[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



                    INDUSTRY SPEAKS ON CYBERSECURITY

=======================================================================

                                HEARING

                                 of the

                     SUBCOMMITTEE ON CYBERSECURITY,
                 SCIENCE AND RESEARCH, AND DEVELOPMENT

                               before the

                 SELECT COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 15, 2003

                               __________

                           Serial No. 108-16

                               __________

    Printed for the use of the Select Committee on Homeland Security


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house

                               __________



                      U.S. GOVERNMENT PRINTING OFFICE
97-672 PDF                 WASHINGTON : 2004 _____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-00012004



                 SELECT COMMITTEE ON HOMELAND SECURITY



                 CHRISTOPHER COX, California, Chairman

JENNIFER DUNN, Washington            JIM TURNER, Texas, Ranking Member
C.W. BILL YOUNG, Florida             BENNIE G. THOMPSON, Mississippi
DON YOUNG, Alaska                    LORETTA SANCHEZ, California
F. JAMES SENSENBRENNER, JR.,         EDWARD J. MARKEY, Massachusetts
Wisconsin                            NORMAN D. DICKS, Washington
W.J. (BILLY) TAUZIN, Louisiana       BARNEY FRANK, Massachusetts
DAVID DREIER, California             JANE HARMAN, California
DUNCAN HUNTER, California            BENJAMIN L. CARDIN, Maryland
HAROLD ROGERS, Kentucky              LOUISE McINTOSH SLAUGHTER,
SHERWOOD BOEHLERT, New York            New York
LAMAR S. SMITH, Texas                PETER A. DeFAZIO, Oregon
CURT WELDON, Pennsylvania            NITA M. LOWEY, New York
CHRISTOPHER SHAYS, Connecticut       ROBERT E. ANDREWS, New Jersey
PORTER J. GOSS, Florida              ELEANOR HOLMES NORTON,
DAVE CAMP, Michigan                    District of Columbia
LINCOLN DIAZ-BALART, Florida         ZOE LOFGREN, California
BOB GOODLATTE, Virginia              KAREN McCARTHY, Missouri
ERNEST J. ISTOOK, JR., Oklahoma      SHEILA JACKSON-LEE, Texas
PETER T. KING, New York              BILL PASCRELL, JR., New Jersey
JOHN LINDER, Georgia                 DONNA M. CHRISTENSEN,
JOHN B. SHADEGG, Arizona               U.S. Virgin Islands
MARK E. SOUDER, Indiana              BOB ETHERIDGE, North Carolina
MAC THORNBERRY, Texas                CHARLES GONZALEZ, Texas
JIM GIBBONS, Nevada                  KEN LUCAS, Kentucky
KAY GRANGER, Texas                   JAMES R. LANGEVIN, Rhode Island
PETE SESSIONS, Texas                 KENDRICK B. MEEK, Florida
JOHN E. SWEENEY, New York

                      JOHN GANNON, Chief of Staff

         UTTAM DHILLON, Chief Counsel and Deputy Staff Director

               DAVID H. SCHANZER, Democrat Staff Director

                    MICHAEL S. TWINCHEK, Chief Clerk

                                 ______

   SUBCOMMITTEE ON CYBERSECURITY, SCIENCE, AND RESEARCH & DEVELOPMENT

                    MAC THORNBERRY, Texas, Chairman

PETE SESSIONS, Texas, Vice Chairman  ZOE LOFGREN, California
SHERWOOD BOEHLERT, New York          LORETTA SANCHEZ, California
LAMAR SMITH, Texas                   ROBERT E. ANDREWS, New Jersey
CURT WELDON, Pennsylvania            SHEILA JACKSON-LEE, Texas
DAVE CAMP, Michigan                  DONNA M. CHRISTENSEN,
ROBERT W. GOODLATTE, Virginia          U.S. Virgin Islands
PETER KING, New York                 BOB ETHERIDGE, North Carolina
JOHN LINDER, Georgia                 CHARLES GONZALEZ, Texas
MARK SOUDER, Indiana                 KEN LUCAS, Kentucky
JIM GIBBONS, Nevada                  JAMES R. LANGEVIN, Rhode Island
KAY GRANGER, Texas                   KENDRICK B. MEEK, Florida
CHRISTOPHER COX, CALIFORNIA, ex      JIM TURNER, Texas, ex officio
officio

