[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]




     CYBER SECURITY: THE CHALLENGES FACING OUR NATION IN CRITICAL 
                       INFRASTRUCTURE PROTECTION

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 8, 2003

                               __________

                           Serial No. 108-13

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

87-230              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
              Randy Kaplan, Senior Counsel/Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                          John Hambel, Counsel
                 Chip Walker, Professional Staff Member
                      Ursula Wojciechowski, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 8, 2003....................................     1
Statement of:
    Clarke, Richard, former special advisor to the President for 
      Cyberspace Security; Michael A. Vatis, director, Institute 
      for Security Technology Studies at Dartmouth College and 
      chairman, Institute for Information Infrastructure 
      Protection; and Mark A. Forman, Associate Director, 
      Information Technology and Electronic Government, Office of 
      Management and Budget......................................     9
    MacLean, Rhonda, senior vice president and director of 
      corporate information security for Bank of America, sector 
      coordinator for the Financial Services Industry Public/
      Private Partnership on Critical Infrastructure Protection 
      and Homeland Security; Robert F. Dacey, Director, 
      Information Security Issues, U.S. General Accounting 
      Office; and Thomas Pyke, Chief Information Officer, 
      Department of Commerce.....................................    52
Letters, statements, etc., submitted for the record by:
    Clarke, Richard, former special advisor to the President for 
      Cyberspace Security, prepared statement of.................    11
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office, prepared statement of...........    79
    Forman, Mark A., Associate Director, Information Technology 
      and Electronic Government, Office of Management and Budget, 
      prepared statement of......................................    33
    MacLean, Rhonda, senior vice president and director of 
      corporate information security for Bank of America, sector 
      coordinator for the Financial Services Industry Public/
      Private Partnership on Critical Infrastructure Protection 
      and Homeland Security, prepared statement of...............    55
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     4
    Pyke, Thomas, Chief Information Officer, Department of 
      Commerce, prepared statement of............................    72
    Vatis, Michael A., director, Institute for Security 
      Technology Studies at Dartmouth College and chairman, 
      Institute for Information Infrastructure Protection, 
      prepared statement of......................................    22

 
     CYBER SECURITY: THE CHALLENGES FACING OUR NATION IN CRITICAL 
                       INFRASTRUCTURE PROTECTION

                              ----------                              


                         TUESDAY, APRIL 8, 2003

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:30 a.m., in 
room 2247, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam and Clay.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Chip Walker, Scott Klein, and Lori Martin, 
professional staff members; Ursula Wojciechowski, clerk; David 
McMillen, minority professional staff; and Jean Gosa and Early 
Green, minority clerks.
    Mr. Putnam. A quorum being present, this hearing of the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order.
    Good morning, and welcome to a series of planned hearings 
on cyber security, a topic that is critically important and one 
that has largely been neglected both in congressional debate, 
private sector action, and administrative action. It is a 
pleasure to have a distinguished panel of witnesses with us 
this morning.
    Virtually every aspect of our lives is in some way, shape, 
or form connected to computers. Networks that stretch from 
coast to coast or around the world connect these computers to 
one another. In the traditional sense, we have thought of our 
security as a Nation in the physical--bridges, power plants, 
water supplies, airports, etc. Security of our physical 
infrastructures has been a high priority and a particularly 
visible priority since September 11, 2001.
    The military, customs, and border patrol are charged with 
protecting and securing our borders. The Coast Guard protects 
our waterways. Federal, State, and local law enforcement 
officials protect our bridges, railways, and streets and 
provide for our own personal protection. But in this day and 
age, this type of one-dimensional thought is no longer 
adequate. Our critical infrastructure of the cyber kind must 
have the same level of protection if we are to be secure as a 
Nation from random hacker intrusions, malicious viruses, or 
worse--serious cyber terrorism.
    There are several things unique to cyber attacks that make 
the task of preventing them particularly difficult. Cyber 
attacks can occur from anywhere around the globe; from the 
caves of Afghanistan to the war fields of Iraq, from the most 
remote regions of the world or simply right here in our own 
back yard, perhaps in the bedroom of some 16-year-old who is 
particularly gifted in computers and electronics. The 
technology used for cyber attacks is readily available and 
changes continuously. And perhaps most dangerous of all is the 
failure of many people, critical to securing these networks and 
information from attack, to take the threat seriously, to 
receive adequate training, and to take the steps needed to 
secure their networks. I am happy to say today that all of the 
witnesses here are on the forefront of this war--on cyber 
terrorism--and I am looking forward to their insightful 
testimony.
    In May 1998, President Clinton released Presidential 
Decision Directive No. 63. This Directive set up groups within 
the Federal Government to develop and implement plans that 
would protect Government-operated infrastructures and called 
for a dialog between Government and the private sector to 
develop a National Infrastructure Assurance Plan that would 
protect all of the Nation's critical infrastructures by 2003. 
The Directive has since been supplemented by Executive Order 
13231, which established President Bush's Critical 
Infrastructure Protection Board and the President's National 
Strategy for Homeland Security.
    Since January 2001, efforts to improve Federal information 
security have accelerated at individual agencies and at the 
Government-wide level. For example, implementation of 
Government Information Security Reform Act [GISRA] legislation, 
enacted by the Congress in October 2000 was a significant step 
in improving Federal agencies' information security programs 
and addressing their serious, pervasive information security 
weaknesses. In implementing GISRA, agencies have noted 
benefits, including increased management attention to and 
accountability for information security. Although improvements 
are under way, recent GAO audits of 24 of the largest Federal 
agencies continue to identify significant information security 
weaknesses that put critical Federal operations and assets in 
each of those agencies at risk.
    On December 17, 2002, the Federal Information Security 
Management Act [FISMA], was enacted as Title III of the E-
Government Act of 2002. FISMA permanently authorizes and 
strengthens the information security program, evaluation, and 
reporting requirements established by GISRA. Among its 
provisions, it also requires the National Institute of 
Standards and Technology to develop standards that provide 
mandatory minimum information security requirements for Federal 
information security systems.
    While securing Federal information systems is critical, so 
is securing the critical infrastructure of the Nation--80 
percent of which is privately controlled. Reports of computer 
attacks abound. The 2002 report of the Computer Crime and 
Security Survey conducted by the Computer Security Institute 
and FBI's San Francisco Computer Intrusion Squad showed that 90 
percent of the respondents, mostly large corporations and 
Federal agencies, had detected computer security breaches 
within the last 12 months; 90 percent. In addition, the number 
of computer security incidents reported to the CERT 
Coordination Center rose from over 9,800 in 1999 to over 52,000 
in 2001 and over 82,000 in 2002. And these are only the attacks 
that are reported.
    The director for CERT Centers, operated by Carnegie Mellon 
University, stated that he estimates as much as 80 percent of 
actual security incidents go unreported. In most cases, this is 
because either the organization was unable to recognize its 
systems have been penetrated or there were no indications of 
penetration or attack, or the organization was just reluctant 
to report.
    Our own GAO has found a disturbing trend among Federal 
agencies. In both 2001 and 2002, GAO continued their analysis 
of audit reports for 24 major departments and agencies. The 
audits identified significant information security weaknesses 
in each that put critical Federal operations and assets at 
risk.
    While the Federal Government and private sectors have made 
improvements in cyber critical infrastructure protection, there 
is still much work to be done. In July 2002, GAO identified at 
least 50 Federal organizations that have various national or 
multiagency responsibilities related to cyber critical 
infrastructure protection. The interrelationship of these 
organizations is vital to a successful cyber CIP strategy. 
These organizations also interrelate and coordinate with even 
more private sector organizations as well as the State and 
local governments.
    The ability of all of these groups to communicate well, to 
understand the risks involved, accept common goals and minimum 
standards, and accept full accountability will be the keys to a 
successful national effort to protect the Nation's critical 
infrastructures and our Government networks.
    This subcommittee accepts the serious nature of the 
oversight responsibility related to this topic, and this 
hearing today is simply the beginning of what will be a series 
of hearings that examine and measure the progress toward 
achieving true cyber security.
    We are delighted to be accompanied by the gentleman from 
Missouri, the ranking member, Mr. Clay. I recognize you for any 
opening remarks. Thank you for joining us.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.001 through T7230.003
    
    Mr. Clay. Good morning. Thank you, Mr. Chairman, for 
calling this hearing. I would like to welcome the witnesses who 
are going to testify before us today. The issue before us 
today, as the chairman has pointed out, is as critical as any 
national security issue. Unfortunately, it is even more complex 
than most.
    There are really two issues before us today. First, as the 
title of this hearing implies, we must examine the processes in 
place for protecting our Nation's critical infrastructures, 
like the telephone system, financial systems, the supply of 
electricity, natural gas, water, and emergency services. 
Second, and equally important, we must examine the security of 
the computer systems that run our Government from day to day.
    Just last November, this committee issued a report on 
computer security where only 3 agencies got grades of C or 
above and 14 agencies failed. Some of the answers to these 
questions are the same. Computer security takes place in the 
trenches. If the man or woman sitting at the desk does not do 
the proper thing, then our systems will not be secure. If the 
system administrator does not install the proper patches when 
they become available, then our systems will not be secure. If 
the procurement officer does not examine software for security 
features before recommending or approving a purchase, then our 
system will not be secure. All of the security plans in the 
world will not make our systems secure unless those at the 
heart of the system do their job.
    As we have learned, computer security has not been a 
priority at agencies. Over the past 4 years, Congress has 
steadily turned up the heat. Former Representative Horn issued 
a number of report cards, each one showing the situation was 
worse than we realized. One of the lessons from that experience 
was that when we asked agencies to evaluate themselves, they 
are often overly optimistic. Last year, the report cards, based 
primarily on audit reports from the Inspectors General, were the 
worst ever.
    We may have turned the corner. Last year, we passed the 
Federal Information Security Management Act [FISMA], which is a 
significant step forward in setting out requirements for 
computer security that agencies must follow. Now we must assure 
that those requirements are implemented. It is my understanding 
that OMB has yet to issue the guidance required under FISMA. I 
hope that Mr. Forman will tell us that OMB has renewed its 
efforts to assure that the requirements of FISMA are 
implemented.
    We have a long way to go but I believe we are on the right 
track to secure our Government's day to day computer system. I 
am not sure I can say the same thing about protecting our 
critical infrastructure. While I believe we are making progress 
in this arena, it is very slow. It has been almost 7 years 
since President Clinton established the President's Commission 
on Critical Infrastructure Protection and almost 5 years since 
President Clinton issued Presidential Decision Directive No. 
63, to assure critical infrastructure protection. I expect our 
witnesses today will report on how we are progressing toward 
the goals established in that Directive.
    What concerns me, however, is that we have entered an era 
where things like critical infrastructure protection and 
Homeland Security are being used to erode our open Government. 
Just last week, USA Today reported that we are facing the 
biggest rollback of open Government laws since those laws were 
passed 30 years ago. What is tragic is that this renewed 
emphasis on secrecy is unnecessary. In the 19th century, the 
cryptographer Auguste Kerckhoffs set down a principle that is the 
most advanced work in cryptography today: ``In good systems, 
the system should not depend on secrecy and it should be able 
to fall into the enemy's hands without disadvantage.'' Put 
another way, the knowledge that American citizens are going to 
jump anyone who tries to hijack a plane does more to prevent 
hijacking than all of the secret plans at the Transportation 
Security Agency. If we sacrifice the fundamental principles of 
our society in the name of security, we have won neither 
security nor freedom. Thank you, Mr. Chairman.
    Mr. Putnam. Thank you very much.
    At this time we will begin with our witnesses. All of you 
have been very gracious to provide thorough written testimony. 
As you know, we ask that you limit your oral presentation to 5 
minutes. There is a light box on your table; the green light 
means that you may begin your remarks, and the red, we ask you 
to begin to sum up because the time has expired. We do have 
several witnesses and some panel members who are on a tight 
time schedule and we will attempt to be as thorough and as 
efficient as possible.
    As you know, it is the policy of this committee that we 
swear in witnesses. So please rise and raise your right hands.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses 
responded in the affirmative.
    I would like to begin the first panel with Richard Clarke. 
Richard Clarke is an internationally recognized expert on 
security, including homeland security, national security, cyber 
security, and counter-terrorism.
    He has served the last three Presidents as a senior White 
House advisor. Over the course of a record setting 11 
consecutive years of White House service, he has held the 
titles of special assistant to the President for global 
affairs, national coordinator for security and counter-
terrorism, and special advisor to the President for cyber 
security.
    Prior to his White House years, Mr. Clarke served for 19 
years in the Pentagon, the Intelligence Community, and State 
Department. During the Reagan administration, he was Deputy 
Assistant Secretary of State for Intelligence. During the first 
Bush administration, he was Assistant Secretary of State for 
political-military affairs and coordinated diplomatic efforts 
to support the first Gulf war and the subsequent security 
arrangements.
    Today Mr. Clarke consults on a range of issues, including: 
corporate security risk management, information security 
technology, dealing with the Federal Government on security and 
IT issues, and counter-terrorism. Clearly, he is a well-
qualified witness for this subcommittee hearing.
    We are delighted to have you with us, Mr. Clarke. With 
that, you are recognized for 5 minutes.

