you 
in more detail at a later time when we have pretty much our 
plans finalized.
    Ms. Lofgren. I would be interested in that, if you could 
keep us posted. I am sure the whole committee would like to 
know about it. And if there is a requirement to change the 
funding stream--I don't know whether we need legislation to do 
that or not--but I would be interested in that recommendation 
from you.
    Mr. Liscouski. Sure.
    Ms. Lofgren. And additionally, in addition to the 
functioning of the ISACs, internally I have heard criticism 
that there is sort of--they are piped, and that there really 
needs to be some communication among them as well. So I assume 
that you are--.
    Mr. Liscouski. Yes, ma'am, that is precisely the point we 
are looking.
    Ms. Lofgren. All right. The final question I have has to do 
with the vacancy rate in your Department. And when you were 
talking about how challenging it was to come in, I am sure it 
has been and you want to get good people, you want to get the 
right people; and it is hard to start an organization from 
scratch and try and go 65 miles an hour while you are doing it. 
So I don't want to appear overly critical.
    But I am concerned that the vacancy rate is still very 
high, about 40 percent, I would think. And in a way I have been 
concerned about this, not just with DHS but other Federal 
departments when we have tried to get people with expertise and 
technology to come to work for the Federal Government. I tried 
with the former commissioner of the INS before the creation of 
the Department. I mean, we couldn't get people to come to work 
for the Federal Government, which is disappointing. And 
especially now with the terrible economic situation in the tech 
sector, it seems almost mysterious that we can't do a faster, 
better job of recruiting in this sector.
    So the question is: What are you going to do to fill those 
vacancies? What can we do, if anything, to help you in getting 
staffed up as quickly as possible?
    Mr. Liscouski. Well, I appreciate the concern. And, you 
know, attrition rates and vacancy rates are things that always 
plague every business or every government. So it is not a 
question of that. And I can't speak to the exact number, so I 
apologize. I mean, we can get back to you on that.
    But let me just address it by this. First of all, the 
workforce we are attracting is a talented workforce. I mean, we 
are extremely fortunate with some of the folks that we have 
attracted. And I think, you know, in my experience--I was in 
the government; I left my career with the State Department back 
in 1991 And was very impressed with the folks I worked with and 
my colleagues. I am happy to say I think that workforce has 
continually increased in its capabilities, particularly in DHS; 
I have been gratified to see that, folks particularly in the 
IAIP area. So we have been successful in doing that.
    One of the challenges we have when we recruit people from 
the private sector is going through the clearance process, 
because the clearance process and working at the levels we are 
working at require us to take a 6--to 9-month clearance 
process, and you really can't even work effectively at all 
until you have got those appropriate clearances. So, while we 
may have people identified in positions, they can't occupy 
those positions until they have been vetted and the clearances 
have granted. And that might be contributing to some of the 
vacancies you are hearing about.
    But we are working hard. And, you know, I appreciate your 
comments and I would like to just kind of, I guess, recognize 
that the people that are there today are really working 
extremely hard. I mean, this country is extremely fortunate, 
and I have got the benefit of working with them on a daily 
basis, and they put in some incredible hours and they are 
really dedicated.
    And I can tell you right now, since March 1st, the folks 
that work in our directorate have been working nonstop. I mean, 
literally, you go in there on Saturdays and Sundays, and some 
days you think it is a Wednesday. You know, it is just--it is 
staffed, And people work hard and they are dedicated. So we are 
very fortunate.
    Ms. Lofgren. If I can follow up--and that is good to hear. 
Perhaps the resources that we should apply then might not even 
be in your Department but in the FBI to--maybe additional 
resources to do the clearances. Would that be of assistance? I 
mean, there is no real reason why it has to take 9 months to do 
the clearances, just the work is the lack of personnel to put 
on it.
    Mr. Liscouski. I am not competent to be able to answer that 
question, but I suspect we can probably get back to you on 
    Ms. Lofgren. I would like to know that. And that may be 
something we could help to address, because that is something 
we ought to address, it seems to me.
    And I yield back my time, Mr. Chairman. Thank you.
    Mr. Thornberry. I thank the gentlelady.
    Dr. Christensen.
    Mrs. Christensen. Thank you, Mr. Chairman. Mr. Chairman and 
Ranking Member, it does occur to me, and it came up earlier, 
that there may be reasons for us to ask the assistant secretary 
to meet with us in a closed and classified setting, because 
there may be some questions we might not want to ask in a 
public hearing.
    I have one further question for you, Assistant Secretary. 