                                  (ii)



                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable Mac Thornberry, Chairman, Subcommittee on 
  Cybersecurity, Science, and Research & Development, and a 
  Representative in Congress From the State of Texas.............     1
The Honorable Christopher Cox, Chairman, Select Committee on 
  Homeland Security, and a Representative in Congress From the 
  State of California............................................    45
The Honorable Jim Turner, Ranking Member, Select Committee on 
  Homeland Security, and a Representative in Congress From the 
  State of Texas.................................................    62
The Honorable Robert E. Andrews, a Representative in Congress 
  From the State of New Jersey...................................    58
The Honorable Donna M. Christensen, a Delegate in Congres From 
  the U.S. Virgin Island.........................................    47
The Honorable Bob Etheridge, a Representative in Congress From 
  the State of North Carolina....................................    45
The Honorable Sheila Jackson-Lee, a Representative in Congress 
  From the State of Texas........................................    54
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California............................................     1
The Honorable Loretta Sanchez, a Representative in Congress From 
  the State of California........................................    52
The Honorable Pete Sessions, a Representative in Congress From 
  the State of Texas.............................................    49
The Honorable Lamar S. Smith, a Representative in Congress From 
  the State of Texas.............................................    40

                               WITNESSES

Mr. Jay Adelson, CTO & Founder, Equinix, Inc.
  Oral Statement.................................................    18
  Prepared Statement.............................................    20
Mr. Whitfield Diffie, Chief Security Officer Sun Microsystems, 
  Inc.
  Oral Statement.................................................     8
  Prepared Statement.............................................    10
Ms. Tatiana Gua, Chief Trust Officer and Senior Vice President, 
  America On-Line (AOL) Core Services, AOL Time Warner
  Oral Statement.................................................    28
  Prepared Statement.............................................    30
Mr. Frank Ianna, President--AT&T Network Services, AT&T 
  Corporation
  Oral Statement.................................................    22
  Prepared Statement.............................................    24
Dr. James Craig Lowery, Chief Security Architect/Software 
  Architect and Strategist, Dell Computer Corporation
  Oral Statement.................................................    14
  Prepared Statement.............................................    16
Mr. Phil Reitinger, Senior Security Strategist, Microsoft 
  Corporation
  Oral Statement.................................................     2
  Prepared Statement.............................................     4

                                APPENDIX
                   Materials Submitted for the Record

Responses to Questions for the Record from Dr. James Craig Lowery    72
Responses to Questions for the Record from Mr. Jay Adelson.......    72
Responses to Questions for the Record from Mr. Frank Ianna.......    74
Responses to Questions for the Record from Ms. Tatiana Gau.......    78
Responses to Questions for the Record from Mr. Phil Reitinger....    79