  STATEMENTS OF RICHARD CLARKE, FORMER SPECIAL ADVISOR TO THE 
PRESIDENT FOR CYBERSPACE SECURITY; MICHAEL A. VATIS, DIRECTOR, 
INSTITUTE FOR SECURITY TECHNOLOGY STUDIES AT DARTMOUTH COLLEGE 
    AND CHAIRMAN, INSTITUTE FOR INFORMATION INFRASTRUCTURE 
PROTECTION; AND MARK A. FORMAN, ASSOCIATE DIRECTOR, INFORMATION 
TECHNOLOGY AND ELECTRONIC GOVERNMENT, OFFICE OF MANAGEMENT AND 
                             BUDGET

    Mr. Clarke. Thank you, Mr. Chairman, Mr. Clay. Mr. 
Chairman, first let me start by commending you for having this 
hearing and recognizing the importance of this issue. Your 
remarks were right on point. I am not surprised that you are on 
top of this issue. I recall very well that long before 
September 11th, you asked me when I was the Counter-Terrorism 
Czar to come up and brief you on al-Qaeda before most Members 
of the Congress knew what al-Qaeda was. So I am not surprised 
that you are on top of this issue before other people.
    I would hope that with cyber security we could do more to 
raise our defenses before we have a major disaster. With al-
Qaeda, unfortunately, we had to wait until we had a major 
disaster for people to get it and for people to act on that 
understanding. It would be nice if, for once, we were able to 
get the Congress and the administration and the corporate world 
to understand the issue before the disaster occurs.
    The problems that we have had to date in cyber security are 
minor when compared to the potential. And the mistake a lot of 
people make is that they look at the past as a predictor of the 
future, that the past $17 billion a year worth of damage by 
cyber security they think is just a minor nuisance. 
Unfortunately, as long as we have major vulnerabilities in 
cyberspace and we do not address those major vulnerabilities, 
we run the potential for somebody doing us much more severe 
damage than has been done to date. So people who look at the 
cost of cyberspace security problems today and say those 
problems are not significant should instead be looking to the 
future and what could happen based on the vulnerabilities that 
exist.
    Mr. Chairman, I have suggested in my written testimony 10 
things which I think this committee and the Congress could do 
in general. Let me quickly go over them in the time allowed.
    First and foremost, I think the Department of Homeland 
Security must be the focus, the location in the executive 
branch that has clear responsibility for cyberspace security. 
That is the intent of President Bush's National Strategy. 
Unfortunately, the department in its early days, and I admit 
these are early days, has not organized itself to take on that 
heavy responsibility, has not created a Cyberspace Security 
Center, has not recruited senior recognized cyberspace security 
experts. Until it does, we will continue to have a major 
problem.
    Second, we still lack a Chief Information Security Officer 
for the Federal Government. I have the utmost respect for my 
friend and colleague Mark Forman, but he is not the Chief 
Information Security Officer. We do not have one. You would 
think that since Congress has given to OMB by law the 
responsibility for managing the IT security of the Federal 
agencies, except for the Defense Department and the 
Intelligence Community, that they would have a large staff of 
people dedicated fully to this issue. They do not. And until 
they do, we are likely to continue to have 14 agencies getting 
Fs and no agencies getting better than C. No matter what laws 
we pass, no matter what acronyms we adopt--FISMA, GISRA--until 
there is a clear full-time responsible official in the White 
House with a full-time responsible staff that is sufficiently 
large and sufficiently qualified, we will not be able to 
implement these laws.
    Third, the Congress passed last year the Cyber Security 
Research Act. I think it is important that authorization be 
matched with an appropriate appropriation this year.
    Fourth, I think the committee ought to look at the 
mechanisms of the Internet itself, the things which are owned 
in common, not by the Government, not by a particular company, 
but the Internet mechanisms for traffic flow, all of which are 
highly vulnerable as was proved by the attack on the Domain 
Name System last year.
    Fifth, I think rather than asking GAO to do periodic onsite 
inspections and come up with reports, GAO should be authorized 
by this committee to buy the devices which are now available to 
allow auditing and scanning of major enterprises for the 2,800 
known vulnerabilities on a daily basis. The technology is 
deployed in the private sector. It allows companies' CEOs, 
COOs, on a daily or weekly basis, to see every machine in their 
network and to see whether or not it is fixed, whether or not 
it is vulnerable. GAO should have that technology and it should 
have it deployed in all of the major Government agencies, so 
you, Mr. Chairman, members of this committee can get a weekly 
report, a monthly report, rather than having these one-off GAO 
inspections every year, which are costly and which do not give 
you the same results as this kind of automated auditing against 
the 2,800 known vulnerabilities.
    Sixth, the General Services Administration has put into 
place a Patch Management System. And as Mr. Clay said, there is 
a real problem in this Government with a lack of people fixing 
patches. That Patch Management System is a great place to 
invest additional dollars, the best place where we can invest 
in order to improve security.
    Let me stop there, Mr. Chairman, as my time is up.
    [The prepared statement of Mr. Clarke follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.004 through T7230.012
    
    Mr. Putnam. Thank you very much.
    At this time we are pleased to welcome to the Subcommittee 
Michael Vatis. Mr. Vatis is Director of the Institute for 
Security Technology Studies at Dartmouth College and the 
Chairman of the Institute for Information Infrastructure 
Protection, or I3P. ISTS is a principal national center for 
research, development, and analysis of counter-terrorism and 
cyber security technology. I3P is a consortium of major 
research organizations, whose mission is to develop a national 
R&D agenda for information infrastructure protection, promote 
collaboration among researchers, and facilitate and fund 
research in areas of national priority.
    Between 1998 and 2001, Mr. Vatis founded and served as the 
first director of the National Infrastructure Protection Center 
in Washington, now part of the Department of Homeland Security. 
NIPC was the lead Federal agency responsible for detecting, 
warning of, and responding to cyber attacks, including computer 
crime, cyber-terrorism, and cyber-espionage.
    Mr. Vatis has also served in the U.S. Departments of 
Justice and Defense. As Associate Deputy Attorney General and 
Deputy Director of the Executive Office of National Security, 
he coordinated the Justice Department's national security 
activities and advised the Attorney General and Deputy Attorney 
General on issues relating to counter-terrorism, high-tech 
crime, counter-intelligence, and infrastructure protection. He 
is a graduate of Princeton and Harvard.
    Welcome, Mr. Vatis.
    Mr. Vatis. Thank you, Mr. Chairman. It is a pleasure to be 
here this morning to testify before you and the subcommittee 
along with my distinguished colleagues. I would like to 
wholeheartedly endorse the substance of both your own statement 
and that of Mr. Clay, as well as that of my colleague, Dick 
Clarke, because I think all of those statements summarize very 
well the nature of the problem and where we are today in terms 
of our capability to deal with an increasingly serious issue.
    I would like to limit my oral remarks today to the part of 
my written testimony that deals with where I think the 
principal shortcomings are. I think it should be said that 
there are many good initiatives going on right now in 
individual agencies. And GISRA and FISMA were significant 
advances on Congress' part in dealing with the problem. But I 
think we have in some respects actually regressed in recent 
months in our ability to deal with this issue.
    One of the areas has to do with the fact that with the 
dismantling of the President's Critical Infrastructure 
Protection Board and the Office of Cyberspace Security in the 
White House--Mr. Clarke's former office--there is at the moment 
a serious void in the executive branch's leadership. There is 
no central locus right now for policymaking and for 
coordination of efforts across all of the agencies at the 
policy level. I think that will significantly impede the 
Government's ability to move forward on this issue.
    Many of the responsibilities that had been carried out by 
the Board and by Mr. Clarke's former office are supposed to be 
carried out now by the new Department of Homeland Security. But 
most of the officials who are supposed to take on those 
responsibilities have, to my knowledge, not yet been formally 
nominated, let alone confirmed. And so that void is likely to 
continue at the leadership level for several months.
    At the operational level, I think we see a similar void. 
Many different entities in the Government that had some 
responsibility for cyber security--including parts of my former 
organization, the NIPC; the Critical Infrastructure Assurance 
Office; and FedCIRC--all were moved into the Department of 
Homeland Security on the theory that the efforts of these 
organizations should be consolidated to achieve greater 
efficiency and effectiveness. The problem, however, is that for 
at least some of those entities, in fact, the consolidation is 
less than meets the eye.
    My former organization, the NIPC, was supposed to 
contribute over 300 of the positions in the new department that 
would be focusing on intelligence analysis and infrastructure 
protection. In fact, though, if you examine what actually 
occurred, it was a transfer of vacant FTEs, not of actual 
people, because most of the people stayed at the FBI or found 
other jobs elsewhere in the Federal Government. And so, in 
fact, now DHS has a tall order: filling hundreds of job 
vacancies. And the capabilities that were built up at the NIPC 
over the 5-years since its inception have essentially been 
dismantled or ramped down considerably because of the lack of 
personnel. So, again, given the length of time that hiring of 
Federal employees takes, particularly when you add in the need 
for background investigations, it is my view, unfortunately, 
that it could take over a year before we even get back to where 
we were in terms of our capability to detect, warn of, and 
respond to major cyber attacks.
    The other issue I think that needs to be focused on is at 
the policy level: what is the Government's policy with regard 
to the privately owned critical infrastructures and how can it 
induce greater security of those critical infrastructures? Both 
the Clinton administration and the Bush administration, in my 
view, have primarily relied on what I call the ``soapbox 
strategy,'' having officials--like Mr. Clarke, like myself when 
I was in the Government, like Mr. Forman--get up on a 
proverbial soapbox and talk about the seriousness of this 
problem and urge the owners and operators of infrastructures to 
take the problem seriously and do something about it. I think 
those efforts have been partially successful in raising 
awareness, in getting more attention focused on the problem. 
But I think at the end of the day those efforts clearly are not 
enough. More needs to be done.
    And so I would urge this subcommittee to consider some more 
imaginative and more aggressive approaches; perhaps regulation 
modeled after HIPAA for health care providers, or the Gramm-Leach-Bliley 
Act for financial service companies; and perhaps 
other, what I would call, softer approaches to incent the 
marketplace, to create incentives for companies to make more 
secure products and for owners and operators of infrastructures 
to take security more seriously. Rather than simply saying we 
do not want to regulate in this high-tech area, we should at 
least give serious consideration to measures that would move us 
beyond the soapbox strategy. Thank you very much.
    [The prepared statement of Mr. Vatis follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.013 through T7230.020
    