One of the objectives of the National Strategy is to foster 
adequate training and education programs to support the 
national security need. You talked about the relationship with 
Carnegie-Mellon and you made reference to relationships with 
other universities. I wonder if you would elaborate on that 
some, and also talk a bit about how you would ensure the 
involvement of historically black colleges and universities and 
other minority-serving institutions.
    Mr. Liscouski. Yes, ma'am. There are a couple of different 
ways we are addressing that. First of all, my colleague, Under 
Secretary McCreary, has got a program--and forgive me for not 
knowing the exact specifics on this--in which they are creating 
partnerships with universities. And I believe it is among those 
major components that the partnerships are to enhance 
educational opportunities for the specific areas that we need. 
So I think it is probably more appropriate to sort of field 
that question to Under Secretary McCreary's area.
    But in our area and working with other partners, you know, 
the NSA sponsoring the centers of excellence and the university 
programs that they have, are geared toward enabling 
opportunity, creating opportunities for educational programs 
and students to get into the information security area in 
particular. It is an area that we have a very keen interest in 
and we are looking to support that.
    I can't speak to the programs themselves in terms of where 
the emphasis is on that program in historically black colleges, 
but I am almost certain I remember a conversation with NSA 
officials that they have established centers of excellence at 
schools that really honor diversity. But, again, I can't speak 
competently to that question, but I would be happy to get back 
to you.
    Mrs. Christensen. Well, given the extensive need for 
personnel who are really--who are well-skilled and trained, and 
the sensitivity of the issues that we are going to be dealing 
with, not allowing us to always go overseas to seek personnel 
for these offices, I think it is important that we build up our 
personnel from within and that we extend and expand it to 
include these institutions as well.
    Mr. Liscouski. I agree.
    Mrs. Christensen. Thank you.
    Mr. Liscouski. Thank you.
    Mr. Thornberry. Ms. Jackson-Lee.
    Ms. Jackson-Lee. Thank you, Mr. Chairman. I again thank you 
for the hearing that we will have tomorrow and the one that we 
are having today.
    I would like to join Congresswoman Christensen on this 
issue of HBCUs and the matching of talent. And I think that 
your point about outreach is extremely important. I would make 
a suggestion that the Secretary be referred to having a meeting 
with the president of at least a number of our HBCUs. They are 
certainly--I think it is definable as to those institutions 
that may even have those disciplines that would be an excellent 
feeding source, or a source of talent. And I would add, of 
course, Hispanic-serving institutions as well. We did that in 
the previous administration with having a roundtable with about 
10 to 20 HBCU presidents, and it really, really is effective in 
terms of getting them focused and working in partnership with 
talented individuals who may not be aware of the opportunities 
and but yet they have great talent.
    So I would appreciate it if we could get a response back on 
that request as to the facilitating of that meeting. And any 
way that we can help to facilitate would be happy to do so.
    Mr. Liscouski. Yes, ma'am, thank you. I think that is a 
great suggestion. And I can tell you, we would like to take you 
up on that, but we will get back to you formally.
    Ms. Jackson-Lee. I appreciate it very much.
    Mr. Liscouski. Thank you.
    Ms. Jackson-Lee. Let me note, if I understand, when I asked 
the question about blackout, just give me your answer again. 
You were saying it is another committee? Or you are going to be 
here tomorrow discussing? I know we have a hearing tomorrow and 
we have that as one of our topics. Is that what you were 
suggesting to me, that you would be able to give more on this 
issue of what impacts cyber had on the blackout tomorrow? Or 
are you waiting on a report?
    Mr. Liscouski. I may be able to speak at a top level 
tomorrow; but in earnest, I have to tell you, we have to really 
conclude the report. We are still going through the analysis. 
So it is really any preliminary conclusions we come to at this 
point can easily be eclipsed by other facts that might lead us 
to a different conclusion. So I will just have to defer to the 
report, ma'am.
    Ms. Jackson-Lee. And that report will be--what is the date 
are we looking at for that?
    Mr. Liscouski. I don't know if it has been published in 
terms of the specific dates. I know the task force is shooting 
for sometime in the late October time frame.
    Ms. Jackson-Lee. Late October.
    Mr. Liscouski. Yes, ma'am.
    Ms. Jackson-Lee. And that is, of course, a public report?
    Mr. Liscouski. Ma'am, I don't know, to be honest with you. 
I will have to find out.
    Ms. Jackson-Lee. All right. Well, will you provide us with 
that information even tomorrow as to the status of that report?
    Mr. Liscouski. Certainly.
    Ms. Jackson-Lee. Let me just pursue briefly the line of 
questioning that I had before about authority and the role of 
DHS. And I think you said to me that the role is to protect 
from cyber terrorism; that DHS protects from cyber terrorism, 
and the FBI is in the business of responding to the attacks or 
really on the aggressive end of it.