 
                    INDUSTRY SPEAKS ON CYBERSECURITY

                              ----------                              


                         TUESDAY, JULY 15, 2003

                      U.S. House of Representatives
             Subcommittee on Cybersecurity, Science
                               and Research and Development
                     Select Committee on Homeland Security,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:02 a.m., in 
Room 2118, Rayburn House Office Building, Hon. William 
Thornberry [chairman of the subcommittee] presiding.
    Present: Representatives Thornberry, Sessions, Boehlert, 
Smith, Camp, Linder, Lofgren, Sanchez, Andrews, Jackson Lee, 
Christensen, Etheridge, Lucas, Langevin, Meek, Cox (ex 
officio), Turner (ex officio), also present, Dunn.
    Mr. Thornberry. [Presiding.] The hearing will come to 
order.
    This hearing of the Subcommittee on Cybersecurity, Science, 
Research & Development will take testimony today on industry 
perspectives on cybersecurity.
    And let me first thank each of the witnesses for making the 
effort to be here today. As you look down the line, it is truly 
not only a group that has a lot to offer to this subcommittee, 
but the world leaders in so many fields.
    So I appreciate each of you being here, and I appreciate 
the staff being able to assemble this panel and all we have, 
and enable us to learn from it.
    Ms. Lofgren and I again ask unanimous consent that members 
other than the chairman and ranking member waive oral written 
statements--oral opening statements, written opening statements 
will be made part of the record and each of the witnesses 
written statements will also be made a part of our record.
    And at this time the Chair will yield to the distinguished 
gentlelady from California, Ranking Member Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman.
    This is a terrific panel and I know that we at the end of 
the day will know more about what we face as a nation in the 
area of cybersecurity and will have, I think, a better idea of 
the prudent steps that we should take.
    I am especially pleased--I mean, every one of the witnesses 
is spectacular--but I would like to issue a special welcome to 
Whit Diffie, who was part of the encryption wars that Mr. 
Goodlatte and I engaged in with so many of the members of the 
committee a few years ago, and the inventor of public key 
encryption.
    I hope that as we hear from the witnesses, we can 
particularly hear about your company's investment into research 
and development on cyber vulnerabilities, and without going 
into specifics, learn about the various types of cyber attacks 
your company has faced in the past year, your company's 
policies on information-sharing relative to cyber attacks as 
well as any experience you have had in dealing with the 
Department of Homeland Security.
    As the chairman and I have discussed in past occasions, I 
think we all know the issue really is what benchmarks do we put 
in place, how do we audit or ensure benchmarks are being met, 
and which carrot and stick do we put in place.
    And those are broad categories, but the details are 
troublesome.
    And so that is what we are, I think, dealing with and we 
know that most of the infrastructure that needs to be protected 
is in the private sector, so it is absolutely so important that 
you are here today.
    And I would ask--well, we already have consent to put my 
full statement into the record.
    And I thank the chairman for yielding.
    Mr. Thornberry. Thank you, gentlelady.
    And I think we see things exactly the same.
    We are not going to be successful as a country without a 
partnership with each of you and other industry folks.
    So at this time I want to turn to our witnesses.
    As I mentioned, your full written statement will be made 
part of the record, and I will invite each of you to either 
summarize it or make such comments as you wish.
    We are going to go down the row.
    And I am going to start with Philip Reitinger, who is 
senior security strategist with Microsoft.
    Thank you for being here with us today.
    And you are recognized for five minutes.

