[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]




     CYBER SECURITY: THE CHALLENGES FACING OUR NATION IN CRITICAL 
                       INFRASTRUCTURE PROTECTION

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 8, 2003

                               __________

                           Serial No. 108-13

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

87-230              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
              Randy Kaplan, Senior Counsel/Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                          John Hambel, Counsel
                 Chip Walker, Professional Staff Member
                      Ursula Wojciechowski, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 8, 2003....................................     1
Statement of:
    Clarke, Richard, former special advisor to the President for 
      Cyberspace Security; Michael A. Vatis, director, Institute 
      for Security Technology Studies at Dartmouth College and 
      chairman, Institute for Information Infrastructure 
      Protection; and Mark A. Forman, Associate Director, 
      Information Technology and Electronic Government, Office of 
      Management and Budget......................................     9
    MacLean, Rhonda, senior vice president and director of 
      corporate information security for Bank of America, sector 
      coordinator for the Financial Services Industry Public/
      Private Partnership on Critical Infrastructure Protection 
      and Homeland Security; Robert F. Dacey, Director, 
      Information Security Issues, U.S. General Accounting 
      Office; and Thomas Pyke, Chief Information Officer, 
      Department of Commerce.....................................    52
Letters, statements, etc., submitted for the record by:
    Clarke, Richard, former special advisor to the President for 
      Cyberspace Security, prepared statement of.................    11
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office, prepared statement of...........    79
    Forman, Mark A., Associate Director, Information Technology 
      and Electronic Government, Office of Management and Budget, 
      prepared statement of......................................    33
    MacLean, Rhonda, senior vice president and director of 
      corporate information security for Bank of America, sector 
      coordinator for the Financial Services Industry Public/
      Private Partnership on Critical Infrastructure Protection 
      and Homeland Security, prepared statement of...............    55
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     4
    Pyke, Thomas, Chief Information Officer, Department of 
      Commerce, prepared statement of............................    72
    Vatis, Michael A., director, Institute for Security 
      Technology Studies at Dartmouth College and chairman, 
      Institute for Information Infrastructure Protection, 
      prepared statement of......................................    22

 
     CYBER SECURITY: THE CHALLENGES FACING OUR NATION IN CRITICAL 
                       INFRASTRUCTURE PROTECTION

                              ----------                              


                         TUESDAY, APRIL 8, 2003

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:30 a.m., in 
room 2247, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam and Clay.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Chip Walker, Scott Klein, and Lori Martin, 
professional staff members; Ursula Wojciechowski, clerk; David 
McMillen, minority professional staff; and Jean Gosa and Early 
Green, minority clerks.
    Mr. Putnam. A quorum being present, this hearing of the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order.
    Good morning, and welcome to a series of planned hearings 
on cyber security, a topic that is critically important and one 
that has largely been neglected both in congressional debate, 
private sector action, and administrative action. It is a 
pleasure to have a distinguished panel of witnesses with us 
this morning.
    Virtually every aspect of our lives is in some way, shape, 
or form connected to computers. Networks that stretch from 
coast to coast or around the world connect these computers to 
one another. In the traditional sense, we have thought of our 
security as a Nation in the physical--bridges, power plants, 
water supplies, airports, etc. Security of our physical 
infrastructures has been a high priority and a particularly 
visible priority since September 11, 2001.
    The military, customs, and border patrol are charged with 
protecting and securing our borders. The Coast Guard protects 
our waterways. Federal, State, and local law enforcement 
officials protect our bridges, railways, and streets and 
provide for our own personal protection. But in this day and 
age, this type of one-dimensional thought is no longer 
adequate. Our critical infrastructure of the cyber kind must 
have the same level of protection if we are to be secure as a 
Nation from random hacker intrusions, malicious viruses, or 
worse--serious cyber terrorism.
    There are several things unique to cyber attacks that make 
the task of preventing them particularly difficult. Cyber 
attacks can occur from anywhere around the globe; from the 
caves of Afghanistan to the war fields of Iraq, from the most 
remote regions of the world or simply right here in our own 
back yard, perhaps in the bedroom of some 16-year-old who is 
particularly gifted in computers and electronics. The 
technology used for cyber attacks is readily available and 
changes continuously. And perhaps most dangerous of all is the 
failure of many people, critical to securing these networks and 
information from attack, to take the threat seriously, to 
receive adequate training, and to take the steps needed to 
secure their networks. I am happy to say today that all of the 
witnesses here are on the forefront of this war--on cyber 
terrorism--and I am looking forward to their insightful 
testimony.
    In May 1998, President Clinton released Presidential 
Decision Directive No. 63. This Directive set up groups within 
the Federal Government to develop and implement plans that 
would protect Government-operated infrastructures and called 
for a dialog between Government and the private sector to 
develop a National Infrastructure Assurance Plan that would 
protect all of the Nation's critical infrastructures by 2003. 
The Directive has since been supplemented by Executive Order 
13231, which established President Bush's Critical 
Infrastructure Protection Board and the President's National 
Strategy for Homeland Security.
    Since January 2001, efforts to improve Federal information 
security have accelerated at individual agencies and at the 
Government-wide level. For example, implementation of 
Government Information Security Reform Act [GISRA] legislation, 
enacted by the Congress in October 2000 was a significant step 
in improving Federal agencies' information security programs 
and addressing their serious, pervasive information security 
weaknesses. In implementing GISRA, agencies have noted 
benefits, including increased management attention to and 
accountability for information security. Although improvements 
are under way, recent GAO audits of 24 of the largest Federal 
agencies continue to identify significant information security 
weaknesses that put critical Federal operations and assets in 
each of those agencies at risk.
    On December 17, 2002, the Federal Information Security 
Management Act [FISMA], was enacted as Title III of the E-
Government Act of 2002. FISMA permanently authorizes and 
strengthens the information security program, evaluation, and 
reporting requirements established by GISRA. Among its 
provisions, it also requires the National Institute of 
Standards and Technology to develop standards that provide 
mandatory minimum information security requirements for Federal 
information security systems.
    While securing Federal information systems is critical, so 
is securing the critical infrastructure of the Nation--80 
percent of which is privately controlled. Reports of computer 
attacks abound. The 2002 report of the Computer Crime and 
Security Survey conducted by the Computer Security Institute 
and FBI's San Francisco Computer Intrusion Squad showed that 90 
percent of the respondents, mostly large corporations and 
Federal agencies, had detected computer security breaches 
within the last 12 months; 90 percent. In addition, the number 
of computer security incidents reported to the CERT 
Coordination Center rose from over 9,800 in 1999 to over 52,000 
in 2001 and over 82,000 in 2002. And these are only the attacks 
that are reported.
    The director for CERT Centers, operated by Carnegie Mellon 
University, stated that he estimates as much as 80 percent of 
actual security incidents go unreported. In most cases, this is 
because either the organization was unable to recognize its 
systems have been penetrated or there were no indications of 
penetration or attack, or the organization was just reluctant 
to report.
    Our own GAO has found a disturbing trend among Federal 
agencies. In both 2001 and 2002, GAO continued their analysis 
of audit reports for 24 major departments and agencies. The 
audits identified significant information security weaknesses 
in each that put critical Federal operations and assets at 
risk.
    While the Federal Government and private sectors have made 
improvements in cyber critical infrastructure protection, there 
is still much work to be done. In July 2002, GAO identified at 
least 50 Federal organizations that have various national or 
multiagency responsibilities related to cyber critical 
infrastructure protection. The interrelationship of these 
organizations is vital to a successful cyber CIP strategy. 
These organizations also interrelate and coordinate with even 
more private sector organizations as well as the State and 
local governments.
    The ability of all of these groups to communicate well, to 
understand the risks involved, accept common goals and minimum 
standards, and accept full accountability will be the keys to a 
successful national effort to protect the Nation's critical 
infrastructures and our Government networks.
    This subcommittee accepts the serious nature of the 
oversight responsibility related to this topic, and this 
hearing today is simply the beginning of what will be a series 
of hearings that examine and measure the progress toward 
achieving true cyber security.
    We are delighted to be accompanied by the gentleman from 
Missouri, the ranking member, Mr. Clay. I recognize you for any 
opening remarks. Thank you for joining us.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.001
    
    [GRAPHIC] [TIFF OMITTED] T7230.002
    
    [GRAPHIC] [TIFF OMITTED] T7230.003
    
    Mr. Clay. Good morning. Thank you, Mr. Chairman, for 
calling this hearing. I would like to welcome the witnesses who 
are going to testify before us today. The issue before us 
today, as the chairman has pointed out, is as critical as any 
national security issue. Unfortunately, it is even more complex 
than most.
    There are really two issues before us today. First, as the 
title of this hearing implies, we must examine the processes in 
place for protecting our Nation's critical infrastructures, 
like the telephone system, financial systems, the supply of 
electricity, natural gas, water, and emergency services. 
Second, and equally important, we must examine the security of 
the computer systems that run our Government from day to day.
    Just last November, this committee issued a report on 
computer security where only 3 agencies got grades of C or 
above and 14 agencies failed. Some of the answers to these 
questions are the same. Computer security takes place in the 
trenches. If the man or woman sitting at the desk does not do 
the proper thing, then our systems will not be secure. If the 
system administrator does not install the proper patches when 
they become available, then our systems will not be secure. If 
the procurement officer does not examine software for security 
features before recommending or approving a purchase, then our 
system will not be secure. All of the security plans in the 
world will not make our systems secure unless those at the 
heart of the system do their job.
    As we have learned, computer security has not been a 
priority at agencies. Over the past 4 years, Congress has 
steadily turned up the heat. Former Representative Horn issued 
a number of report cards, each one showing the situation was 
worse than we realized. One of the lessons from that experience 
was that when we asked agencies to evaluate themselves, they 
are often overly optimistic. Last year, the report cards, based 
primarily on audit report from the Inspector General, were the 
worst ever.
    We may have turned the corner. Last year, we passed the 
Federal Information Security Management Act [FISMA], which is a 
significant step forward in setting out requirements for 
computer security that agencies must follow. Now we must assure 
that those requirements are implemented. It is my understanding 
that OMB has yet to issue the guidance required under FISMA. I 
hope that Mr. Forman will tell us that OMB has renewed its 
efforts to assure that the requirements of FISMA are 
implemented.
    We have a long way to go but I believe we are on the right 
track to secure our Government's day to day computer system. I 
am not sure I can say the same thing about protecting our 
critical infrastructure. While I believe we are making progress 
in this arena, it is very slow. It has been almost 7 years 
since President Clinton established the President's Commission 
on Critical Infrastructure Protection and almost 5 years since 
President Clinton issued Presidential Decision Directive No. 
63, to assure critical infrastructure protection. I expect our 
witnesses today will report on how we are progressing toward 
the goals established in that Directive.
    What concerns me, however, is that we have entered an era 
where things like critical infrastructure protection and 
Homeland Security are being used to erode our open Government. 
Just last week, USA Today reported that we are facing the 
biggest rollback of open Government laws since those laws were 
passed 30 years ago. What is tragic is that this renewed 
emphasis on secrecy is unnecessary. In the 19th century, the 
cryptographer August Kirkovs set down a principle that is the 
most advanced work in cryptography today: ``In good systems, 
the system should not depend on secrecy and it should be able 
to fall into the enemy's hands without disadvantage.'' Put 
another way, the knowledge that American citizens are going to 
jump anyone who tries to hijack a plane does more to prevent 
hijacking than all of the secret plans at the Transportation 
Security Agency. If we sacrifice the fundamental principles of 
our society in the name of security, we have won neither 
security nor freedom. Thank you, Mr. Chairman.
    Mr. Putnam. Thank you very much.
    At this time we will begin with our witnesses. All of you 
have been very gracious to provide thorough written testimony. 
As you know, we ask that you limit your oral presentation to 5 
minutes. There is a light box on your table; the green light 
means that you may begin your remarks, and the red, we ask you 
to begin to sum up because the time has expired. We do have 
several witnesses and some panel members who are on a tight 
time schedule and we will attempt to be as thorough and as 
efficient as possible.
    As you know, it is the policy of this committee that we 
swear in witnesses. So please rise and raise your right hands.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses 
responded in the affirmative.
    I would like to begin the first panel with Richard Clarke. 
Richard Clarke is an internationally recognized expert on 
security, including homeland security, national security, cyber 
security, and counter-terrorism.
    He has served the last three Presidents as a senior White 
House advisor. Over the course of a record setting 11 
consecutive years of White House service, he has held the 
titles of special assistant to the President for global 
affairs, national coordinator for security and counter-
terrorism, and special advisor to the President for cyber 
security.
    Prior to his White House years, Mr. Clarke served for 19 
years in the Pentagon, the Intelligence Community, and State 
Department. During the Reagan administration, he was Deputy 
Assistant Secretary of State for Intelligence. During the first 
Bush administration, he was Assistant Secretary of State for 
political-military affairs and coordinated diplomatic efforts 
to support the first Gulf war and the subsequent security 
arrangements.
    Today Mr. Clark consults on a range of issues, including: 
corporate security risk management, information security 
technology, dealing with the Federal Government on security and 
IT issues, and counter-terrorism. Clearly, he is a well-
qualified witness for this subcommittee hearing.
    We are delighted to have you with us, Mr. Clarke. With 
that, you are recognized for 5 minutes.

