[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





 WHO MIGHT BE LURKING AT YOUR CYBER FRONT DOOR? IS YOUR SYSTEM REALLY 
 SECURE? STRATEGIES AND TECHNOLOGIES TO PREVENT, DETECT AND RESPOND TO 
             THE GROWING THREAT OF NETWORK VULNERABILITIES

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                              JUNE 2, 2004

                               __________

                           Serial No. 108-232

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
96-992                      WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, 
CANDICE S. MILLER, Michigan              Maryland
TIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of 
MICHAEL R. TURNER, Ohio                  Columbia
JOHN R. CARTER, Texas                JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee          ------ ------
PATRICK J. TIBERI, Ohio                          ------
KATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania             ------ ------
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                  Dan Daly, Professional Staff Member
                         Juliana French, Clerk
            Adam Bordes, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 2, 2004.....................................     1
Statement of:
    Beinhorn, Dubhe, vice president, Juniper Federal Systems; 
      Scott Culp, senior security strategist, Microsoft Corp.; 
      Louis Rosenthal, executive vice president, ABN Amro 
      Services Co., Inc.; Marc Maiffret, chief hacking officer, 
      eEye Digital Security; and Steve Solomon, chief executive 
      officer, Citadel Security Software, Inc....................    92
    Evans, Karen, Administrator, E-Government and Information 
      Technology, Office of Management and Budget; Robert Dacey, 
      Director, Information Security Issues, U.S. General 
      Accounting Office; Amit Yoran, Director, National Cyber 
      Security Division, Department of Homeland Security; Dawn 
      Meyerriecks, Chief Technology Officer, Defense Information 
      Systems Agency, Department of Defense; and Daniel Mehan, 
      Assistant Administrator, Information Services and Chief 
      Information Officer, Federal Aviation Administration.......    11
Letters, statements, etc., submitted for the record by:
    Beinhorn, Dubhe, vice president, Juniper Federal Systems, 
      prepared statement of......................................    95
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................    79
    Culp, Scott, senior security strategist, Microsoft Corp., 
      prepared statement of......................................   102
    Dacey, Robert, Director, Information Security Issues, U.S. 
      General Accounting Office, prepared statement of...........    21
    Evans, Karen, Administrator, E-Government and Information 
      Technology, Office of Management and Budget, prepared 
      statement of...............................................    14
    Maiffret, Marc, chief hacking officer, eEye Digital Security, 
      prepared statement of......................................   134
    Mehan, Daniel, Assistant Administrator, Information Services 
      and Chief Information Officer, Federal Aviation 
      Administration, prepared statement of......................    70
    Meyerriecks, Dawn, Chief Technology Officer, Defense 
      Information Systems Agency, Department of Defense, prepared 
      statement of...............................................    56
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     6
    Rosenthal, Louis, executive vice president, ABN Amro Services 
      Co., Inc., prepared statement of...........................   125
    Solomon, Steve, chief executive officer, Citadel Security 
      Software, Inc., prepared statement of......................   153
    Yoran, Amit, Director, National Cyber Security Division, 
      Department of Homeland Security, prepared statement of.....    44

 
 WHO MIGHT BE LURKING AT YOUR CYBER FRONT DOOR? IS YOUR SYSTEM REALLY 
 SECURE? STRATEGIES AND TECHNOLOGIES TO PREVENT, DETECT AND RESPOND TO 
             THE GROWING THREAT OF NETWORK VULNERABILITIES

                              ----------                              


                        WEDNESDAY, JUNE 2, 2004

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 1:40 p.m., in 
room 2154, Rayburn House Office Building, Hon. Adam H. Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam and Clay.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Dan Daly, professional staff member and deputy 
counsel; Juliana French, clerk; Felipe Colon, fellow; Kaitlyn 
Jahrling and Collin Samples, interns; Adam Bordes and David 
McMillen, minority professional staff members; and Jean Gosa, 
minority assistant clerk.
    Mr. Putnam. A quorum being present, this hearing of the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order.
    Good afternoon. Welcome back. I hope everyone had a nice 
Memorial Day respite from dealing with Congress.
    Today's subcommittee hearing is entitled, ``Who Might be 
Lurking at Your Cyber Front Door? Is Your System Really Secure? 
Strategies and Technologies to Prevent, Detect and Respond to 
the Growing Threat of Network Vulnerabilities'' Today, we 
continue our in-depth review of cyber security issues affecting 
our Nation.
    The Internet has created a global network of systems that 
have improved the quality of our lives, created unprecedented 
communications capabilities and increased productivity. The 
interdependent nature of these systems has also unleashed the 
potential for worldwide cyber attacks that can affect hundreds 
of thousands of computers in mere hours. Since 1999, the number 
of cyber attacks has grown and continues to grow at an alarming 
rate. The cost of preventing and responding to these attacks is 
staggering. Some estimate that the economic impact from digital 
attacks in 2004 will be in the billions. While opinions may 
differ on the cost of the impact, there is clear evidence that 
the effect on private and public sectors is significant.
    Preventing cyber attacks and damages caused pose unique and 
menacing challenges. Our critical infrastructure and government 
systems can be and are being attacked from everywhere at any 
time. Cyber criminals, disgruntled insiders, hackers, enemy 
states and those who wish us harm are constantly seeking to 
steal confidential information, hijack vulnerable computers and 
turn them into zombies that can be used to carry out malicious 
activities. This is a global, 24/7 challenge. There can be no 
down time when it comes to protecting our Nation's critical 
infrastructure.
    Of greater concern, we know that various terrorist groups 
possess advanced vulnerability scanning capabilities and are 
very sophisticated and becoming more so each day. The 
combination of a cyber attack in conjunction with a physical 
attack could magnify the effects of the physical destruction 
and create greater mayhem. We all have a role and 
responsibility in taking appropriate measures to reduce the 
risk and improve our overall information security profile.
    In preparation for this hearing, the subcommittee traveled 
to the NSA yesterday and continued to be impressed with the 
work that is going on out there. We appreciate the efforts of 
that agency.
    As a Nation, we have taken dramatic steps to increase our 
physical security but protecting our information networks has 
not progressed at the same pace, either in the public or in the 
private sector. The Department of Homeland Security is working 
to make strides in this area. I acknowledge the efforts of the 
National Cyber Security Division but I remain concerned that we 
are collectively not moving fast enough to protect the American 
people and the U.S. economy from the real threats that exist 
today. Make no mistake, the threat is serious, the 
vulnerabilities are extensive and the time for action is now.
    New vulnerabilities in software and hardware products are 
discovered constantly. According to the CERT Coordination 
Center at the end of 2003, there were over 12,000 known 
vulnerabilities that could be exploited. They span across 
thousands of products from a number of different vendors. With 
the increasing complexity and size of software programs, we 
likely will never reach a point where no new vulnerabilities 
are discovered. However, we need to continue to strive to 
improve and develop more advanced tools for testing and 
evaluating code.
    The problem of newly discovered vulnerabilities is 
compounded by the fact that the window the good guys have is 
closing. Attackers are exploiting published vulnerabilities 
faster than ever. The recent Sasser worm outbreak occurred just 
17 days after the patch was released. Although it was largely 
contained, it still caused significant disruptions around the 
globe.
    In addition to the shrinking period from patch to exploit, 
attackers are finding faster ways to exploit existing 
vulnerabilities previously deemed low risk. In April of this 
year, a researcher reported he was able to exploit quickly a 
previously known flaw in some of the underlying Internet 
traffic technology. It was thought to take between 4 and 142 
years to exploit this flaw. The researcher cut the exploit time 
down to a matter of seconds.
    The rise of mobile computing further complicates the 
vulnerability issue. Laptops that were not connected to a 
network when the latest patches were released, can pick up a 
worm or virus and become time bombs waiting to go off when 
reconnected to the network. Remote access presents its own set 
of new and growing vulnerability challenges. Not only is the 
sheer quantity of patches and systems overwhelming for 
administrators to keep up with, but also patches can have 
unexpected side effects on other system components resulting in 
losses of system availability. As a result, after a patch is 
released, system administrators often take a long time to fix 
other vulnerable computer systems. Configuration management is 
a key element of vulnerability management and it is more 
challenging in the Federal Government, which has a number of 
legacy systems running customized applications that can be 
difficult to patch when a new vulnerability arises.
    Clearly the challenge of vulnerability management is great. 
We must ensure that current systems are cleaned and protected 
while at the same time ensuring that new systems do not become 
victims. There are tools and strategies available to help 
achieve these goals. According to at least one estimate, 95 
percent of all network intrusions could be avoided by keeping 
systems secure through effective use of vulnerability 
management strategies. We need to focus our vulnerability 
management efforts on three key ingredients: prevention, 
detection and response.
    For prevention, we need to do our best to reduce the impact 
of inevitable software and hardware vulnerabilities. That means 
having systems appropriately identified, configured and 
patched. It means producing more secure software and hardware. 
It means using new technologies, processes and protocols to 
stop attacks dead in their tracks before intrusion occurs.
    Detection, even with a strong program of protection, 
network intrusions are likely to continue. Detection requires 
laser focus. We must always be on our guard so that no 
intrusion goes unnoticed. This means a program that includes 
vulnerability scanning and intrusion detection capabilities.
    Response, once we have detected an attack, we need to have 
ways to isolate the intrusion attempt, trigger an incident 
response plan when appropriate and limit the potential impact. 
Vulnerability management is especially important in Federal 
systems. This subcommittee has aggressively overseen 
implementation and compliance with requirements of FISMA. FISMA 
provides a comprehensive risk management framework for 
information security in Federal departments and agencies. At 
the end of last year, we released a report card detailing the 
largest Federal departments and agencies progress in 
implementing FISMA. In 2003, the overall Federal Government 
received a grade of ``D,'' a slight improvement over the grade 
of ``F'' it received in 2002. The reports behind the grade 
reveals troubling signs of weakness within the Federal 
Government's information security. Of the 24 largest 
departments and agencies, only 5 had completed inventories of 
their critical IT assets, leaving 19 without. This is troubling 
considering we are 4 years into this process and still have far 
too many agencies with incomplete inventories.
    As we have said in the past, you can't secure what you 
don't know you have. You can't claim to have completed the 
certification and accreditation process without a reliable 
inventory of assets. Cyber attackers specifically target the 
Federal Government because of the high value of penetrating or 
taking over government systems. A myriad of automated attack 
tools are operating around the clock scanning the Internet for 
systems to be taken over. Experts suggest that some Federal 
systems have already been compromised and are being used as 
attack tools even as we speak. I am concerned not only how 
future systems will be protected but also how the Federal 
Government will take the necessary steps to improve the 
security and integrity of current systems. These gaps will 
persist until Federal agencies are able to appropriately track 
the vulnerability status of all of their systems using accurate 
and complete inventories.
    For the future, we will continue to monitor the agencies' 
implementation of FISMA and OMB's guidance to agencies on 
implementing FISMA. Specifically, I would like to see more 
detailed guidance and enforcement of FISMA's configuration 
management provisions. Also, with the termination of the 
Federal Patch Service [FPS], in February 2004, I am looking to 
OMB as well as the Department of Homeland Security for their 
thoughts about the feasibility of providing centralized patch 
management services to civilian agencies as part of an overall 
vulnerability management strategy.
    In conjunction with oversight of Federal information 
security, I remain deeply concerned about the state of 
information security in the private sector. Eighty-five percent 
of the Nation's critical infrastructure is owned or controlled 
by the private sector, thus, maintaining its integrity and 
availability is critical to the continued success of the 
Nation's economy and protection of the American people.
    Worms, viruses, hacking, identify theft, fraud, extortion 
and industrial espionage continue to rise exponentially in 
frequency, severity and cost. Last year alone, cyber attacks 
cost the U.S. financial sector nearly $1 billion according to 
BITS, a non-profit financial service industry consortium. 
Business leaders are responsible for doing their part to 
improve the security of information systems. I have called on 
businesses of all sizes throughout the country to consider the 
matter of information security as it relates to their business. 
Some businesses are clearly elements of the Nation's critical 
infrastructure and require a more robust risk management plan. 
However, every business has a responsibility to practice at 
least basic information security hygiene and do their part to 
contribute to the overall security of computers and networks in 
this Nation.
    Vulnerabilities in software and worms and viruses that 
exploit them have become a fact of life for the Internet. The 
Government, law enforcement, researchers and private industry 
must join together to protect the vital structure of the 
Internet and cyber criminals must be rooted out and brought to 
justice. Some progress is being made but security is a journey 
that never ends.
    Today's hearing is an opportunity to examine the challenges 
in managing information system vulnerabilities, strategies to 
assess and reduce the risk created by these vulnerabilities, 
the pace of the Government and private sector's employment of 
these strategies in securing their own systems and how 
automated tools should be employed in applying those 
strategies.
    We look forward to the expert testimony that our 
distinguished panels of leaders in information security will 
provide as well as the opportunity to discuss the challenges 
that lie ahead.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.001
    
    [GRAPHIC] [TIFF OMITTED] T6992.002
    
    [GRAPHIC] [TIFF OMITTED] T6992.003
    
    [GRAPHIC] [TIFF OMITTED] T6992.004
    
    [GRAPHIC] [TIFF OMITTED] T6992.005
    
    Mr. Putnam. We will await the distinguished ranking 
member's testimony and insert it in the record at the 
appropriate time. With that, we will go ahead and ask the first 
panel and anyone accompanying you to provide corollary 
information to the subcommittee to please rise for the 
administration of the oath.
    [Witnesses sworn.]
    Mr. Putnam. I would note for the record all the witnesses 
responded in the affirmative. We will begin the testimony of 
panel I with Ms. Evans. On September 3, 2003, Karen Evans was 
appointed by President Bush to be Administrator of the Office 
of Electronic Government and Information Technology at the 
Office of Management and Budget. Prior to joining OMB, Ms. 
Evans was Chief Information Officer of the Department of Energy 
and served as vice chairman of the CIO Council. Before that, 
she served at the Department of Justice as Assistant and 
Division Director for Information Systems Management.
    Welcome to the subcommittee. You are recognized.