 STATEMENT OF MR. PHIL REITINGER, SENIOR SECURITY STRATEGIST, 
                     MICROSOFT CORPORATION

    Mr. Reitinger. Thank you very much.
    Good morning.
    Good morning, Chairman Thornberry, Ranking Member Lofgren, 
and members of the subcommittee.
    As the chairman indicated, my name is Phillip Reitinger, 
and I am a senior security strategist with Microsoft 
Corporation.
    I want to thank you for the opportunity to appear before 
you here today to provide our views on an issue that affects 
government, businesses and consumers--cybersecurity. Microsoft 
is deeply committed to confronting the challenges of 
cybersecurity and we recognize our responsibility to make our 
products ever more secure.
    Our efforts accelerated after September 11 and crystallized 
when Bill Gates launched our trustworthy computing initiative 
in January 2002. Trustworthy computing is Microsoft's top 
priority and involves every aspect of the company. Last year, 
we had all 8,500 developers on the Windows team stop developing 
new code to focus on security. We spent over two months 
training our developers, reviewing the security of existing 
codes, reducing potential vulnerabilities, modeling threats, 
and conducting penetration testing of the code. This critical 
investment cost us an estimated $200 million dollars and 
delayed by months the release of our recent Windows Server 2003 
product.
    Trustworthy computing, broadly, means that we are working 
to ensure that computers better protect the security of 
personal and corporate information, enable people in 
organizations to control how their information is used, and are 
more reliable. Security, privacy, reliability and business 
integrity are the core pillars of our trustworthy computing 
initiative. In this effort, we are working to create products 
and services that are secure by design, secure by default, 
secure in deployment, and to communicate openly about security.
    Secure by design means two things. Writing more secure code 
and architecting more secure products and services. Secure by 
default means writing computer software that is secure out of 
the box, whether in a home environment or an IT department. 
Secure in deployment means making it easier for consumers and 
IT professionals to maintain the security of their systems. And 
communications means sharing what we have learned, both within 
and outside of Microsoft, particularly through our industry-
leading response center.
    The trustworthy computing goals are ingrained in our 
culture and are part of the way we value our work. Yet, we 
recognize that trustworthy computing and improved cybersecurity 
will not result from the efforts of one company alone. As 
demonstrated by my colleagues on this panel, we are not alone 
in these efforts. Microsoft is dedicated to working together 
with these industry partners and with government leaders to 
make the goals of trustworthy computing an industry-wide 
reality.
    We do so in a number of forums, including the IT ISACs, the 
Partnership for Critical Infrastructure Security, the National 
Cybersecurity Alliance and the Trusted Computing Group. We also 
recognize that technology, alone, cannot provide a complete 
answer.
    I want to outline a few specific areas where government 
policy can help promote cybersecurity. First, the government 
can help by recognizing IT products engineered for security and 
by securing its own systems. This can include purchasing 
common-criteria certified products, and even awarding a Malcolm 
Baldrige type of award for security solutions.
    Secondly, we support additional federal funding for 
cybersecurity research development, including university-driven 
research that can be transferred to the private sector so that 
industry can further develop this technology and deploy it 
widely.
    Third, we support an international law enforcement 
framework that establishes minimum criminal liability and 
penalty rules for cyber crime, so that cyber attackers cannot 
escape punishment for attacks against the United States by 
seeking refuge outside our borders.
    Fourth, the government must be both a provider as well as a 
consumer of valuable threat information.
    Finally, even with the creation of the Department of 
Homeland Security and the National Cybersecurity Division, both 
of which Microsoft supported, cybersecurity remains an 
interagency problem. Without a multi-disciplinary effort by 
both government and industry, we will not succeed.
    In conclusion, Microsoft is committed to strengthening the 
security of our products and services and is equally committed 
to working with governments and our industry peers on security 
issues.
    In the end a coordinated response to cybersecurity risks 
offers the greatest hope for promoting security and fostering 
the growth of a vibrant online economy. Thank you very much.
    [The statement of Mr. Reitinger follows:]