  STATEMENTS OF RICHARD CLARKE, FORMER SPECIAL ADVISOR TO THE 
PRESIDENT FOR CYBERSPACE SECURITY; MICHAEL A. VATIS, DIRECTOR, 
INSTITUTE FOR SECURITY TECHNOLOGY STUDIES AT DARTMOUTH COLLEGE 
    AND CHAIRMAN, INSTITUTE FOR INFORMATION INFRASTRUCTURE 
PROTECTION; AND MARK A. FORMAN, ASSOCIATE DIRECTOR, INFORMATION 
TECHNOLOGY AND ELECTRONIC GOVERNMENT, OFFICE OF MANAGEMENT AND 
                             BUDGET

    Mr. Clarke. Thank you, Mr. Chairman, Mr. Clay. Mr. 
Chairman, first let me start by commending you for having this 
hearing and recognizing the importance of this issue. Your 
remarks were right on point. I am not surprised that you are on 
top of this issue. I recall very well that long before 
September 11th, you asked me when I was the Counter-Terrorism 
Czar to come up and brief you on al-Qaeda before most Members 
of the Congress knew what al-Qaeda was. So I am not surprised 
that you are on top of this issue before other people.
    I would hope that with cyber security we could do more to 
raise our defenses before we have a major disaster. With al-
Qaeda, unfortunately, we had to wait until we had a major 
disaster for people to get it and for people to act on that 
understanding. It would be nice if, for once, we were able to 
get the Congress and the administration and the corporate world 
to understand the issue before the disaster occurs.
    The problems that we have had to date in cyber security are 
minor when compared to the potential. And the mistake a lot of 
people make is that they look at the past as a predictor of the 
future, that the past $17 billion a year worth of damage by 
cyber security they think is just a minor nuisance. 
Unfortunately, as long as we have major vulnerabilities in 
cyberspace and we do not address those major vulnerabilities, 
we run the potential for somebody doing us much more severe 
damage than has been done to date. So people who look at the 
cost of cyberspace security problems today and say those 
problems are not significant should instead be looking to the 
future and what could happen based on the vulnerabilities that 
exist.
    Mr. Chairman, I have suggested in my written testimony 10 
things which I think this committee and the Congress could do 
in general. Let me quickly go over them in the time allowed.
    First and foremost, I think the Department of Homeland 
Security must be the focus, the location in the executive 
branch that has clear responsibility for cyberspace security. 
That is the intent of President Bush's National Strategy. 
Unfortunately, the department in its early days, and I admit 
these are early days, has not organized itself to take on that 
heavy responsibility, has not created a Cyberspace Security 
Center, has not recruited senior recognized cyberspace security 
experts. Until it does, we will continue to have a major 
problem.
    Second, we still lack a Chief Information Security Officer 
for the Federal Government. I have the utmost respect for my 
friend and colleague Mark Forman, but he is not the Chief 
Information Security Officer. We do not have one. You would 
think that since Congress has given to OMB by law the 
responsibility for managing the IT security of the Federal 
agencies, except for the Defense Department and the 
Intelligence Community, that they would have a large staff of 
people dedicated fully to this issue. They do not. And until 
they do, we are likely to continue to have 14 agencies getting 
Fs and no agencies getting better than C. No matter what laws 
we pass, no matter what acronyms we adopt--FISMA, GISRA--until 
there is a clear full-time responsible official in the White 
House with a full-time responsible staff that is sufficiently 
large and sufficiently qualified, we will not be able to 
implement these laws.
    Third, the Congress passed last year the Cyber Security 
Research Act. I think it is important that authorization be 
matched with an appropriate appropriation this year.
    Fourth, I think the committee ought to look at the 
mechanisms of the Internet itself, the things which are owned 
in common, not by the Government, not by a particular company, 
but the Internet mechanisms for traffic flow, all of which are 
highly vulnerable as was proved by the attack on the Domain 
Name System last year.
    Fifth, I think rather than asking GAO to do periodic onsite 
inspections and come up with reports, GAO should be authorized 
by this committee to buy the devices which are now available to 
allow auditing and scanning of major enterprises for the 2,800 
known vulnerabilities on a daily basis. The technology is 
deployed in the private sector. It allows companies' CEOs, 
COOs, on a daily or weekly basis, to see every machine in their 
network and to see whether or not it is fixed, whether or not 
it is vulnerable. GAO should have that technology and it should 
have it deployed in all of the major Government agencies, so 
you, Mr. Chairman, members of this committee can get a weekly 
report, a monthly report, rather than having these one-off GAO 
inspections every year, which are costly and which do not give 
you the same results as this kind of automated auditing against 
the 2,800 known vulnerabilities.
    Sixth, the General Services Administration has put into 
place a Patch Management System. And as Mr. Clay said, there is 
a real problem in this Government with a lack of people fixing 
patches. That Patch Management System is a great place to 
invest additional dollars, the best place where we can invest 
in order to improve security.
    Let me stop there, Mr. Chairman, as my time is up.
    [The prepared statement of Mr. Clarke follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.004
    
    [GRAPHIC] [TIFF OMITTED] T7230.005
    
    [GRAPHIC] [TIFF OMITTED] T7230.006
    
    [GRAPHIC] [TIFF OMITTED] T7230.007
    
    [GRAPHIC] [TIFF OMITTED] T7230.008
    
    [GRAPHIC] [TIFF OMITTED] T7230.009
    
    [GRAPHIC] [TIFF OMITTED] T7230.010
    
    [GRAPHIC] [TIFF OMITTED] T7230.011
    
    [GRAPHIC] [TIFF OMITTED] T7230.012
    
    Mr. Putnam. Thank you very much.
    At this time we are pleased to welcome to the Subcommittee 
Michael Vatis. Mr. Vatis is Director of the Institute for 
Security Technology Studies at Dartmouth College and the 
Chairman of the Institute for Information Infrastructure 
Protection, or I3P. ISTS is a principal national center for 
research, development, and analysis of counter-terrorism and 
cyber security technology. I3P is a consortium of major 
research organizations, whose mission is to develop a national 
R&D agenda for information infrastructure protection, promote 
collaboration among researchers, and facilitate and fund 
research in areas of national priority.
    Between 1998 and 2001, Mr. Vatis founded and served as the 
first director of the National Infrastructure Protection Center 
in Washington, now part of the Department of Homeland Security. 
NIPC was the lead Federal agency responsible for detecting, 
warning of, and responding to cyber attacks, including computer 
crime, cyber-terrorism, and cyber-espionage.
    Mr. Vatis has also served in the U.S. Departments of 
Justice and Defense. As Associate Deputy Attorney General and 
Deputy Director of the Executive Office of National Security, 
he coordinated the Justice Department's national security 
activities and advised the Attorney General and Deputy Attorney 
General on issues relating to counter-terrorism, high-tech 
crime, counter-intelligence, and infrastructure protection. He 
is a graduate of Princeton and Harvard.
    Welcome, Mr. Vatis.
    Mr. Vatis. Thank you, Mr. Chairman. It is a pleasure to be 
here this morning to testify before you and the subcommittee 
along with my distinguished colleagues. I would like to 
wholeheartedly endorse the substance of both your own statement 
and that of Mr. Clay, as well as that of my colleague, Dick 
Clarke, because I think all of those statements summarize very 
well the nature of the problem and where we are today in terms 
of our capability to deal with an increasingly serious issue.
    I would like to limit my oral remarks today to the part of 
my written testimony that deals with where I think the 
principal shortcomings are. I think it should be said that 
there are many good initiatives going on right now in 
individual agencies. And GSRA and FISMA were significant 
advances on Congress' part in dealing with the problem. But I 
think we have in some respects actually regressed in recent 
months in our ability to deal with this issue.
    One of the areas has to do with the fact that with the 
dismantling of the President's Critical Infrastructure 
Protection Board and the Office of Cyberspace Security in the 
White House--Mr. Clarke's former office--there is at the moment 
a serious void in the executive branch's leadership. There is 
no central locus right now for policymaking and for 
coordination of efforts across all of the agencies at the 
policy level. I think that will significantly impede the 
Government's ability to move forward on this issue.
    Many of the responsibilities that had been carried out by 
the Board and by Mr. Clarke's former office are supposed to be 
carried out now by the new Department of Homeland Security. But 
most of the officials who are supposed to take on those 
responsibilities have, to my knowledge, not yet been formally 
nominated, let alone confirmed. And so that void is likely to 
continue at the leadership level for several months.
    At the operational level, I think we see a similar void. 
Many different entities in the Government that had some 
responsibility for cyber security--including parts of my former 
organization, the NIPC; the Critical Infrastructure Assurance 
Office; and FedCIRC--all were moved into the Department of 
Homeland Security on the theory that the efforts of these 
organizations should be consolidated to achieve greater 
efficiency and effectiveness. The problem, however, is that for 
at least some of those entities, in fact, the consolidation is 
less than meets the eye.
    My former organization, the NIPC, was supposed to 
contribute over 300 of the positions in the new department that 
would be focusing on intelligence analysis and infrastructure 
protection. In fact, though, if you examine what actually 
occurred, it was a transfer of vacant FTEs, not of actual 
people, because most of the people stayed at the FBI or found 
other jobs elsewhere in the Federal Government. And so, in 
fact, now DHS has a tall order: filling hundreds of job 
vacancies. And the capabilities that were built up at the NIPC 
over the 5-years since its inception have essentially been 
dismantled or ramped down considerably because of the lack of 
personnel. So, again, given the length of time that hiring of 
Federal employees takes, particularly when you add in the need 
for background investigations, it is my view unfortunately, 
that it could take over a year before we even get back to where 
we were in terms of our capability to detect, warn of, and 
respond to major cyber attacks.
    The other issue I think that needs to be focused on is at 
the policy level: what is the Government's policy with regard 
to the privately owned critical infrastructures and how can it 
induce greater security of those critical infrastructures? Both 
the Clinton administration and the Bush administration, in my 
view, have primarily relied on what I call the ``soapbox 
strategy,'' having officials--like Mr. Clarke, like myself when 
I was in the Government, like Mr. Forman--get up on a 
proverbial soapbox and talk about the seriousness of this 
problem and urge the owners and operators of infrastructures to 
take the problem seriously and do something about it. I think 
those efforts have been partially successful in raising 
awareness, in getting more attention focused on the problem. 
But I think at the end of the day those efforts clearly are not 
enough. More needs to be done.
    And so I would urge this subcommittee to consider some more 
imaginative and more aggressive approaches; perhaps regulation 
modelled after HIPAA for health care providers, or the Graham-
Leach-Bliley Act for financial service companies; and perhaps 
other, what I would call, softer approaches to incent the 
marketplace, to create incentives for companies to make more 
secure products and for owners and operators of infrastructures 
to take security more seriously. Rather than simply saying we 
do not want to regulate in this high-tech area, we should at 
least give serious consideration to measures that would move us 
beyond the soapbox strategy. Thank you very much.
    [The prepared statement of Mr. Vatis follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.013
    