  STATEMENTS OF KAREN EVANS, ADMINISTRATOR, E-GOVERNMENT AND 
INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET; ROBERT 
  DACEY, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GENERAL 
    ACCOUNTING OFFICE; AMIT YORAN, DIRECTOR, NATIONAL CYBER 
   SECURITY DIVISION, DEPARTMENT OF HOMELAND SECURITY; DAWN 
  MEYERRIECKS, CHIEF TECHNOLOGY OFFICER, DEFENSE INFORMATION 
   SYSTEMS AGENCY, DEPARTMENT OF DEFENSE; AND DANIEL MEHAN, 
    ASSISTANT ADMINISTRATOR, INFORMATION SERVICES AND CHIEF 
      INFORMATION OFFICER, FEDERAL AVIATION ADMINISTRATION

    Ms. Evans. Good afternoon, Mr. Chairman. Thank you for 
inviting me to speak about vulnerability management strategies 
and technologies.
    In the past few years, threats in cyber space have risen 
dramatically. Hackers routinely attempt to access networks and 
to disrupt business operations by exploiting software flaws. 
Because of this threat, Federal CIOs devote considerable 
resources to the remediation of software vulnerabilities. 
Currently, due to the large number of vulnerabilities 
discovered each year, agencies must correctly determine which 
patches to implement immediately and which to schedule for the 
next maintenance cycle, while sustaining their current service 
levels for their customers. Given the rise in the number of 
identified vulnerabilities, this task is becoming more and more 
of a challenge. As agencies' information technology security 
programs mature, the Federal Government is moving away from a 
reactive remediation approach for dealing with IT security 
vulnerabilities. Through implementation of guidance and 
policies that promote sound risk management, the use of 
automated tools and development of a culture where security is 
ingrained in planning and development of systems life cycles, 
the Federal Government is evolving toward a more proactive 
approach to deal with vulnerabilities existing within 
information technology applications systems and networks. As a 
result, we will be able to focus resources on analytical trend 
analysis, the use of benchmarks, leveraging buying power and 
cooperative work with industry leaders to ensure software 
development meets our needs and is safer out of the box.
    The Federal Government uses several preemptive strategies 
to assess and reduce the risk created by software 
vulnerabilities before vulnerabilities are exploited. First, 
CIOs are required by the Paperwork Reduction Act to maintain a 
current and complete inventory of the agencies' information 
resources. Each system identified in the inventory must undergo 
a threat assessment and a certification and accreditation [C&A] 
consistent with national standards and guidance.
    In addition to a system inventory and required system 
C&A's, agencies must institute a configuration management 
process. This process is intended to be closely tied to the 
system inventory, establishing an initial baseline of the 
configurations associated with existing hardware and software. 
The purpose of a configuration management process is to 
facilitate change to the baseline by ensuring security 
configurations are addressed in a standardized manner. This 
helps to prevent misconfigurations leading to vulnerability 
exploits. Configuration of mobile devices and perimeter 
security devices such as firewalls and intrusion detection 
systems are especially important since configurations help to 
mitigate risk at points where the agency's network is 
vulnerable to threats from outside their own network.
    All IT systems should be configured in accordance with 
security benchmarks. Working with the agencies and other 
industry security experts, organizations such as the Center for 
Internet Security produce security benchmarks to reduce the 
likelihood of successful intrusions. Likewise, NSA provides 
security configuration guides to the Department of Defense and 
other Government agencies. The Cyber Security Research and 
Development Act formally tasks the National Institute of 
Standards and Technology to develop security settings for each 
hardware and software system that is or is likely to be used 
within the Federal Government. The Federal Information Security 
Management Act [FISMA], is a critical mechanism used to drive 
protection of Federal systems. According to fiscal year 2003 
FISMA data, a number of departments and agencies in some cases 
had incomplete inventories of hardware and software assets. 
OMB's fiscal year 2004 FISMA reporting guidance asks the 
agency's inspector generals to comment on whether agencies are 
updating their inventory at least annually and whether the 
agency and the IG agree on the total number of systems.
    FISMA requires each agency to develop and enforce 
compliance with specific system configurations. This year both 
the CIO and the IG must report on the status of agency-wide 
policies regarding standard security configurations. 
Additionally, agencies will be asked to list the specific 
benchmarks which are in use. Because worms and viruses can 
cause substantial damage, Federal agencies must take proactive 
measures to lessen the number of successful attacks. Agencies 
use antivirus software with automatic updates in order to 
detect and block malicious code. DHS' Computer Emergency 
Readiness Team reports only a few agencies were impacted by the 
recent Sasser worm. In general, the Federal Government has 
withstood cyber attacks with minimum impact on citizens. Patch 
management is an essential part of the agency's information 
security program and although fiscal year 2003 FISMA data 
demonstrates that most agencies had a formal process in place 
for the dissemination of security patches, in several cases IGs 
had concerns with the timeliness of the distribution of 
patches. OMB's fiscal year 2004 FISMA reporting guidance asks 
whether agency configuration requirements address the patching 
of security vulnerabilities.
    Federal agencies are required to test the technical 
controls of every system identified in the agency's inventory. 
Last year, the 24 largest agencies reported that they had 
tested an average of 64 percent of their systems. As part of 
OMB's fiscal year 2004 FISMA guidance, agencies will be asked 
to specifically report on the use of vulnerability scans and 
penetration testing. Many agencies rely on automated inventory 
tools to accurately collect hardware and software information 
from computers across the enterprise. These tools record the 
presence of unauthorized software as well as outdated software 
versions. Automated inventory tools reduce the expenditure of 
staff time and simplify the process of gathering information 
from computers in multiple locations. Departments and agencies 
frequently use system and network vulnerability scanners to 
quickly identify known weaknesses in their infrastructures. 
Software scanners locate the vulnerabilities using the data 
base of already catalogued system weaknesses.
    Agencies are constantly refining their management processes 
to assure risks and threats from vulnerabilities are being 
handled in a strategic and proactive manner. This is being 
accomplished through the adherence to guidance and standards, 
configuration management, implementation of benchmarking and 
the increased use of automated tools to detect and preempt 
exploits of vulnerabilities. By taking a proactive approach, 
the Federal Government will be poised to deal with threats 
posed from cyber space. OMB will continue to work with the 
agencies and the Congress to ensure appropriate vulnerability 
management strategies and technologies are in place. These 
measures will minimize disruption and service and preserve the 
integrity and the availability of Federal systems.
    I am pleased to take questions at this time.
    [The prepared statement of Ms. Evans follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.006
    
    [GRAPHIC] [TIFF OMITTED] T6992.007
    
    [GRAPHIC] [TIFF OMITTED] T6992.008
    
    [GRAPHIC] [TIFF OMITTED] T6992.009
    
    [GRAPHIC] [TIFF OMITTED] T6992.010
    
    Mr. Putnam. Thank you, Ms. Evans.
    Our next witness is Robert Dacey. Mr. Dacey is currently 
Director of Information Security Issues, U.S. General 
Accounting Office. His responsibilities include evaluating 
information system security in Federal agencies and 
corporations, assessing the Federal infrastructure for managing 
information security, evaluating the Federal Government's 
efforts to protect our Nation's private and public critical 
infrastructure from cyber threats and identifying best security 
practices of leading organizations and promoting their adoption 
by Federal agencies.
    In addition to many years of information security auditing, 
Mr. Dacey has also previously led several GAO financial audits.
    You are recognized for 5 minutes. Welcome to the 
subcommittee.
    Mr. Dacey. Mr. Chairman, members of the subcommittee, I am 
pleased to be here today to discuss patch management and steps 
agencies can take to mitigate information security risks 
resulting from software vulnerabilities. Today we are releasing 
our more detailed report on this subject which was requested by 
this subcommittee as well as the full committee. As you 
requested, I will briefly summarize my written statement.
    The exploitation of software vulnerabilities by hackers and 
others can result in significant damage to both Federal and 
non-Federal operations and assets ranging from Web site to 
defacement to gaining the ability to read, modify or delete 
sensitive information, destroy systems, disrupt operations or 
launch attacks against other organizations. Such risks continue 
to grow with the increasing volume of reported security 
vulnerabilities, the increasing complexity and size of computer 
programs, the increasing sophistication and availability of 
easy to use hacking tools, the decreasing length of time from 
the announcement of a vulnerability until it is exploited, 
which is evidenced by the chart on the easel. As you can see, 
that has been steadily decreasing to the point where we will 
have exploits within a day of the announcement of 
vulnerability, so-called zero day exploits and those are 
becoming more commonplace as we go forward. Another risk factor 
is the decreasing length of time for attacks to propagate 
throughout the Internet.
    There have been a number of Federal efforts to address 
patch management which Ms. Evans summarized, including the 
FISMA reporting requirements as well as guidance. Also, a 
number of commercial tools and services are available to assist 
agencies in performing patch management functions more 
efficiently and effectively.
    In our testimony last September before this subcommittee, 
we described several key elements of an effective patch 
management program, including standardizing policies, 
procedures and tools, performing risk assessments and testing 
patches, and monitoring system status. Responses to our survey 
of 24 major Federal agencies included the reported status of 
agency information and implementation of these key patch 
management practices.
    All 24 agencies consistently reported having adopted 
certain of these practices, including involving senior 
management, developing system inventories, and providing 
information security training. However, agency implementation 
of other key practices varied. For example, one-third reported 
not having developed agencywide patch management policies and 
about 40 percent reported having no agencywide patch management 
procedures in place.
    Two, just under half of the 24 agencies said they performed 
documented risk assessments of all major systems to determine 
whether to apply a patch or work around, while others reported 
they considered various factors before implementing the patch. 
While all 24 agencies reported that they test some patches 
before deployment, only about 40 percent reported testing all 
and only 4 of the 24 reported they monitor all of their systems 
on a regular basis to assess their networks and patch status, 
while others indicated they performed some level of monitoring 
activities. Without consistent implementation of patch 
management practices, agencies are at increased risk of attacks 
that can exploit software vulnerabilities in their systems.
    Security experts and agency officials identified several 
challenges to implementing effective patch management 
practices, including the high volume and frequency of patches, 
the patching of heterogeneous systems typically found in 
Federal agencies, ensuring mobile systems receive the latest 
patches, patching high availability systems and dedicating 
sufficient resources to patch management. In our report with 
which OMB generally agreed, we recommend that OMB instruct 
agencies to provide more refined information on patch 
management practices in their FISMA reports and to determine 
the feasibility of providing selected centralized patch 
management services to assist Federal agencies.
    In addition to implementing effective patch management 
practices, our report also identifies several additional steps 
that can be taken to address software vulnerabilities 
including, one, employing more rigorous software engineering 
practices to reduce the number of potential vulnerabilities; 
two, deploying a layered defense in-depth strategy against 
attacks; three, ensuring strong configuration management and 
contingency planning practices; and four, researching and 
developing new technologies to better prevent, detect and 
recover from attacks as well as to identify perpetrators.
    Mr. Chairman and members of the subcommittee, this 
concludes my statement. I would be pleased to answer any 
questions you or other members of the subcommittee may have at 
this time.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.011
    
    [GRAPHIC] [TIFF OMITTED] T6992.012
    
    [GRAPHIC] [TIFF OMITTED] T6992.013
    
    [GRAPHIC] [TIFF OMITTED] T6992.014
    
    [GRAPHIC] [TIFF OMITTED] T6992.015
    
    [GRAPHIC] [TIFF OMITTED] T6992.016
    
    [GRAPHIC] [TIFF OMITTED] T6992.017
    
    [GRAPHIC] [TIFF OMITTED] T6992.018
    
    [GRAPHIC] [TIFF OMITTED] T6992.019
    
    [GRAPHIC] [TIFF OMITTED] T6992.020
    
    [GRAPHIC] [TIFF OMITTED] T6992.021
    
    [GRAPHIC] [TIFF OMITTED] T6992.022
    
    [GRAPHIC] [TIFF OMITTED] T6992.023
    
    [GRAPHIC] [TIFF OMITTED] T6992.024
    
    [GRAPHIC] [TIFF OMITTED] T6992.025
    
    [GRAPHIC] [TIFF OMITTED] T6992.026
    
    [GRAPHIC] [TIFF OMITTED] T6992.027
    
    [GRAPHIC] [TIFF OMITTED] T6992.028
    
    [GRAPHIC] [TIFF OMITTED] T6992.029
    
    [GRAPHIC] [TIFF OMITTED] T6992.030
    
    Mr. Putnam. Thank you, Mr. Dacey.
    Our next witness is Amit Yoran, the Director of the 
National Cyber Security Division, Department of Homeland 
Security. This division provides security services such as 
cyber space analysis and vulnerability alerts and warnings to 
both the public and private sector.
    Before taking this position, Mr. Yoran served as the vice 
president of Worldwide Managed Security Services at the 
Symantec Corp. He also served as an officer in the U.S. 
military, as the Vulnerability Assessment Program Director for 
the U.S. Department of Defense's Computer Emergency Response 
Team and supported security efforts for the Office of the 
Assistant Secretary of Defense.
    He is a graduate of the U.S. Military Academy at West Point 
and received a Masters of Computer Science from George 
Washington University.
    Welcome to the subcommittee.
    Mr. Yoran. Good afternoon, Chairman Putnam and 
distinguished members of the subcommittee. I am pleased to have 
an opportunity to appear before this committee to discuss DHS' 
initiatives focusing on vulnerability management.
    Today's infrastructures' interdependence on computer and 
control systems represents significant challenges in managing 
system risk. Many vulnerability management efforts can be 
characterized as a cat and mouse game of discovery, system 
patching, exploitation and incident response. We have several 
efforts well underway to best leverage Federal resources and 
collaborate with the private sector. While I am proud of our 
efforts to date, I also recognize that this is only the very 
beginning of an ever maturing process. My experiences continue 
to strengthen my conviction that fundamental changes in 
software and hardware architecture are required for us to break 
out of this cat and mouse cycle and change the fundamental 
paradigms of cyber security.
    A major element of successful vulnerability management 
include dynamic 24-7 situational awareness capabilities and the 
mechanisms for response. The Department of Homeland Security in 
partnership with Carnegie Mellon University's CERTCC has 
created the U.S. CERT to serve as a national focal point for 
response and partnership among and between public and private 
sectors. Already the U.S. CERT has created a national cyber 
alert system.
    Only through an active and productive working relationship 
with the private sector can we hope to achieve the type of 
situational awareness necessary and core capability required 
for our Nation to respond and recover from cyber incidents. To 
that end, U.S. CERT has over the past few months developed 
coordination activities and 24-7 interactions with the 
operational elements of the 14 ISACs of our Nation's critical 
infrastructures. We are actively growing these relationships to 
foster trust and gain a better appreciation for one another's 
capabilities, relative strengths, and understanding for how we 
might be able to work together during time of crisis. This 
initial operational interaction with the ISACs has been very 
warmly received and represents a fundamental building block for 
the public/private partnership.
    We have also increased our efforts interacting with cyber 
experts in the private industry who might be able to provide 
great value to the Nation in interpreting cyber activities as 
they unfold. I commend those entities in the private sector 
which have already stepped up to the plate in helping the U.S. 
CERT in this ongoing and collaborative effort.
    It is our goal that this will result in a more structured 
partnership program this summer. The U.S. CERT Partner Program 
will become the cornerstone of national cyber security 
coordination for preparedness, analysis, warning and response 
efforts across the public and private sectors. Such a 
partnership and early warning network has already been 
specifically called for by the National Cyber Security 
Partnership's Early Warning Task Force recommendations and 
other advisory bodies and entities.
    The U.S. CERT is developing a focused control system center 
to specifically look at cyber vulnerabilities, exploits, 
protective measures and coordinate response activities within 
the critical infrastructure control systems. This Control 
System Center will work with the control systems and SCADA 
vendor communities, ISACs and operators to increase awareness 
of and attention to security considerations in the operation of 
our Nation's critical infrastructures. The Control System 
Center will also include the development of a control system 
test bed facility.
    Over the past 3 months, we have helped the public sector 
better organize itself in the area of cyber security, first, 
through the creation of the Government Forum of Incident 
Response and Security Teams. Those individuals and 
organizations responsible for cyber incident response within 
the Federal community are sharing information and better 
coordinating their defensive efforts. Second, we have created 
the Chief Information Security Officer Forum for the CISOs of 
the Federal Government to share common experiences, challenges, 
techniques, programs and capabilities. Those CISOs, the 
operators responsible for securing the information systems in 
the Federal Government, have specific efforts underway in the 
areas of FISMA, patching and configuration management and 
incident reporting and response.
    In addition to helping the Government better secure its 
cyber space, we are preparing the Federal Government to bring 
its resources to bear in a more coordinated fashion during time 
of cyber crisis. Through the creation of the Cyber Interagency 
Incident Management Group, departments and agencies with 
significant security operating capabilities and authorities to 
operate in the cyber realm are already preparing coordinated 
Federal action.
    The efforts I have mentioned constitute only a portion of 
the national programs underway, not only within the Department 
of Homeland Security and the Federal Government but most 
importantly within the private sector to address cyber 
vulnerabilities. While these efforts are improving our 
preparedness, the most effective step toward vulnerability 
management must occur through the prevention step. A clear 
focus on improved software assurance must become a cornerstone 
for the public/private partnership. The Software Assurance Task 
Force of December's Cyber Security Summit has made numerous 
specific recommendations to improve the quality of code 
throughout the software development life cycles. Those 
recommendations and others underway are fundamental for the 
private sector to mitigate risks and assure software integrity, 
reducing the numbers and impact of vulnerabilities we will face 
in the future.
    Industry leaders such as Microsoft and others have enhanced 
their development processes. Their adoption of best practices 
may lead to a decline of vulnerabilities in server software and 
corresponding reduction in the number of patches for their 
customers. Oracle and others are committed to more secure 
products and have undergone numerous security evaluation 
efforts of their products. We commend those who are making 
security improvements a clear priority for their development 
practices and for their business.
    Thank you for the opportunity to testify before you today 
and I would be happy to answer any questions you may have at 
this time.
    [The prepared statement of Mr. Yoran follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.031
    