               PREPARED STATEMENT OF MR. PHILIP REITINGER

    Chainnan Thornberry, Ranking Member Lofgren, and Members of the 
Subcommittee: My name is Philip Reitinger, and I am a Senior Security 
Strategist at Microsoft reporting directly to Microsoft's Chief 
Security Strategist. I want to thank you for the opportunity to appear 
today to provide our views on an issue that affects governments, 
businesses, and consumers around the world--cybersecurity. It is the 
responsibility of all of us to ensure that the tremendous benefits of 
technology for governments, business and consumers are not thwarted by 
attacks on our computer systems. Because most cyber attacks are not 
discovered or, if discovered, are not reported, and because we have no 
national or international statistically rigorous measurement of damages 
from cyber crime, the exact cost of cyber attacks to companies and 
consumers is unknown. But four things are clear:
    First, there are people in cyberspace who seek to corrupt our 
systems. These criminals act with the knowledge that they are highly 
unlikely to be caught, let alone prosecuted and imprisoned.
    Second, the known damages are significant--perhaps in the billions 
of dollars annually. Software applications and operating systems, and 
the networks on which they reside, are ubiquitous and integral to 
society, and attacks upon them can cause significant disruption.
    Third, as September 11th taught us, our preconceived notions of the 
risk from terrorism and other threats may underestimate the actual risk 
by orders of magnitude. A cyber attack on the backbone of one of our 
nation's critical information infrastructures could disrupt America's 
physical and economic well-being and have a massive worldwide impact.
    Fourth, and most important, these attacks have an impact greater 
than immediate financial loss. Perhaps their greatest cost is the loss 
of consumer trust in information technology. Without such trust, 
society cannot realize the full potential of information technology. 
Thus, the effort to achieve cybersecurity--to achieve the trust 
necessary to reap the benefits of the digital age--is a critical 
priority for us all.
    At Microsoft, we are deeply committed to cybersecurity and we 
recognize our responsibility to make our products ever more secure. We 
are at the forefront of industry efforts to enhance the security of 
computer programs, products and networks, and better protect our 
critical information infrastructures. We also work closely with our 
partners in industry, government agencies and law enforcement around 
the world to identify security threats to computer networks, share best 
practices, improve our coordinated response to security breaches, and 
prevent computer attacks from happening in the first place. These 
efforts accelerated after September 11 and crystallized when Bill Gates 
launched our Trustworthy Computing initiative in January 2002.
    Today, I want to describe the ways in which we believe industry and 
government can work in partnership to promote cybersecurity. First, I 
will discuss our commitment to Trustworthy Computing and how it is 
reflected in our products and our research and development efforts. 
Next, I will discuss our efforts to join forces with industry and 
government to help guard against cyber-threats and enhance security for 
businesses and consumers. Finally, I will address government's critical 
and tailored role in enhancing cybersecurity.
    Microsoft's Commitment to Trustworthy Computing
    Trustworthy Computing is Microsoft's top priority and involves 
every aspect of the company. Last year, we had all 8,500 developers on 
the Windows team stop developing new code to focus on security. We 
spent over two months training our developers, reviewing the security 
of existing code, reducing potential vulnerabilities, modeling threats 
and conducting penetration testing of the code. This effort cost us an 
estimated $200 million dollars, and delayed by months the release of 
our recent Windows Server 2003 product. But we know that it was worth 
these costs, and it was a critical step to enhance the security of 
Microsoft's key software platform.
    ``Trustworthy Computing'' broadly means that we are working to 
ensure that computers better protect the security of personal and 
corporate information, enable people and organizations to control how 
their information is used, and are more reliable. We also are working 
to ensure that when problems do arise, they can be resolved immediately 
and predictably. Security, privacy, reliability and business integrity 
are the core pillars of our Trustworthy Computing initiative.
    The security pillar of Trustworthy Computing is most relevant for 
today's hearing. Under this pillar, Microsoft is working to create 
products and services that are Secure by Design, Secure by Default, and 
Secure in Deployment, and to communicate openly about security.
         ``Secure by Design'' means two things: writing more 
        secure code and architecting more secure products and services. 
        Writing more secure code means using a redesigned software 
        development process that includes training for developers, code 
        reviews, automated testing of code, threat modeling, and 
        penetration testing. Architecting more secure products and 
        services means designing products with built in and aware 
        security, so that security imposes less of a burden on users 
        and security features are actually used.
         ``Secure by Default'' means that computer software is 
        secure out of the box, whether it is in a home environment or 
        an IT department. It means shipping products to customers in a 
        locked-down configuration with many features turned off, 
        allowing customers to configure their systems appropriately, in 
        a more secure way, for their unique environment.
         ``Secure in Deployment'' means making it easier for 
        consumers and IT professionals to maintain the security of 
        their systems. We have a role in helping consumers help 
        themselves by creating easy-to-use security technology. Due to 
        the complexity of software and multiple environments in which 
        it may be placed, software will never be perfectly secure while 
        also being functional. Accordingly, ``secure in deployment'' 
        means providing training on threats and security; offering 
        guidance on how to deploy, configure and maintain products 