    [GRAPHIC] [TIFF OMITTED] T7230.014
    
    [GRAPHIC] [TIFF OMITTED] T7230.015
    
    [GRAPHIC] [TIFF OMITTED] T7230.016
    
    [GRAPHIC] [TIFF OMITTED] T7230.017
    
    [GRAPHIC] [TIFF OMITTED] T7230.018
    
    [GRAPHIC] [TIFF OMITTED] T7230.019
    
    [GRAPHIC] [TIFF OMITTED] T7230.020
    
    Mr. Putnam. Thank you very much.
    Our next witness is Mark Forman. Mr. Forman is the Chief 
Information Officer for the Federal Government. Under his 
leadership, the U.S. Federal Government has received broad 
recognition for its successful use of technology and E-
Government. He is charged with managing over $58 billion in IT 
investments and leading the President's E-Government initiative 
to create a more productive, citizen-centric Government.
    He is also the leader in the development and implementation 
of the Federal information technology policy, and is 
responsible for a variety of oversight functions statutorily 
assigned to the Office of Management and Budget. He also 
oversees Executive branch CIOs and directs the activities of 
the Federal CIO Council, as well as chairing or being a member 
of several key IT-related boards including the President's 
Critical Infrastructure Board. To improve results from Federal 
IT spending, Mr. Forman created a framework that couples cross-
agency teamwork and leadership with a Government-wide IT budget 
decision process built around a results-driven modernization 
blueprint.
    Mr. Forman is a frequent witness before this subcommittee 
and his insight is always very helpful. We are delighted to 
have you again with us this morning. Welcome.
    Mr. Forman. Thank you, Mr. Chairman. Good morning. I want 
to take a moment just to commend Mr. Clarke on what I think is 
a truly outstanding career in public service that, as you know, 
he has recently retired from. I think his career serves as 
really a benchmark for those of us in public service. Clearly, 
his dedication to the country, the security of Americans is 
remarkable and outstanding, and as an American and personally, 
I just appreciate his service so much.
    I want to thank you for inviting me to discuss the status 
of the Federal Government's IT security. Cyber security is a 
top priority in the administration's IT and counter-terrorism 
efforts. The challenge, as you pointed out, is to provide the 
maximum protection while ensuring the free flow of information 
and commerce and protecting privacy. I am going to briefly 
summarize my statement.
    First of all, I am pleased to report to you today that the 
Federal Government has made substantial improvements in 
securing the information and information systems that we 
protect. Let me do this by explaining the difference between 
where we were on September 10, 2001, and where we were 1 year 
later in September 2002.
    September 2001, only 40 percent of Federal systems had up 
to date security plans; 1 year later, that was up to 61 
percent. Similarly, the number of Federal systems certified and 
accredited was at 27 percent in 2001; 1 year later, that was up 
to 47 percent. The number of systems with contingency plans, 30 
percent in September 2001; September of last year, 53 percent.
    There are other significant improvements, and I had a table 
with that data in my written testimony, but items such as 
agencies using plans of actions and milestones as the 
authoritative management tool to ensure that program and system 
level IT security weaknesses are prioritized, tracked, and 
corrected. These measures reveal in some cases over 50 percent 
measured performance improvements since 2001. But they also 
identify an awful lot of work to be done.
    The administration plans to make significant progress again 
this year. In our Clinger-Cohen report, which was Chapter 22 of 
the Analytical Perspectives of the President's 2004 budget, we 
included targets for improvement in critical IT security 
weaknesses by the end of this calendar year. Some of the key 
targets: All agencies shall have an adequate process in place 
for developing and implementing the plans of actions and 
milestones to ensure that program and system level IT security 
weaknesses are identified, tracked, and corrected.
    Eighty percent of Federal IT systems shall be certified and 
accredited.
    Eighty percent of the Federal Government's fiscal year 2004 
major IT investments shall appropriately integrate security 
into the lifecycle of their investments.
    I would like to talk a little bit about funding. Our 
analysis for the second year in a row shows that there is not a 
direct correlation between how much agencies spend on IT 
security and the quality of their results. That said, spending 
on IT security has increased 70 percent since 2002. Federal 
agencies plan to spend $4.25 billion this year on IT security, 
that is 7 percent of the Federal Government's overall IT budget 
and a 57 percent increase from the $2.7 billion spent last 
fiscal year. In next fiscal year, agencies plan to spend $4.7 
billion on IT security, and that will rise to 8 percent of the 
overall Federal Government IT budget.
    I would like to talk very briefly about some of the 
improvements and changes in handling cyber security incidents. 
Last year when I testified before the Government Reform 
Committee, I pointed out that we need to move to respond to 
threats within 24 hours. And so we have taken fairly aggressive 
action to do that.
    OMB and the CIO Council have developed and deployed a 
process to rapidly identify and respond to cyber threats and 
critical vulnerabilities. CIOs are advised by a conference call 
as well as followup e-mail of specific actions needed to 
protect agency systems when a threat has been identified. 
Agencies must then report to OMB on the implementation of the 
required countermeasures. This emergency notification and 
response process has been used three times since the beginning 
of the year. We started out with the first vulnerability with a 
90 minute cycle time to get the message out and get affirmative 
contact back that the process had begun--first for the Slammer 
Worm and then for the Sendmail and the IIS vulnerabilities. As 
a result of these early alerts, agencies have been able to 
rapidly close vulnerabilities that otherwise might have been 
exploited.
    I would also like to talk a little bit about the 
integration of FedCIRC, the National Infrastructure Protection 
Center and the Critical Infrastructure Assurance Office [CIAO], 
under one department. That represents an opportunity for the 
administration to strengthen the Government-wide processes for 
intrusion detection and response through maximizing and 
leveraging the important resources of these previously separate 
offices. Now this has only been in effect for a little over a 
month. So I think as they produce the results of their 
planning, you will see that there will be significant action.
    Experts agree though, and I would just like to conclude 
with a final thought, it is virtually impossible to ensure 
perfect security of IT systems. Therefore, we must maintain 
constant vigilance while also maintaining the focus, as my 
colleagues have said, on business continuing plans. Thank you.
    [The prepared statement of Mr. Forman follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.021
    