    Mr. Putnam. Thank you very much.
    Our next witness is Mark Forman. Mr. Forman is the Chief 
Information Officer for the Federal Government. Under his 
leadership, the U.S. Federal Government has received broad 
recognition for its successful use of technology and E-
Government. He is charged with managing over $58 billion in IT 
investments and leading the President's E-Government initiative 
to create a more productive, citizen-centric Government.
    He is also the leader in the development and implementation 
of the Federal information technology policy, and is 
responsible for a variety of oversight functions statutorily 
assigned to the Office of Management and Budget. He also 
oversees Executive branch CIOs and directs the activities of 
the Federal CIO Council, as well as chairing or being a member 
of several key IT-related boards including the President's 
Critical Infrastructure Board. To improve results from Federal 
IT spending, Mr. Forman created a framework that couples cross-
agency teamwork and leadership with a Government-wide IT budget 
decision process built around a results-driven modernization 
blueprint.
    Mr. Forman is a frequent witness before this subcommittee 
and his insight is always very helpful. We are delighted to 
have you again with us this morning. Welcome.
    Mr. Forman. Thank you, Mr. Chairman. Good morning. I want 
to take a moment just to commend Mr. Clarke on what I think is 
a truly outstanding career in public service that, as you know, 
he has recently retired from. I think his career serves as 
really a benchmark for those of us in public service. Clearly, 
his dedication to the country, the security of Americans is 
remarkable and outstanding, and as an American and personally, 
I just appreciate his service so much.
    I want to thank you for inviting me to discuss the status 
of the Federal Government's IT security. Cyber security is a 
top priority in the administration's IT and counter-terrorism 
efforts. The challenge, as you pointed out, is to provide the 
maximum protection while ensuring the free flow of information 
and commerce and protecting privacy. I am going to briefly 
summarize my statement.
    First of all, I am pleased to report to you today that the 
Federal Government has made substantial improvements in 
securing the information and information systems that we 
protect. Let me do this by explaining the difference between 
where we were on September 10, 2001, and where we were 1 year 
later in September 2002.
    September 2001, only 40 percent of Federal systems had up 
to date security plans; 1 year later, that was up to 61 
percent. Similarly, the number of Federal systems certified and 
accredited was at 27 percent in 2001; 1 year later, that was up 
to 47 percent. The number of systems with contingency plans, 30 
percent in September 2001; September of last year, 53 percent.
    There are other significant improvements, and I had a table 
with that data in my written testimony, but items such as 
agencies using plans of actions and milestones as the 
authoritative management tool to ensure that program and system 
level IT security weaknesses are prioritized, tracked, and 
corrected. These measures reveal in some cases over 50 percent 
measured performance improvements since 2001. But they also 
identify an awful lot of work to be done.
    The administration plans to make significant progress again 
this year. In our Clinger-Cohen report, which was Chapter 22 of 
the Analytical Perspectives of the President's 2004 budget, we 
included targets for improvement in critical IT security 
weaknesses by the end of this calendar year. Some of the key 
targets: All agencies shall have an adequate process in place 
for developing and implementing the plans of actions and 
milestones to ensure that program and system level IT security 
weaknesses are identified, tracked, and corrected.
    Eighty percent of Federal IT systems shall be certified and 
accredited.
    Eighty percent of the Federal Government's fiscal year 2004 
major IT investments shall appropriately integrate security 
into the lifecycle of their investments.
    I would like to talk a little bit about funding. Our 
analysis for the second year in a row shows that there is not a 
direct correlation between how much agencies spend on IT 
security and the quality of their results. That said, spending 
on IT security has increased 70 percent since 2002. Federal 
agencies plan to spend $4.25 billion this year on IT security, 
that is 7 percent of the Federal Government's overall IT budget 
and a 57 percent increase from the $2.7 billion spent last 
fiscal year. In next fiscal year, agencies plan to spend $4.7 
billion on IT security, and that will rise to 8 percent of the 
overall Federal Government IT budget.
    I would like to talk very briefly about some of the 
improvements and changes in handling cyber security incidents. 
Last year when I testified before the Government Reform 
Committee, I pointed out that we need to move to respond to 
threats within 24 hours. And so we have taken fairly aggressive 
action to do that.
    OMB and the CIO Council have developed and deployed a 
process to rapidly identify and respond to cyber threats and 
critical vulnerabilities. CIOs are advised by a conference call 
as well as follow-up e-mail of specific actions needed to 
protect agency systems when a threat has been identified. 
Agencies must then report to OMB on the implementation of the 
required countermeasures. This emergency notification and 
response process has been used three times since the beginning 
of the year. We started out with the first vulnerability with a 
90 minute cycle time to get the message out and get affirmative 
contact back that the process had begun--first for the Slammer 
Worm and then for the Sendmail and the IIS vulnerabilities. As 
a result of these early alerts, agencies have been able to 
rapidly close vulnerabilities that otherwise might have been 
exploited.
    I would also like to talk a little bit about the 
integration of FedCIRC, the National Infrastructure Protection 
Center and the Critical Infrastructure Assurance Office [CIAO], 
under one department. That represents an opportunity for the 
administration to strengthen the Government-wide processes for 
intrusion detection and response through maximizing and 
leveraging the important resources of these previously separate 
offices. Now this has only been in effect for a little over a 
month. So I think as they produce the results of their 
planning, you will see that there will be significant action.
    Experts agree though, and I would just like to conclude 
with a final thought, it is virtually impossible to ensure 
perfect security of IT systems. Therefore, we must maintain 
constant vigilance while also maintaining the focus, as my 
colleagues have said, on business continuity plans. Thank you.
    [The prepared statement of Mr. Forman follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.021 through T7230.030
    