        securely; and providing better security tools for users, so 
        that when a vulnerability is discovered, the process of 
        patching that vulnerability is simple and effective.
         ``Communications'' means sharing what we learn both 
        within and outside of Microsoft, providing clear channels for 
        people to talk to us about security issues, and addressing 
        those issues with governments, our industry counterparts, and 
        the public.
    The Trustworthy Computing goals are real and specific, and this 
effort is now ingrained in our culture and is part of the way we value 
our work. It is demonstrated by our enhanced software development 
process. It is demonstrated by our continued development of more 
sophisticated security tools, including threat models and risk 
assessments, to better identify potential security flaws in our 
products. It is demonstrated by our formation of what we believe to be 
the industry's best security response center to investigate immediately 
any reported product vulnerability and build and disseminate the needed 
security fix. And perhaps more clearly than anything else, it is 
demonstrated by our delay in releasing a product for months to continue 
to improve its security. In short, security is--as it should be--a 
fundamental corporate value. We make every effort to address security 
in the initial product design, during product development, and before a 
product's release, and we remain committed to security in the product 
once it has gone to market.
    At times, of course, people worry that increased security may lead 
to an erosion of privacy. It is important to note that we do not view 
security and privacy as in inevitable conflict. In fact, we think 
technology can help protect both simultaneously. We hear repeatedly 
from customers that they need new ways to control how their digital 
information is used and distributed. In response, we are working on a 
number of emerging rights management technologies that will help 
protect many kinds of digital content and open new avenues for its 
secure and controlled use. For example, we are on the verge of 
releasing Microsoft Windows Rights Management Services (RMS), a premium 
service for Windows Server 2003 that works with applications to help 
customers protect sensitive web content, documents and e-mail. The 
rights protection persists in the data regardless of where the 
information goes, whether online or offline. In this way it allows 
ordinary users and enterprises to take full advantage of the 
functionality and flexibility offered by the digital network 
environment--from sharing information and entertainment to transacting 
business--while providing greater privacy and persistent protections.
    Much work on Trustworthy Computing, however, remains ahead of us. 
One key piece of that work is the Next-Generation Secure Computing Base 
(NGSCB). This is an on-going research and development effort to help 
create a safer computing environment for users by giving them access to 
four core hardware-based features missing in today's PCs: strong 
process isolation, sealed storage, a secure path to and from the user, 
and strong assurances of software identity. These changes, which 
require new PC hardware and software, can provide protection against 
malicious software and enhance user privacy, computer security, data 
protection and system integrity. We believe these evolutionary changes 
ultimately will help provide individuals and enterprises with greater 
system integrity, information security and personal privacy, and will 
help transform the PC into a platform that can perform trusted 
operations, to the benefit of consumers.
    Microsoft's Collaboration with Third Parties on Security 
Initiatives
    Notwithstanding the robust nature of our own efforts, we recognize 
that Trustworthy Computing and improved cybersecurity will not result 
from the efforts of one company alone. And, as will be demonstrated by 
my colleagues from this and the next panel, we are not alone in these 
efforts--responsible information technology companies increasingly 
focus on security as a key corporate goal. Microsoft is dedicated to 
working together with these industry partners and with government 
leaders to make the goals of Trustworthy Computing an industry-wide 
reality. For example, as part of our work on NGSCB, we work with a 
variety of hardware and software partners to ensure that the PC 
platform has built-in protection against future viruses, threats from 
hackers, and unauthorized access to private information and digital 
property.
    In April of this year, we joined four other industry partners (AMD, 
Intel, IBM and Hewlett-Packard) in establishing the Trusted Computing 
Group (TCG), a not-for-profit organization formed to develop, define, 
and promote open standards for hardware-enabled trusted computing and 
security technologies. The primary goal is to help users protect their 
information assets (data, passwords, keys, etc.) from external software 
attack and physical theft and to provide these protections across 
multiple platforms, such as servers, PDAs, and digital phones.
    In addition to these efforts, Microsoft remains committed to a 
multi-disciplinary approach to security that extends beyond technical 
solutions and specifications. Early detection and warning of 
cybersecurity threats, public education on cybersecurity, incident 
response, and prosecution of cyber-crimes, among other things, are all 
key aspects of creating a more secure computing environment. In order 
to have effective prevention and response, there must be an emphasis on 
cooperation and information sharing. For this reason, we have been 
supporters of the National Cyber Security Alliance and the Partnership 
for Critical Infrastructure Security, and we work closely with 
government agencies and other industry participants on both an 
informational and operational level to prevent and investigate computer 
intrusions and attacks.
    We also helped found the Information Technology - Information 
Sharing and Analysis Center (IT-ISAC) and provided its first president. 
The IT-ISAC coordinates information-sharing on cyber-events among 
information technology companies and the government. We continue to 
support and are working with other members to improve the IT-ISAC's 
efforts to coordinate among members, with the government, and with 
other ISACs. Such efforts are critical because this nation's 
infrastructures were and are designed, deployed, and maintained by the 