    [GRAPHIC] [TIFF OMITTED] T6992.032
    
    [GRAPHIC] [TIFF OMITTED] T6992.033
    
    [GRAPHIC] [TIFF OMITTED] T6992.034
    
    [GRAPHIC] [TIFF OMITTED] T6992.035
    
    [GRAPHIC] [TIFF OMITTED] T6992.036
    
    [GRAPHIC] [TIFF OMITTED] T6992.037
    
    [GRAPHIC] [TIFF OMITTED] T6992.038
    
    [GRAPHIC] [TIFF OMITTED] T6992.039
    
    Mr. Putnam. Thank you, Mr. Yoran.
    Our next witness is Dawn Meyerriecks, the Chief Technology 
Officer, Defense Information Systems Agency and provides 
technical direction for Defense's Global Information Grid 
initiative. Before joining DISA in September 1995, Ms. 
Meyerriecks was the Chief Architect for the Army Global Command 
and Control System.
    She attended Carnegie Mellon University and was awarded a 
Bachelor of Science Degree in electrical engineering with a 
double major in administration and management science. She has 
also received a Master of Science in computer science from 
Loyola Marymount University. Her awards include InfoWorld 2002 
CTO of the Year; Federal Computer Week 2000 Top 100; and the 
Presidential Distinguished Service Award in November 2001.
    Welcome to the subcommittee. You are recognized.
    Ms. Meyerriecks. Thank you, Mr. Chairman. It is my 
privilege to testify for this august body on vulnerability 
management in the Department of Defense today. You do have 
handouts of slides and I would like to speak to those. Because 
we actually put some statistics and reporting on ourselves, it 
would probably be useful for you to glance at those as we go 
through the presentation.
    Let me start with slide 2 to explain where DISA sits in 
terms of the Department of Defense. We are the IT integrator, 
we are the joint acquisition, engineering and operations 
organization within the Department of Defense and 50 percent of 
our 8,000 personnel are deployed to the field at any particular 
point in time. If you look at that particular slide, we put in 
the wide area networks, we run the computing centers and we 
also build the applications stack for joint command and control 
and joint combat support operations, as well as a number of 
other things we do on the righthand side of the slide. We do 
White House communications support to the President and a 
number of related computer science and electrical engineering 
systems engineering things that actually pull the whole 
capability together as the backbone infrastructure that 
supports the Department of Defense. I thought that was 
important to go through that to give you kind of where we sit 
in terms of DOD responsibilities.
    If you will move with me to the next slide on incidents 
reported, you can see by the curves that some interesting 
things are happening. The initial curves are related to the 
fact that this is kind of a relatively new sport but also that 
we got better in terms of detection. You see fairly steep 
curves in terms of year over year, 1997 to 2002. You will 
notice that it flattened a bit between this year and last year 
and we attribute that, based on ongoing analysis, the fact that 
we have tightened our NPPR net/Internet gateways. Our NPPR net 
is the DOD's intranet, if you can envision it as our corporate 
intranet, and we actually tightened up a great deal of the 
protocols that we make available to the Internet community in 
terms of the kinds of traffic that we pass. At least so far 
that looks like that has been a very key strategy for us. It is 
a big part of our Defense in-depth approach. I wanted to 
highlight that as we move into the vulnerability management and 
talk about the servers and computers in the department that we 
don't count on any one of these in order to address the 
problem, we actually are putting in checks and balances in as 
many places as we have opportunity.
    On the next slide, I am going to drill down on the two 
sorts of most onerous access problems we see from a computer 
perspective. We have a whole categorization that we have worked 
across the community and we are going to spend a little time 
assuming with you are familiar with unauthorized root access 
and unauthorized user access, let me give you two examples. 
Unauthorized root access in a command and control application 
would say that somebody who achieved that could actually change 
the position of friendly or enemy forces anyplace on the planet 
if they were at the right server, pretty onerous for us. 
Unauthorized user access would say that if I were the actual 
track manager for my position in terms of the ship if I am on 
ship, I could only change that particular piece for which I 
have legitimate access. Those are the two sorts of things we 
worry about most in terms of impact to mission.
    If you will turn with me to the next slide which is serious 
incidents in DOD, if you keep in mind those two situations then 
you can see the graphs. It is a relatively busy slide but I 
will tell you the trend for user level access is slightly 
downward if we smooth those curves. The trend for CAT1 root or 
administrator access is slightly upward if we smooth those 
curves. The good news is that overall this represents 4 million 
computers in the unclassified environment that the DOD supports 
and the number of incidents actually relates to the number of 
computers that have been compromised at that level. So the good 
thing is in orders of magnitude, clearly 35 is still something 
to be worried about given the magnitude of the work that we do.
    If you will turn to the next slide, No. 6, why did these 
attackers succeed, I think we have shown these slides in the 
past or similar slides that match the statistics my colleagues 
have spoken to, 90 percent, based on the data we collect and we 
run the DOD CERT, are preventable. You can see the progress we 
are making there in terms of 26 percent of those we actually 
are ahead in terms of having issued an information assurance 
vulnerability alert to the department that people are required 
to act on within prescribed time constraints and the 64 percent 
my colleagues have talked about in terms of misconfigurations 
and the configuration management point you made in your opening 
statements, there is still 10 percent that we can't predict and 
that we deal with as they occur.
    If you will turn to the next slide, this is a pretty 
simplistic statement of what it is we are trying to do. We try 
to put these out so that it is very simple for folks to follow 
what their job is particularly our system administrators and 
our operators, those charged with protecting the IT assets of 
the Department.
    This will be my final slide, steps to the goal, there are 
drilled down slides that are provided further in the brief that 
talk to each one of these points. We have done a couple of 
things this year that I think are very important that we 
articulate. One is we have put in place a clear chain of 
command. There is a single belly button now that is responsible 
for the status of the IT infrastructure in the Department. It 
is a four star and we are a component of supporting that four 
star. His or her responsibility today is to monitor, manage and 
operate the network and the associated IT assets.
    The steps to the goal, the preventive, proactive piece, we 
have put together secure configuration guidance in concert with 
the National Security Agency and we make those broadly 
available. We have had some success with actually getting 
vendors in step two to ship us products that are configured 
from their factories that are in compliance with that secure 
guidance so that we actually get components from the factory 
that are already configured accordingly. We also distribute 
gold disks for those that want to start from scratch with 
computers that are not configured that way and provide 
antivirus software and enterprise level not just to the 
Department in terms of IT assets that we own but also for home 
computer use. We find a lot of times one of the problems is 
people bring in disks that are actually infected. That way we 
can preclude some of that.
    Step three, we have a very robust set of patch servers 
stood up not only on our intranet but also on our classified 
network so we can keep current. We have the IAVA process I 
talked to and we are in the process of procuring for the 
Department and automated remediation tool so that we can take 
inventory and apply patches as they become available as it 
makes sense to do so.
    Step four is the state of all the computers we have in the 
process of this procurement but we also send out compliance 
teams that do on the order of several hundred visits a year and 
we are training the services to be able to do this themselves 
as well. We also spot check that people are keeping their 
configurations current.
    With that, I am happy to take any questions the committee 
has.
    [The prepared statement of Ms. Meyerriecks follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.040
    
    [GRAPHIC] [TIFF OMITTED] T6992.041
    
    [GRAPHIC] [TIFF OMITTED] T6992.042
    
    [GRAPHIC] [TIFF OMITTED] T6992.043
    
    [GRAPHIC] [TIFF OMITTED] T6992.044
    
    [GRAPHIC] [TIFF OMITTED] T6992.045
    
    [GRAPHIC] [TIFF OMITTED] T6992.046
    
    [GRAPHIC] [TIFF OMITTED] T6992.047
    
    [GRAPHIC] [TIFF OMITTED] T6992.048
    
    [GRAPHIC] [TIFF OMITTED] T6992.049
    
    [GRAPHIC] [TIFF OMITTED] T6992.050
    
    Mr. Putnam. Thank you. Is belly button a technical term or 
is that Defense jargon? [Laughter.]
    Our next witness is Daniel Mehan, the Assistant 
Administrator, Information Services and Chief Information 
Officer, Federal Aviation Administration. In that capacity, he 
is the principal advisor to the Administrator on the agency's 
information technology and directs strategic planning for 
information technology across the agency. He oversees the 
implementation of the FAA's information system security, E-
Government and process improvement programs.
    Prior to joining the FAA, Mr. Mehan spent 30 years at AT&T 
where upon his retirement he served as international vice 
president for quality and process management.
    Mr. Mehan graduated from Drexel University with a 
Bachelor's Degree in electrical engineering. He also has a 
Master's in systems engineering and a Ph.D. In operations 
Research from the University of Pennsylvania.
    Welcome to the subcommittee. You are recognized.
    Mr. Mehan. Good afternoon, Mr. Chairman and members of the 
subcommittee. It is my pleasure to appear before you today to 
provide a perspective on the challenges of securing information 
systems in a Federal/civilian agency and to share with you the 
model the FAA has developed to address these challenges over 
the next several years.
    I would like to commend the subcommittee for holding this 
hearing on the effects of our cyber security program and to 
acknowledge my colleague, Lisa Schlosser, the Department's 
Associate CIO for Information Technology Security.
    The FAA maintains, operates and regulates the largest and 
most complex aviation system in the world. Effective management 
of a vast web of information about aircraft, weather, runway 
conditions, navigational aids and myriad of other elements is 
paramount to accomplishing our mission. To secure its cyber 
infrastructure, the FAA is implementing an android model for 
cyber defense depicting on the easel to your left that emulates 
one of the most resilient systems in the world, the human body. 
This holistic view enables the agency to address both short and 
long term cyber security objectives within the context of a 
unified framework.
    There are six principal elements of the android cyber 
defense and they are analogous to six facets of the human 
body's defense. The three on the left side of the android are: 
architecture simplification, element hardening and boundary 
protection are the ones that have received the most attention 
historically and I would like to address them first.
    Architecture simplification is analogous to nutrition and 
exercise. It is designed to ensure that the cyber 
infrastructure is in good shape to resist an attack. In this 
area, we are developing a technical reference model and common 
access architecture that will become the road map for effective 
information technology applications in the future. We are also 
ensuring that the number of systems in our inventory declines 
over time as we establish a more streamlined information 
technology architecture.
    Element hardening is analogous to protecting major organs 
such as the heart and lungs. This element focuses on 
vulnerability management since it is about discovering 
vulnerabilities and setting priorities to conduct remediation. 
The FAA will complete security certification and authorization 
packages on more than 95 percent of its systems by the end of 
this month. In addition, more than 1,600 FAA servers are 
scanned on a regular basis in order to identify and reduce the 
number of vulnerabilities per server. Results in these areas 
are included as key metrics in the FAA's overall management 
plan known as our flight plan which is reviewed monthly with 
Administrator Blakey.
    With respect to patch management, the FAA has established 
policy and is currently using patch management tools to deliver 
software patches on our systems. We are also completing the 
requirements for a departmentwide patch management tool set 
which will allow for an enterprise-wide license and 
standardized approach.
    Boundary protection is analogous to skin and membrane. It 
is the first line of defense against invaders. The FAA has 
significantly improved its boundary defense by reducing the 
number of authorized Internet access points, by implementing a 
new email system that reduces the number of mailboxes from 855 
to 12 and by beginning to deploy the new FAA telecommunications 
infrastructure.
    We believe there are tangible benefits being gained from 
our focus on the three left side elements of the android 
demonstrated by the fact that the agency and the Department 
have fared well in the recent cyber storms of Sasser, blaster 
and nimda. That said, there is much more to do.
    The FAA is on a path to modernize its air traffic systems 
and to use more commercial, off the shelf products. The agency 
will also augment the three elements on the right side of the 
android model: orderly quarantine, systemic monitoring and 
informed recovery.
    Orderly quarantine is analogous to the human body's immune 
system. We need a cyber immune system that can find, analyze 
and cure previously unknown viruses faster than the viruses can 
spread. Human intervention must be eliminated for portions of 
the defense because of the necessity to react quickly. 
Increased research will be required in the coming years to 
develop practical defense capabilities in this challenging area 
and it is an area where people process and technology must be 
blended.
    Systemic monitoring is analogous to monitoring the vital 
signs of the body on a continuous basis. The FAA wants to 
implement an IT infrastructure that can detect failures in near 
real time and protect and heal itself. This capability requires 
the system to know its environment and to act accordingly. Self 
awareness and autonomic capabilities are still embryonic. One 
challenge in these operations is that input from a large number 
of network sensors involves enormous amounts of data that must 
be processed. The FAA has begun incorporating into its Computer 
Security Incident Response Center a data fusion capability 
using the next generation of tools to conduct data aggregation 
and event correlation to detect anomalous behavior.
    Informed recovery is analogous to medical regimens such as 
administering antibiotics and undergoing surgery. Informed 
recovery and complex information systems is the set of actions 
that occur after there has been a cyber security incident. For 
the FAA these actions will include advisories from our CERT, 
establish procedures to be followed during an alert and orderly 
backup and recovery mechanisms. Since a key requirement is to 
shrink response time, one of the near term goals is to converge 
vulnerability scanners, trouble ticketing programs and patch 
management software in order to automate more of the process 
from scanning to notification to remediation. The private 
sector can advance this initiative by exporting system message 
logs to an external bus so that this information can be used in 
real time with the other data sources.
    To conclude, Mr. Chairman, the FAA, with the entire 
Department of Transportation, is complying fully with FISMA and 
has fared well using its multi-layered defense approach in the 
face of recent viruses and worms. That said, cyber defense over 
the balance of this decade must rely on the total android. The 
FAA will meet this challenge through a coordinated application 
of traditional and emerging techniques that provide a 
comprehensive approach to cyber defense. The android model 
presents a unifying framework for addressing cyber security on 
such a comprehensive basis.
    To make one final human analogy, no one can guarantee we 
will never catch a cold but we need to be sure it doesn't 
become a case of pneumonia. The FAA and the Department of 
Transportation are dedicated to achieving that objective.
    That concludes my remarks, Mr. Chairman. I would be pleased 
to answer any questions you may have.
    [The prepared statement of Mr. Mehan follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.051
    
    [GRAPHIC] [TIFF OMITTED] T6992.052
    
    [GRAPHIC] [TIFF OMITTED] T6992.053
    
    [GRAPHIC] [TIFF OMITTED] T6992.054
    
    [GRAPHIC] [TIFF OMITTED] T6992.055
    
    [GRAPHIC] [TIFF OMITTED] T6992.056
    
    [GRAPHIC] [TIFF OMITTED] T6992.057
    
    [GRAPHIC] [TIFF OMITTED] T6992.058
    
    Mr. Putnam. Thank you, Mr. Mehan.
    Mr. Clay, would you like to make any opening statements?
    Mr. Clay. No, I will forego the opening statement and get 
right to the questioning.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]
    [GRAPHIC] [TIFF OMITTED] T6992.059
    