    Mr. Putnam. Thank you very much, Mr. Forman. I thank all of 
our panelists. We will get right to the questions.
    All of you have touched on the simple fact that most of the 
critical infrastructure is controlled by the private sector. 
Mr. Vatis, in particular, singled out the need for an 
aggressive innovative approach that goes beyond merely the 
soapbox to incent or coerce greater accountability and 
compliance, greater focus on cyber security in the private 
sector. Could you elaborate a little bit more, beginning with 
Mr. Vatis, and then the other two as well, on the best way for 
the Federal Government to approach the regulation of and the 
incentivizing of better cyber security in the private sector.
    Mr. Vatis. Mr. Chairman, thank you. I do not have any 
particular silver bullet that I think is the answer to the 
problem. But I think there are a number of ideas that have been 
discussed but over the past few years have basically been 
dismissed out of hand because of the fear of even getting into 
anything that might smack of regulation. So what I am really 
urging is a considered study of several different options. The 
fact of the matter is we do have some instances of direct 
regulation, of coercion, if you will, that are already in place 
but which were not instituted for security's sake, per se, but 
more out of a concern for privacy: HIPAA and Gramm-Leach-Bliley, 
for example.
    So I think one thing that should be done is to study those 
acts as they are implemented to see if they actually result in 
a net increase of security, and if so, at what cost, in terms 
of efficiency or other things. I think there are other ideas 
that have been talked about, such as requiring disclosure of 
security plans for security breaches by companies that suffer 
breaches so that there is a further incentive to take security 
seriously. Because what we have seen over the years again and 
again and again is that many companies are simply sweeping the 
problem under the rug so that it does not become public. I think if 
there were some sort of disclosure requirement, as the State of 
California, for example, is now instituting for companies that 
do business in that State, as of this summer, that could create 
an additional incentive. Requiring disclosure of plans in a 10-K 
form for publicly traded companies is another idea that has 
been talked about. Tax incentives for upgrading of technology 
to address security is another idea. Best practices for 
hardware and software manufacturers.
    So there are many ideas. I think the wonderful 
congressional staff that are out there are a good resource to 
look into these ideas. And some of the Federal R&D moneys 
should be devoted not just to technical R&D, but to research 
into the legal, policy, and economic factors that affect the 
implementation of technical security requirements.
    Those are some of the things that I would urge.
    Mr. Putnam. Mr. Clarke.
    Mr. Clarke. Mr. Chairman, I think we want to avoid 
regulation here. The thought of having a Federal cyber security 
regulation agency and a Federal cyber security police scares me 
to death. But I think there are some things we can do to 
stimulate the private sector without regulation. One, Michael 
just mentioned, is we can have the SEC do what it did for Y2K, 
which is to require that publicly traded companies have in 
their reports a report against some set of auditing standards 
that the auditing industry could come up with, a report on 
their performance. Now we do not want their security plans 
revealed publicly and we do not want them to have to report 
individual incidents. But they ought to get a grade from an 
outside auditing firm, IT security auditing firm, and that 
ought to be reported as part of their public annual disclosure. 
That had a great effect during Y2K and we ought to think 
seriously about asking the SEC to look into that.
    Similarly, cyber insurance could have a big effect. The 
insurance industry could set standards for cyber security 
insurance and the rates that they charge could reflect how good 
a company is doing. Requiring certain kinds of companies that 
are doing business with the Federal Government, not small 
businesses, but larger businesses to have cyber security 
insurance would have an enormous effect on the market.
    Mr. Putnam. Before we go to Mr. Forman, let me follow up on 
that. You mentioned as part of your 10 point plan in your 
testimony the need for any congressional action on terrorism 
risk insurance to include a cyber insurance provision. 
Presumably, that would have some type of Federal backstop or 
subsidy in that risk insurance, and you mentioned that alone 
would raise the bar of security on the cyber side. But you 
differ from Mr. Vatis in saying that companies should not have 
to report breaches of security. Why is that?
    Mr. Clarke. I do not think you want to have specific 
breaches of security reported because I think it gives too much 
information to the people who want to do the breaches. I think 
what you want is an overall grade. All too often when there is 
one minor security violation that gets into the press because 
it has been reported, a company suffers disproportionately from 
what its real security problem is. So I do not think you want 
to force companies to report individual security violations, 
but to report an overall grade on performance.
    The Cyber Risk Insurance Act, of course, has passed. The 
committee language suggests it covers cyber security. That is 
not clear in the language of the bill. But the real problem 
with cyber insurance right now is it is not clear that there is 
a Federal backstop against catastrophic terrorism as there is 
for other forms of terrorism, and there really is not a decent 
actuarial database yet that allows underwriters to decide on 
what policy should be. So if the Government could collect 
information, statistics, or, better yet, get someone like Mike 
to do it, not have a Government agency do it, but somebody, 
Carnegie Mellon, Dartmouth, someone to collect enough 
information so that the underwriters in the insurance industry 
would feel better writing more policy, and requiring when they 
do write policy that companies live up to certain standards and 
best practices, that would go a long way.
    Mr. Putnam. How would you have an actuarially sound policy 
if breaches are not required to be reported?
    Mr. Clarke. Not reported publicly. I think they should be 
reported perhaps in an anonymized way to a third party.
    Mr. Putnam. Mr. Forman.
    Mr. Forman. I think you have to look at a couple of 
factors. First of all, you have got to ask what is the market 
failure here. We believe that normal market approaches would 
not suggest regulation if there is something holding the 
companies accountable in the marketplace. In other words, if a 
company loses customers because they are not protecting their 
security well, then we expect normal marketplace forces to 
work. And I think there is pretty strong evidence of that. If 
you look at a couple years ago, we had firewalls, we had 
antivirus technology. By looking at the growth over the last 
year and the trends in the marketplace on how to protect 
against cyber threats, well, threat management systems and 
software, and then highly reliable redundant systems that 
leverage the architecture of the internet so it is moved out of 
the security technology realm into hosting and other 
architecture tools; companies such as Akamai growing 
terrifically fast. So it is clear the marketplace will respond.
    I would give you a couple of thoughts on the issue. First 
of all, are the issues essentially related to criminal type 
threats. Those may not be made public for a number of reasons. 
But that may be something to deal with and look at as a 
tradeoff between how do we associate law enforcement 
structures, is that right for the internet age. And the other 
is what do you do about organized cyber terrorism. You have 
different Government roles and responsibilities issues there. 
That should basically guide, we believe, the regulatory answer 
to the question of whether regulation is even needed in the 
first place.
    Mr. Putnam. Mr. Clarke and Mr. Vatis both alluded to or 
specifically said that we do not have a centralized mechanism 
in the Federal Government for overseeing cyber security 
compliance, cyber security coordination and collaboration. So 
are you satisfied with the current framework that calls for its 
placement in Homeland Security, or is it still too diffused 
between FBI and Homeland Security and OMB and other agencies?
    Mr. Forman. There are two parts of the picture I think that 
you have to look at. First of all, we do spend an awful lot of 
money. We are the world's largest buyer of information 
technology. So have we got enough central focus and the right 
structures in place, I am very confident now, and I think the 
data show, we are able to track and measure the gaps in cyber 
security, we are able to hit the cycle time that we are looking 
for.
    I do not know that private sector industries have anything 
like that. We can focus because we do have an organizational 
structure. So the question is when you get into the other 
industries, should it be dealt with on an industry by industry 
approach, should it be dealt with on a company by company 
approach. And there is a real question on what that structure 
should be. I think that was thoroughly vetted in creation of 
the Information Integration and Infrastructure Assurance under 
secretariat, it was vetted within the administration, it was 
vetted within the House and the Senate.
    Now one thing that I should correct for the record. The 
under secretary is a confirmed position. But the assistant 
secretary that has key responsibilities here is an appointed 
position. And that person is in his job now, Bob Wiskowski, and 
he has been there a couple of weeks. He comes from Coca Cola 
and, of course, people would say the formula for Coke is one of 
the most protected secrets in the world today. So there is an 
interesting background that he brings. But, again, the 
department has only been up for several weeks now. I think when 
you see their go forward plan, you will see how they have 
integrated things, building on the successes and giving some 
innovation to that as well.
    Mr. Putnam. Mr. Vatis, do you want to comment on that?
    Mr. Vatis. I am hopeful, Mr. Chairman, that Mr. Forman will 
prove to be right and that once the key personnel are in place 
in the new department we will see things start to roll. But I 
think, to be realistic, it will take some time, because the 
operational personnel are not likely to be in place for over a 
year, and there are so many vacant positions now that are 
responsible for infrastructure protection and intelligence 
analysis.
    I would make one other point about something that worries 
me. And that is what appears to be the administration's policy 
that cyber security is a subset of critical infrastructure 
protection as a whole, including physical vulnerabilities of 
our critical infrastructures. I think there is definitely a 
logic to that view in that we do need to look at the 
infrastructures as a whole and consider all the different 
vulnerabilities. But the worry I have is that if an official or 
a subset of DHS is looking at both physical and cyber 
vulnerabilities and threats, cyber will always get short shrift, 
especially in these years so soon after September 11th 
when so much focus is on the vulnerability to physical 
terrorist attack. I think we have seen that happen in prior 
years. When we tried to do both things through the same 
offices, through the same people, cyber always got less 
attention than it was due. So that is another thing I think we 
need to keep an eye on, to make sure that does not happen.
    Mr. Putnam. Mr. Clarke, when you analyze the threat 
environment out there, what particular nations or particular 
non-state actors are out there that have made cyber security a 
priority as their way of getting at capitalism or the United 
States or western civilization or whatever?
    Mr. Clarke. Mr. Chairman, there is a classified answer to 
that in terms of what we know about other nations that have 
created offensive cyber security organizations. Suffice it to 
say in an open hearing there are nations, including our own, 
that have created cyber security offensive organizations. And 
there are terrorist groups, organized criminal groups that are 
interested in this. I am not very good at predicting the who 
here. And I think we make a mistake by focusing on who is going 
to do it to us.
    I think rather than focus on the who, we should focus on 
the what, what are they going to do. And it is real simple. As 
long as we have major cyber security vulnerabilities that would 
allow someone who does not like us to screw up our economy, 
then someone will. It may not happen this year. We may not be 
able to guess who it is in advance. But it is a very high 
probability that as long as we have very well known major 
vulnerabilities that are cheaply exploited, somebody will do 
it. And I do not think the emphasis ought to be on trying to 
figure out who that is in advance and getting them before they 
do it, because someone else will do it. What we should try to 
do is raise the barrier.
    And in answer to your last question about DHS and OMB, I 
think the question answers itself when you ask who is the 
highest level official in the Department of Homeland Security 
whose full-time job is cyber security. What office in the 
Department of Homeland Security does nothing but cyber 
security? Who is the highest ranking person in OMB who does 
nothing but cyber security? How many people in OMB, the 
organization to which the Congress has given the full 
responsibility for cyber security in the Federal Government, 
how many people in OMB have that as their full-time 
responsibility? The answers to those questions are pretty 
frightening I think.
    Mr. Putnam. Mr. Forman, do you want to answer those 
questions?
    Mr. Forman. We have an interesting change going on in our 
society. I think from a policy perspective as it relates to 
Federal IT, we cannot differentiate the work that we need to do 
in our architectures from cyber security. I certainly have 
spent a lot of time, but I think we as an administration have 
spent an awful lot of time making sure that we get the 
communications between the CIOs and the cyber security 
community. These are two separated communities that have to 
talk to each other. So, for example, when we have denial of 
service attacks, we find increasingly over the last few months 
people organize over the Web and they will target the White 
House Web site because in areas outside of America people feel 
that is similar to attacking the administration.
    Mr. Putnam. That is the whitehouse.gov Web site?
    Mr. Forman. That is correct. As opposed to others that may 
be out there that I have never known about. So these people 