private sector. The interdependencies among infrastructure sectors mean 
that damage caused by an attack on one sector may have disruptive and 
perhaps devastating effects on other sectors. Voluntary information 
sharing and industry-led initiatives, supported by government 
cybersecurity initiatives, comprise an essential first line of defense 
against such threats.
    We believe that the information sharing engendered to date by the 
IT-ISAC and other ISACs is an important step in enhancing public-
private cooperation in combating cybersecurity' threats. Yet, there 
remains room for progress and government and industry should continue 
to examine and reduce barriers to appropriate exchanges of information, 
and build mechanisms and interfaces for such exchanges. This effort 
must involve moving away from ad hoc exchanges and toward exchanges 
that are built into business processes. This will require working 
toward a common understanding of the information that is valuable to 
share, when and how such information should be shared, and the means by 
which shared information will be protected. The keystones are trust and 
value--if an information sharing ``network'' provides value and the 
participants trust it, then information will be shared. While the 
appropriate structure and form of this network are still evolving for 
both industry and government, we are eager to see a robust exchange of 
information on cybersecurity threats and will work with government, our 
industry partners, and with the ISAC community toward that goal.
    Where Government Policy Can Make a Difference
    While the sorts of technology-related steps outlined above can 
address many of the security challenges we face, technology alone 
cannot provide a complete answer. A comprehensive response to the 
challenges of cybersecurity depends on both technology and public 
policy--and critically, on how technology and policy interact with and 
complement one another. I want to outline a few specific areas where 
government policy can be particularly helpful in promoting 
cybersecurity.
    First, the government, through public attestations and its own 
security practices and procurement efforts, can help by recognizing IT 
products engineered for security. For example, the late Commerce 
Secretary, Malcolm Baldridge, was honored by having a quality award 
named after him and bestowed upon businesses that demonstrate 
outstanding quality in certain areas. We understand that the Department 
of Homeland Security is considering a similar award for high quality 
security solutions. We think this is a good idea and we are ready to 
support the government as it develops and implements this visible 
incentive.
    Likewise, the government can lead by example by securing its own 
systems through the use of reasonable security practices and buying 
products that are engineered for security. Where appropriate--such as 
for national security agencies and other agencies, issues, and services 
for which security is of the utmost importance--this should include 
purchasing products whose security has been evaluated and certified 
under the internationally-recognized (and U.S. supported) Common 
Criteria for Information Technology Security. Such efforts to procure 
only security-engineered products, and specifically such clear support 
for the Common Criteria, will help strengthen the government 
infrastructure. In doing so, the government also will help set a high 
standard for security--one that ultimately is necessary to enhance the 
protection of critical infrastructures.
    Second, public research and development can play a vital role in 
advancing the IT industry's security efforts. Accordingly, we support 
additional federal funding for cybersecurity research and development 
(R&D), including university-driven research. The public sector should 
increase its support for basic research in technology and should 
maintain its traditional support for transferring the results of 
federally- funded R&D under permissive licenses to the private sector 
so that industry can further develop the technology and deploy it 
widely.
    Third, Microsoft believes that greater cross-jurisdictional 
cooperation and capability among law enforcement is needed for 
investigating cyber-attacks. Cyber-attackers can easily transit any 
border, as demonstrated by the I LOVE YOU and Anna Kournikova viruses 
and the Solar Sunrise attacks, all of which were international in 
scope. Enhanced law enforcement cooperation across local, state and 
international borders, along with increased law enforcement capability 
internationally, is vital for law enforcement to prevent and 
investigate cyber attacks. We therefore support an international law 
enforcement framework that establishes minimum criminal liability and 
penalty rules for cyber crime so that cyber-attackers cannot escape 
punishment for cyber attacks against the U.S. by seeking refuge outside 
of our borders.
    Fourth, government has a critical role to play in facilitating 
information sharing. Government sharing its own information with 
industry is essential both to protect critical infrastructures and to 
build value in an information sharing network. In short, the government 
must be a provider as well as a consumer of valuable threat 
information.
    Finally, government must recognize that even with the creation of 
the Department of Homeland Security and the new National Cyber Security 
Division (NCSD)--both of which Microsoft supported--cybersecurity 
remains an interagency problem. Accordingly, one of the key roles for 
the new Department, and specifically for NCSD, will be building 
incentives for effective government action, helping other government 
agencies develop new business processes that support homeland security, 
and reducing government stovepipes. Without a multidisciplinary effort 
by both government and industry, we will not succeed.
    Conclusion
    Microsoft is committed to strengthening the security of our 
products and services and is equally committed to working with 
governments and our industry peers on security issues, whether by 
offering our views on proposed regulatory and policy measures or 
participating in joint public/private security initiatives. In the end, 
a coordinated response to cybersecurity risks--one that is based on 
dialogue and cooperation between the public and private sectors--offers 
the greatest hope for promoting security and fostering the growth of a 
vibrant online economy.