    [GRAPHIC] [TIFF OMITTED] T7230.022
    
    [GRAPHIC] [TIFF OMITTED] T7230.023
    
    [GRAPHIC] [TIFF OMITTED] T7230.024
    
    [GRAPHIC] [TIFF OMITTED] T7230.025
    
    [GRAPHIC] [TIFF OMITTED] T7230.026
    
    [GRAPHIC] [TIFF OMITTED] T7230.027
    
    [GRAPHIC] [TIFF OMITTED] T7230.028
    
    [GRAPHIC] [TIFF OMITTED] T7230.029
    
    [GRAPHIC] [TIFF OMITTED] T7230.030
    
    Mr. Putnam. Thank you very much, Mr. Forman. I thank all of 
our panelists. We will get right to the questions.
    All of you have touched on the simple fact that most of the 
critical infrastructure is controlled by the private sector. 
Mr. Vatis, in particular, singled out the need for an 
aggressive innovative approach that goes beyond merely the 
soapbox to incent or coerce greater accountability and 
compliance, greater focus on cyber security in the private 
sector. Could you elaborate a little bit more, beginning with 
Mr. Vatis, and then the other two as well, on the best way for 
the Federal Government to approach the regulation of and the 
incentivizing of better cyber security in the private sector.
    Mr. Vatis. Mr. Chairman, thank you. I do not have any 
particular silver bullet that I think is the answer to the 
problem. But I think there are a number of ideas that have been 
discussed but over the past few years have basically been 
dismissed out of hand because of the fear of even getting into 
anything that might smack of regulation. So what I am really 
urging is a considered study of several different options. The 
fact of the matter is we do have some instances of direct 
regulation, of coercion, if you will, that are already in place 
but which were not instituted for security's sake, per se, but 
more out of a concern for privacy: of HIPAA and Graham-Leach-
Bliley, for example.
    So I think one thing that should be done is to study those 
acts as they are implemented to see if they actually result in 
a net increase of security, and if so, at what cost, in terms 
of efficiency or other things. I think there are other ideas 
that have been talked about, such as requiring disclosure of 
security plans for security breaches by companies that suffer 
breaches so that there is a further incentive to take security 
seriously. Because what we have seen over the years again and 
again and again is that many companies are simply sweeping the 
problem under rug so that it does not become public. I think if 
there were some sort of disclosure requirement, as the State of 
California, for example, is now instituting for companies that 
do business in that State, as of this summer, that could create 
an additional incentive. Requiring disclosure of plans in a 10k 
form for publicly traded companies is another idea that has 
been talked about. Tax incentives for upgrading of technology 
to address security is another idea. Best practices for 
hardware and software manufacturers.
    So there are many ideas. I think the wonderful 
congressional staff that are out there are a good resource to 
look into these ideas. And some of the Federal R&D moneys 
should be devoted not just to technical R&D, but to research 
into the legal, policy, and economic factors that affect the 
implementation of technical security requirements.
    Those are some of the things that I would urge.
    Mr. Putnam. Mr. Clarke.
    Mr. Clarke. Mr. Chairman, I think we want to avoid 
regulation here. The thought of having a Federal cyber security 
regulation agency and a Federal cyber security police scares me 
to death. But I think there are some things we can do to 
stimulate the private sector without regulation. One, Michael 
just mentioned, is we can have the SEC do what it did for Y2K, 
which is to require that publicly traded companies have in 
their reports a report against some set of auditing standards 
that the auditing industry could come up with, a report on 
their performance. Now we do not want their security plans 
revealed publicly and we do not want them to have to report 
individual incidents. But they ought to get a grade from an 
outside auditing firm, IT security auditing firm, and that 
ought to be reported as part of their public annual disclosure. 
That had a great effect during Y2K and we ought to think 
seriously about asking the SEC to look into that.
    Similarly, cyber insurance could have a big effect. The 
insurance industry could set standards for cyber security 
insurance and the rates that they charge could reflect how good 
a company is doing. Requiring certain kinds of companies that 
are doing business with the Federal Government, not small 
businesses, but larger businesses to have cyber security 
insurance would have an enormous effect on the market.
    Mr. Putnam. Before we go to Mr. Forman, let me followup on 
that. You mentioned as part of your 10 point plan in your 
testimony the need for any congressional action on terrorism 
risk insurance to include a cyber insurance provision. 
Presumably, that would have some type of Federal backstop or 
subsidy in that risk insurance, and you mentioned that alone 
would raise the bar of security on the cyber side. But you 
differ from Mr. Vatis in saying that companies should not have 
to report breaches of security. Why is that?
    Mr. Clarke. I do not think you want to have specific 
breaches of security reported because I think it gives too much 
information to the people who want to do the breaches. I think 
what you want is an overall grade. All too often when there is 
one minor security violation that gets into the press because 
it has been reported, a company suffers disproportionately from 
what its real security problem is. So I do not think you want 
to force companies to report individual security violations, 
but to report an overall grade on performance.
    The Cyber Risk Insurance Act, of course, has passed. The 
committee language suggests it covers cyber security. That is 
not clear in the language of the bill. But the real problem 
with cyber insurance right now is it is not clear that there is 
a Federal backstop against catastrophic terrorism as there is 
for other forms of terrorism, and there really is not a decent 
actuarial data base yet that allows underwriters to decide on 
what policy should be. So if the Government could collect 
information, statistics, or, better yet, get someone like Mike 
to do it, not have a Government agency do it, but somebody, 
Carnegie Mellow, Dartmouth, someone to collect enough 
information so that the underwriters in the insurance industry 
would feel better writing more policy, and requiring when they 
do write policy that companies live up to certain standards and 
best practices, that would go a long way.
    Mr. Putnam. How would you have an actuarially sound policy 
if breaches are not required to be reported?
    Mr. Clarke. Not reported publicly. I think they should be 
reported perhaps in an anonymized way to a third party.
    Mr. Putnam. Mr. Forman.
    Mr. Forman. I think you have to look at a couple of 
factors. First of all, you have got to ask what is the market 
failure here. We believe that normal market approaches would 
not suggest regulation if there is something holding the 
companies accountable in the marketplace. In other words, if a 
company loses customers because they are not protecting their 
security well, then we expect normal marketplace forces to 
work. And I think there is pretty strong evidence of that. If 
you look at a couple years ago, we had firewalls, we had 
antivirus technology. By looking at the growth over the last 
year and the trends in the marketplace on how to protect 
against cyber threats, well, threat management systems and 
software, and then highly reliable redundant systems that 
leverage the architecture of the internet so it is moved out of 
the security technology realm into hosting and other 
architecture tools; companies such as Akamai growing 
terrifically fast. So it is clear the marketplace will respond.
    I would give you a couple of thoughts on the issue. First 
of all, are the issues essentially related to criminal type 
threats. Those may not be made public for a number of reasons. 
But that may be something to deal with and look at as a 
tradeoff between how do we associate law enforcement 
structures, is that right for the internet age. And the other 
is what do you do about organized cyber terrorism. You have 
different Government roles and responsibilities issues there. 
That should basically guide, we believe, the regulatory answer 
to the question of whether regulation is even needed in the 
first place.
    Mr. Putnam. Mr. Clarke and Mr. Vatis both alluded to or 
specifically said that we do not have a centralized mechanism 
in the Federal Government for overseeing cyber security 
compliance, cyber security coordination and collaboration. So 
are you satisfied with the current framework that calls for its 
placement in Homeland Security, or is it still too diffused 
between FBI and Homeland Security and OMB and other agencies?
    Mr. Forman. There are two parts of the picture I think that 
you have to look at. First of all, we do spend an awful lot of 
money. We are the world's largest buyer of information 
technology. So have we got enough central focus and the right 
structures in place, I am very confident now, and I think the 
data show, we are able to track and measure the gaps in cyber 
security, we are able to hit the cycle time that we are looking 
for.
    I do not know that private sector industries have anything 
like that. We can focus because we do have an organizational 
structure. So the question is when you get into the other 
industries, should it be dealt with on an industry by industry 
approach, should it be dealt with on a company by company 
approach. And there is a real question on what that structure 
should be. I think that was thoroughly vetted in creation of 
the Information Integration and Infrastructure Assurance under 
secretariat, it was vetted within the administration, it was 
vetted within the House and the Senate.
    Now one thing that I should correct for the record. The 
under secretary is a confirmed position. But the assistant 
secretary that has key responsibilities here is an appointed 
position. And that person is in his job now, Bob Wiskowski, and 
he has been there a couple of weeks. He comes from Coca Cola 
and, of course, people would say the formula for Coke is one of 
the most protected secrets in the world today. So there is an 
interesting background that he brings. But, again, the 
department has only been up for several weeks now. I think when 
you see their go forward plan, you will see how they have 
integrated things, building on the successes and giving some 
innovation to that as well.
    Mr. Putnam. Mr. Vatis, do you want to comment on that?
    Mr. Vatis. I am hopeful, Mr. Chairman, that Mr. Forman will 
prove to be right and that once the key personnel are in place 
in the new department we will see things start to roll. But I 
think, to be realistic, it will take some time, because the 
operational personnel are not likely to be in place for over a 
year, and there are so many vacant positions now that are 
responsible for infrastructure protection and intelligence 
analysis.
    I would make one other point about something that worries 
me. And that is what appears to be the administration's policy 
that cyber security is a subset of critical infrastructure 
protection as a whole, including physical vulnerabilities of 
our critical infrastructures. I think there is definitely a 
logic to that view in that we do need to look at the 
infrastructures as a whole and consider all the different 
vulnerabilities. But the worry I have is that if an official or 
a subset of DHS is looking at both physical and cyber 
vulnerabilities and threats, cyber will always get short-
shrift, especially in these years so soon after September 11th 
when so much focus is on the vulnerability to physical 
terrorist attack. I think we have seen that happen in prior 
years. When we tried to do both things through the same 
offices, through the same people, cyber always got less 
attention than it was due. So that is another thing I think we 
need to keep an eye on, to make sure that does not happen.
    Mr. Putnam. Mr. Clarke, when you analyze the threat 
environment out there, what particular nations or particular 
non-state actors are out there that have made cyber security a 
priority as their way of getting at capitalism or the United 
States or western civilization or whatever?
    Mr. Clarke. Mr. Chairman, there is a classified answer to 
that in terms of what we know about other nations that have 
created offensive cyber security organizations. Suffice it to 
say in an open hearing there are nations, including our own, 
that have created cyber security offensive organizations. And 
there are terrorist groups, organized criminal groups that are 
interested in this. I am not very good at predicting the who 
here. And I think we make a mistake by focusing on who is going 
to do it to us.
    I think rather than focus on the who, we should focus on 
the what, what are they going to do. And it is real simple. As 
long as we have major cyber security vulnerabilities that would 
allow someone who does not like us to screw up our economy, 
then someone will. It may not happen this year. We may not be 
able to guess who it is in advance. But it is a very high 
probability that as long as we have very well known major 
vulnerabilities that are cheaply exploited, somebody will do 
it. And I do not think the emphasis ought to be on trying to 
figure out who that is in advance and getting them before they 
do it, because someone else will do it. What we should try to 
do is raise the barrier.
    And in answer to your last question about DHS and OMB, I 
think the question answers itself when you ask who is the 
highest level official in the Department of Homeland Security 
whose full-time job is cyber security. What office in the 
Department of Homeland Security does nothing but cyber 
security? Who is the highest ranking person in OMB who does 
nothing but cyber security? How many people in OMB, the 
organization to which the Congress has given the full 
responsibility for cyber security in the Federal Government, 
how many people in OMB have that as their full-time 
responsibility? The answers to those questions are pretty 
frightening I think.
    Mr. Putnam. Mr. Forman, do you want to answer those 
questions?
    Mr. Forman. We have an interesting change going on in our 
society. I think from a policy perspective as it relates to 
Federal IT, we cannot differentiate the work that we need to do 
in our architectures from cyber security. I certainly have 
spent a lot of time, but I think we as an administration have 
spent an awful lot of time making sure that we get the 
communications between the CIOs and the cyber security 
community. These are two separated communities that have to 
talk to each other. So, for example, when we have denial 
service attacks, we find increasingly over the last few months 
people organize over the Web and they will target the White 
House Web site because in areas outside of America people feel 
that is similar to attacking the administration.