    [GRAPHIC] [TIFF OMITTED] T6992.060
    
    Mr. Putnam. Very well. I will recognize you for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman, for holding this 
hearing. I guess I had better start with Mr. Dacey.
    I would be interested to know your views on whether FISMA 
ought to be reexamined to address issues of cyber security in 
the Federal Government? Are there specific issues that should 
be addressed in this Congress, in particular?
    Mr. Dacey. In terms of FISMA, I think the law itself is 
fairly complete and comprehensive. I think there are a number 
of steps still underway, certainly the development of standards 
by NIST, the continuing refinement and development of some of 
the performance measures and reporting processes to assist the 
Congress in oversight. At this point, I don't have any specific 
changes that would be required but I do suggest that Congress 
should continue, and this subcommittee in particular, as it 
has, to monitor the progress of FISMA's implementation. There 
certainly have been challenges identified that need to be 
addressed and those need to go forward and continue to be 
monitored and improved over time.
    Mr. Clay. Based upon your survey, what patch management 
practices do agencies need to focus on?
    Mr. Dacey. The areas that we looked at, and this is a 
survey and self reported information, but overall, we found 
there were some practices that were consistently applied. I 
think the area that was interesting to me personally was the 
number of agencies that did not have agencywide patch 
management policies and procedures. I think what I said before 
was a third said they didn't have agencywide policies and about 
40 percent said they didn't have procedures. I think that is an 
important area because unless you have a consistent approach to 
patch management in the agency, there is a high likelihood that 
you are going to do it in an ad hoc manner and be consistent in 
protecting your infrastructure.
    In terms of some of the other areas, I think in risk 
assessments in terms of testing and monitoring, I think all the 
respondents said they were doing some level. There were some 
agencies, however, that were kind of at the top end, testing 
all patches, doing formal risk assessments. I think there is 
some variation in the extent to which they are applying those 
practices and that might be something to continue to look at 
and determine whether or not some of those agencies should come 
up a level in terms of their adoption of those practices.
    Mr. Clay. Thank you for that answer.
    Mr. Yoran, your testimony mentions efforts underway to 
develop a comprehensive operational partnership called the U.S. 
CERT Partner Program for Improved Security Response Efforts. 
Can you describe for us the key changes that you feel will 
demonstrate improvements over current U.S. CERT efforts? Is the 
private sector embracing these efforts or are there pockets of 
resistance within certain industries or sectors?
    Mr. Yoran. There are a number of improvements between the 
partnership program which the U.S. CERT is undertaking and the 
existing paradigm. In many cases, the national response in 
cyber security has historically been coordinated by a number of 
private and trusted relationships and we will continue to 
encourage those relationships but at the same time, we 
recognize a need as our Nation's dependence on technology 
increases, the need for us to institutionalize many of those 
interactions and institutionalize the response as a Nation to 
cyber activities and incidents. So the focus in the partnership 
program is to really extend the existing practices surrounding 
incident response, to institutionalize them, to promote the 
dialog and structured relationships that can promote a more 
effective response going forward.
    In terms of reluctance or resistance to such a partnership 
program, we have been very encouraged by the enthusiasm of the 
private sector to interact with the Department of Homeland 
Security and in fact with the other departments and agencies in 
the Federal Government in a coordinated national response 
activity. So I think in large part, we are very pleased by the 
response.
    Mr. Clay. Let me ask, did you deploy any of the national 
cyber alert systems recently with the different viruses and 
worms and how did that work?
    Mr. Yoran. We have issued a number of alerts. The National 
Cyber Alert System went live January 28, 2004. We have issued a 
number of alerts based on our analysis, based on feedback in 
collaboration we have had with other departments in the Federal 
Government and also with numerous entities in the private 
sector providing us their analysis and opinion on severity of 
vulnerabilities and the breadth of ongoing activities.
    In terms of the effectiveness of that program, we have had 
in just a few months time over a quarter of a million direct 
subscribers, people looking for the types of information which 
we are publishing to them and we have also established 
relationships with other programs such as Infoguard and other 
entities which are actively engaged in responding to cyber 
security activities. They are also distributing that 
information. So we are pleased with the progress of that alert 
system and the private sector has also engaged us in numerous 
incidents where they want to leverage our capability to help 
get out the word about a particular vulnerability. A case of 
that might be where Cisco had a number of vulnerabilities a few 
weeks ago and they wanted to ensure that the word got out about 
those vulnerabilities to the folks responsible for protecting 
those routers. Through that relationship, we are able to help 
them in that effort.
    Mr. Clay. For Ms. Meyerriecks, how do you assess the risk 
associated with different vulnerabilities? Does this affect 
your approach in monitoring your networks for vulnerabilities 
and attacks? In one of your handouts, you talk about DOD 
employees using their personal home computers. How secure is 
that practice?
    Ms. Meyerriecks. Let me make sure that I clarify that. Our 
employees use not their work computers but their personal 
computers at home and when they find something that is useful 
and many of us work long hours, I am sure you can relate, they 
may in fact bring in a disk or some other media. When we did 
the enterprise license for antivirus and associated things, we 
actually licensed it such that they could also use it for home 
use on their home computers.
    Mr. Clay. I wonder how much work they actually take home. I 
am just curious.
    Ms. Meyerriecks. At least some of us work lots of hours 
which I am sure you can relate to. I just wanted to be clear on 
that.
    The reason we categorize the threats is a risk assessment 
strategy that we take and if it is categorized as a relatively 
low threat, then we can react to that at a different pace than 
we would if something looked like it could cause a real 
compromise. That is intrinsically why we categorize things. The 
things I talked to today, the category I and II are those 
things we think would have most mission critical impact. We 
work those at a much higher priority, much higher pace. In lots 
of cases, we are actually supplying to other folks the code and 
sharing information very, very early on so that we are 
positioned to respond very quickly to the threats before they 
become widely known, publicly or can be exploited. That is part 
of our risk management mitigation strategy that we have 
categorized things to respond in that way.
    Mr. Clay. Thank the panel for their answers.
    Thank you, Mr. Chairman.
    Mr. Putnam. Thank you, Mr. Clay.
    Ms. Evans, in FISMA, there is a section that targets 
vulnerability reduction requiring each agency to develop 
specific system configuration requirements. Can you elaborate 
on the steps that have been taken or will be taken to enforce 
this provision?
    Ms. Evans. We have sent out our draft FISMA reporting 
guidance to the agencies for this year, fiscal year 2004. We 
are specifically asking questions about how they are putting 
together the configuration management and how they are managing 
that particular aspect of the act. As I said in my statement, 
we are asking specifically if they are using industry 
benchmarks, how they are managing the process and how they 
identify vulnerabilities. This is an ongoing process of which 
the IGs are also involved through verification of agency data 
and assessment of the process and look at how the agency, the 
department's management of the IT security program overall. We 
are specifically addressing the configuration management issue 
this year as well and asking the IGs to look at that.
    Mr. Putnam. Part and parcel of that, how great an obstacle 
is it that so few agencies have completed the reliable 
inventory of assets? How does that play into vulnerability 
management?
    Ms. Evans. As we previously discussed during the March 
hearing, we agree that this really is the heart and soul of the 
issue and that it is difficult for an agency to say they have 
secured 90 percent of their systems if there isn't a good 
management process in place to identify the inventory of those 
systems. Again, in the fiscal year 2004 guidance, we are 
stressing that point and asking the IGs to look at how that 
process is being managed within the agency and whether 
inventory is being updated. We have taken your concerns very 
seriously and we too have asked those questions.
    As you know in the scorecard one of the criteria that is in 
place in order for agencies to go green, they have to be able 
to show that they have certified and accredited 90 percent of 
their systems. The basic question we are asking is, how they 
identify the 90 percent, and how they can assert that this 90 
percent is based off of the covered inventory and whether there 
is a good process in place to manage this invention before an 
agency will really move to green.
    Mr. Putnam. Mr. Yoran, FISMA also requires each agency to 
establish minimum security configuration standards for the 
system they deploy. I would expect DHS is the leading agency in 
meeting this requirement so that other agencies can learn from 
your experience. What have you done to develop minimum security 
benchmarks?
    Mr. Yoran. We are working actively with a number of 
organizations within the Federal Government to help establish 
those standards. Clearly it is not an effort which can be done 
within the Department of Homeland Security in isolation. To 
that end, we are working with NIST on those efforts and we are 
also working with the Center for Internet Security and making 
sure that the standards which are produced by the Center are 
readily available to those departments and agencies should they 
choose to adopt them for their own systems. It is also an area 
where we believe significant progress can be made working with 
vendors and encouraging them to take stewardship for their 
products in producing security configuration guidelines for 
those products, not only for the Federal departments and 
agencies but for use in the private sector as well.
    Mr. Putnam. Is it that partnership or some other testing 
facility that you have established to ensure applications are 
not negatively infected by the more secure configurations?
    Mr. Yoran. There are a number of testing labs and 
facilities both in the private sector and in the public sector 
to focus on vulnerabilities and configuration management. Our 
effort, specifically in the Control Systems Center of U.S. CERT 
and the test bed facility is to look at the control system and 
SCADA applications which are in use in the critical 
infrastructures and to increase emphasis, focus and testing of 
their security features and mechanisms.
    Mr. Putnam. Section 3544 of FISMA describes Federal agency 
security responsibilities as including ``information systems 
used or operated by an agency or by a contractor of an agency 
or other organization on behalf of an agency.'' That same 
section also requires that each agency provide information 
security for the information and ``information systems that 
support the operations and assets of the agency, including 
those provided or managed by the agency, another agency, 
contractor or other source.'' OMB's guidance in 2003 states, 
``Agencies are responsible for ensuring appropriate security 
controls for third party systems that have access to Government 
systems.''
    In my 2003 FISMA report card, the majority of agencies had 
not reviewed FISMA compliance with their contractors. What 
steps are being taken to remedy this and who is, to borrow Ms. 
Meyerriecks' term, who is the belly button to ensure this is 
happening? We will start with you, Ms. Meyerriecks.
    Ms. Meyerriecks. Because of the sensitivity of the mission 
that the Department has, we have for many years put in place in 
our contract and acquisition strategy security criteria, 
particularly for developers and administrators of mission 
critical classified systems. That is has been a common practice 
for us for a number of years. I want to distinguish a couple 
different levels of contract support that we do. There are 
contractors that administer systems in our environment, on our 
behalf. They fall into the exact same set of criteria that any 
of us do as a Government or military employee of the Department 
of Defense. It may be contractor maintained but it is a 
Government asset, so we apply the exact same physical security, 
information technology security. That is in our best interest 
and we have done that because of the criticality of the 
mission.
    The second level I think is what you were poking at more 
directly and that is the people that supply products to us. 
Those folks, because of the acquisition strategy that we have 
in place, have to fall under the same sort of criteria. For 
example, if you are doing mission critical command and control 
for us, then there is a common security classification 
clearance required as well as for example, contractors cannot 
work in our building unless they have a secret level DOD 
clearance and have had that in place for quite some time.
    If you are poking at the commercial industry, that is 
another step we would need to work with OMB and the rest of the 
agencies to look at what the implications are there. That is 
very far reaching as you are well aware.
    Mr. Putnam. Ms. Evans.
    Ms. Evans. As part of our FISMA guidance, we do provide a 
question and answer section to clarify these types of issues 
going forward to the agencies. As far as asking who is 
responsible, the way that FISMA is set up, each agency head is 
responsible for the management of their overall security 
program. Therefore, if they make use of multiple contract 
services, the issue of how they manage their overall security 
profile needs to be addressed. We are planning to look at that 
this year along with the other issues that we have talked 
about, such as configuration management.
    Mr. Putnam. Mr. Dacey, do you want to add anything to that?
    Mr. Dacey. Just a couple comments. When we did the first 
GISRA implementation, identification was made that contractor 
systems were a problem because a lot of agencies weren't 
considering them. In last year's FISMA reporting we got a bit 
of improvement but there was a discrepancy to some extent in 
this particular measure between the IGs and the CIOs reporting 
the information. The CIOs said as my records indicate 22 
agencies said they did manage and monitor their contractor 
systems appropriately. The IGs said about half of them did. So 
there was some difference. I think that is one area as we 
talked about in March that further refinement of the type of 
information we are getting back would be very helpful. Right 
now there is basically one question that says are you 
monitoring and supervising your contractor systems. I think if 
we were to look at that and perhaps gain a bit more information 
in the next reporting cycle, which Ms. Evans alluded to, I 
haven't seen what you are asking for, that could help get that 
information. I think that is an important area.
    I still think there are areas that haven't been explored 
and OMB's guidance talks about State and local governments. The 
Federal Government has lots of systems that interact with State 
and local systems particularly in the benefits area. That is an 
area that I don't know has been explored a lot. I know in some 
areas there has been a lot of exploration. Medicare contractors 
have long been supported. I know DOD has done that for several 
years. So I think that is an area where we need to keep looking 
closely. I think that is a risk area as evidence from our 
control system testimony. A virus gotten from a contractor 
system right into the Davis Bessey nuclear powerplant which 
fortunately at that time was under maintenance but it just goes 
to show there are lots of avenues and opportunities. We 
routinely test some of those areas when we do our security 
reviews, particularly where contractors are regularly into 
agency systems.
    Mr. Putnam. Mr. Mehan, you mentioned your agency's total 
compliance with FISMA. Does that include the OMB's guidance 
regarding third party systems and contractors?
    Mr. Mehan. Yes. We have put a lot of focus on personnel 
security. Our contracts have all been modified to be sure that 
wherever people are dealing with information technology and 
have access to our systems, the appropriate clearances are 
provided and that we know the people who are using those 
systems.
    I will tell you though that just as in the long run, there 
are more sophisticated techniques that will be used, it is our 
intent over the longer run to eventually use biometrics to test 
the entry of contractors or others to our systems on a more 
controlled and daily basis.
    Mr. Putnam. Mr. Dacey, as I mentioned in my opening 
statement, my concern is not only on how future systems will be 
protected but how we retrofit current systems and improve their 
security and integrity, cleaning them, protecting them and 
making sure they are not immediately spreading something to the 
newer systems. Some suggest that Federal systems have already 
been compromised and are currently being used as attack tools. 
What are your thoughts on that? Obviously it is very alarming 
and how do we go about identifying those and cleaning up those 
systems?
    Mr. Dacey. There are a couple of issues there. One is the 
challenge in the Federal environment particularly of applying 
patches and other techniques to protect those systems in the 
first place. Again, prevention is the first step. I think the 
challenge there is how do we keep the system patched. We have 
control systems with unique characteristics that you can't just 
apply a patch, it might break your control system and the 
vendors sometimes take a while to understand and assess the 
patches before they can apply them because those control 
systems rely upon some of the same operating systems that 
vulnerabilities occur.
    Additionally, in applying patches, testing them is a major 
challenge. I think if you look at successful agencies or 
private sector actually, and I think you made some visits in 
the field, you will see they have standard builds. We talked 
about it here at DISA, we are hearing about that at Agriculture 
and other places. If you don't have standard configurations, 
you don't know how your systems are going to react when you 
start applying these patches and making the fixes. So I think 
that is another area we need to keep looking to in terms of 
that, and a very critical area because it takes a lot of time 
if you have all disparate systems to understand how these 
patches are going to affect them.
    The third area is just looking at some of these other 
practices we talked about today, defense in-depth and some of 
the other strategies, not just patching but how do we protect 
the whole by providing layers of protection. Related to that as 
part of FISMA is the whole process of monitoring these systems, 
making sure we are able to detect anomalous activities so if we 
do find someone is in there doing inappropriate things and stop 
it as quickly as possible. I can't speak to the extent to which 
that may be happening but certainly there have been reported 
instances where Federal systems have been attacked and used as 
servers for chat rooms, certainly some State systems have been 
used to do other activities because someone broke in and set up 
back doors. It does happen. I just don't know or have any 
information on the frequency but it is possible.
    Mr. Putnam. Mr. Yoran, how effectively are we using other 
information technology management options, the Federal 
enterprise architecture comes to mind, to promote or ensure 
information security within the Federal Government? I will let 
you take first crack and then Ms. Evans.
    Mr. Yoran. I believe we are leveraging the enterprise 
architecture. It is really an area that falls outside of the 
specific purview of the Cyber Security Division and I would 
defer to Ms. Evans.
    Ms. Evans. Thank you for asking that question. Actually, as 
we have discussed previously, the Architecture Committee of the 
CIO Council has been working on a security profile to overlay 
through all the models of the Federal enterprise architecture. 
The reason for this is to be sure that security is thought of 
through all aspects of the system life cycle as investments go 
forward. The Federal enterprise architecture, from our 
standpoint, is very critical and security needs to be 
highlighted from the very beginning of the planning of an 
investment all the way through the operations and maintenance 
of that investment. We have to ensure that we are leveraging 
best practices and components that have been deployed in other 
parts of the Government and the architecture will give us the 
tool with which we can do that. Several of the mechanisms and 
practices we are talking about will be brought to life as we 
leverage this profile. The Council is getting ready to release 
a draft of this profile to the CIOs for comment very shortly.
    Mr. Putnam. Ms. Meyerriecks, take a moment if you would and 
give us some detail as to what security procedures DOD has 
implemented.
    Ms. Meyerriecks. We could go on at length about those but 
some of the ones I think have been most effective, some of the 
things we have done in the past 12 months are the tightening up 
I spoke to in my testimony about the interfaces between the 
corporate intranet, our NPRA Net as we refer to it and the 
Internet in terms of the gateways but we were also in a 
situation several years ago and brought to the attention of the 
Secretary where we actually had no DMZ, a demilitarized zone, 
actually a common IT term as well but it fits the military very 
well in terms of where we put our public facing Web servers and 
portals. People were actually coming into our corporate 
intranet to hit those. That was a major issue because it made 
us very vulnerable to anybody who could exploit one of those in 
terms of getting into the corporation. So one of the major 
initiatives we took on in the last 12 to 18 months was to 
establish a demilitarized zone and put out practices and 
procedures for how a provider, and we have literally tens of 
agencies that provide public facing, consumer interfaces, how 
they could intersect with our demilitarized zone. It was 
actually funded as opposed to a fee for service initiative. 
Their responsibility is to put the servers in the zone and 
configure them properly so that they are not able to be used as 
a departure point for further exploit into the infrastructure. 
You see in our flattening curve actions like that have actually 
we think started to pay off in terms of penetration, successful 
penetration into our infrastructure.
    Another very successful effort was also the STGS and the 
work we have done with NSA which is one of our sister agencies 
and also NIST, just a DOD/IC intelligence community, in terms 
of specifying secure configurations and the really good 
response we have had from all of our commercial providers in 
terms of being willing to learn from those and in some cases 
embrace those and ship product based on those configuration 
management guides.
    I would say those are two things that have been force 
multipliers in terms of our ability to combat the threat.
    Mr. Putnam. Do you have an agencywide patch management 
system?
    Ms. Meyerriecks. We have a DOD-wide patch management 
system. DISA administers to a large extent that capability for 
the Department but it is very much a partnership with 
particularly the services in terms of distribution and command 
and control of how we distribute those patches. As my 
colleagues alluded, we do have unique applications, so there 
are places where an Air Force has a specific mission that might 
be impacted in a negative way by a particular patch because the 
vendors can't understand every implication. We roll them out at 
an enterprise level and then we do testing for each of the 
specific platforms where we have those sorts of applications to 
ensure that it is not going to have a dilatory effect on the 
actual application we are trying to support.
    Mr. Putnam. Having laid out some of these strengths, maybe 
you can share why DOD's FISMA score is so bad.
    Ms. Meyerriecks. We will have to take that for the record, 
sir. I don't have the background to address that. I apologize.
    Mr. Putnam. We will let you answer that for the record.
    Mr. Yoran, we spend $60 billion a year in IT hardware, 
software, annual investment by the Federal Government. 
Obviously DHS being something of a startup I merging all the 
disparate departments and agencies, you are spending a fortune 
and you have unique security requirements. How have you used 
the procurement power behind the needs that you have to really 
ensure that the security is baked in?
    Mr. Yoran. That question really needs to be answered with a 
number of tier responses. Within the Department of Homeland 
Security, we are working with Steve Cooper's organization and 
the CIO shop to identify the security requirements of the 
Department and ensure that we are procuring those technologies 
which can address the security requirements which the CIO's 
office is ultimately responsible for identifying.
    We also hope to be able to better leverage those 
requirements and in our interaction with the other departments 
and agencies of the Federal Government to work with the vendor 
community so that they can take some of those practices and 
improve the products which they are delivering to the Federal 
Government as a customer and to the extent that we can create 
consistency between our requirements and the requirements of 
other critical infrastructure operators, BITS and the financial 
services, the American Chemical Council and the chemistry 
sector, and we can define these uniform requirements for the 
vendor community. I believe that will make their job a lot 
easier and a lot more focused in bringing us solutions which 
address these common requirements.
    Mr. Putnam. Ms. Evans, do you wish to add anything to his 
comments on ways to leverage our $60 billion annual investment 
in high quality, more secure products?
    Ms. Evans. We do intend at OMB to use the Smart Buy 
initiative to really work on leveraging these security 
benchmarks. It will require partnership between the Government 
and industry but, I do believe, based on my past experience as 
the Department of Energy CIO, industry wants this partnership 
just as much as Government does. There is value to both parties 
coming together. The Government can make their expectations 
very clear. Industry benefits because the country as a whole 
will benefit from more secure products.
    I think industry wants a partnership. I know we have talked 
to industry about that. We intend to leverage that same type of 
model that we used at Energy through the Oracle contract. That 
took a long time with the Center of Internet Security working 
on the benchmarks across several industry partners that were 
involved in coming up with those benchmarks. This work could be 
leveraged and can be used in the long run by everyone. It is 
our intention to do that. That is why we are asking about 
benchmarking, and as we continue to evolve the Smart Buy 
initiative we can take it to industry and say this is how we 
would like to proceed with our buying.
    Mr. Putnam. Ms. Meyerriecks, do you wish to add anything? 
Obviously this is a huge concern for the Department of Defense 
software assurance. Do you have any comments on that?
    Ms. Meyerriecks. I would just like to echo my colleague's 
statements regarding industry.
    The other comment that I would make is one of the things 
that has also proven beneficial to us is efforts like the 
common criteria where we actually encourage vendors to think 
about how to make more secure products while they are still in 
the labs as opposed to negotiating a configuration after it has 
already been cut into the silicon if you will. Amit talked 
about the importance of influencing products earlier in their 
development cycle, so they are thinking about that as opposed 
to patching them afterwards. Common criteria has been 
especially useful. We ought to think about how we encourage 
more of that behavior.
    Mr. Putnam. Mr. Mehan.
    Mr. Mehan. The only thing I would add to what my colleagues 
have said which I support is what vendors have told us is that 
it is important that in our request for quotes and so forth 
that we have the same enthusiasm for cyber security as we have 
in other rhetoric. The cyber security aspect of it was 
absolutely fundamental. In fact, vendors pretty much had to 
prove they could satisfy that before we got into too much else 
they were going to provide. That sent a strong signal to 
industry.
    Mr. Putnam. This is a particularly good panel in terms of 
the agencies and departments represented for this topic. I 
really appreciate your participating. When you look at FAA and 
certainly the events that have transformed our approach to air 
travel and peoples' approach to security and safety, obviously 
the Department of Defense and certainly Homeland Security and 
all of you are in key positions to be crying in the night about 
the need for more emphasis on cyber security. Do the three of 
you have the ear, the access, the entre to your respective 
department or agency heads and do you believe that the cyber 
threat is being adequately addressed? Begin with Mr. Mehan and 
end with Mr. Yoran and then unfortunately we are going to have 
to bring this panel to a close. Mr. Mehan.
    Mr. Mehan. I clearly have access to the Administrator of 
our agency whom I report to directly. I also have access to the 
Department of Transportation CIO who is also the vice chair of 
the Federal CIO Council and we have the ear of the Secretary of 
Transportation. There is no lack of access to the top deck of 
Transportation and Aviation. I think it is a message that all 
of us in concert with Congress have to keep putting out to the 
public and putting out to the industry because I think one of 
our big challenges is in the second half of this decade, there 
is the potential that we could see more orchestrated, more 
sophisticated attacks and we have much to do in order to be 
ready for them. That is part of why we have laid out a long 
term model for approaching this.
    Mr. Putnam. Thank you, Mr. Mehan. While we give Ms. 
Meyerriecks another moment to think through her comments, your 
android approach, your design, your idea, is very effective and 
we certainly appreciate the work that you are doing at FAA.
    Ms. Meyerriecks.
    Ms. Meyerriecks. I have my direct report to my agency head 
as well and we absolutely have access to our CIO who has made 
it one of their top priorities--it would be good to have one 
who wasn't an acting one if I could put in that plug--as well 
as access to the Secretary and this is a high priority for us. 
I share the concern that we not lose focus in terms of keeping 
it a high priority topic because with all of the demands on the 
resources of the Department we need to make sure that it stays 
front and center in terms of our leadership's interest and 
commitment to it, but it is not an issue today.
    Mr. Putnam. Mr. Yoran.
    Mr. Yoran. The Department of Homeland Security, I 
personally have spoken with Secretary Ridge, with Executive 
Secretary Lowey on cyber security issues and am confident in 
their focus and attention to cyber security as a very valid 
concern for our Nation. On a regular and ongoing basis, I have 
discussions about cyber security with the Under Secretary for 
Information Analysis and Infrastructure Protection, Under 
Secretary LaBudy and Assistant Secretary Laskowski.
    Our approach is to continue to focus on an outcome based, 
integrated risk management approach which includes an active 
interest in cyber security as a vulnerability to our Nation.
    Mr. Putnam. Thank you.
    Mr. Dacey or Ms. Evans, do you have any final remarks 
before we dismiss panel I and seat panel II? Mr. Dacey.
    Mr. Dacey. Just a brief comment. We have talked a lot about 
trying to address some of the security issues of the software 
as it is developed but I do think and FISMA promotes a 
consistent process to try to develop the standard minimum 
security guidelines by risk level as well as NIST is developing 
checklists which are consistent with the standard guidelines in 
the STGs that were talked about earlier. I think that is an 
important area because we need to continue to leverage that 
being done centrally because I don't think we can rely 
continually on the system admins to individually come up with 
the right solutions or even subcomponents of agencies. To the 
extent we can build in some clear processes, communicate those, 
develop training and so forth, that will go a long way because 
just with patch management if you are looking at maybe having 
24 or 48 hours to get something fixed, that is not a long time. 
You have to look for more long range solutions to the problem.
    Mr. Putnam. Ms. Evans.
    Ms. Evans. First, I would like to thank you again for 
having this hearing on cyber security. This is an important 
priority to the administration. We are taking steps to ensure 
that it does stay on the forefront as my colleagues have 
mentioned. We are doing this through the implementation of 
FISMA but as well as through the President's management agenda. 
Because this is a priority, we are trying to ensure that the 
agencies have the resources that they need in order to ensure 
they have good management practices in place to achieve the 
results of a safer infrastructure, and safer cyber security 
environment, so that we can move forward and use technology in 
a way that minimizes risk to us. Thank you again for the 
hearing.
    Mr. Putnam. Thank you. Noting that there are no further 
questions, we will stand in recess while we reset the witness 
table for panel II. The subcommittee is recessed and will 
reconvene in just a few moments.
    [Recess.]
    Mr. Putnam. The subcommittee will reconvene.
    I would ask the witnesses to take their seats, please.
    [Witnesses sworn.]
    Mr. Putnam. We will move immediately to testimony with Ms. 
Dubhe Beinhorn, vice president of Juniper Federal Systems and 
is responsible for the development and execution of all aspects 
of Federal engagements. Prior to joining Juniper in 2001, she 
was with SafeNet where she was general manager of the PKI 
hardware and software division and held responsibility for all 
aspects of this division including sales, systems, marketing, 
supporting and manufacturing. She has more than 25 years of 
experience in the Federal Government and the enterprise 
competing industry in both domestic and global markets.
    Ms. Beinhorn holds a Bachelor's Degree in business from 
Roanoke College in Virginia. Welcome to the subcommittee. You 
are recognized for 5 minutes and I would ask all of our 
witnesses to please limit your testimony to 5 minutes as we 
have a large panel.
    You are recognized.