    My concern is does it make sense to divide the experts, the 
ones that are telling us the story, and then those who have to 
react to the story? Is there a protocol to have two teams, the 
two teams interact with each other? And then when there is a 
crisis--that is a question I was asking--who is in charge? Now, 
you indicated the FBI. But then how does the component that you 
work with get merged into the FBI? Because when we are in 
crisis, we need all of the thinkers working together, the 
reactors; but those who say I have got a solution, because I 
know on the protection side what we had to do. And a protection 
response, is it making it more difficult to get people in the 
protection side? Because certainly there is a lot more energy 
and excitement maybe on the response side. But I am 
particularly concerned about the authority question and the 
protocol that would merge them, if necessary, and whether there 
is interaction even in the backdrop of the day-to-day work, 
which I think is extremely important.
    Mr. Liscouski. I thank you for the opportunity to clarify, 
because I think I misled you a bit on my remarks earlier. It is 
not unique to the FBI in terms of the enforcement and the 
investigative responsibility. The Secret Service--and, as you 
know, Secret Service is a component of DHS with whom we closely 
work--also has a responsibility to investigate cyber crime. In 
fact, within the financial domain, they are really the 
preeminent experts.
    Ms. Jackson-Lee. That was a new addition to their 
    Mr. Liscouski. Yes, ma'am, and they are effectively 
executing against that. They have some tremendous talent, as 
does the FBI. We are very ecumenical in our approach. We try to 
ensure that we have got the right resources. And I think the 
recent--forgive me, I don't know if it was Blaster or SoBig in 
which both the FBI and the Secret Service jointly investigated, 
and they worked extremely well together; they complemented 
themselves extremely well.
    From my point of view, you can never have enough resources 
to investigate these things. So I think if a little is good, 
more is better in this case. And the unique capabilities that 
are within the domain of the Bureau and the FBI I think both 
complement themselves and overlap where they are necessary; it 
is appropriate. We work very closely.
    And I will just state this: that my intention in creating 
our capability within IAP and the NCSD is to continuously 
increase our reliance upon the Secret Service for their 
capabilities. So, by extension, I would say DHS clearly has the 
authorities we need. When I was discussing this as it relates 
to the protection responsibility, it was really relevant to the 
IAIP mission and the infrastructure protection mission 
specifically. We do not have investigative authority. We don't 
need investigative authority, to be candid with you. We have 
the resources in-house, the DHS, to investigative requirements 
as we identify them.
    Ms. Jackson-Lee. But you feel you have sufficient authority 
to work on the matters that you are working on, but also to 
coordinate with the other agencies when there is a time of 
    Mr. Liscouski. Yes, ma'am. In fact, I think we have been 
able to demonstrate that effectively, as I indicated, through 
the recent Blaster and SoBig viruses, the blackout. All those 
incidents have served to really validate the fact that this 
approach is the appropriate one.
    Ms. Jackson-Lee. Thank you. Thank you, Mr. Chairman.
    Mr. Thornberry. I thank the gentlelady.
    Does Mr. Meek have additional questions?
    Mr. Meek. Just a small one, Mr. Chairman.
    Mr. Secretary, I guess we are going to need at a future 
date--and I don't know, maybe the Chairman and others are 
thinking about it--but a closed hearing; we can ask a few 
aggressive questions as it relates to cybersecurity and as it 
relates to the security of our infrastructure here in the 
United States.
    What level of, would you say, urgency and concern that 
jointly government and the private sector may have as it 
relates to a cyber attack? The reason why I ask that question, 
Mr. Secretary--there may be a quick answer that you can give 
me--is the fact that we know that there are terrorist groups 
that are abroad, and possibly could be domestic, that would 
like to take our ability to be able to live financially and 
socially through the Internet. And since we are doing--seems 
that we are doing a good job as it relates to trying to keep 
terrorists and track them down before they cross our borders, 
and using the approach that they are using in Iraq right now of 
saying why do we have to come to the United States, we can go 
to Iraq and still accomplish our goal--what kind of urgency do 
you see? Because I hear a lot of we are fine, we don't need X, 
Y, and Z, when I know that there are issues out there that need 
to be addressed and there are issues that this subcommittee 
needs to address legislatively. There are issues that the 
Department needs to address rule-wise and administratively. But 
maybe there are some areas that you feel that are important 
that we need to fill the gap. And I am just trying to think of 
the urgency.
    I used to be a law enforcement person, and no one is really 
concerned about the parking lot security outside of any 
hospital until someone gets pushed down and their wallet or 
purse is taken. So I am trying to make sure that what--from a 
scale of 1 to 10, where do you think we are and where do we 
need to be? Or are we in the right position right now? 