    Mr. Putnam. That is the whitehouse.gov Web site?
    Mr. Forman. That is correct. As opposed to others that may 
be out there that I have never known about. So these people 
will organize and they are known. They will run advertisements 
in the newspaper, they will run advertisements on the Internet. 
Essentially, the characterization will be come to our Web site 
if you want to attack President Bush for some action. The cyber 
security community will be aware of that and never communicate 
that to the CIO of the White House, the CIO of the Energy 
Department, and others. We have worked pretty hard over the 
last 2 months to correct that problem. And the integration of 
these two communities is absolutely critical; we cannot 
separate them.
    Mr. Putnam. And you are satisfied that integration will 
occur under the new structure of Homeland Security once they 
are up and running?
    Mr. Forman. Absolutely. In fact, as I pointed out in my 
oral and put in more detail in the written testimony, as it 
relates to Federal cyber security, we have had to make that 
happen. As I pointed out, we have had three major events this 
year. We started out with a 90 minute cycle time and we have 
been able to shrink that down even more so.
    But there is the longer term issue of how we secure the 
infrastructure. There is the fast response issue of what do we 
do. And to give you a feel, I tend to think of this as three 
dimensions. We have literally thousands of vulnerabilities. 
Anybody who could know all the vulnerabilities and make sure 
the patches are deployed is truly detail oriented, and, as Dick 
said, there is software that does that for you. You have to 
rely on the technology to manage the technology. The second 
dimension are the threats. There are people out there, some of 
whom are organized, some of whom will leverage the Internet to 
organize very rapidly. And the third thing is what will it mean 
for the actual technology, your architecture that you have 
deployed as a department.
    So, as an example, we worried and fast responded to the 
Slamer threat. But as you recall, the Congress was affected by 
this. There was a cyber sit-in where people called and used the 
Internet as a way to show their response to the 
administration's policy in the war in Iraq. Our policy decision 
on that was that was not a cyber security threat; that was e-
democracy moving into the Internet age. The cyber security 
community view on that was that was a cyber threat. So if we do 
not meld these two groups together and look at this from the 
standpoint of the CIO overall, as was laid out going back to 
the Clinger-Cohen Act, we will not be able to get that decision 
properly placed as a policy decision.
    Mr. Putnam. Correct me if I am wrong or if I am heading in 
the wrong direction on this. But from my perspective, the OMB 
role would be an internal Federal IT management role, 
protecting and preserving the sanctity of Federal systems, of 
the Federal networks, of containing the costs of a breach that 
would spread agency-wide or department-wide or Government-wide. 
The role of Homeland Security would be analyzing the threats, 
detecting as quickly as possible when a virus or some other 
cyber attack has occurred, and then distributing that word as 
quickly as possible to the public and private sector--State, 
local governments, the remainder of the Federal Government, and 
critical infrastructure. So how well is Homeland Security 
equipped to handle that, not from an internal Federal IT 
perspective, but from the external perspective?
    Mr. Forman. Again, a lot of this may change, but let me 
tell you because there is an area of overlap between the 
Federal and the external. FedCIRC maintains the catalogue, if 
you will, of the vulnerabilities and the patches that are 
associated with fixing that vulnerability. Generally, when we 
see a threat materialize that we have to respond quickly to, 
the threat targets a certain vulnerability. And if the patch 
gets rapidly deployed or if it had already been deployed, there 
is no impact. And so we have been fairly effective, certainly 
this year we have been 100 percent effective, in making sure 
that when the threat is identified FedCIRC puts out, in 
coordination with the CIO Council, the link to the patch and 
the characterization of that vulnerability, the threat, etc.
    There is a partner organization, the National 
Infrastructure Protection Center, that was not totally but the 
key elements moved from the FBI to that same office to 
integrate this together better. They produce a daily report. I 
expect that will continue. I do not know that for a fact. We 
will see I think some innovation there. But that tells you the 
threats that are current, the patches that are current, hot 
links, and so forth. So I think that part is focusing fairly 
well on the topical threats.
    In the area outside of Government, the longer term 
remediation and maintenance of the architectures is an area 
where I think there is a big question as to how to proceed. 
There is a multifaceted approach laid out in the President's 
National Cyberspace Strategy. And that was thoroughly vetted, 
as in Dick Clarke's testimony. So I am fairly comfortable we 
are going to see a good implementation plan for that as Bob has 
the time to make that work at Department of Homeland Security 
and they are ready to release their implementation plan for 
that strategy.
    Mr. Putnam. I know that there has been a great deal of 
focus on this and I know that it is a daunting task. But in the 
latest report in 2002, after 4 solid years of focused, specific 
attention to this issue of cyber security, we only had 3 out of 
24 agencies that received a report card grade that was better 
than a D, and 14 of the 24 got an F. What are we doing wrong? 
What is Congress' role? That is just unacceptable, obviously. 
And while it does not reflect a lack of effort on the part of 
OMB perhaps to manage this, it certainly reflects a lack of 
success on the part of agencies to improve outcomes. So I will 
let you get situated and then answer that.
    Mr. Forman. I share 100 percent this focus. First of all, 
we did have differences in scores and ratings between what Mr. 
Horn scored the agencies on and how we scored them in 2001. I 
will say 2001 was the first year that we actually measured 
progress and that set the benchmark. So it was not until the 
end of 2001 that we even knew quantitatively how bad it was and 
subsequent to that put in place a process, these plans of 
actions and milestones, that laid out the workload to fix that.
    Last year, we had pretty much quarterly oversight for both 
OMB as well as Congress. I would ask that we maintain that 
because I think we made a lot of progress. It is documented in 
the data that we shared in the testimony, in some more detailed 
data we shared with the staff and GAO in the 2002 GISRA report, 
and we will be able to see to the agency. But the progress of 
going from 27 percent to 53 percent, is 53 percent acceptable? 
Absolutely not. By the end of this year, we believe, it is a 
slight stretch goal, but with the constant vigilance, we 
believe we get up to 80 percent on a couple of these security 
measures and 100 percent on putting in place a process. That is 
going to take a lot of continued oversight throughout this year 
to get there. But at that point we are talking about 
significantly improved security. And I would put that up 
against any company and you will find very few that hit those 
benchmarks.
    Mr. Putnam. Just very briefly, would you put that up 
against any other country?
    Mr. Forman. I think that there are a couple--I have not 
really thought about that. But certainly our view is that the 
United States spends the most, we have to protect our citizens 
and the information, and so we are going to be the best not 
because we are competing with other countries, but because it 
is the right thing to do for Americans.
    Mr. Putnam. Mr. Clarke, Mr. Vatis, what other countries out 
there are ahead of us on protecting critical infrastructure 
from cyber attack?
    Mr. Clarke. The good news, Mr. Chairman, is that nobody is 
ahead of us. The bad news is that we are pretty bad. I disagree 
with Mark in saying that the Federal Government is as good as 
any company. That just is not true. The private sector is way 
ahead of the Federal Government.
    Mr. Putnam. So who do I need--I do not mean to interrupt, I 
am going to let you finish--what company's CIO do I need to 
bring in to our next hearing?
    Mr. Clarke. Rhonda MacLean, from Bank of America, will tell 
you, if you ask her the right questions, how she is doing it. 
She is doing a great job. Bank of America is better than any 
Federal Government agency in terms of its IT security. That is 
true of most major banks in the United States. They are doing a 
much better job. Why? Because they have got someone who is a 
senior person who is full-time in charge of IT security. I did 
not hear in Mark's answer who is the senior OMB official who is 
full-time in charge of IT security and nothing else. I did not 
hear who in the Department of Homeland Security is in charge of 
cyber security and nothing else full-time. I did not hear how 
many people we have in OMB full-time working on cyber security.
    I think there is another big mistake we are making, and 
that is we are trying to get the departments to do this 
themselves essentially. And with all due respect to civil 
servants, I was one for 30 years, you are not going to get this 
done without outsourcing it. There is a real reluctance in 
Federal departments to outsource IT security. But there is a 
solution. Take the Department of Labor, take the Department of 
Agriculture and have it contract to any of the big integrators 
or any of the IT security firms and then hold them responsible 
and fine them in terms of their contract if there is not 
performance. Instead of just bringing the CIO of Labor or 
Agriculture up here and berating them that they got an F again, 
have them outsource it to a company that has penalties in its 
contract if that grade is an F again.
    Mr. Putnam. Does the law currently preclude them from doing 
that?
    Mr. Clarke. No, it does not.
    Mr. Putnam. Mr. Vatis.
    Mr. Vatis. I agree 100 percent with what----
    Mr. Putnam. With which one, Mr. Clarke or Mr. Forman?
    Mr. Vatis. With Mr. Clarke. I think he is exactly right on 
the lack of sufficient high level personnel devoted to this 
issue. I think the cyber issue will always get short-shrift. I 
think the idea that we need a hammer to truly make progress 
happen within the agencies is also exactly right. I served in 
the FBI for a few years and lived within an infrastructure 
that, despite some efforts over those years to improve it, 
never really got anywhere. And I think that is a case study of 
how not to manage information systems in a crucial Federal 
agency.
    Mr. Putnam. Sort of a recurring theme in these E-Government 
issues in our subcommittee hearings is that we have a cultural 
challenge, a human capital challenge throughout the Federal 
Government in dealing with this issue.
    We could go on, but I have a second panel. I want to thank 
all of you for your very insightful and thoughtful testimony. I 
will give each of you 1 minute to say whatever is on your heart 
that I did not ask you about or to rebut or give a counterpoint 
to something that somebody else has said. We want to be as 
thorough and as fair as possible.
    We will begin with Mr. Forman. You have 1 minute to say 
whatever you would like to say to conclude.
    Mr. Forman. Thank you, Mr. Chairman. I just want to 
congratulate you again for this hearing. Oversight of progress 
has been and will continue to be incredibly important to our 
success. I will pledge to you that the administration is 
focused on this all the way to the highest levels, that we are 
holding deputy secretaries and secretaries accountable. And I 
would ask for your cooperation and support in doing the same.
    Mr. Putnam. You have it. Mr. Vatis.
    Mr. Vatis. I think from our testimony you can gather that 
how the DHS evolves is going to be critical, especially at the 
operational level. So I think one thing that this committee 
could fruitfully do is keep the heat on to make sure that DHS 
devotes the requisite attention to cyber security and that they 
do not let it get lost in the shuffle of dealing with physical 
terrorism and reducing our vulnerability to physical terrorist 
attacks. Make sure that they hire people as quickly as 
possible, and that the consolidation actually achieves the 
promises that have been made about new efficiencies among all 
these entities that were formerly separate. Without some heat 
from Congress, it will not be done nearly quickly enough or 
well enough.
    Mr. Putnam. Mr. Clarke.
    Mr. Clarke. Mr. Chairman, just again to thank you for your 
recognition of this issue. And to echo Mike Vatis, you 
personally have a great opportunity here to be a pain in the 
rear end to the administration, and I encourage you to do that.
    Mr. Putnam. That is very kind of you, Mr. Clarke. 
[Laughter.]
    The first panel is dismissed.
    The subcommittee will stand in recess for about 2 minutes 
while we set up the second panel.
    [Recess.]
    Mr. Putnam. I will reconvene the subcommittee hearing.
    We would like to welcome our second panel of witnesses. As 
is the custom with the committee, we swear in our witnesses. So 
please rise and raise your right hands and repeat after me.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses 
have responded in the affirmative.
    We welcome you to the subcommittee. You have had an 
opportunity to hear the testimony of the first panel and some 
of the interchange. Following the ladies first rule, we will 
begin with Ms. MacLean, who has received a warm introduction 
and very high praise in the first panel.
    Rhonda MacLean is senior vice president and director of 
corporate information security for Bank of America. Ms. MacLean 
joined Bank of America in 1996 as the director of corporate 
information security and is responsible for providing global 
leadership for information security policy, procedures, risk 
management, security technology implementation, cyber 
investigations/forensics, and general information security 
awareness. In addition, she is responsible for enterprise 
business continuity planning and the company's regional 
recovery centers.
    In May 2002, the Department of the Treasury appointed Ms. 
MacLean as the private sector coordinator for the financial 
services industry public/private partnership on critical 
infrastructure protection and homeland security. She will act 
in concert with Treasury's private sector liaison to draw 
together industry initiatives related to critical 
infrastructure protection and homeland security. In addition, 
she was elected to the Board of Directors for the Partnership 
for Critical Infrastructure Security, which brings together 
leaders from across multiple critical sectors such as energy, 
telecommunications, finance, etc.
    We welcome you to the panel, and recognize you for 5 
minutes for your opening statement.