 STATEMENTS OF DUBHE BEINHORN, VICE PRESIDENT, JUNIPER FEDERAL 
  SYSTEMS; SCOTT CULP, SENIOR SECURITY STRATEGIST, MICROSOFT 
  CORP.; LOUIS ROSENTHAL, EXECUTIVE VICE PRESIDENT, ABN AMRO 
SERVICES CO., INC.; MARC MAIFFRET, CHIEF HACKING OFFICER, eEYE 
 DIGITAL SECURITY; AND STEVE SOLOMON, CHIEF EXECUTIVE OFFICER, 
                CITADEL SECURITY SOFTWARE, INC.

    Ms. Beinhorn. Thank you, Mr. Chairman and members of the 
subcommittee. It is a pleasure to appear before you today to 
discuss the growing challenge of vulnerability management in 
information technology systems. You and the subcommittee have 
been leaders in raising awareness of the importance of network 
security in the public and private sectors. Your work with the 
Corporate Information Security Working Group is an important 
example of your commitment to ensuring a true public/private 
partnership for solving the very difficult challenge of cyber 
security.
    At Juniper Networks we take our participation extremely 
seriously as we do our commitment to you, Mr. Chairman, in 
fully supporting active participation by CEOs, working groups 
and other forums all with an end goal of joint solution 
determination.
    The challenge itself, the threats to today's networks 
continues to grow. Attacks continue to evolve and move from the 
network to the application level. They are more sophisticated, 
using new origination points and come from known and unknown 
sources. The problem is made worse because of the inability of 
much of the existing Internet infrastructure to identify and 
then block threats that emerge. More vulnerabilities are 
discovered every day. The time from discovery to exploit 
continues to shrink and the pressure placed on network 
administrators to remediate these vulnerabilities in a timely 
fashion continues to grow much like baling water out of a boat 
that continues to spring leaks. Patch management is only a 
short term fix and does nothing to solve the root cause of 
network insecurity.
    Part of the challenge is the simple fact that the Internet 
is not just one network. It is multiple networks connected 
together. As such, it was never designed with security in mind. 
Its greatest strength, widespread connectivity at low cost, is 
also one of the greatest weaknesses. With low cost comes 
diminished value, unreliability and lack of security. Each 
network has its own security policy and as we all know, network 
security is only as strong as the weakest link.
    At the moment, only isolated networks can guarantee 
infrastructure and data security from outside attacks. However, 
isolated networks work against netcentric enterprise services. 
Additionally, isolated networks do not address the problem of 
insider attacks and are cost prohibitive for many Government 
and enterprise networks.
    Most people are focused on securing the enterprise. There 
is, however, another critical element. It is securing the 
fabric of cyberspace beyond the enterprise firewall, the space 
between the enterprises. President Bush, in his national 
strategy to secure cyber space, called for ``securing the 
mechanisms of the Internet.''
    Right now, all packets travel over the same public network 
with the same priority and the same security. Part of the 
challenge is recognition that all packets are not created equal 
and we must devise a security approach that assigns the right 
level of security for each packet that flows from its 
originator through the public network to its destination. This 
is the challenge.
    First and foremost, service providers and networking 
companies of both private and public infrastructure play a 
critical role in alleviating the problem. All companies should 
be encouraged by Congress and congressional leaders to share 
information. Specifically, public and private industry forums 
should focus on pre- and post-attack vulnerabilities as well as 
real time attack isolation and prevention. All Internet 
stakeholders need to develop a set of industry best practices 
based on the information communicated by all forums. As an 
example, such collaboration may yield mechanisms to prevent 
users masquerading as other users and denying access in the 
first place, techniques for securing the network control plane 
so that false routes may not be hijacked or injected, thus 
preventing man in the middle attacks. Finally, the use of 
automated tools to conduct assessments and ongoing security 
audits to help identify vulnerabilities on the network and 
usual activity.
    These tools can also be part of a larger effort aimed at 
creating a culture within companies as well as Government 
agencies of security awareness and responsibility. These 
industry best practices allow for malicious traffic to be 
identified, blocked and prevented from spreading. They give us 
the ability to quickly identify and quarantine hot spots and 
reduce the spread of viruses and the rising cost of businesses 
and consumers from such attacks.
    The public network cannot stand alone in the protection of 
businesses, institutions and citizens. Security must also be 
established at multiple levels including application device and 
department levels. These security measures must be able to 
communicate with each other and with the network to form a 
level of protection that is greater than the sum of the parts. 
Networks must intelligently interact with the user and the 
application so that the level of trust can be established at 
the beginning of each network transaction.
    Much work has been done by companies participating in the 
Web services movement and standards development effort. Local 
and wide area networks must leverage this work to extend the 
concept of trust agents and user federations to the network 
itself. The work is already underway. At Juniper Networks, 
along with 18 other industry leaders, we are working to build 
these standards to create networks that can deliver a specified 
level of security, performance and reliability. The group calls 
itself the Infranet Industry Council. It seeks to put existing 
technology and standards to work building on them when 
necessary to form an underlying communications infrastructure 
that provides the best attributes of public and private 
networks.
    An infranet is a selectively open network with assured 
performance and security of a private network enabling a packet 
infrastructure to support all communications. Infranets can be 
built and operated by service providers, agencies and 
businesses and can be securely interconnected with each other 
for the purpose of giving users and on demand appropriately 
tuned to their unique security and quality requirements. At the 
appropriate time, we would welcome the opportunity to explain 
this further.
    Over the long term, vulnerability management must be 
addressed by all Internet community members to design more 
secure systems and networks with a zero trust tolerance. This 
means there should be absolute distrust of outsiders and 
insiders. We should recognize both as equal threats and not 
give greater weight to one or the other. Building networks that 
trust no one is a far better approach to managing the threats 
and will ensure a higher level of security.
    Juniper Networks' approach to network security is based on 
ensuring reliability, security and quality throughout the 
network. This commitment and our activities with public 
infrastructure providers and with the defense and intelligence 
community enables us to do our part to better secure our 
critical networks and play an active role as a member in the 
cyber security industry alliance.
    In today's world, it is no longer about competing. It is 
about collaborating. With your help, Mr. Chairman, the 
Government initiatives to guide industry, vendors and all 
stakeholders will succeed in true joint development of a 
worldwide Internet capable of meeting its mission regardless of 
malicious intent, unforeseen failure or misadventure.
    On behalf of Juniper, we thank you for the opportunity to 
be here today.
    [The prepared statement of Ms. Beinhorn follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.061
    