will organize and they are known. They will run advertisements 
in the newspaper, they will run advertisements on the Internet. 
Essentially, the characterization will be come to our Web site 
if you want to attack President Bush for some action. The cyber 
security community will be aware of that and never communicate 
that to the CIO of the White House, the CIO of the Energy 
Department, and others. We have worked pretty hard over the 
last 2 months to correct that problem. And the integration of 
these two communities is absolutely critical; we cannot 
separate them.
    Mr. Putnam. And you are satisfied that integration will 
occur under the new structure of Homeland Security once they 
are up and running?
    Mr. Forman. Absolutely. In fact, as I pointed out in my 
oral and put in more detail in the written testimony, as it 
relates to Federal cyber security, we have had to make that 
happen. As I pointed out, we have had three major events this 
year. We started out with a 90 minute cycle time and we have 
been able to shrink that down even more so.
    But there is the longer term issue of how we secure the 
infrastructure. There is the fast response issue of what do we 
do. And to give you a feel, I tend to think of this as three 
dimensions. We have literally thousands of vulnerabilities. 
Anybody who could know all the vulnerabilities and make sure 
the patches are deployed is truly detail oriented, and, as Dick 
said, there is software that does that for you. You have to 
rely on the technology to manage the technology. The second 
dimension is the threats. There are people out there, some of 
whom are organized, some of whom will leverage the Internet to 
organize very rapidly. And the third thing is what will it mean 
for the actual technology, your architecture that you have 
deployed as a department.
    So, as an example, we worried and fast responded to the 
Slammer threat. But as you recall, the Congress was affected by 
this. There was a cyber sit-in where people called and used the 
Internet as a way to show their response to the 
administration's policy in the war in Iraq. Our policy decision 
on that was that was not a cyber security threat; that was e-
democracy moving into the Internet age. The cyber security 
community view on that was that was a cyber threat. So if we do 
not meld these two groups together and look at this from the 
standpoint of the CIO overall, as was laid out going back to 
the Clinger-Cohen Act, we will not be able to get that decision 
properly placed as a policy decision.
    Mr. Putnam. Correct me if I am wrong or if I am heading in 
the wrong direction on this. But from my perspective, the OMB 
role would be an internal Federal IT management role, 
protecting and preserving the sanctity of Federal systems, of 
the Federal networks, of containing the costs of a breach that 
would spread agency-wide or department-wide or Government-wide. 
The role of Homeland Security would be analyzing the threats, 
detecting as quickly as possible when a virus or some other 
cyber attack has occurred, and then distributing that word as 
quickly as possible to the public and private sector--State, 
local governments, the remainder of the Federal Government, and 
critical infrastructure. So how well is Homeland Security 
equipped to handle that, not from an internal Federal IT 
perspective, but from the external perspective?
    Mr. Forman. Again, a lot of this may change, but let me 
tell you because there is an area of overlap between the 
Federal and the external. FedCIRC maintains the catalogue, if 
you will, of the vulnerabilities and the patches that are 
associated with fixing that vulnerability. Generally, when we 
see a threat materialize that we have to respond quickly to, 
the threat targets a certain vulnerability. And if the patch 
gets rapidly deployed or if it had already been deployed, there 
is no impact. And so we have been fairly effective, certainly 
this year we have been 100 percent effective, in making sure 
that when the threat is identified FedCIRC puts out, in 
coordination with the CIO Council, the link to the patch and 
the characterization of that vulnerability, the threat, etc.
    There is a partner organization, the National 
Infrastructure Protection Center, that was not totally but the 
key elements moved from the FBI to that same office to 
integrate this together better. They produce a daily report. I 
expect that will continue. I do not know that for a fact. We 
will see I think some innovation there. But that tells you the 
threats that are current, the patches that are current, hot 
links, and so forth. So I think that part is focusing fairly 
well on the topical threats.
    In the area outside of Government, the longer term 
remediation and maintenance of the architectures is an area 
where I think there is a big question as to how to proceed. 
There is a multifaceted approach laid out in the President's 
National Cyberspace Strategy. And that was thoroughly vetted, 
as in Dick Clarke's testimony. So I am fairly comfortable we 
are going to see a good implementation plan for that as Bob has 
the time to make that work at Department of Homeland Security 
and they are ready to release their implementation plan for 
that strategy.
    Mr. Putnam. I know that there has been a great deal of 
focus on this and I know that it is a daunting task. But in the 
latest report in 2002, after 4 solid years of focused, specific 
attention to this issue of cyber security, we only had 3 out of 
24 agencies that received a report card grade that was better 
than a D, and 14 of the 24 got an F. What are we doing wrong? 
What is Congress' role? That is just unacceptable, obviously. 
And while it does not reflect a lack of effort on the part of 
OMB perhaps to manage this, it certainly reflects a lack of 
success on the part of agencies to improve outcomes. So I will 
let you get situated and then answer that.
    Mr. Forman. I share 100 percent this focus. First of all, 
we did have differences in scores and ratings between what Mr. 
Horn scored the agencies on and how we scored them in 2001. I 
will say 2001 was the first year that we actually measured 
progress and that set the benchmark. So it was not until the 
end of 2001 that we even knew quantitatively how bad it was and 
subsequent to that put in place a process, these plans of 
actions and milestones, that laid out the workload to fix that.
    Last year, we had pretty much quarterly oversight for both 
OMB as well as Congress. I would ask that we maintain that 
because I think we made a lot of progress. It is documented in 
the data that we shared in the testimony, in some more detailed 
data we shared with the staff and GAO in the 2002 GISRA report, 
and we will be able to see to the agency. But the progress of 
going from 27 percent to 53 percent, is 53 percent acceptable? 
Absolutely not. By the end of this year, we believe, it is a 
slight stretch goal, but with the constant vigilance, we 
believe we get up to 80 percent on a couple of these security 
measures and 100 percent on putting in place a process. That is 
going to take a lot of continued oversight throughout this year 
to get there. But at that point we are talking about 
significantly improved security. And I would put that up 
against any company and you will find very few that hit those 
benchmarks.
    Mr. Putnam. Just very briefly, would you put that up 
against any other country?
    Mr. Forman. I think that there are a couple--I have not 
really thought about that. But certainly our view is that the 
United States spends the most, we have to protect our citizens 
and the information, and so we are going to be the best not 
because we are competing with other countries, but because it 
is the right thing to do for Americans.
    Mr. Putnam. Mr. Clarke, Mr. Vatis, what other countries out 
there are ahead of us on protecting critical infrastructure 
from cyber attack?
    Mr. Clarke. The good news, Mr. Chairman, is that nobody is 
ahead of us. The bad news is that we are pretty bad. I disagree 
with Mark in saying that the Federal Government is as good as 
any company. That just is not true. The private sector is way 
ahead of the Federal Government.
    Mr. Putnam. So who do I need--I do not mean to interrupt, I 
am going to let you finish--what company's CIO do I need to 
bring in to our next hearing?
    Mr. Clarke. Rhonda MacLean, from Bank of America, will tell 
you, if you ask her the right questions, how she is doing it. 
She is doing a great job. Bank of America is better than any 
Federal Government agency in terms of its IT security. That is 
true of most major banks in the United States. They are doing a 
much better job. Why? Because they have got someone who is a 
senior person who is full-time in charge of IT security. I did 
not hear in Mark's answer who is the senior OMB official who is 
full-time in charge of IT security and nothing else. I did not 
hear who in the Department of Homeland Security is in charge of 
cyber security and nothing else full-time. I did not hear how 
many people we have in OMB full-time working on cyber security.
    I think there is another big mistake we are making, and 
that is we are trying to get the departments to do this 
themselves essentially. And with all due respect to civil 
servants, I was one for 30 years, you are not going to get this 
done without outsourcing it. There is a real reluctance in 
Federal departments to outsource IT security. But there is a 
solution. Take the Department of Labor, take the Department of 
Agriculture and have it contract to any of the big integrators 
or any of the IT security firms and then hold them responsible 
and fine them in terms of their contract if there is not 
performance. Instead of just bringing the CIO of Labor or 
Agriculture up here and berating them that they got an F again, 
have them outsource it to a company that has penalties in its 
contract if that grade is an F again.
    Mr. Putnam. Does the law currently preclude them from doing 
that?
    Mr. Clarke. No, it does not.
    Mr. Putnam. Mr. Vatis.
    Mr. Vatis. I agree 100 percent with what----
    Mr. Putnam. With which one, Mr. Clarke or Mr. Forman?
    Mr. Vatis. With Mr. Clarke. I think he is exactly right on 
the lack of sufficient high level personnel devoted to this 
issue. I think the cyber issue will always get short shrift. I 
think the idea that we need a hammer to truly make progress 
happen within the agencies is also exactly right. I served in 
the FBI for a few years and lived within an infrastructure 
that, despite some efforts over those years to improve it, 
never really got anywhere. And I think that is a case study of 
how not to manage information systems in a crucial Federal 
agency.
    Mr. Putnam. Sort of a recurring theme in these E-Government 
issues in our subcommittee hearings is that we have a cultural 
challenge, a human capital challenge throughout the Federal 
Government in dealing with this issue.
    We could go on, but I have a second panel. I want to thank 
all of you for your very insightful and thoughtful testimony. I 
will give each of you 1 minute to say whatever is on your heart 
that I did not ask you about or to rebut or give a counterpoint 
to something that somebody else has said. We want to be as 
thorough and as fair as possible.
    We will begin with Mr. Forman. You have 1 minute to say 
whatever you would like to say to conclude.
    Mr. Forman. Thank you, Mr. Chairman. I just want to 
congratulate you again for this hearing. Oversight of progress 
has been and will continue to be incredibly important to our 
success. I will pledge to you that the administration is 
focused on this all the way to the highest levels, that we are 
holding deputy secretaries and secretaries accountable. And I 
would ask for your cooperation and support in doing the same.
    Mr. Putnam. You have it. Mr. Vatis.
    Mr. Vatis. I think from our testimony you can gather that 
how the DHS evolves is going to be critical, especially at the 
operational level. So I think one thing that this committee 
could fruitfully do is keep the heat on to make sure that DHS 
devotes the requisite attention to cyber security and that they 
do not let it get lost in the shuffle of dealing with physical 
terrorism and reducing our vulnerability to physical terrorist 
attacks. Make sure that they hire people as quickly as 
possible, and that the consolidation actually achieves the 
promises that have been made about new efficiencies among all 
these entities that were formerly separate. Without some heat 
from Congress, it will not be done nearly quickly enough or 
well enough.
    Mr. Putnam. Mr. Clarke.
    Mr. Clarke. Mr. Chairman, just again to thank you for your 
recognition of this issue. And to echo Mike Vatis, you 
personally have a great opportunity here to be a pain in the 
rear end to the administration, and I encourage you to do that.
    Mr. Putnam. That is very kind of you, Mr. Clarke. 
[Laughter.]
    The first panel is dismissed.
    The subcommittee will stand in recess for about 2 minutes 
while we set up the second panel.
    [Recess.]
    Mr. Putnam. I will reconvene the subcommittee hearing.
    We would like to welcome our second panel of witnesses. As 
is the custom with the committee, we swear in our witnesses. So 
please rise and raise your right hands and repeat after me.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses 
have responded in the affirmative.
    We welcome you to the subcommittee. You have had an 
opportunity to hear the testimony of the first panel and some 
of the interchange. Following the ladies first rule, we will 
begin with Ms. MacLean, who has received a warm introduction 
and very high praise in the first panel.
    Rhonda MacLean is senior vice president and director of 
corporate information security for Bank of America. Ms. MacLean 
joined Bank of America in 1996 as the director of corporate 
information security and is responsible for providing global 
leadership for information security policy, procedures, risk 
management, security technology implementation, cyber 
investigations/forensics, and general information security 
awareness. In addition, she is responsible for enterprise 
business continuity planning and the company's regional 
recovery centers.
    In May 2002, the Department of the Treasury appointed Ms. 
MacLean as the private sector coordinator for the financial 
services industry public/private partnership on critical 
infrastructure protection and homeland security. She will act 
in concert with Treasury's private sector liaison to draw 
together industry initiatives related to critical 
infrastructure protection and homeland security. In addition, 
she was elected to the Board of Directors for the Partnership 
for Critical Infrastructure Security, which brings together 
leaders from across multiple critical sectors such as energy, 
telecommunications, finance, etc.
    We welcome you to the panel, and recognize you for 5 
minutes for your opening statement.