    STATEMENTS OF RHONDA MACLEAN, SENIOR VICE PRESIDENT AND 
DIRECTOR OF CORPORATE INFORMATION SECURITY FOR BANK OF AMERICA, 
 SECTOR COORDINATOR FOR THE FINANCIAL SERVICES INDUSTRY PUBLIC/
 PRIVATE PARTNERSHIP ON CRITICAL INFRASTRUCTURE PROTECTION AND 
   HOMELAND SECURITY; ROBERT F. DACEY, DIRECTOR, INFORMATION 
  SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE; AND THOMAS 
    PYKE, CHIEF INFORMATION OFFICER, DEPARTMENT OF COMMERCE

    Ms. MacLean. Thank you, Chairman Putnam, and thank you for 
inviting me here today to testify at the hearing. I am very 
honored to speak on behalf of the financial services sector in 
my role as the Department of Treasury-appointed private sector 
coordinator for critical infrastructure protection.
    In listening to the testimony this morning, something 
struck me that I wanted to add to this statement. This 
challenge that we have before us takes vision, leadership, 
execution, and accountability. I want to touch on those things 
today with the information that I provide you about the 
financial services industry's involvement in critical 
infrastructure protection, the current work of our financial 
services sector coordinating council, and discuss some of the 
opportunities where I think Government and industry really can 
partner to address some of the challenges we have in securing 
our cyber space.
    The administration's National Strategy to Secure Cyber 
Space identified the critical infrastructures as consisting of 
physical and cyber assets of the public and private sector and 
institutions. Though the basic approach of security must 
fundamentally address people, process, and technology aspects 
of the infrastructure, I do want to iterate that there is no 
single solution to this challenge. Creating the appropriate 
balance of these elements is based on an operational risk 
management consideration that addresses the critical nature of 
the systems as well as the exposures to which they can be 
subjected.
    I would like to talk about the sector's critical 
infrastructure protection efforts, and specifically about our 
Council. At the time of my appointment, there was no integrated 
entity that could represent the entire financial services 
sector. Individual associations were actively and effectively 
working on their Members' behalf and provided much leadership 
for our critical infrastructure protection efforts. To ensure 
coordination across the sector, with the public sector's 
support and encouragement, and with the leadership of the 
Department of Treasury, we formed the Financial Services Sector 
Coordinating Council. Today, we have 24 organizations 
consisting of key national exchanges, clearing organizations, 
trade associations in banking, securities, bond and insurance 
segments of our industry, and we are working together to 
improve the critical infrastructure protection for our sector 
as well as others on which we depend.
    Through our Council members, we engage nearly all financial 
service sector entities. Let me highlight three of the five 
strategic areas on which we have focused.
    The first area is in information dissemination and 
information sharing. Our goal is to ensure that a universal 
service to disseminate trusted and timely information will be 
made available to all sector participants.
    Second, crisis and response management needs to be 
implemented. When events occur with broad sector or national 
impact, a planned and adopted approach for communicating and 
responding as a sector, including coordination with Government 
entities, is the focus of this particular effort.
    Third, we are leading the sector's efforts to revise our, 
the financial services sector's, national strategy component in 
response to the two national strategies released in February by 
the President. We believe this is our opportunity to define 
strategic as well as tactical, actionable, and measurable 
actions as part of our sector-wide critical infrastructure and 
homeland security efforts.
    In my chairperson role for the Financial Services Sector 
Coordinating Council, I work closely with the lead agency, the 
Department of Treasury, and specifically the Office of Critical 
Infrastructure Protection and Compliance which was created by 
the Treasury Assistant Secretary Wayne Abernathy and led by 
Deputy Assistant Secretary Michael Dawson. Together, they lead 
the Financial and Banking Information Infrastructure Committee. 
That council is really the public side of what I would call the 
public-private partnership. It is through council members and 
our Government partners' cooperative efforts that we are able 
to maximize our resources and achieve our objectives to ensure 
protection of our critical infrastructures to the benefit of 
the economy and to the financial services customers.
    Let me transition the discussion to some opportunities for 
continuing the progress that has been made both by the 
government and the private sector.
    First, let us talk a little bit more about information 
analysis and information infrastructure protection. The need 
for synergy between information analysis and infrastructure 
protection has clearly been recognized in the assignment of 
those responsible to the undersecretary within the Department 
of Homeland Security. We expect this to provide a much more 
robust alerting, threat warning, and information flow from the 
public sector based on the vast resources that they have made 
available through their integration.
    Second is understanding the threat. Based on the 
Government's visibility of threats to the private sector, a 
clear understanding of the protection needs must exist between 
the public and the private sector. Gaps between the private 
sector's protection efforts and the Government's view of the 
necessary protections must be defined and clearly understood. 
There may be situations where, unknown to the private sector, 
normal business practices will not adequately address the level 
of threat understood by the Government. Where market focus does 
not provide the appropriate incentives to provide these 
protections, augmentation of market mechanisms, such as 
incentives, may be appropriate.
    Third, product security. Because the private sector mainly 
employs commercial products, services, and software to 
implement cyber security protection and monitoring, those 
efforts that improve the security of such products have broad 
benefit. As a sector, we work closely with our vendors to 
achieve higher levels of security. BITS, or the Bankers' 
Information Technology Secretariat--the technology group for 
the Financial Services Round Table--and a member of our 
Coordinating Council, has implemented a product certification 
program as a prime example of our industry's efforts in this 
area.
    And finally, the voluntary sharing of threat and incident 
information. We must continue to encourage processes that 
accommodate companies' voluntary sharing of sensitive 
information, such as the provisions outlined in the Homeland 
Security Act of 2002.
    In closing, Mr. Chairman, and members of the committee, we 
believe the strong public-private sector partnership that is 
emerging is the right approach. And it is finally with that 
vision, leadership, and execution, we believe that we can 
continue to make progress in this important area.
    [The prepared statement of Ms. MacLean follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.104
    