    [GRAPHIC] [TIFF OMITTED] T6992.062
    
    [GRAPHIC] [TIFF OMITTED] T6992.063
    
    [GRAPHIC] [TIFF OMITTED] T6992.064
    
    [GRAPHIC] [TIFF OMITTED] T6992.065
    
    Mr. Putnam. Thank you.
    Our next witness is Scott Culp, senior security strategist 
for Microsoft Corp. As member of the Trustworthy Computing 
Team, Mr. Culp focuses on developing companywide security 
policies and procedures, evaluating the security of current 
Microsoft products and services and reaching out to the 
critical infrastructure protection community.
    Mr. Culp is the founder and former manager of the Microsoft 
Security Response Center where he helped develop and implement 
leading security response capabilities.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Mr. Culp. Thank you for the opportunity to appear today. My 
name is Scott Culp and I am a senior security strategist at 
Microsoft. Delivering on the trustworthy initiative is one of 
Microsoft's top priorities and improving the manageability of 
security patches is an important part of that work.
    A troubling recent security trend has been the dramatic 
shortening of the time between the issuance of a patch that 
fixes a vulnerability and the appearance of a worm exploiting 
it. In just the past several years, this window has narrowed 
from hundreds of days in the case of nimda to 26 days to 
blaster, to 17 days for the recent Sasser worm. In the face of 
this trend, Microsoft is employing a defense in-depth strategy.
    First and foremost, Microsoft recognizes that the most 
effective improvement we can make with regard to patches is to 
require fewer of them and we are making substantial progress in 
reducing security vulnerabilities in our software but no 
software will ever be completely free of vulnerabilities and so 
we are improving entire patch management ecosystems. Over just 
the past year, we have largely standardized the operation of 
our patches, significantly reduced their size and reduced the 
need to reboot the system after applying them. In the next 
service packs for Windows XP and Windows Server 2003, we will 
deliver new technologies that will help protect systems even if 
the user has not installed all needed patches. In the longer 
term, we are developing break through technologies that will 
enable systems to dynamically change their behavior when needed 
patches are missing and to automatically recognize and defend 
against attacks.
    At the same time, we are working to help raise Federal 
agency awareness of products and resources that address the 
requirements of the Federal Information Security Management Act 
and we are providing improved training opportunities for all 
our customers, including continuing our twice yearly Federal 
security summits. We are also contributing to important 
security policy initiatives. Within just the past few months, 
Microsoft co-chaired a National Cyber Security Partnership Task 
Force that recommended important improvements in the entire 
software development life cycle including patch management. We 
are working with BITS to address the financial sector's legacy 
and other needs and challenges.
    These efforts and others underlie what we believe is the 
industry's leading incident response process. To highlight 
this, let me use the Sasser worm as an example. On April 13, 
2004, Microsoft published a security bulletin and patch 
addressing the vulnerability that Sasser ultimately exploited. 
Microsoft's engineering and educational efforts over the 
preceding months contributed to a patch uptake rate that was 
300 percent higher than for last summer's blaster patch. We 
provided information, guidance and recovery tools for our 
customers worldwide, including contacting U.S. CERT at the time 
of the release of the bulletin and again when Sasser was 
discovered. Our antivirus reward program caused an individual 
to provide information to law enforcement that contributed to 
the arrest of the worm's alleged author.
    Ultimately, we believe these actions reduced the worm's 
impact but the fact that it occurred at all reminds us that we 
need to continue improving. We all have roles to play in 
improving cyber security. As the Congress and the 
administration addressed this topic, we suggest several actions 
which we are eager to work with the Government on.
    First, we hope the Senate will ratify the Council of Europe 
Cyber Crime Treaty. Second, our law enforcers are doing great 
work but need more training and better equipment. Third, 
Government systems administrators would benefit from more 
intensive training in security. Fourth, we support the common 
criteria process but believe it could be improved to make it 
more efficient and cost effective. Finally, we support 
increased basic research in cyber security and computer 
forensics.
    In the final analysis, a more secure computing environment 
is best achieved when industry leaders continue to innovate 
around security to continuously improve the security of 
software products, help customers operate their networks more 
securely and to provide effective security and incident 
response processes.
    I would like to thank the committee for this opportunity 
and I look forward to your questions.
    [The prepared statement of Mr. Culp follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.066
    
    [GRAPHIC] [TIFF OMITTED] T6992.067
    
    [GRAPHIC] [TIFF OMITTED] T6992.068
    
    [GRAPHIC] [TIFF OMITTED] T6992.069
    
    [GRAPHIC] [TIFF OMITTED] T6992.070
    
    [GRAPHIC] [TIFF OMITTED] T6992.071
    
    [GRAPHIC] [TIFF OMITTED] T6992.072
    
    [GRAPHIC] [TIFF OMITTED] T6992.073
    
    [GRAPHIC] [TIFF OMITTED] T6992.074
    
    [GRAPHIC] [TIFF OMITTED] T6992.075
    
    [GRAPHIC] [TIFF OMITTED] T6992.076
    
    [GRAPHIC] [TIFF OMITTED] T6992.077
    
    [GRAPHIC] [TIFF OMITTED] T6992.078
    
    [GRAPHIC] [TIFF OMITTED] T6992.079
    
    [GRAPHIC] [TIFF OMITTED] T6992.080
    
    [GRAPHIC] [TIFF OMITTED] T6992.081
    
    [GRAPHIC] [TIFF OMITTED] T6992.082
    
    [GRAPHIC] [TIFF OMITTED] T6992.083
    
    [GRAPHIC] [TIFF OMITTED] T6992.084
    
    [GRAPHIC] [TIFF OMITTED] T6992.085
    
    Mr. Putnam. Thank you.
    Our next witness is Louis Rosenthal, executive vice 
president, ABN AMRO Services Co. He is responsible for 
information technology infrastructure and operations, 
supporting the consumer, commercial mortgage and e-commerce 
business units of ABN AMRO in North America, as well as some 
global business units.
    Prior to his current position, Mr. Rosenthal held the 
position of executive vice president of service delivery at 
European American Bank in New York, formerly owned by ABN AMRO. 
Prior to that, he spent 7 years at the Bank of New York. He 
serves on the executive committee and advisory group for BITS, 
the technology arm of the Financial Services Roundtable.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Mr. Rosenthal. Thank you, Mr. Chairman, for the opportunity 
to testify today about the ways the financial services sector 
is addressing information security challenges.
    I am Louis Rosenthal, executive vice president with LaSalle 
Bank Corp., a subsidiary of ABN AMRO Services Co. I am pleased 
to appear before you today on behalf of BITS and the Financial 
Services Roundtable. I am a member of the BITS Executive 
Committee, a non-profit industry consortium of 100 of the 
largest financial institutions in the United States. BITS is 
the sister organization to the roundtable. LaSalle, one of the 
largest banks in the midwest, is a subsidiary of Netherlands-
based ABN AMRO Bank operating in about 60 countries around the 
world with about $780 billion in assets.
    Through BITS, the financial services industry has been at 
the forefront of advancing security. No industry takes cyber 
security more seriously than the financial sector. The 
financial services industry is firmly committed to safeguarding 
our customers' information, maintaining our trusted 
relationship with our customers and complying with the numerous 
laws and regulations promulgated by the financial regulators.
    The challenges are plentiful. As I speak, hackers are 
writing code to compromise systems. Viruses are at epidemic 
levels. We are increasingly concerned that a coordinated cyber 
attack of some kind could impact communications, SCADA systems 
or first responder systems and put all of us at terrible risk. 
The prospect of zero day exploits with malicious payloads are a 
reality. Cyber security, like physical security, is critical to 
the well being of the Nation and its infrastructure.
    Financial institutions are heavily regulated and constantly 
supervised by our Federal and State regulators. The industry 
has worked consistently and diligently to comply with these 
requirements. We do not believe more regulation of the 
financial services industry will help us address the cyber 
security challenges. Rather, we believe the private and public 
sectors must work together to address cyber security issues. 
That is why we are urging our partners in the technology 
industry to do their fair share to ensure the soundness of our 
Nation's critical infrastructure. It is also why BITS 
enthusiastically participated in the chairman's Corporate 
Information Security Working Group.
    Ensuring software security is enormously costly. In 
December 2003, BITS surveyed its member institutions on the 
cost of addressing software vulnerabilities, including managing 
software patches. We found that software vulnerabilities are 
approaching the cost of $1 billion annually to the financial 
services industry alone.
    In October 2003, BITS launched its software security and 
patch management initiative. BITS' goal is to mitigate security 
risks to financial services consumers and the financial 
services infrastructure, ease the burden of patch management 
and help member companies comply with regulatory requirements.
    A key part of this work is our collaboration with software 
companies to create solutions acceptable to all parties. We 
have shared with these companies a series of business 
requirements that BITS members agree are critical to the 
soundness of systems used in the financial services industry. 
In February of this year, BITS and the Financial Services 
Roundtable held a cyber security CEO summit here in Washington. 
The event promoted CEO to CEO dialog on software security 
issues.
    This past April, BITS and the Financial Services Roundtable 
announced a joint policy statement calling on the software 
industry to improve the security of products and services it 
provides to financial services customers. BITS is working with 
other critical infrastructure industries and industry 
associations to help motivate a larger user movement. For 
example, BITS worked closely with the Business Roundtable in 
developing that organization's widely publicized cyber security 
principles. The BITS Product Certification Program is another 
important part of our work to address software security. The 
BITS Certification Program is a testing capability that 
provides security criteria against which software can be 
tested.
    It is important for the committee to recognize the 
dependence of all critical infrastructures on software and the 
Internet. In so doing, we have developed six key 
recommendations for the committee to consider. One, encourage 
providers of software to accept responsibility for their role 
their products and services play in supporting the Nation's 
critical infrastructure. Two, support measures that make 
producers of software more accountable for the quality of their 
products including ensuring their products are designed to 
include security as part of the development process, testing 
that their products meet quality standards and that financial 
services security requirements are met before the products are 
sold, developing patch management processes that minimize cost, 
complexity, downtime and risk to user organizations. Software 
vendors should identify vulnerabilities as soon as possible and 
ensure that the patch is thoroughly tested and continuing patch 
support for older but still viable versions of software 
currently in use in the critical infrastructures.
    Three, provide incentives and other measures that encourage 
implementation of more secure software development processes. 
Four, provide exemption from antitrust laws for critical 
infrastructure industry groups so they can better discuss and 
develop baseline security requirements for the software and 
hardware they purchase. Fifth, encourage collaboration and 
coordination among other critical infrastructure sectors and 
Government agencies to mitigate software security risks. Sixth, 
encourage regulatory agencies to review software vendors 
similar to how the regulators currently review third party 
service providers so that software vendors deliver safe and 
sound products to the financial services industry. Through 
collaboration and a partnership, we can address the cyber 
security challenges.
    Thank you for the opportunity to testify today and I will 
take questions later.
    [The prepared statement of Mr. Rosenthal follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.086
    
    [GRAPHIC] [TIFF OMITTED] T6992.087
    
    [GRAPHIC] [TIFF OMITTED] T6992.088
    
    [GRAPHIC] [TIFF OMITTED] T6992.089
    
    [GRAPHIC] [TIFF OMITTED] T6992.090
    
    [GRAPHIC] [TIFF OMITTED] T6992.091
    
    [GRAPHIC] [TIFF OMITTED] T6992.092
    
    Mr. Putnam. Thank you, Mr. Rosenthal.
    Our next witness is Marc Maiffret, chief hacking officer 
for eEye Digital Security, a leading security software 
provider. In 2001, eEye engineers discovered and named the Code 
Red virus and helped the White House avert a potential 
disaster. In addition, eEye's research team discovered the 
latest Microsoft ASN vulnerability.
    Mr. Maiffret has been featured in several publications and 
has testified previously before Congress providing his expert 
opinion on the Nation's infrastructure.
    Mr. Maiffret, welcome to the subcommittee. You are 
recognized for 5 minutes.
    Mr. Maiffret. Thank you very much.
    For some time, security has been a race to create new 
protection mechanisms for never ending onslaught of 
vulnerabilities, the vulnerabilities that organizations face 
are not simply system and software vulnerabilities but also 
social vulnerabilities and how people interact with technology.
    On the surface, it would seem the simple solution to the 
vulnerability problem would be as easy as organizations 
patching their systems. This however is not the case. Times are 
changing and now more than ever new threats arise quicker than 
ever before. The window of vulnerability which is the time 
organizations have to patch the systems is shrinking.
    On average, new threats emerge between 1 and 2 weeks after 
a vulnerability is discovered, therefore not allowing companies 
to react fast enough. Patching is not enough. We need new 
security solutions that can mitigate the risk of 
vulnerabilities before new threats emerge regardless if systems 
are patched or not.
    One of the reasons that organizations are failing is not 
from a lack of security tools but from the lack of creating a 
process and policy around those security tools. Simply having 
the tools to know that you are vulnerable or that you are under 
attack is not enough if the information is not audited and 
tracked to some sort of completion.
    I thought it would be helpful to illustrate in kind of real 
world terms some of the problems that a large organization 
actually faces in terms of computer security. I actually met 
with the head of security for the largest financial 
organization in the United States and have some interesting 
statistics. This organization is actually in charge of auditing 
2.5 million IP addresses or computer addresses. Out of those 
2.5 million IP addresses, there is roughly over half a million 
active systems or computer or devices they need to protect. On 
a system of this scale, there is really no room for failure, 
even if you think of a 1 percent failure of security or a 1 
percent failure of patches being deployed and whatnot, that is 
still many thousands of systems potentially going to be at risk 
or no longer functioning. Those are systems that are dependent 
for business processes and other types of activities.
    The interesting thing is that while some of these numbers 
are staggering for this organization, they are able to maintain 
their security in a way that allows them to not only roll out 
patches within 48 hours of vulnerabilities being released, but 
at the same time have all the right protection mechanisms in 
place on the perimeter of their network.
    Even with all this, being a large network and having a good 
response to security, doing everything right is costing them 
roughly $15 million per security incident. That would be a 
critical security vulnerability which requires them to go out 
of the normal operation activities to deploy a patch or to 
secure their systems.
    That is all I have for now.
    [The prepared statement of Mr. Maiffret follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.093
    