    STATEMENTS OF RHONDA MACLEAN, SENIOR VICE PRESIDENT AND 
DIRECTOR OF CORPORATE INFORMATION SECURITY FOR BANK OF AMERICA, 
 SECTOR COORDINATOR FOR THE FINANCIAL SERVICES INDUSTRY PUBLIC/
 PRIVATE PARTNERSHIP ON CRITICAL INFRASTRUCTURE PROTECTION AND 
   HOMELAND SECURITY; ROBERT F. DACEY, DIRECTOR, INFORMATION 
  SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE; AND THOMAS 
    PYKE, CHIEF INFORMATION OFFICER, DEPARTMENT OF COMMERCE

    Ms. MacLean. Thank you, Chairman Putnam, and thank you for 
inviting me here today to testify at the hearing. I am very 
honored to speak on behalf of the financial services sector in 
my role as the Department of Treasury-appointed private sector 
coordinator for critical infrastructure protection.
    In listening to the testimony this morning, something 
struck me that I wanted to add to this statement. This 
challenge that we have before us takes vision, leadership, 
execution, and accountability. I want to touch on those things 
today with the information that I provide you about the 
financial services industry's involvement in critical 
infrastructure protection, the current work of our financial 
services sector coordinating council, and discuss some of the 
opportunities where I think Government and industry really can 
partner to address some of the challenges we have in securing 
our cyber space.
    The administration's National Strategy to Secure Cyber 
Space identified the critical infrastructures as consisting of 
physical and cyber assets of the public and private sector and 
institutions. Though the basic approach of security must 
fundamentally address people, process, and technology aspects 
of the infrastructure, I do want to iterate that there is no 
single solution to this challenge. Creating the appropriate 
balance of these elements is based on an operational risk 
management consideration that addresses the critical nature of 
the systems as well as the exposures to which they can be 
subjected.
    I would like to talk about the sector's critical 
infrastructure protection efforts, and specifically about our 
Council. At the time of my appointment, there was no integrated 
entity that could represent the entire financial services 
sector. Individual associations were actively and effectively 
working on their Members' behalf and provided much leadership 
for our critical infrastructure protection efforts. To ensure 
coordination across the sector, with the public sector's 
support and encouragement, and with the leadership of the 
Department of Treasury, we formed the Financial Services Sector 
Coordinating Council. Today, we have 24 organizations 
consisting of key national exchanges, clearing organizations, 
trade associations in banking, securities, bond and insurance 
segments of our industry, and we are working together to 
improve the critical infrastructure protection for our sector 
as well as others on which we depend.
    Through our Council members, we engage nearly all financial 
service sector entities. Let me highlight three of the five 
strategic areas on which we have focused.
    The first area is in information dissemination and 
information sharing. Our goal is to ensure that a universal 
service to disseminate trusted and timely information will be 
made available to all sector participants.
    Second, crisis and response management needs to be 
implemented. When events occur with broad sector or national 
impact, a planned and adopted approach for communicating and 
responding as a sector, including coordination with Government 
entities, is the focus of this particular effort.
    Third, we are leading the sector's efforts to revise our, 
the financial services sector's, national strategy component in 
response to the two national strategies released in February by 
the President. We believe this is our opportunity to define 
strategic as well as tactical, actionable, and measurable 
actions as part of our sector-wide critical infrastructure and 
homeland security efforts.
    In my chairperson role for the Financial Services Sector 
Coordinating Council, I work closely with the lead agency, the 
Department of Treasury, and specifically the Office of Critical 
Infrastructure Protection and Compliance which was created by 
the Treasury Assistant Secretary Wayne Abernathy and led by 
Deputy Assistant Secretary Michael Dawson. Together, they lead 
the Financial and Banking Information Infrastructure Committee. 
That council is really the public side of what I would call the 
public-private partnership. It is through council members and 
our Government partners' cooperative efforts that we are able 
to maximize our resources and achieve our objectives to ensure 
protection of our critical infrastructures to the benefit of 
the economy and to the financial services customers.
    Let me transition the discussion to some opportunities for 
continuing the progress that has been made both by the 
government and the private sector.
    First, let us talk a little bit more about information 
analysis and information infrastructure protection. The need 
for synergy between information analysis and infrastructure 
protection has clearly been recognized in the assignment of 
those responsible to the undersecretary within the Department 
of Homeland Security. We expect this to provide a much more 
robust alerting, threat warning, and information flow from the 
public sector based on the vast resources that they have made 
available through their integration.
    Second is understanding the threat. Based on the 
Government's visibility of threats to the private sector, a 
clear understanding of the protection needs must exist between 
the public and the private sector. Gaps between the private 
sector's protection efforts and the Government's view of the 
necessary protections must be defined and clearly understood. 
There may be situations where, unknown to the private sector, 
normal business practices will not adequately address the level 
of threat understood by the Government. Where market focus does 
not provide the appropriate incentives to provide these 
protections, augmentation of market mechanisms, such as 
incentives, may be appropriate.
    Third, product security. Because the private sector mainly 
employs commercial products, services, and software to 
implement cyber security protection and monitoring, those 
efforts that improve the security of such products have broad 
benefit. As a sector, we work closely with our vendors to 
achieve higher levels of security. BITS, or the Bankers' 
Information Technology Secretariat--the technology group for 
the Financial Services Round Table--and a member of our 
Coordinating Council, has implemented a product certification 
program as a prime example of our industry's efforts in this 
area.
    And finally, the voluntary sharing of threat and incident 
information. We must continue to encourage processes that 
accommodate companies' voluntary sharing of sensitive 
information, such as the provisions outlined in the Homeland 
Security Act of 2002.
    In closing, Mr. Chairman, and members of the committee, we 
believe the strong public-private sector partnership that is 
emerging is the right approach. And it is finally with that 
vision, leadership, and execution, we believe that we can 
continue to make progress in this important area.
    [The prepared statement of Ms. MacLean follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.104 through T7230.117
    
    Mr. Putnam. Thank you very much.
    I now recognize Tom Pyke. As Chief Information Officer of 
the U.S. Department of Commerce, Mr. Pyke is responsible for 
guiding the Department's effective use of information 
technology and managing the Department's IT resources, with an 
annual budget of over $1.5 billion. His responsibilities 
include IT policy, planning, and capital investment review, IT 
security and critical infrastructure protection, IT 
architecture, information quality, E-Government, information 
dissemination through the Internet and the Next Generation 
Internet, and the oversight of IT operations.
    He has been a senior manager of information technology in 
the Commerce Department for over 30 years, most recently 
serving as CIO and Director for Higher Performance Computing 
and Communications of the National Oceanic and Atmospheric 
Administration and Director of the GLOBE program.
    Welcome. You are recognized.
    Mr. Pyke. Thank you, Mr. Chairman. I am pleased to be here 
this morning to share with the subcommittee a summary of the 
actions that the Commerce Department has taken over the last 2 
years to strengthen our information security posture.
    The Department's actions to improve its management of 
information security started at the top. Secretary Don Evans, 
in June 2001, directed all Commerce agency heads to focus their 
personal attention on establishing information technology or IT 
security as a priority. He directed them to allocate the 
necessary resources to ensure that the Department's data and 
information systems are adequately protected against risks 
resulting from misuse or unauthorized access. This important 
action ensures accountability for IT security by all of the 
Department's senior managers, and both the Secretary as well as 
Deputy Secretary Sam Bodman have emphasized this personal 
responsibility of Commerce agency heads as they have 
communicated with these senior managers in the Department about 
the importance of IT security over the past 2 years.
    The Secretary also instituted a Department-wide IT 
management restructuring plan that empowered the Department's 
CIOs by providing them with the necessary authority to manage 
IT security as well as other aspects of information technology 
planning and operations and IT capital investment review. As 
the Department CIO, I issue security policy and provide IT 
security guidance to the Commerce agency heads and to the 
Commerce agency CIOs. I participate in the annual review of the 
performance of each of the Commerce agency CIOs, which bolsters 
the authority that my staff and I have at the Department level 
as we oversee the management of the expenditure of $1.5 billion 
in information technology each year on a Department-wide basis. 
This $1.5 billion, by the way, includes the resources that we 
devote to protecting our systems and information assets through 
our Department-wide IT security program.
    We have issued this January a comprehensive Department-wide 
IT security policy, as well as minimum standards for 
management, operational, and technical controls, and other key 
aspects of implementing this policy. We also issued a Password 
Management Policy and a Remote Access Security Policy. Policy 
implementation guides have been issued that address critical 
corrective action plans to identify and correct security 
weaknesses, to document security and privacy in the IT capital 
asset planning process, and to maintain complete inventories of 
all of our systems relative to their security status.
    The Department instituted a compliance monitoring process 
in 2002, through which we determine Commerce agency compliance 
with Department IT security policies, standards, and guidance. 
This process includes tests of all management, operational, and 
technical controls, including tests of systems and networks to 
ensure that they are adequately protected against unauthorized 
access. We also established an IT security training program, 
through which every Commerce employee and every contractor 
employee has received IT security awareness training, and is 
receiving updated training every year. Specialized training for 
IT security personnel, managers, and system administrators is 
also being provided.
    The Department has established a computer incident response 
capability that supports actions to protect systems and data 
when incidents do occur, and facilitates proper reporting of 
incidents. A Department-wide IT security alert capability has 
also been established, that ensures 24 x 7 transmittal of IT 
security alerts throughout the Department and activation of 
Commerce agency IT security emergency mobilization plans, as 
appropriate.
    Especially since the Commerce Department has been coming 
from behind as it has implemented this comprehensive IT 
security program, numerous corrective actions have been 
identified that need special attention to correct IT security 
weaknesses. A Department-wide data base of needed corrective 
actions has been created and is being maintained. It includes 
every IT security action that has resulted from GAO and 
Commerce Office of Inspector General audits, as well as actions 
that have resulted from Department IT security compliance 
reviews and from self-assessments by the Commerce agencies 
themselves. We expect to complete by this September all of the 
corrective actions that were open at the beginning of fiscal 
year 2003. Over 74 percent of these actions are already 
completed. We expect to have completed by the end of this fiscal 
year all but 2 of the over 200 corrective actions that have 
been identified during this fiscal year.
    The top level measure we use to manage IT security across 
the Department is what we call IT security program maturity. By 
the end of fiscal year 2003, we expect that every Commerce 
agency will be operating at ease at a level 3 maturity, which 
requires that all IT systems have implemented policies and 
procedures. We have identified our national critical and 
mission critical IT assets and the IT system components of 
those assets, and we expect to have certification and 
accreditation for full operation of these systems completed by 
the end of this fiscal year.
    I would like to tell you very briefly how we are doing 
against some of the performance measures that Mark Forman 
introduced in his testimony this morning, in which he provided 
Government-wide data. At Commerce, we have assessed 96 percent 
of our systems for risk, 90 percent of our systems have 
contingency plans, 92 percent are certified and accredited, and 
98 percent of our systems have up to date IT security plans.
    Thank you for this opportunity to tell you about what we 
have done in the Commerce Department to improve our information 
security posture. We have come a long way in these last 2 
years, and we are working hard to complete the next steps that 
are essential to provide adequate protection of our data and 
systems. We understand, however, that IT security is a never-
ending process, and we are committed to maintaining a high 
level of vigilance to ensure that the Department is able to 
carry out its mission without disruption caused by cyber 
threats.
    [The prepared statement of Mr. Pyke follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.099 through T7230.103
    