Everyone, hands on deck, just like they were for the last 
couple of years? What do you think we need to do here?
    Mr. Liscouski. Well, I mean, let me just clarify my 
statements earlier about where we are. I think we are 
positioned for success. I think we have got the right 
architecture, the right framework to build on. I think we know 
where we have to go. But I did not mean to imply that the world 
out there is not a bad world.
    I agree with you 100 percent; there are some serious 
threats that we face. The cyber community, the cyber world is 
one which we are just really beginning to understand and 
beginning to see the evidence of what those threats can do to 
manifest themselves in our technologies. So in terms of sense 
of urgencies, I don't want to sit here calmly explaining to you 
what we are doing and give you the false perception that I am 
not worried about it. I am worried about it all the time. And 
we need to be worried about it. And the community needs to be 
worried about it, because we are not in control of those 
    The challenge we have on the cyber world, unlike the 
physical world where you can really put your arms around 
somebody and identify the command-and-control structure and the 
capabilities that they may or may not have to conduct an 
attack, the cyber world is a lot easier to work in. And 
although the technologies that you need to do to--there is a 
debate about how technically savvy you have to be to really 
conduct a really effective attack or a long sustainable attack. 
I would argue that I wouldn't want to wait to find that out, 
and we need to move aggressively and we need to be worried 
about it.
    So I am happy to sit calmly before this committee and talk 
about the things we are doing. But we are not sitting back 
calmly back at DHS and other places, just thinking about are we 
doing the right things. We are really trying to move out and 
get urgency around this.
    So I agree with you and I share that, and I appreciate your 
comments of concern, because we are concerned about it. These 
threats are real, they are ubiquitous, they are everything from 
the kid that gets bored and decides that he is going to put a 
virus out there, to organized crime groups that are out there 
exploiting our networks and exploiting our information and 
extorting them.
    Mr. Liscouski. Terrorist groups, state groups, you name it. 
They are out there. Common thieves, common criminals. They all 
have the capabilities of doing these things and doing it all 
the time. We are constantly under attack on the Internet, and 
you know, if you talk to any of the providers out there and you 
talk to the folks who are providing services on the Internet 
community, the backbone, they see threats all the time. They 
see stuff, it just would boggle your mind. Fortunately, you 
know they haven't manifest themselves in anything serious yet. 
And it is the ``yet'' that worries me, the ability to do that 
is out there, so.
    Mr. Meek. Mr. Secretary, if I may, that's where I mean, you 
are hitting exactly where I thought you would hit as it relates 
to the threat. And the threat is real. We have individuals that 
are being robbed right now over the Internet, stuck up, ransom, 
what have you, $50,000 transferred here and no one will ever 
know about it because it has a lot to do with stocks and trades 
and investors and security of their own infrastructure. I just 
want to make sure that we continue to have a sense of urgency. 
It is not about the preparedness. It is about the consistency 
of the preparedness. And I know my job and I know our job is to 
support the Department and the private sector in its efforts, 
but at the same time, make sure not only that DHS has what it 
needs, but we keep the pressure on all players of making sure 
that we do what we have to do, because the last thing that we 
want is for you for me or anyone on this committee to be 
identified as okay. You are okay, I am okay, okay, fine. 
Everything is fine. We need to make sure that you are okay, I 
am okay, how do we move this ball and play offense because they 
are playing offense.
    So I am glad to hear that you are still sitting on the edge 
of your seat personally and that people who serve in your 
capacity in the private sector has that same sitting on the 
edge of the seat hopefully as it relates to playing toward 
overall infrastructure protection. Thank you, Mr. Chairman.
    Mr. Liscouski. Thank you.
    Mr. Thornberry. I thank the gentleman. And I think that 
discussion that he just had with the witness is an appropriate 
way to end our hearing because--and I have some additional 
questions I would like to submit for the record, but I think 
that sense of urgency that he described is difficult to 
maintain, not just with cyber, with the whole range of Homeland 
Security responsibilities. But, yet, we must try to keep that 
sense of urgency because there is so much at stake. Mr. 
Liscouski, I will say for me, personally, I am impressed by the 
actions that you have taken in the cyber field to help bring us 
closer to where we need to be. I am also convinced that you 
maintain this sense of urgency.
    As you said at the end of your opening statement, we are 
partners in this effort. That doesn't mean we are a rubber 
stamp, it doesn't mean we are a cheerleading squad. But we are 
partners with you to try to help maintain the sense of urgency 
and take real concrete steps that help our country be safer. We 
look forward to working with you in the future to do that. And 
again, thank you for your appearance today. I thank the 
gentlelady from California as always for her work and with that 
the hearing stands adjourned.
    [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]