    [GRAPHIC] [TIFF OMITTED] T6992.094
    
    [GRAPHIC] [TIFF OMITTED] T6992.095
    
    [GRAPHIC] [TIFF OMITTED] T6992.096
    
    [GRAPHIC] [TIFF OMITTED] T6992.097
    
    [GRAPHIC] [TIFF OMITTED] T6992.098
    
    [GRAPHIC] [TIFF OMITTED] T6992.099
    
    [GRAPHIC] [TIFF OMITTED] T6992.100
    
    [GRAPHIC] [TIFF OMITTED] T6992.101
    
    [GRAPHIC] [TIFF OMITTED] T6992.102
    
    [GRAPHIC] [TIFF OMITTED] T6992.103
    
    [GRAPHIC] [TIFF OMITTED] T6992.104
    
    [GRAPHIC] [TIFF OMITTED] T6992.105
    
    [GRAPHIC] [TIFF OMITTED] T6992.106
    
    [GRAPHIC] [TIFF OMITTED] T6992.107
    
    [GRAPHIC] [TIFF OMITTED] T6992.108
    
    Mr. Putnam. Thank you, Mr. Maiffret.
    Our next and final witness for this panel is Steve Solomon, 
chief executive officer of Citadel Security Software since its 
formation in December 1996 and as president and CEO of CT 
Holdings since May 1997. Mr. Solomon spent 8 years in the 
security software industry.
    Citadel Security Software creates and provides full life 
cycle vulnerability management solutions that protect 
information technology infrastructures. Mr. Solomon is a board 
member of the Cyber Security Industry Alliance and served as 
the chairman of the Committee on Computer Privacy and Data 
Security Standards, a private sector initiative that followed 
the work of the Privacy Roundtable led by U.S. Senator John 
Cornyn, formerly attorney general of Texas.
    Welcome to the subcommittee. You are recognized for your 
testimony for 5 minutes.
    Mr. Solomon. Good afternoon, Mr. Chairman and members of 
the subcommittee. I want to thank you for the opportunity to 
appear today to discuss vulnerability management strategies and 
technology.
    Before I start, I want to applaud the committee for having 
the commitment and vision to help our Nation's drive awareness 
and direction to this ever growing security threat facing our 
critical IT infrastructure.
    Today's organizations face exponential growth in the number 
of vulnerabilities and the speed at which the attacks are 
introduced. At a recent DOD Information Assurance Conference, 
it was predicted by the year 2010, we will face nearly 400,000 
new vulnerabilities per year which equates to roughly 8,000 
vulnerabilities per week or one new vulnerability every 5 
minutes.
    By successfully exploiting one vulnerability, organizations 
are exposed to potentially tens of millions of dollars in 
economic damage and successful attack on our Nation's critical 
infrastructure could result in life threatening events, 
jeopardize our national security and impact our way of life.
    By the year 2010, it is estimated there will be half a 
billion users on the Internet. In a society open like ours, our 
complex organizations, remote employees and open access to 
systems, we are targets for individuals and organizations that 
want to attack us. We cannot let September 11 repeat itself in 
cyber space.
    To be prepared for this onslaught, we must continue to 
expand the foundation that the committee has initiated. 
Expansion must include the need for sound vulnerability 
management processes, supporting technology and the necessary 
legislation to ensure our Nation's critical IT infrastructure 
is protected. We have seen the sophistication and speed of the 
attacks mature to where the existing security measures such as 
firewalls and a virus are not enough to stop these attacks. By 
fixing known vulnerabilities, we can proactively eliminate 
cyber threats, reduce risk and deliver a more secure IT 
infrastructure.
    Organizations must take a proactive stance and implement a 
full life cycle vulnerability management capability. Success 
requires new processes, automated technology to support these 
processes and management's commitment to drive the needed 
change.
    In the public sector, FISMA is helping to drive initiative 
in the awareness for improved cyber security. However, 
interpretation has not been consistent throughout all agencies 
resulting in inconsistencies and actions to address these 
problems. However, there are excellent examples of 
organizations that have already implemented proactive 
vulnerability management processes such as the Department of 
Veterans Affairs and National Finance. In addition, other 
agencies such as FAA, the DOT, IRS and Department of Defense 
have all started taking proactive steps to address the need for 
full life cycle vulnerability management.
    For most of corporate America, the process is broken or 
fragmented across different groups using point tools and manual 
techniques. There are some industries ahead of others primarily 
driven by the mandates of Sarbanes-Oxley, GOB and HIPPA which 
are driving awareness and need for more proactive uses. 
However, the interpretation of these mandates and the required 
action to comply are too broad resulting in ineffective results 
leading to continued attacks and exposure on a daily basis.
    Compounding the problem across both the public and private 
sector is the increased number of remote users who return to 
the enterprise networks with compromised environments results 
in continued introduction of malicious attacks after 
remediation actions have taken place. Organizations have 
implemented some form of patch management tool have a false 
sense of security. On average, only 30 percent of an 
organization's verified vulnerability relates to patching, 
leaving the network exposed to the remaining 70 percent of the 
problem which are more dangerous and easily exploited. These 
products do not address the problem of full life cycle 
vulnerability management and effectively become part of the 
problem.
    To successfully deliver a full life cycle vulnerability 
management process, automation is a necessity. The ability for 
multiple security and IT operations disciplines to work 
together requires technology that provides an integrated 
platform by which to manage the process. Leveraging automation 
will shift organizations from reactionary to a proactive 
vulnerability capability.
    Technology is available today to deliver the flexibility of 
automated vulnerability management. A key requirement is 
solutions that provide seamless integration across the 
assessment and remediation steps of the process. Full function 
remediation solutions must address all types of IT 
vulnerabilities and provide a mechanism to report on the 
progress from the assessment to mitigation to the ongoing 
compliance. In order to streamline the process, solutions must 
provide a comprehensive library of remediation actions 
identified to fix the vulnerabilities with the ability to 
rapidly deploy the remediation actions across the network on a 
consistent, repeatable process.
    As new vulnerabilities are discovered on a daily basis, 
there must be a mechanism to continually deliver new 
intelligence and remediation actions that are tested. To 
mitigate the impact to remote users, solutions must provide 
capability to both quarantine and remediate devices upon the 
network connection.
    The commercial software industry must be involved in 
providing solutions. NIAP common criteria certification is an 
excellent step in the endeavor, yet there is no enforcement 
across the public sector to purchase products that are common 
criteria certified. We recommend the Government lead the way in 
requiring software solutions be certified and common criteria 
at AL3 or above before they can be procured for implementation.
    To further reduce the risk, we must address the concern of 
offshore development. A major portion of the software 
development today occurs offshore. We must ask for additional 
controls to ensure software development overseas is secure. 
Software development organizations should be required to have 
all overseas development of software examined for malicious 
capabilities embedded in the code. Industry and Government must 
work together to develop some form of standard to review the 
process to address the growing threat.
    A few months ago many leaders from the cyber security 
industry came together to form an important alliance. The Cyber 
Security Industry Alliance represents the latest commitment 
from cyber security industry to positively enhance information 
security. I am proud to say Citadel serves as a board member on 
the committee. The mission of CSI is to enhance cyber security 
through public policy initiative, public sector partnership and 
corporate outreach, academic programs and alliance behind 
emerging industry technologies.
    In conclusion, the vulnerability management is a core 
security requirement. By successfully implementing a proactive, 
automated approach, organizations can reduce the risk and 
mitigate their exposure to cyber threats. Industry and academia 
must work together closely with Government to drive awareness, 
education and provide direction across public and private 
sectors with national security efforts.
    I thank the committee for the opportunity to testify.
    [The prepared statement of Mr. Solomon follows:]