    Mr. Putnam. Thank you, Mr. Pyke.
    At this time, the subcommittee recognizes Robert Dacey. Mr. 
Dacey is currently Director of Information Security Issues at 
the U.S. General Accounting Office. His responsibilities 
include evaluating information systems security in Federal 
agencies and corporations, including the development of related 
methodologies; assessing the Federal infrastructure for 
managing information security; evaluating the Federal 
Government's efforts to protect our Nation's private and public 
critical infrastructure from cyber threats; and identifying the 
best security practices at leading organizations and promoting 
their adoption by Federal agencies.
    Previously, Mr. Dacey led GAO's annual audits of the 
consolidated financial statements of the U.S. Government, 
audits I think which revealed about the same grades as they 
have been getting on their IT scorecards; GAO's financial audit 
quality assurance efforts, including methodology and training; 
and other GAO financial statement audit efforts, including HHS 
and the IRS.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Mr. Dacey. Thank you, Mr. Chairman, Mr. Clay. I am pleased 
to be here today to discuss the challenges our Nation faces 
concerning Federal information security and critical 
infrastructure protection. CIP involves activities that enhance 
the security of our Nation's cyber and physical public and 
private infrastructures that are essential to national 
security, economic security, and/or public health and safety. 
As you requested, I will briefly summarize my written statement 
which provides details on the status and progress of efforts to 
address these challenges.
    We have identified and made numerous recommendations over 
the last several years concerning Federal information security 
and CIP challenges that need to be addressed. For each of these 
challenges, improvements have been made and continuing efforts 
are in progress. However, much more is needed to fully address 
them. These challenges include: One, addressing pervasive 
weaknesses in Federal information security. Our analysis of 
audit and evaluation reports in November of last year continued 
to show significant pervasive weaknesses in Federal 
unclassified computer systems for all 24 major agencies 
reviewed that put critical operations and assets at risk. The 
implementation of GISRA continues to play a significant role in 
the improvement of Federal information security. Second year 
agency GISRA reports indicate agency progress, provide 
comparative performance information and an improved performance 
baseline, and highlight areas where additional efforts are 
necessary. The administration has taken important actions to 
address information security, such as integrating it into the 
President's Management Agenda Scorecard.
    The successful implementation of FISMA, which permanently 
authorizes and strengthens GISRA requirements, is essential to 
sustaining these agency efforts to identify and correct 
significant weaknesses. As FISMA is implemented, it will be 
important to continue efforts to certify, accredit, and 
regularly test systems to identify and correct vulnerabilities 
in all agency systems; two, to complete development and test 
contingency plans to ensure that critical systems can resume 
after an emergency; three, to validate agency reported 
information through independent evaluation; and four, to 
achieve other FISMA requirements.
    The second major challenge is the development of a national 
CIP strategy. A more complete strategy is still needed that 
addresses specific roles, responsibilities, and relationships 
for all CIP entities, that clearly defines interim objectives 
and milestones and sets timeframes for achieving them, and 
establishes appropriate performance measures and a monitoring 
process. The President's National Homeland Security strategy, 
the President's cyber and physical CIP strategies, and the 
Homeland Security Act call for a comprehensive national 
infrastructure plan.
    The third major challenge is improving information sharing 
on threats and vulnerabilities. Information sharing needs to be 
enhanced both within the Federal Government and between the 
Federal Government and the private sector and State and local 
governments. The President's national strategies identify 
partnering with non-Federal entities as a major initiative. 
Information sharing and analysis centers continue to play a key 
role in this strategy.
    The fourth major challenge is improving analysis and 
warning capabilities. More robust warning and analysis 
capabilities are needed to identify threats and provide timely 
warning. Such capabilities need to address both cyber and 
physical threats. Again, the President's national strategies 
call for major initiatives in this area.
    The fifth challenge is encouraging non-Federal entities to 
increase their CIP efforts. The Federal Government needs to 
assess whether additional incentives, such as grants or 
regulation, are needed to encourage non-Federal entities to 
increase their efforts to implement suggested CIP activities.
    The Homeland Security Act and the President's national 
strategies acknowledge the need to address many of these 
challenges. However, much work remains to effectively respond 
to them. Until a comprehensive and coordinated strategy is 
developed, our Nation risks not having a consistent and 
appropriate structure to deal with the growing threat of 
attacks on its Federal systems and on its critical 
infrastructures.
    Mr. Chairman, Mr. Clay, this concludes my oral statement. I 
would be pleased to answer any questions at this time.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T7230.031 through T7230.098
    