    [GRAPHIC] [TIFF OMITTED] T7230.105
    
    [GRAPHIC] [TIFF OMITTED] T7230.106
    
    [GRAPHIC] [TIFF OMITTED] T7230.107
    
    [GRAPHIC] [TIFF OMITTED] T7230.108
    
    [GRAPHIC] [TIFF OMITTED] T7230.109
    
    [GRAPHIC] [TIFF OMITTED] T7230.110
    
    [GRAPHIC] [TIFF OMITTED] T7230.111
    
    [GRAPHIC] [TIFF OMITTED] T7230.112
    
    [GRAPHIC] [TIFF OMITTED] T7230.113
    
    [GRAPHIC] [TIFF OMITTED] T7230.114
    
    [GRAPHIC] [TIFF OMITTED] T7230.115
    
    [GRAPHIC] [TIFF OMITTED] T7230.116
    
    [GRAPHIC] [TIFF OMITTED] T7230.117
    
    Mr. Putnam. Thank you very much.
    I now recognize Tom Pyke. As Chief Information Office of 
the U.S. Department of Commerce, Mr. Pyke is responsible for 
guiding the Department's effective use of information 
technology and managing the Department's IT resources, with an 
annual budget of over $1.5 billion. His responsibilities 
include IT policy, planning, and capital investment review, IT 
security and critical infrastructure protection, IT 
architecture, information quality, E-Government, information 
dissemination through the Internet and the Next Generation 
Internet, and the oversight of IT operations.
    He has been a senior manager of information technology in 
the Commerce Department for over 30 years, most recently 
serving as CIO and Director for Higher Performance Computing 
and Communications of the National Oceanic and Atmospheric 
Administration and Director of the GLOBE program.
    Welcome. You are recognized.
    Mr. Pyke. Thank you, Mr. Chairman. I am pleased to be here 
this morning to share with the subcommittee a summary of the 
actions that the Commerce Department has taken over the last 2 
years to strengthen our information security posture.
    The Department's actions to improve its management of 
information security started at the top. Secretary Don Evans, 
in June 2001, directed all Commerce agency heads to focus their 
personal attention on establishing information technology or IT 
security as a priority. He directed them to allocate the 
necessary resources to ensure that the Department's data and 
information systems are adequately protected against risks 
resulting from misuse or unauthorized access. This important 
action ensures accountability for IT security by all of the 
Department's senior managers, and both the Secretary as well as 
Deputy Secretary Sam Bodman have emphasized this personal 
responsibility of Commerce agency heads as they have 
communicated with these senior managers in the Department about 
the importance of IT security over the past 2 years.
    The Secretary also instituted a Department-wide IT 
management restructuring plan that empowered the Department's 
CIOs by providing them with the necessary authority to manage 
IT security as well as other aspects of information technology 
planning and operations and IT capital investment review. As 
the Department CIO, I issue security policy and provide IT 
security guidance to the Commerce agency heads and to the 
Commerce agency CIOs. I participate in the annual review of the 
performance of each of the Commerce agency CIOs, which bolsters 
the authority that my staff and I have at the Department level 
as we oversee the management of the expenditure of $1.5 billion 
in information technology each year on a Department-wide basis. 
This $1.5 billion, by the way, includes the resources that we 
devote to protecting our systems and information assets through 
our Department-wide IT security program.
    We have issued this January a comprehensive Department-wide 
IT security policy, as well as minimum standards for 
management, operational, and technical controls, and other key 
aspects of implementing this policy. We also issued a Password 
Management Policy and a Remote Access Security Policy. Policy 
implementation guides have been issued that address critical 
corrective action plans to identify and correct security 
weaknesses, to document security and privacy in the IT capital 
asset planning process, and to maintain complete inventories of 
all of our systems relative to their security status.
    The Department instituted a compliance monitoring process 
in 2002, through which we determine Commerce agency compliance 
with Department IT security policies, standards, and guidance. 
This process includes tests of all management, operational, and 
technical controls, including tests of systems and networks to 
ensure that they are adequately protected against unauthorized 
access. We also established an IT security training program, 
through which every Commerce employee and every contractor 
employee has received IT security awareness training, and is 
receiving updated training every year. Specialized training for 
IT security personnel, managers, and system administrators is 
also being provided.
    The Department has established a computer incident response 
capability that supports actions to protect systems and data 
when incidents do occur, and facilitates proper reporting of 
incidents. A Department-wide IT security alert capability has 
also been established, that ensure 24 x 7 transmittal of IT 
security alerts throughout the Department and activation of 
Commerce agency IT security emergency mobilization plans, as 
appropriate.
    Especially since the Commerce Department has been coming 
from behind as it has implemented this comprehensive IT 
security program, numerous corrective actions have been 
identified that need special attention to correct IT security 
weaknesses. A Department-wide data base of needed corrective 
actions has been created and is being maintained. It includes 
every IT security action that has resulted from GAO and 
Commerce Office of Inspector General audits, as well as actions 
that have resulted from Department IT security compliance 
reviews and from self-assessments by the Commerce agencies 
themselves. We expect to complete by this September all of the 
corrective actions that were open at the beginning of fiscal 
year 2003. Over 74 percent of these actions are already 
completed. We expect to have completed by the end this fiscal 
year all but 2 of the over 200 corrective actions that have 
been identified during this fiscal year.
    The top level measure we use to manage IT security across 
the Department is what we call IT security program maturity. By 
the end of fiscal year 2003, we expect that every Commerce 
agency will be operating at ease at a level 3 maturity, which 
requires that all IT systems have implemented policies and 
procedures. We have identified our national critical and 
mission critical IT assets and the IT system components of 
those assets, and we expect to have certification and 
accreditation for full operation of these systems completed by 
the end of this fiscal year.
    I would like to tell you very briefly how we are doing 
against some of the performance measures that Mark Forman 
introduced in his testimony this morning, in which he provided 
Government-wide data. At Commerce, we have assessed 96 percent 
of our systems for risk, 90 percent of our systems have 
contingency plans, 92 percent are certified and accredited, and 
98 percent of our systems have up to date IT security plans.
    Thank you for this opportunity to tell you about what we 
have done in the Commerce Department to improve our information 
security posture. We have come a long way in these last 2 
years, and we are working hard to complete the next steps that 
are essential to provide adequate protection of our data and 
systems. We understand, however, that IT security is a never-
ending process, and we are committed to maintaining a high 
level of vigilance to ensure that the Department is able to 
carry out its mission without disruption caused by cyber 
threats.
    [The prepared statement of Mr. Pyke follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.099
    
    [GRAPHIC] [TIFF OMITTED] T7230.100
    
    [GRAPHIC] [TIFF OMITTED] T7230.101
    
    [GRAPHIC] [TIFF OMITTED] T7230.102
    
    [GRAPHIC] [TIFF OMITTED] T7230.103
    
    Mr. Putnam. Thank you, Mr. Pyke.
    At this time, the subcommittee recognizes Robert Dacey. Mr. 
Dacey is currently Director of Information Security Issues at 
the U.S. General Accounting Office. His responsibilities 
include evaluating information systems security in Federal 
agencies and corporations, including the development of related 
methodologies; assessing the Federal infrastructure for 
managing information security; evaluating the Federal 
Government's efforts to protect our Nation's private and public 
critical infrastructure from cyber threats; and identifying the 
best security practices at leading organizations and promoting 
their adoption by Federal agencies.
    Previously, Mr. Dacey led GAO's annual audits of the 
consolidated financial statements of the U.S. Government, 
audits I think which revealed about the same grades as they 
have been getting on their IT scorecards; GAO's financial audit 
quality assurance efforts, including methodology and training; 
and other GAO financial statement audit efforts, including HHS 
and the IRS.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Mr. Dacey. Thank you, Mr. Chairman, Mr. Clay. I am pleased 
to be here today to discuss the challenges our Nation faces 
concerning Federal information security and critical 
infrastructure protection. CIP involves activities that enhance 
the security of our Nation's cyber and physical public and 
private infrastructures that are essential to national 
security, economic security, and/or public health and safety. 
As you requested, I will briefly summarize my written statement 
which provides details on the status and progress of efforts to 
address these challenges.
    We have identified and made numerous recommendations over 
the last several years concerning Federal information security 
and CIP challenges that need to be addressed. For each of these 
challenges, improvements have been made and continuing efforts 
are in progress. However, much more is needed to fully address 
them. These challenges include: One, addressing pervasive 
weaknesses in Federal information security. Our analysis of 
audit and evaluation reports in November of last year continued 
to show significant pervasive weaknesses in Federal 
unclassified computer systems for all 24 major agencies 
reviewed that put critical operations and assets at risk. The 
implementation of GISRA continues to play a significant role in 
the improvement of Federal information security. Second year 
agency GISRA reports indicate agency progress, provide 
comparative performance information and an improved performance 
baseline, and highlight areas where additional efforts are 
necessary. The administration has taken important actions to 
address information security, such as integrating it into the 
President's Management Agenda Scorecard.
    The successful implementation of FISMA, which permanently 
authorizes and strengthens GISRA requirements, is essential to 
sustaining these agency efforts to identify and correct 
significant weaknesses. As FISMA is implemented, it will be 
important to continue efforts to certify, accredit, and 
regularly test systems to identify and correct vulnerabilities 
in all agency systems; two, to complete development and test 
contingency plans to ensure that critical systems can resume 
after an emergency; three, to validate agency reported 
information through independent evaluation; and four, to 
achieve other FISMA requirements.
    The second major challenge is the development of a national 
CIP strategy. A more complete strategy is still needed that 
addresses specific roles, responsibilities, and relationships 
for all CIP entities, that clearly defines interim objectives 
and milestones and sets timeframes for achieving them, and 
establishes appropriate performance measures and a monitoring 
process. The President's National Homeland Security strategy, 
the President's cyber and physical CIP strategies, and the 
Homeland Security Act call for a comprehensive national 
infrastructure plan.
    The third major challenge is improving information sharing 
on threats and vulnerabilities. Information sharing needs to be 
enhanced both within the Federal Government and between the 
Federal Government and the private sector and State and local 
governments. The President's national strategies identify 
partnering with non-Federal entities as a major initiative. 
Information sharing and analysis centers continue to play a key 
role in this strategy.
    The fourth major challenge is improving analysis and 
warning capabilities. More robust warning and analysis 
capabilities are needed to identify threats and provide timely 
warning. Such capabilities need to address both cyber and 
physical threats. Again, the President's national strategies 
call for major initiatives in this area.
    The fifth challenge is encouraging non-Federal entities to 
increase their CIP efforts. The Federal Government needs to 
assess whether additional incentives, such as grants or 
regulation, are needed to encourage non-Federal entities to 
increase their efforts to implement suggested CIP activities.
    The Homeland Security Act and the President's national 
strategies acknowledge the need to address many of these 
challenges. However, much work remains to effectively respond 
to them. Until a comprehensive and coordinated strategy is 
developed, our Nation risks not having a consistent and 
appropriate structure to deal with the growing threat of 
attacks on its Federal systems and on its critical 
infrastructures.
    Mr. Chairman, Mr. Clay, this concludes my oral statement. I 
would be pleased to answer any questions at this time.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.031
    