    [GRAPHIC] [TIFF OMITTED] T6992.109
    
    [GRAPHIC] [TIFF OMITTED] T6992.110
    
    [GRAPHIC] [TIFF OMITTED] T6992.111
    
    [GRAPHIC] [TIFF OMITTED] T6992.112
    
    [GRAPHIC] [TIFF OMITTED] T6992.113
    
    [GRAPHIC] [TIFF OMITTED] T6992.114
    
    [GRAPHIC] [TIFF OMITTED] T6992.115
    
    [GRAPHIC] [TIFF OMITTED] T6992.116
    
    [GRAPHIC] [TIFF OMITTED] T6992.117
    
    Mr. Putnam. Thank you, Mr. Solomon.
    Ms. Beinhorn, Mr. Culp, the other three panelists have had 
some interesting observations to make about the software 
development community. Mr. Rosenthal supported that you do your 
fair share, Mr. Solomon called for expanded use of common 
criteria and expanded software assurance programs, particularly 
as we look at the offshore activity that is taking place. How 
do you respond to that? Mr. Culp first.
    Mr. Culp. We are supporters of the common criteria process. 
Windows 2000 has been certified. To a certain extent the valid 
concern about offshoring misses the point. It is not where the 
software is developed, it is how it is developed. Software 
built within the United States can be just as vulnerable as 
software built someplace else. What is important is not where 
it is built but that it is built with a solid, sound 
development process, that provides for independent review 
within the developing organization, that provides for thorough 
testing and that is mindful and protective against 
opportunities to try to insert malicious code.
    With that said, the vast majority of Microsoft software, 
including all of our Windows products, are built in the United 
States in Redmond but the overall concern about offshoring I 
think might be more properly redirected to be concerned about 
oversight of the software in a tight development process.
    Mr. Putnam. Ms. Beinhorn.
    Ms. Beinhorn. At Juniper, again we take the software issue 
extremely seriously. We also embrace the common criteria 
certification process as well as the FIPPS process with an eye 
toward the prevention up front. You might recall Donna 
Meyerriecks' comments earlier today about the development 
process and how important it is to look at these things prior 
to silicon. So we take it in a very logical sort of stepped 
process at Juniper. All of the elements of the security that 
are embedded in our products are scrutinized by a team of 
professionals and put through a rather rigorous testing 
scenario against all known vulnerabilities at that time. So we 
fully embrace the formal process and the certification process 
and I agree actually with my colleague that tighter controls on 
those processes is certainly in the best interest of the 
Internet and cyber security.
    To the point of offshore software, the majority of our 
software development is all done here but I also concur that it 
really doesn't matter where software is developed. I think 
again it is a process that requires very tight controls and 
very intense scrutiny.
    Mr. Putnam. How many lines of code are we talking about 
reviewing to find the couple of lines that are malicious? If 
you are going to take it up a notch, bake in security, you are 
concerned about the offshore influence, what type of task are 
we talking about to find something someone slips in?
    Mr. Culp. Well, it is a large task. All modern operating 
systems are in the tens of millions of lines of code order of 
magnitude. Trying to go through a completed code base and 
review it for something that somebody may have surreptitiously 
slipped in is very difficult and that is why it is so important 
to take a multilayered approach to vetting the software. You 
vet the individual modules as they are built, you vet the 
designs as they are developed, you can vet the fidelity of the 
development against the design and then as you get further 
along in the development, you begin to bring in folks who maybe 
haven't seen the software before but who are experts in code 
level review.
    One of the reasons that we participate in common criteria 
is because we want that external review. We bring the best 
minds we can to bear on writing the software but we know at the 
end of the day, we are human too and may make a mistake. So we 
want very much to include those independent, third party 
experts and give them an opportunity to review the product at a 
source code level and bring their expertise to bear to make 
sure we have done everything right.
    Mr. Putnam. Mr. Maiffret, what are your thoughts on that?
    Mr. Maiffret. I think in general, I agree it is not 
necessarily where the software is developed because it could 
just as easily be in the United States and somebody here on 
some sort of visa or is in the process of being sponsored. As 
far as being able to find bugs in software that were 
maliciously put there, in some cases it is almost an impossible 
task because as it stands right now, we still haven't even come 
to the point where we can automatically find all known security 
bugs within software. Because we can't do that, we are not 
going to be able to find people that are mistakenly putting 
bugs in there on purpose. Really, it is not a matter of can you 
find them and what not.
    Mr. Putnam. If it is an impossible task, what do we do?
    Mr. Maiffret. To take it back a level, to say it is an 
impossible task and at the same time say you are never going to 
have 100 percent security in an application, that it is an 
impossible task to identify all known vulnerabilities in 
applications, so I think we need to look at security in 
different ways. It is not about finding every single 
vulnerability that you can but about having outer safeguards 
around the actual components that you are trying to protect.
    A real world example that is great is if you take the DIS 
and NSA guidelines and the STG documents, there is plenty of 
configuration information in there that had computers actually 
been set up to comply with all those configurations options, 
there are numerous worms that actually wouldn't have been able 
to infect or do anything to those computers even if they 
weren't patched. A lot of times there are things like that you 
can do that more broadly protect systems. There are also other 
efforts you can do which actually Microsoft is one of the 
leaders in one of the common types of vulnerabilities, buffer 
overflows and Microsoft is working with a lot of the processor 
community to more generically be able to protect from those 
kinds of attacks knowing that you are not going to be able to 
discover all of them within the code.
    Mr. Putnam. Mr. Solomon.
    Mr. Solomon. On that subject, the offshore concerns were 
raised with us because it is easy and cheap and maybe my 
colleagues on this panel have processes in place, a lot of 
companies don't and the process is very simple for people to 
call up and get something done very quick and very cheaply and 
there are no controls on what is coming back in. It is simply 
saying we don't know what we don't know today. As you said, how 
many vulnerabilities would be in how many lines of code. I was 
at a recent conference with the Department of Defense and they 
estimate by the year 2010 for every 7-10 lines of code, there 
would be one new vulnerability. Try to find it. Once again, we 
have to take a proactive approach to this instead of 
reactionary. We have to develop a baseline, we are developing 
STGs and the right performance but what we are doing today in 
the manual process is broken because we can't keep up with the 
speed of the vulnerabilities unless we have a process for 
fixing it. Fixing everything as we talked about earlier, 
patching is not enough. Doing it consistently in a repeatable 
process, it becomes a core process of our information 
infrastructure.
    Mr. Putnam. Mr. Rosenthal, it is costing your industry $1 
billion a year. What are your thoughts?
    Mr. Rosenthal. I would agree with the panelists with 
respect to how code is written, how code is developed. I think 
there is a notion of a higher duty of care, not just in the 
software development process but in how the software is 
actually deployed and used in the environment. So the same 
software can be deployed in my home office, on my home 
computer. The implications of vulnerability being exploited 
there has very little impact on the Nation's infrastructure. 
That same software product deployed in a critical 
infrastructure like a financial services firm, an exploitation 
of a vulnerability can be extremely damaging to the financial 
services firm as well as the critical infrastructure of the 
Nation.
    I would tell you that I think in general the IT industry 
needs to understand exactly what their products are being used 
for, whether they be operating systems or accounting systems. 
They are not just products that get deployed in an environment 
identically. Changes are made, the way they are configured is 
different. In fact, the way they are managed in some cases is 
different. I think the industry should really spend more time 
understanding exactly the usefulness of these software and 
technology products, especially in critical infrastructure 
industries.
    Mr. Putnam. How well do you think the process is today, how 
effectively is the private sector working with DHS to release 
information about vulnerabilities, to share that with the 
people who need to understand it before the exploits are 
developed? Mr. Culp and then Ms. Beinhorn.
    Mr. Culp. We are actively sharing information through a 
number of different venues. The key point to understanding 
where we are coming from with respect to information sharing 
after the bulletin is out is that we recognize that although it 
may be bad publicity for Microsoft for a lot of people to know 
about a vulnerability they need to patch, that vulnerability 
isn't going to go away until people know about it and know what 
they need to do. So we have a very active interest in making 
sure that as many people know about our mistakes and what to do 
to correct them as possible.
    I will give you one example of what we have been doing. 
Virtually ever Microsoft employee carries around a stack of 
these cards that on the one hand has a placard exhorting people 
to sign up for the free security updates that we send by email 
every time we release a security bulletin. We have several 
million subscribers to this free service and we send out every 
security bulletin that we release to that mailing list.
    We are also working very closely with the CERTs, in 
particular U.S. CERT. We have a very close and productive 
relationship with DHS and believe they are vital in helping to 
get out the word to the U.S. computer user base but we also 
need to get information out to users and the rest of the world. 
So we actively work with CERTs in a number of different 
countries. As we did in the case of the Sasser worm, we contact 
the CERTs when the bulletin is released, we ask for their help 
in getting out the information to users and then when we find 
an attack in progress, we revisit and give them more 
information so everybody can stay informed.
    Mr. Putnam. So you are generally satisfied with the process 
as it stands today?
    Mr. Culp. I am never satisfied with the process as it 
stands, it can always be made much better. I would like to have 
to do a lot fewer of these alerts. I think that would be the 
best improvement we could make, to have to send out things a 
little less often through this channel but we do have by far 
the most robust communication system of anybody in the industry 
when it comes to reporting on security vulnerabilities.
    Mr. Putnam. You paid a reward for someone to turn in the 
person who released the Sasser worm, correct?
    Mr. Culp. We do have a virus rewards program. I believe the 
reward is paid out upon arrest and conviction. In the case of 
the Sasser worm, that is still being handled by law 
enforcement, so the program is there but the question of the 
Sasser worm hasn't come to finale.
    Mr. Putnam. Is there an estimate on the damage that the 
Sasser worm caused?
    Mr. Culp. I don't think I have seen an estimate yet and 
they usually vary widely depending on source.
    Mr. Putnam. Does anyone on the panel know? Anyone have any 
idea? What about the charges that were leveled against the 
individual? What is the potential penalty for releasing the 
worm?
    Mr. Culp. I don't know. That is a matter for German law. 
The individual who was arrested is in Germany and I am afraid I 
just not an expert in German law.
    Mr. Putnam. Let me ask it a different way. Do you think the 
penalties for releasing these worms and viruses in the United 
States are adequate considering the damage that has been done 
and is capable of being done to the economy?
    Mr. Culp. In general, I think I would like to see stronger 
enforcement and stiffer penalties. These worms are causing 
significant economic damage. They are requiring customers to 
spend serious resources to protect their enterprises and the 
punishment should be commensurate with the level of damage.
    Mr. Putnam. Mr. Rosenthal, your thoughts on that same 
question?
    Mr. Rosenthal. I don't know the exact penalties but I would 
tell you that they are not strong enough. A physical robbery of 
a bank, a holdup, we are limited by the amount of cash we allow 
tellers to have and many of those people walk rather quickly. 
Hackers have the ability of not just taking down a financial 
institution but they could knock out critical financial 
networks that impact our economy. So if you could tell me what 
the penalty was, I would tell you it needs to be doubled.
    Mr. Putnam. Mr. Maiffret, your company has researched and 
found a number of vulnerabilities, often being the first one. 
What tools are at your disposal or at anyone's disposal to 
analyze code and therefore discover these vulnerabilities?
    Mr. Maiffret. Really a lot of it comes down to the team of 
people we have been able to build. Obviously in-house we don't 
have source code to any of the software that we find 
vulnerabilities in so we actually look at the compiled code 
itself and are able to analyze it that way to find 
vulnerabilities. For the most part, a lot of times it is not 
necessarily tools that we use but just people sitting down, we 
have basic tools to look at a program but for the most part it 
is somebody actually going through how a program works and 
figuring out how to make it do things it shouldn't.
    Mr. Putnam. Mr. Solomon, do you want to comment on that?
    Mr. Solomon. Actually the discovery process internally will 
actually work with the CERT or scanning partners as well as the 
development team. A key side to that is identifying 
vulnerabilities in the wild as well before there are known 
exploits. As they are identified, we look to write the 
remediation fixes for them. So we have a team of engineers that 
actually write the remediation process so they can build a 
library. Today we have over 16,000 actions for cross multiple 
platforms for remediation so they get tested before they get 
applied. It is a team of engineers working with proprietary 
tools.
    Mr. Putnam. Ms. Beinhorn, this spring a researcher 
discovered a new way to exploit a vulnerability in the 
transmission control protocol that would potentially have 
allowed substantial disruption of Internet traffic. It has 
serious effects on routers. What steps did your firm take when 
you found out about the vulnerability?
    Ms. Beinhorn. That particular problem within TCP has been 
known for a while and companies like Juniper Networks and Cisco 
Systems worked along with a number of forums and the Government 
to resolve those issues. Yes, they were potentially very 
frightening but the actual truth of it is that when you 
architect something like TCP and it was done so many years ago, 
that as time evolves and systems and software evolve, different 
things will come up in code.
    I think the resolution to this particular issue is well in 
hand and probably anymore detail on this topic we should 
contribute something outside of this forum.
    Mr. Putnam. We talked about this in the first panel. The 
Government spends $60 billion a year annually in investment for 
IT goods and services. What can the Government do to leverage 
that buying power to get more security baked in?
    Ms. Beinhorn. It is Juniper's opinion and strong conviction 
that the Government and the public and private sectors need to 
work more closely. I think there are lots of very legitimate 
and productive forums out there but with respect to the spend, 
which is if you distill it down for equipment, it comes in on 
the order of about $10-$12 billion but the development of 
silicon and the direction the Government wants to take need to 
collide and that is not something that is done overnight. It is 
a process that has to take into consideration a lot of 
preventive measures with respect to both hardware and software.
    We would like to see a more formal and closely knit 
relationship. The President's management agenda does call for 
participation by private and public entities but we work with 
DISA, NSA and a number of agencies. It would be better if maybe 
DHS was the focal point or central point for the consolidation 
of the go forward requirements and they were brought formally 
to industry for discussion and evolutionary development.
    Mr. Putnam. Why DHS?
    Ms. Beinhorn. It is a suggestion, Mr. Chairman. It seems to 
be the agency with, as you said, the most amount of money, so 
it would be logical to perhaps place the responsibility there.
    Mr. Putnam. Mr. Culp or Ms. Beinhorn, times have changed, 
priorities have changed, security is a greater factor in 
development today than it used to be, tens of millions of 
computers around the world. As our security gets better with 
new versions of operating systems, we still will have millions 
of home users and small businesses and libraries and schools 
and everybody else that is a bit behind the curve on updating 
their equipment connected to the same network. As everyone 
agrees your security is only as good as your weakest link. How 
do we deal with that component of user groups even as the 
quality grows, the security improves, but you still have a lot 
of people out there using the old stuff. What do we do about 
that?
    Mr. Culp. That is absolutely true and that is one of the 
biggest hurdles. We know the software we are producing today is 
much more capable, much more secure. It is built for the 
current threat and environment. We do, as you mentioned, have a 
very large legacy base and there are some limits to what we can 
do but with that said, let me give you a couple examples of 
what we are doing.
    One thing we can do is upgrade the practices of the 
operators of that software. As often as not, the security of a 
network is dependent more on the management practices and the 
way it is deployed and configured than it is on the technology. 
So we worked very closely with some of our partners in the 
industry to develop deployment guides and configuration guides 
that will let people using the older software continue to do so 
effectively and securely.
    We are also in some cases back porting some of the 
technologies I described in my written and oral testimony to 
previous platforms. A really good example of that is the auto 
update mechanism that was originally released in Windows XP and 
lets you automatically get patches directly from Microsoft. 
After we released it for Windows XP, we back ported it to 
Windows 2000, so the Windows 2000 users could have the benefit 
of that same technology. We do that whenever we can. So as much 
as we can, we push that better technology back to the existing 
legacy base and provide them with better practices to secure 
what they have and we try to ease the migration into the newer 
platforms.
    Mr. Putnam. Ms. Beinhorn, do you want to comment on that?
    Ms. Beinhorn. Actually not. I think that is less germane 
for Juniper than it is for Microsoft.
    Mr. Putnam. Anyone else wish to comment on that? Mr. 
Solomon?
    Mr. Solomon. Back to the older programs, a lot of it comes 
back to the operating system itself and configuring and setting 
up the system. While we can update the patches and everything 
else, a great example is one organization that had about 1,500 
devices, did an assessment and realized they had 256,000 
vulnerabilities on one network. They determined 56,000 were 
critical, this is a Government agency. Out of the 56,000, maybe 
20 percent was related to patches and the rest were back doors, 
configurations, unsecure accounts, where anybody could get in 
and exploit that system. So it comes back to doing a total 
system management. It is a combination of working together. As 
I said earlier, a patch is not enough, you really have to focus 
on a complete vulnerability life cycle and close all these 
vulnerabilities going forward.
    Mr. Putnam. Talk to me a bit, particularly Mr. Maiffret and 
Mr. Solomon, about wireless, the way everybody is going, PDAs, 
the home PCs that are used for remote access and laptops that 
are brought on-sight, you have public and private networks, 
these unsecured systems obviously can be corrupted and then 
reintroduced into the system. How do we deal with that 
challenge which is only growing?
    Mr. Solomon. It is growing more and more as we get better 
in cleaning up our networks, then we have to worry about 
someone plugging back in and contaminating after a weekend. 
There is technology out there today that will actually 
quarantine a box and won't allow communication to the network 
before you remediate the box. So it is an automated approach, 
something we developed, the technology that now allows you 
before the communication back to the network, the box will be 
remediated. Today people are going to the hotel and plugging in 
or they come back after the weekend and utilize the device.
    Further, wireless devices are going to be a big concern 
moving forward, a simple printer on your network is a 
vulnerable box. I can actually export your printer faster than 
I can your desktop. We have to be more secure not just looking 
at our PC and servers, we have to look at more devices going 
forward from our printers, our copiers to wireless. That is 
where exploits will be controlling the future. People will be 
looking for the weakest link and those would be the weakest 
links within the community. Today you have to be able to 
remediate and have a total remediation process for people that 
have disconnected and quarantine those boxes before you allow 
them back on the network and make sure they are secure and 
remediated.
    Mr. Putnam. Mr. Maiffret.
    Mr. Maiffret. I would concur that there are many solutions 
being developed to help with the problem of rogue machines and 
remote users and things of that nature. As far as wireless 
goes, it is still pretty challenging because there are so many 
different types of wireless. There are not necessarily a lot of 
standards. There is everything from wireless that is used for 
home use and small offices to some of the more high end 
wireless systems to now things like cell phones running more 
popular operating systems which is going to create a whole new 
avenue of attack but for the most part on the wireless front, 
there are still so many going in so many different directions 
that it is hard to have standardized security on how the thing 
should work.
    Mr. Putnam. Any other comments on the trend toward wireless 
and reconnecting to the network? We will begin with Ms. 
Beinhorn as we wrap up this hearing and give you the 
opportunity to make any comments you wish you had been asked 
about or any thoughts or observations from this hearing. We 
will go down the line and begin with you.
    Ms. Beinhorn. Thank you. We are obviously very pleased to 
be a part of this today and we look forward to contributing in 
the future. We completely support your agenda for the 
involvement of industry and specifically the C level 
involvement because the buck stops there, so it should also 
start there and the commitment should start there.
    I just want to reinforce that. I think our participation in 
this and other forums will be helpful to the community.
    Thank you.
    Mr. Putnam. Thank you.
    Mr. Culp.
    Mr. Culp. I would echo what Ms. Beinhorn said. I think we 
are seeing positive results from the public/private 
partnerships and I think we are seeing the market causing many 
of the needed improvements. Customers are wielding their buying 
power as we speak, security is not just very high on their 
list, it is at the very top of their list. Microsoft and the 
rest of our colleagues in the industry know we have to supply 
that and provide it and it is that market pressure that is 
behind many of the improvements and innovations that I and the 
other folks on the panel have described today.
    Mr. Putnam. Mr. Rosenthal.
    Mr. Rosenthal. I would thank you again for your leadership 
in bringing these issues to the forefront today. Beyond the six 
recommendations that I mentioned before as well as in my 
written statement, I would ask the committee and you to closely 
look at the impact that software products and other technology 
products has on critical infrastructure sectors of our Nation.
    Thank you.
    Mr. Putnam. Thank you.
    Mr. Maiffret.
    Mr. Maiffret. I think there definitely needs to be a lot of 
thought and research put more on the side of why we are 
failing. It is amazing to me if we are spending especially in 
the Government, $80 million a year on technology and whatever 
the percentage is there on security, I think there definitely 
needs to be a lot of analysis done. Any time we do have a 
failure, what went wrong, was there not a budget, was there not 
enough personnel, was there the right personnel and the right 
tools in place but there wasn't a good process to actually 
track what was going on and things weren't followed through to 
completion, basically more specifics on why the failures are 
actually happening if we are spending that much.
    Mr. Putnam. Mr. Solomon.
    Mr. Solomon. I want to thank you for inviting me today and 
once again commend the committee on what they are doing.
    Last year I met with Mark Forman when he was head of OMB 
and he told me last year the Government spent approximately 
$1.5 billion in some form of vulnerability management with 
their IT budget and the agencies still got the majority of 
``F'' at that time. Looking at what the spend is in a cycle 
that is getting vicious, it is going to be more expensive and 
you can't keep up with it. As the hackers are moving faster, we 
seem to be moving slower sometimes because the reaction and our 
time and the process from manual to automation I think has to 
move a lot faster with understanding from legislation what they 
need to do.
    Common criteria we thought was a very key point and it is 
important to have comment period and as an industry, I think it 
is very important for us all to go through it but the key is 
agencies don't follow it sometimes. You can go through the 
standards but why go through the standards and all of a sudden 
purchase another technology that once again potentially is not 
going through the certification the industry should be going 
through.
    Third and most important, the definition, we heard a lot 
about patch management. I think the definition from 
vulnerability management to patch management is getting lost. 
The interpretation is it is vulnerability management, patching 
is a subset of what you need to do as part of vulnerability 
management. I see from the GAO report committees talking about 
configuration management but a true vulnerability management 
cycle includes configuration and patch management as a subset 
of what you need to do to ensure your networks.
    Thank you.
    Mr. Putnam. Thank you all. I want to thank both of our 
panels of witnesses for your participation today. The knowledge 
and experience and observations that were shared were 
outstanding.
    I want to thank Mr. Clay for his continued leadership and 
participation in these issues.
    As I stated earlier, security is a process, not a 
destination. Hackers, cyber criminals, disgruntled insiders, 
corporate spies and enemy states are not going away and no 
hardware or software will ever be totally secure. As such, the 
Federal Government and the private sector must be diligent in 
implementing proven risk management strategies to prevent, 
detect and respond to information security breaches.
    In the event there may be additional questions or 
statements for the record that we did not have time for today, 
the record will remain open for 2 weeks for submitted questions 
and answers.
    Again, thank you for your support and your leadership. With 
that, the subcommittee stands adjourned.
    [Whereupon, at 4:22 p.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]

                                 