    Mr. Putnam. Thank you very much, Mr. Dacey. We appreciate 
all of the remarks of the panel.
    I will recognize Mr. Clay for his questions.
    Mr. Clay. Thank you, Mr. Chairman. Mr. Dacey, Mr. Clarke 
suggested that GAO should develop the capacity to give Congress 
real-time security reports on all executive agencies' computer 
systems. Is GAO prepared to undertake this responsibility?
    Mr. Dacey. Not as of today. I would say that we have been 
doing reviews, and, in fact, while Mr. Pyke did not say prior 
to his appointment as CIO, we had done a review of Commerce and 
I am very pleased to hear of the progress they have made in the 
last 2 years since that. We certainly have a suite of tools, 
and there are tools available commercially, that can be used to 
assess security in systems, to scan them, so to speak. We use 
them, other people in the commercial sector use them to do 
testing of networks. So in terms of technologies, those types 
of systems are available. Now, what we run into routinely when 
we go to agencies is we have to figure out how to run them on 
their systems and how to interface, and how to use them on 
their networks and how their networks are configured, which 
actually takes a large amount of our time to do that.
    So I guess the question of active monitoring, GAO has and 
continues to support that agencies should be regularly 
monitoring their systems for these kinds of vulnerabilities, 
and there are thousands, I heard a number before but there are 
literally thousands of these vulnerabilities. I do know that 
NASA has undertaken for the last year or so a project to 
actually assess all of their networks for a subset of 
vulnerabilities, 20 or 30 odd vulnerabilities, I forget the 
exact number, that they actively report on to agency management 
in terms of whether those vulnerabilities exist. They have 
metrics and measurements, performance measures, against that.
    So, at least with respect to a subset, I think it has been 
demonstrated that agencies can do that. I will leave it to 
Congress and others to decide who will do that. But certainly 
it is very possible to be done.
    Mr. Clay. OK. It is my understanding that the National 
Institute of Standards and Technology is about to release a 
draft of security standards required under FISMA. Have you 
reviewed those standards? And if not, what are your plans for 
reviewing them?
    Mr. Dacey. FISMA required NIST to develop basically risk 
levels and minimum security standards for each risk level. 
Separately, as part of the Cyber Research and Development Act, 
NIST is required to develop checklists for settings on 
technologies that are widely used or will be widely used in the 
Federal Government. FISMA made as one of its requirements that 
NIST consult with GAO on this issue, and they have consulted 
with us thus far. They are still actively developing those 
standards. What we have done is to basically look at what we 
use in terms of our audit process, what do we audit against and 
trying to ensure that their standards would at least include at 
a minimum the kind of things that we look for when we do our 
audits. So that process is taking place. I cannot say exactly 
when those standards will be developed, but they are intended I 
understand to be developed for public exposure and comment.
    Mr. Clay. Thank you. Mr. Pyke, in the last panel, Mr. 
Clarke suggested that IT security be contracted to private 
firms with penalties on the contractor for breaches. I would 
like to hear your thoughts on that suggestion.
    Mr. Pyke. Mr. Clay, I respectfully disagree with that 
particular recommendation, although I think that there is 
plenty of room for us to outsource many of the capabilities we 
need to have a complete and effective IT security program. As 
we have done in Commerce from the Secretary on down, I think it 
is very important to have personal accountability of our 
managers for the management of IT security. I also think it is 
important to have a high level individual or individuals 
responsible for IT security within the organization. When I was 
the CIO of the National Oceanic and Atmospheric Administration, 
I raised IT security to the top level within the CIO office. At 
the Commerce Department, we have IT security and critical 
infrastructure protection at the top level within the Commerce 
CIO office. I should add that we have full-time individuals 
responsible for each of these important functions.
    So I do not think the responsibility for IT security within 
any Federal agency can be delegated by outsourcing. But I do 
think, especially since we all face a shortfall of the scarce 
resources necessary to keep on top of IT security, I do think 
that it is an excellent idea to take advantage of outsourcing 
to get the job done.
    Mr. Clay. Mr. Pyke, let me also ask you about the Census 
Bureau. Do they have an enterprise architecture for the 
modernization of its geographic system, and has your office 
reviewed that architecture?
    Mr. Pyke. Yes. The Census Bureau does have an architecture, 
and their overall architecture for the agency as a whole and 
for moving ahead toward the next decennial census is a part of 
the overall enterprise architecture that we have for the entire 
Department of Commerce.
    Mr. Clay. What is the cost of this modernization project?
    Mr. Pyke. Are you talking about the census modernization?
    Mr. Clay. Yes.
    Mr. Pyke. If I may, sir, I would like to provide that 
number for you for the record.
    Mr. Clay. That will be fine. Thank you.
    Ms. MacLean, the last question. Has the banking industry 
been concerned about sharing information with the Federal 
Government? And does the FOIA exclusion passed as part of 
Homeland Security address those concerns?
    Ms. MacLean. That is a very great question. The financial 
services sector as a whole believes strongly that FOIA 
protection is critical to our ability to share information with 
the Federal Government. Being able to share that information 
without fear of disclosure of specifics I think is very, very 
important. So, keeping with that FOIA protection another aspect 
of that, if we go back to Y2K and the way that Y2K protection 
was handled with the FOIA; also, liability protection is 
another aspect that we feel is important.
    Mr. Clay. Thank you. Thank you, Mr. Chairman.
    Mr. Putnam. Thank you, Mr. Clay. I would like to follow up 
on that question with Ms. MacLean. What would be the threshold 
of breach or the threshold of cyber threat or cyber attack that 
would trigger the need for a public disclosure to the customer 
or client whose information is jeopardized?
    Ms. MacLean. I would like to say it somewhere happens 
naturally. We do share information today as part of our 
Information Sharing and Analysis Center. We have an FSISAC 
where today we share information among institutions. We also 
are required by law and by regulation to notify the Government 
of any major breach through our SAR program at the financial 
institution level.
    I think making things public really just depends on whether 
or not there is that need that would assist us in helping 
resolve the issue. I do not think that it is conducive to make 
that public every time there is a breach. I think one of the 
metrics, and I heard you say earlier in the very beginning 
about the increased numbers of incidents, I actually think that 
is a positive metric. I think we should be looking for those 
reports to go up. But I do not think you necessarily need to 
make those public in order to work the issues and determine 
what vulnerabilities need to be addressed.
    Mr. Putnam. Is there a current Federal law or regulation 
that requires a customer or client whose information may have 
been breached to be notified? If there is not, what is your 
company's policy?
    Ms. MacLean. Yes, from a privacy perspective. And in the 
State of California, I think it was mentioned earlier, that if 
there is a breach where public or private information is 
compromised, you are required to notify that customer. That is 
different than going on CNN and making that public. It is also 
for the protection of those customers that I do believe the 
customer should be notified but not necessarily make all that 
information public because it does violate their privacy from 
another aspect.
    Mr. Putnam. Mr. Pyke, your role as CIO of Commerce, you 
have oversight for critical infrastructure protection, is that 
correct?
    Mr. Pyke. That is correct.
    Mr. Putnam. Not just within the Department itself but 
within the infrastructures that are within the jurisdiction of 
the Department?
    Mr. Pyke. I have responsibility for critical infrastructure 
within the Department. I am the Critical Infrastructure 
Assurance Officer.
    Mr. Putnam. OK. So if there is a substantial cyber threat 
on an industry within the regulation of the Department of 
Commerce, are you the first one notified or is someone in 
Homeland Security the first one notified?
    Mr. Pyke. I am notified only when there is a threat or 
possible threat to our systems and data, not to the sectors of 
industry that we relate to or interact with. My understanding 
is that is where the Department of Homeland Security comes in. 
They are one of the sources of alerts to us about a possible 
threat, and, as Mr. Forman mentioned, we received three very 
helpful alerts fairly recently that we and the other agencies 
across Government have been able to react to. I would hope that 
those kinds of alerts are made available to the private sector 
as well.
    Mr. Putnam. Ms. MacLean, one of the recurring themes today 
has been that there is a high level of reluctance to compel the 
private sector to report and there is also some tremendous 
concern about increasing the regulatory role in setting minimum 
standards. What are your feelings on the minimum standards and 
the approach of regulation? How do we incent that in the 
private sector so that we have the information that we need and 
we are getting the results that we need without an over-
reaching from the regulatory approach?
    Ms. MacLean. Today, our particular sector, the financial 
services sector is highly regulated. So, in some ways, we are 
already the beneficiary of having some of those guidelines in 
place. There are a number of regulations today. I think it was 
mentioned, the Gramm-Leach-Bliley Act is one of those 
regulations which incent or require you to put in additional 
controls.
    The second part of that question on how do we make that 
process, should we make that process and do more of that, I 
really do not think additional regulation is conducive to 
actually getting companies to put those controls in place. Risk 
management, in most companies, especially in the financial 
sector, is in the business of selling trust. So it is to our 
advantage to really provide secure services to our customers. 
The customers demand that. And so there is a market force that 
really is at the heart of everything we do. We do it because it 
makes good business sense. And the checks and balances are in 
place, if you will, through the regulatory agencies who oversee 
us.
    Mr. Putnam. Did you agree with the recommendation of the 
first panel that perhaps the way to get at publicly traded 
corporations is to have a certified audit process that is 
reflected in a report to the SEC?
    Ms. MacLean. I do agree with that. And we do that to an 
extent today within the financial services sector. I think that 
would be an effective means. And you are looking more at an 
effective program versus regulating that program.
    Mr. Putnam. One of the challenges that has come up is that 
a number of the issues we deal with are not as much 
technological challenges as they are human challenges or 
cultural challenges. How are you or others in the private 
sector held accountable for protecting your infrastructure from 
security breaches?
    Ms. MacLean. My whole job at Bank of America is to provide 
that leadership, that vision, and I mentioned execution and 
accountability. I think those are four core things that have to 
be in place for any effective program. I think within the 
financial services sector, the way that we have organized with 
the associations is to provide that leadership and guidance to 
all of the financial services sector so that we are consistent 
in our approach.
    The other key to this I think is the outreach 
opportunities, because we are very interdependent on other 
sectors, such as telecommunications and energy and our 
government partners, the Federal Reserve Bank, other people 
with whom we have interdependencies. Making sure that everyone 
within each link of the chain, if you will, those chains, the 
links in the chains are all doing the right things. I think the 
leadership around those best practices and expectations that we 
have are really critical to having a cohesive integrated 
program.
    Mr. Putnam. Let me give you a version of what I asked Mr. 
Pyke. If you get a report that there is something very 
suspicious going on, something that is raising red flags in 
your infrastructure protection systems, is your first instinct 
to call the Comptroller General or the Federal Reserve or 
Homeland Security?
    Ms. MacLean. My first instinct is to call our crisis 
management hotline together which includes all of our 
institutions, and includes our regulators who are a part of 
that process. And that is part of what the council has put into 
place. Having that blast message, if you will, which goes out 
to multiple avenues so that we ensure that we get everybody on 
the phone, would be the first thing that we would do.
    Mr. Putnam. And I would assume that would probably be 
replicated throughout the different sectors--the power 
company's first response would be to notify FERC or DOE; 
telecommunications, their equivalent agency or department of 
jurisdiction. It makes you wonder at what point it finally gets 
to the people who are in charge of that, which would be 
Homeland Security.
    Mr. Dacey, what is the biggest obstacle that you have found 
in the failure of the Federal Government to have adequate 
information security, and is it a human challenge or a 
technological challenge?
    Mr. Dacey. Most of the issue really relates I think to a 
human challenge. We have many technologies to monitor and 
manage these systems and I think it is a matter of getting the 
right amount of attention, focus, responsibility, and 
accountability in place. What we have now is a situation where 
some agencies have done better than others. If you look at our 
written testimony, there are a lot of charts that summarize 
some of the GISRA reporting for the second year and some 
agencies are reporting statistics, such as Mr. Pyke, that are 
quite high and others that are low. And I think the issue is 
really focusing in on what are the reasons why some of these 
agencies are doing better than others.
    There is no silver bullet to any of this. But one of the 
things that Mr. Pyke referred to earlier is the fact that he 
has responsibility for establishing information security 
standards and monitoring those and maintaining accountability 
for people to implement those throughout the agency. In many of 
the agencies that we have looked at, that has not always been 
the case. The CIO at the agency level has certain 
responsibilities but oftentimes the component parts of the 
agency have autonomy to develop and establish their networks 
and their security. And in those environments, if you have a 
situation where one component has weak security, that can 
jeopardize the rest of the agency considering that in most 
cases their systems are interlinked and oftentimes trusted, so 
that getting access to one can readily get you access to 
another.
    So I think those are the primary issues. I think OMB laid 
those out in their first year GISRA report and are continuing 
to work those issues. If you look at the numbers, again, there 
is definitely progress being shown. But if you look at some of 
them, you will see that there is a lot of information we do not 
have yet. We talk about a process for managing vulnerabilities, 
but in many cases systems have not really been fully tested or 
analyzed to identify the vulnerabilities that exist so that it 
can be fixed. So there is a process here that needs to take 
place. But, certainly, the GISRA and now FISMA I think have 
been landmark changes in the way in which information security 
has been viewed by the agencies.
    The last part, which was referred to a little earlier, is 
research and development. I think it is key that continue in a 
cohesive fashion so that we can make sure that we are 
developing the best technologies we have to defend against 
cyber threats.
    Mr. Putnam. Certainly, the current in IT management and 
procurement has been away from the traditional stovepipe system 
and the inherent redundancies and duplication. But presumably a 
positive benefit of those stovepipes and of those redundancies 
is some limited protection from a cyber security threat. For 
all the consequences of not being able to communicate with one 
another, the benefits have been that you had some kind of a 
firewall there. Would you comment on that a little bit. As we 
press these agencies to tear down stovepipes, what consequence 
does that have for cyber security?
    Mr. Dacey. I think many, if not all, of the agencies have 
really gotten to a point where they are highly internetworked 
within themselves. I think, based upon the studies we have done 
where we have actually gone in and assessed security, we have 
generally found that, again, the systems are fairly trusted. 
One of the concerns that we have expressed is not only the 
impact of an external party coming in, but also internal 
parties are a threat to security as well. When you have got 
tens of thousands of users in some of these systems, you really 
have to be careful to manage that.
    What we have not seen in many systems is once we are able 
to get in, we do try as part of our audits to break into 
systems both internally and externally, and are generally 
successful, but when we do that, we typically find that we can 
use that access to gain privileges throughout the entire 
network and other places. So to some extent, I think removing 
the stovepipes in terms of information security is critical or 
you are going to continue to have that. What we have not seen 
is really an effective segmenting of networks so that if one is 
broken into, you cannot get access to other parts. That is 
certainly technologically possible. And if you follow through 
FISMA and the idea that there will be different risk level 
systems, you are going to have to come up with a strategy on 
segmenting them so you have one high level risk system that 
does not connect to a low level risk system without appropriate 
protections.
    Mr. Putnam. Mr. Pyke, we have heard from Ms. MacLean on the 
accountability measures that are in place in the private sector 
to ensure an appropriate commitment to cyber security. What has 
Secretary Evans empowered you to do that has made the 
Department of Commerce a model for success in a situation where 
everyone else is pretty well mired in failure?
    Mr. Pyke. Mr. Chairman, one of the things he has done has 
been not just to empower me as CIO to do my job and do it in a 
full way, but he has empowered and mandated that the Commerce 
agency heads, the under secretaries, assistant secretaries, and 
directors of the individual bureaus or operating units within 
the Department, that they give their time and attention to 
computer security, to protecting the infrastructure. And this 
has opened the way for my staff and me to be able to provide 
policy guidance, to provide direction, and have it received 
well. It has opened the way for us to work with the Commerce 
agencies and have them be responsive when we have an incident 
that we need to handle.
    I might mention with regard to something you asked me 
earlier in terms of incident handling, we have had at least one 
incident that I am aware of where we had an intrusion that we 
reported. When we have an intrusion that we detect, we report 
the incident to FedCIRC, to the Federal Computer Incident 
Response Center which is now part of the Department of Homeland 
Security. That particular incident resulted in a Government-
wide alert and I believe an alert that went out to the private 
sector as well with regard to the appropriate measures to take 
to respond to that particular threat.
    Mr. Putnam. Thank you, Mr. Pyke.
    I want to thank all of our witnesses from both panels for 
their outstanding testimony and their ability to help us 
understand what is a very complex issue. It is clear that the 
time to act is now. We have not made the progress that we need 
to make to be as prepared as we should be as a Nation. We must 
all work together to protect our Nation from what could 
certainly be a digital disaster.
    I want to thank Mr. Clay for his input and his support of 
our efforts on the subcommittee. And recognizing that we were 
not able to answer all the questions that people had, I will 
keep the record open for 2 weeks for submitted questions and 
answers.
    Mr. Dacey, Mr. Pyke, Ms. MacLean, we appreciate what you 
do. We appreciate your service to the subcommittee.
    And with that, we stand adjourned.
    [Whereupon, at 11:30 a.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]