    [GRAPHIC] [TIFF OMITTED] T7230.032
    
    [GRAPHIC] [TIFF OMITTED] T7230.033
    
    [GRAPHIC] [TIFF OMITTED] T7230.034
    
    [GRAPHIC] [TIFF OMITTED] T7230.035
    
    [GRAPHIC] [TIFF OMITTED] T7230.036
    
    [GRAPHIC] [TIFF OMITTED] T7230.037
    
    [GRAPHIC] [TIFF OMITTED] T7230.038
    
    [GRAPHIC] [TIFF OMITTED] T7230.039
    
    [GRAPHIC] [TIFF OMITTED] T7230.040
    
    [GRAPHIC] [TIFF OMITTED] T7230.041
    
    [GRAPHIC] [TIFF OMITTED] T7230.042
    
    [GRAPHIC] [TIFF OMITTED] T7230.043
    
    [GRAPHIC] [TIFF OMITTED] T7230.044
    
    [GRAPHIC] [TIFF OMITTED] T7230.045
    
    [GRAPHIC] [TIFF OMITTED] T7230.046
    
    [GRAPHIC] [TIFF OMITTED] T7230.047
    
    [GRAPHIC] [TIFF OMITTED] T7230.048
    
    [GRAPHIC] [TIFF OMITTED] T7230.049
    
    [GRAPHIC] [TIFF OMITTED] T7230.050
    
    [GRAPHIC] [TIFF OMITTED] T7230.051
    
    [GRAPHIC] [TIFF OMITTED] T7230.052
    
    [GRAPHIC] [TIFF OMITTED] T7230.053
    
    [GRAPHIC] [TIFF OMITTED] T7230.054
    
    [GRAPHIC] [TIFF OMITTED] T7230.055
    
    [GRAPHIC] [TIFF OMITTED] T7230.056
    
    [GRAPHIC] [TIFF OMITTED] T7230.057
    
    [GRAPHIC] [TIFF OMITTED] T7230.058
    
    [GRAPHIC] [TIFF OMITTED] T7230.059
    
    [GRAPHIC] [TIFF OMITTED] T7230.060
    
    [GRAPHIC] [TIFF OMITTED] T7230.061
    
    [GRAPHIC] [TIFF OMITTED] T7230.062
    
    [GRAPHIC] [TIFF OMITTED] T7230.063
    
    [GRAPHIC] [TIFF OMITTED] T7230.064
    
    [GRAPHIC] [TIFF OMITTED] T7230.065
    
    [GRAPHIC] [TIFF OMITTED] T7230.066
    
    [GRAPHIC] [TIFF OMITTED] T7230.067
    
    [GRAPHIC] [TIFF OMITTED] T7230.068
    
    [GRAPHIC] [TIFF OMITTED] T7230.069
    
    [GRAPHIC] [TIFF OMITTED] T7230.070
    
    [GRAPHIC] [TIFF OMITTED] T7230.071
    
    [GRAPHIC] [TIFF OMITTED] T7230.072
    
    [GRAPHIC] [TIFF OMITTED] T7230.073
    
    [GRAPHIC] [TIFF OMITTED] T7230.074
    
    [GRAPHIC] [TIFF OMITTED] T7230.075
    
    [GRAPHIC] [TIFF OMITTED] T7230.076
    
    [GRAPHIC] [TIFF OMITTED] T7230.077
    
    [GRAPHIC] [TIFF OMITTED] T7230.078
    
    [GRAPHIC] [TIFF OMITTED] T7230.079
    
    [GRAPHIC] [TIFF OMITTED] T7230.080
    
    [GRAPHIC] [TIFF OMITTED] T7230.081
    
    [GRAPHIC] [TIFF OMITTED] T7230.082
    
    [GRAPHIC] [TIFF OMITTED] T7230.083
    
    [GRAPHIC] [TIFF OMITTED] T7230.084
    
    [GRAPHIC] [TIFF OMITTED] T7230.085
    
    [GRAPHIC] [TIFF OMITTED] T7230.086
    
    [GRAPHIC] [TIFF OMITTED] T7230.087
    
    [GRAPHIC] [TIFF OMITTED] T7230.088
    
    [GRAPHIC] [TIFF OMITTED] T7230.089
    
    [GRAPHIC] [TIFF OMITTED] T7230.090
    
    [GRAPHIC] [TIFF OMITTED] T7230.091
    
    [GRAPHIC] [TIFF OMITTED] T7230.092
    
    [GRAPHIC] [TIFF OMITTED] T7230.093
    
    [GRAPHIC] [TIFF OMITTED] T7230.094
    
    [GRAPHIC] [TIFF OMITTED] T7230.095
    
    [GRAPHIC] [TIFF OMITTED] T7230.096
    
    [GRAPHIC] [TIFF OMITTED] T7230.097
    
    [GRAPHIC] [TIFF OMITTED] T7230.098
    
    Mr. Putnam. Thank you very much, Mr. Dacey. We appreciate 
all of the remarks of the panel.
    I will recognize Mr. Clay for his questions.
    Mr. Clay. Thank you, Mr. Chairman. Mr. Dacey, Mr. Clarke 
suggested that GAO should develop the capacity to give Congress 
real-time security reports on all executive agencies' computer 
systems. Is GAO prepared to undertake this responsibility?
    Mr. Dacey. Not as of today. I would say that we have been 
doing reviews, and, in fact, while Mr. Pyke did not say prior 
to his appointment as CIO, we had done a review of Commerce and 
I am very pleased to hear of the progress they have made in the 
last 2 years since that. We certainly have a suite of tools, 
and there are tools available commercially, that can be used to 
assess security in systems, to scan them, so to speak. We use 
them, other people in the commercial sector use them to do 
testing of networks. So in terms of technologies, those types 
of systems are available. Now, what we run into routinely when 
we go to agencies is we have to figure out how to run them on 
their systems and how to interface, and how to use them on 
their networks and how their networks are configured, which 
actually takes a large amount of our time to do that.
    So I guess the question of active monitoring, GAO has and 
continues to support that agencies should be regularly 
monitoring their systems for these kinds of vulnerabilities, 
and there are thousands, I heard a number before but there are 
literally thousands of these vulnerabilities. I do know that 
NASA has undertaken for the last year or so a project to 
actually assess all of their networks for a subset of 
vulnerabilities, 20 or 30 odd vulnerabilities, I forget the 
exact number, that they actively report on to agency management 
in terms of whether those vulnerabilities exist. They have 
metrics and measurements performance measures against that.
    So, at least with respect to a subset, I think it has been 
demonstrated that agencies can do that. I will leave it to 
Congress and others to decide who will do that. But certainly 
it is very possible to be done.
    Mr. Clay. OK. It is my understanding that the National 
Institute of Standards and Technology is about to release a 
draft of security standards required under FISMA. Have you 
reviewed those standards? And if not, what are your plans for 
reviewing them?
    Mr. Dacey. FISMA required NIST to develop basically risk 
levels and minimum security standards for each risk level. 
Separately, as part of the Cyber Research and Development Act, 
NIST is required to develop checklists for settings on 
technologies that are widely used or will be widely used in the 
Federal Government. FISMA made as one of its requirements that 
NIST consult with GAO on this issue, and they have consulted 
with us thus far. They are still actively developing those 
standards. What we have done is to basically look at what we 
use in terms of our audit process, what do we audit against and 
trying to ensure that their standards would at least include at 
a minimum the kind of things that we look for when we do our 
audits. So that process is taking place. I cannot say exactly 
when those standards will be developed, but they are intended I 
understand to be developed for public exposure and comment.
    Mr. Clay. Thank you. Mr. Pyke, in the last panel, Mr. 
Clarke suggested that IT security be contracted to private 
firms with penalties on the contractor for breaches. I would 
like to hear your thoughts on that suggestion.
    Mr. Pyke. Mr. Clay, I respectfully disagree with that 
particular recommendation, although I think that there is 
plenty of room for us to outsource many of the capabilities we 
need to have a complete and effective IT security program. As 
we have done in Commerce from the Secretary on down, I think it 
is very important to have personal accountability of our 
managers for the management of IT security. I also think it is 
important to have a high level individual or individuals 
responsible for IT security within the organization. When I was 
the CIO of the National Oceanic and Atmospheric Administration, 
I raised IT security to the top level within the CIO office. At 
the Commerce Department, we have IT security and critical 
infrastructure protection at the top level within the Commerce 
CIO office. I should add that we have full-time individuals 
responsible for each of these important functions.
    So I do not think the responsibility for IT security within 
any Federal agency can be delegated by outsourcing. But I do 
think, especially since we all face a shortfall of the scarce 
resources necessary to keep on top of IT security, I do think 
that it is an excellent idea to take advantage of outsourcing 
to get the job done.
    Mr. Clay. Mr. Pyke, let me also ask you about the Census 
Bureau. Do they have an enterprise architecture for the 
modernization of its geographic system, and has your office 
reviewed that architecture?
    Mr. Pyke. Yes. The Census Bureau does have an architecture, 
and their overall architecture for the agency as a whole and 
for moving ahead toward the next decennial census is a part of 
the overall enterprise architecture that we have for the entire 
Department of Commerce.
    Mr. Clay. What is the cost of this modernization project?
    Mr. Pyke. Are you talking about the census modernization?
    Mr. Clay. Yes.
    Mr. Pyke. If I may, sir, I would like to provide that 
number for you for the record.
    Mr. Clay. That will be fine. Thank you.
    Ms. MacLean, the last question. Has the banking industry 
been concerned about sharing information with the Federal 
Government? And does the FOIA exclusion passed as part of 
Homeland Security address those concerns?
    Ms. MacLean. That is a very great question. The financial 
services sector as a whole believes strongly that FOIA 
protection is critical to our ability to share information with 
the Federal Government. Being able to share that information 
without fear of disclosure of specifics I think is very, very 
important. So, keeping with that FOIA protection another aspect 
of that, if we go back to Y2K and the way that Y2K protection 
was handled with the FOIA; also, liability protection is 
another aspect that we feel is important.
    Mr. Clay. Thank you. Thank you, Mr. Chairman.
    Mr. Putnam. Thank you, Mr. Clay. I would like to followup 
on that question with Ms. MacLean. What would be the threshold 
of breach or the threshold of cyber threat or cyber attack that 
would trigger the need for a public disclosure to the customer 
or client whose information is jeopardized?
    Ms. MacLean. I would like to say it somewhere happens 
naturally. We do share information today as part of our 
Information Sharing and Analysis Center. We have an FSISAC 
where today we share information among institutions. We also 
are required by law and by regulation to notify the Government 
of any major breach through our SAR program at the financial 
institution level.
    I think making things public really just depends on whether 
or not there is that need that would assist us in helping 
resolve the issue. I do not think that it is conducive to make 
that public every time there is a breach. I think one of the 
metrics, and I heard you say earlier in the very beginning 
about the increased numbers of incidents, I actually think that 
is a positive metric. I think we should be looking for those 
reports to go up. But I do not think you necessarily need to 
make those public in order to work the issues and determine 
what vulnerabilities need to be addressed.
    Mr. Putnam. Is there a current Federal law or regulation 
that requires a customer or client whose information may have 
been breached to be notified? If there is not, what is your 
company's policy?
    Ms. MacLean. Yes, from a privacy perspective. And in the 
State of California, I think it was mentioned earlier, that if 
there is a breach where public or private information is 
compromised, you are required to notify that customer. That is 
different than going on CNN and making that public. It is also 
for the protection of those customers that I do believe the 
customer should be notified but not necessarily make all that 
information public because it does violate their privacy from 
another aspect.
    Mr. Putnam. Mr. Pyke, your role as CIO of Commerce, you 
have oversight for critical infrastructure protection, is that 
correct?
    Mr. Pyke. That is correct.
    Mr. Putnam. Not just within the Department itself but 
within the infrastructures that are within the jurisdiction of 
the Department?
    Mr. Pyke. I have responsibility for critical infrastructure 
within the Department. I am the Critical Infrastructure 
Assurance Officer.
    Mr. Putnam. OK. So if there is a substantial cyber threat 
on an industry within the regulation of the Department of 
Commerce, are you the first one notified or is someone in 
Homeland Security the first one notified?
    Mr. Pyke. I am notified only when there is a threat or 
possible threat to our systems and data, not to the sectors of 
industry that we relate to or interact with. My understanding 
is that is where the Department of Homeland Security comes in. 
They are one of the sources of alerts to us about a possible 
threat, and, as Mr. Forman mentioned, we received three very 
helpful alerts fairly recently that we and the other agencies 
across Government have been able to react to. I would hope that 
those kinds of alerts are made available to the private sector 
as well.
    Mr. Putnam. Ms. MacLean, one of the recurring themes today 
has been that there is a high level of reluctance to compel the 
private sector to report and there is also some tremendous 
concern about increasing the regulatory role in setting minimum 
standards. What are your feelings on the minimum standards and 
the approach of regulation? How do we incent that in the 
private sector so that we have the information that we need and 
we are getting the results that we need without an over-
reaching from the regulatory approach?
    Ms. MacLean. Today, our particular sector, the financial 
services sector is highly regulated. So, in some ways, we are 
already the beneficiary of having some of those guidelines in 
place. There are a number of regulations today. I think it was 
mentioned, the Graham-Leach-Bliley Act is one of those 
regulations which incent or require you to put in additional 
controls.
    The second part of that question on how do we make that 
process, should we make that process and do more of that, I 
really do not think additional regulation is conducive to 
actually getting companies to put those controls in place. Risk 
management, in most companies, especially in the financial 
sector, is in the business of selling trust. So it is to our 
advantage to really provide secure services to our customers. 
The customers demand that. And so there is a market force that 
really is at the heart of everything we do. We do it because it 
makes good business sense. And the checks and balances are in 
place, if you will, through the regulatory agencies who oversee 
us.
    Mr. Putnam. Did you agree with the recommendation of the 
first panel that perhaps the way to get at publicly traded 
corporations is to have a certified audit process that is 
reflected in a report to the SEC?
    Ms. MacLean. I do agree with that. And we do that to an 
extent today within the financial services sector. I think that 
would be an effective means. And you are looking more at an 
effective program versus regulating that program.
    Mr. Putnam. One of the challenges that has come up is that 
a number of the issues we deal with are not as much 
technological challenges as they are human challenges or 
cultural challenges. How are you or others in the private 
sector held accountable for protecting your infrastructure from 
security breaches?
    Ms. MacLean. My whole job at Bank of America is to provide 
that leadership, that vision, and I mentioned execution and 
accountability. I think those are four core things that have to 
be in place for any effective program. I think within the 
financial services sector, the way that we have organized with 
the associations is to provide that leadership and guidance to 
all of the financial services sector so that we are consistent 
in our approach.
    The other key to this I think is the outreach 
opportunities, because we are very interdependent on other 
sectors, such as telecommunications and energy and our 
government partners, the Federal Reserve Bank, other people 
with whom we have interdependencies. Making sure that everyone 
within each link of the chain, if you will, those chains, the 
links in the chains are all doing the right things. I think the 
leadership around those best practices and expectations that we 
have are really critical to having a cohesive integrated 
program.
    Mr. Putnam. Let me give you a version of what I asked Mr. 
Pyke. If you get a report that there is something very 
suspicious going on, something that is raising red flags in 
your infrastructure protection systems, is your first instinct 
to call the Comptroller General or the Federal Reserve or 
Homeland Security?
    Ms. MacLean. My first instinct is to call our crisis 
management hotline together which includes all of our 
institutions, and includes our regulators who are a part of 
that process. And that is part of what the council has put into 
place. Having that blast message, if you will, which goes out 
to multiple avenues so that we ensure that we get everybody on 
the phone, would be the first thing that we would do.
    Mr. Putnam. And I would assume that would probably be 
replicated throughout the different sectors--the power 
company's first response would be to notify FERC or DOE; 
telecommunications, their equivalent agency or department of 
jurisdiction. It makes you wonder at what point it finally gets 
to the people who are in charge of that, which would be 
Homeland Security.
    Mr. Dacey, what is the biggest obstacle that you have found 
in the failure of the Federal Government to have adequate 
information security, and is it a human challenge or a 
technological challenge?
    Mr. Dacey. Most of the issue really relates I think to a 
human challenge. We have many technologies to monitor and 
manage these systems and I think it is a matter of getting the 
right amount of attention, focus, responsibility, and 
accountability in place. What we have now is a situation where 
some agencies have done better than others. If you look at our 
written testimony, there are a lot of charts that summarize 
some of the GISRA reporting for the second year and some 
agencies are reporting statistics, such as Mr. Pyke, that are 
quite high and others that are low. And I think the issue is 
really focusing in on what are the reasons why some of these 
agencies are doing better than others.
    There is no silver bullet to any of this. But one of the 
things that Mr. Pyke referred to earlier is the fact that he 
has responsibility for establishing information security 
standards and monitoring those and maintaining accountability 
for people to implement those throughout the agency. In many of 
the agencies that we have looked at, that has not always been 
the case. The CIO at the agency level has certain 
responsibilities but oftentimes the component parts of the 
agency have autonomy to develop and establish their networks 
and their security. And in those environments, if you have a 
situation where one component has weak security, that can 
jeopardize the rest of the agency considering that in most 
cases their systems are interlinked and oftentimes trusted, so 
that getting access to one can readily get you access to 
another.
    So I think those are the primary issues. I think OMB laid 
those out in their first year GISRA report and are continuing 
to work those issues. If you look at the numbers, again, there 
is definitely progress being shown. But if you look at some of 
them, you will see that there is a lot of information we do not 
have yet. We talk about a process for managing vulnerabilities, 
but in many cases systems have not really been fully tested or 
analyzed to identify the vulnerabilities that exist so that it 
can be fixed. So there is a process here that needs to take 
place. But, certainly, the GISRA and now FISMA I think have 
been landmark changes in the way in which information security 
has been viewed by the agencies.
    The last part, which was referred to a little earlier, is 
research and development. I think it is key that continue in a 
cohesive fashion so that we can make sure that we are 
developing the best technologies we have to defend against 
cyber threats.
    Mr. Putnam. Certainly, the current in IT management and 
procurement has been away from the traditional stovepipe system 
and the inherent redundancies and duplication. But presumably a 
positive benefit of those stovepipes and of those redundancies 
is some limited protection from a cyber security threat. For 
all the consequences of not being able to communicate with one 
another, the benefits have been that you had some kind of a 
firewall there. Would you comment on that a little bit. As we 
press these agencies to tear down stovepipes, what consequence 
does that have for cyber security?
    Mr. Dacey. I think many, if not all, of the agencies have 
really gotten to a point where they are highly internetworked 
within themselves. I think, based upon the studies we have done 
where we have actually gone in and assessed security, we have 
generally found that, again, the systems are fairly trusted. 
One of the concerns that we have expressed is not only the 
impact of an external party coming in, but also internal 
parties are a threat to security as well. When you have got 
tens of thousands of users in some of these systems, you really 
have to be careful to manage that.
    What we have not seen in many systems is once we are able 
to get in, we do try as part of our audits to break into 
systems both internally and externally, and are generally 
successful, but when we do that, we typically find that we can 
use that access to gain privileges throughout the entire 
network and other places. So to some extent, I think removing 
the stovepipes in terms of information security is critical or 
you are going to continue to have that. What we have not seen 
is really an effective segmenting of networks so that if one is 
broken into, you cannot get access to other parts. That is 
certainly technologically possible. And if you follow through 
FISMA and the idea that there will be different risk level 
systems, you are going to have to come up with a strategy on 
segmenting them so you have one high level risk system that 
does not connect to a low level risk system without appropriate 
protections.
    Mr. Putnam. Mr. Pyke, we have heard from Ms. MacLean on the 
accountability measures that are in place in the private sector 
to ensure an appropriate commitment to cyber security. What has 
Secretary Evans empowered you to do that has made the 
Department of Commerce a model for success in a situation where 
everyone else is pretty well mired in failure?
    Mr. Pyke. Mr. Chairman, one of the things he has done has 
been not just to empower me as CIO to do my job and do it in a 
full way, but he has empowered and mandated that the Commerce 
agency heads, the under secretaries, assistant secretaries, and 
directors of the individual bureaus or operating units within 
the Department, that they give their time and attention to 
computer security, to protecting the infrastructure. And this 
has opened the way for my staff and me to be able to provide 
policy guidance, to provide direction, and have it received 
well. It has opened the way for us to work with the Commerce 
agencies and have them be responsive when we have an incident 
that we need to handle.
    I might mention with regard to something you asked me 
earlier in terms of incident handling, we have had at least one 
incident that I am aware of where we had an intrusion that we 
reported. When we have an intrusion that we detect we report 
the incident to FedCIRC, to the Federal Computer Incident 
Response Center which is now part of the Department of Homeland 
Security. That particular incident resulted in a Government-
wide alert and I believe an alert that went out to the private 
sector as well with regard to the appropriate measures to take 
to respond to that particular threat.
    Mr. Putnam. Thank you, Mr. Pyke.
    I want to thank all of our witnesses from both panels for 
their outstanding testimony and their ability to help us 
understand what is a very complex issue. It is clear that the 
time to act is now. We have not made the progress that we need 
to make to be as prepared as we should be as a Nation. We must 
all work together to protect our Nation from what could 
certainly be a digital disaster.
    I want to thank Mr. Clay for his input and his support of 
our efforts on the subcommittee. And recognizing that we were 
not able to answer all the questions that people had, I will 
keep the record open for 2 weeks for submitted questions and 
answers.
    Mr. Dacey, Mr. Pyke, Ms. MacLean, we appreciate what you 
do. We appreciate your service to the subcommittee.
    And with that, we stand adjourned.
    [Whereupon, at 11:30 a.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]