    Mr. Thornberry. Thank you.
    We will now turn to our next witness, which is--who has 
already been partially introduced, Whitfield Diffie is vice 
president and fellow at Sun Microsystems, and has been one of, 
if not the key leader in public key cryptography. And thank you 
for being here. You are recognized for five minutes.

STATEMENT OF MR. WHITFIELD DIFFIE, CHIEF SECURITY OFFICER, SUN 
                       MICROSYSTEMS, INC.

    Mr. Diffie. Well thank you very much.
    When people look back on this era we are in, the end of the 
twentieth century, the beginning of the twenty-first, I think 
what is going to be remembered is the era of a transition from 
a physical society to a virtual society, an information 
society, an electronic society. And things that we now regard 
as fairly arcane security mechanisms will come to be seen as 
fundamental social mechanisms in the same way that 
interpersonal recognition, which is a security mechanism, is 
perhaps the most fundamental mechanism of society.
    Now, information security at this point is in my view 100 
years old. There is a lot of prehistory, a lot of cryptography 
in the Renaissance and things like that. But the critical thing 
was the introduction of radio, because radio was the 
communications medium so valuable that nobody could afford to 
ignore it. And yet it was a medium in which all of the 
traditional security measures typified by the diplomatic pouch 
had no applicability at all. And consequently, cryptography was 
the only mechanism available to protect radio.
    Now there are some other more technical ones, but 
cryptography is the most general one. And that swamped the code 
clerks.
    First World War, they were working with techniques intended 
to encrypt a small volume of messages that were going to go 
into other protective channels. Suddenly they had to encrypt a 
vast fraction of what was communicated by radio. And this 
started a race to automation and a race to develop good 
cryptography that dominated information security for most of 
the twentieth century. I am pleased to say that I think that as 
a practical matter, we have largely solved that kind of 
problem. And I will just list one example of something that 
happened within the past few months.
    Within the past 4 years or so, the U.S. adopted a new 
national cryptographic standard. It is called the Advanced 
Encryption Standard. And it was actually formally adopted the 
26th of November, 2001. Unlike its predecessor, the data 
encryption standard, it was designed to be as secure as anybody 
could want. And that fact has been recognized this spring in 
the issuance of CNSS-15, policy memorandum from the Committee 
For National Security Systems, recognizing the AES is adequate 
to be used for the protection of classified national security 
data.
    Now, there is still a long way to go. Even in that 
direction we are a long way from having the first piece of 
comsec equipment that uses AES. But this is a crucial 
milestone.
    Later in the 20th century, communications security, 
cryptography centered security was joined by computer security. 
And in the first generation of this in the 1970s and 1980s, the 
envision was what was then called timesharing, lots of 
processes running on the same computer. That program was not 
entirely successful, although I am pleased to say that one of 
its best products is one of ours: Sun's trusted Solaris system 
is used widely throughout the federal government for high 
security applications.
    But what happens if a secure computing, more than if the 
problem was solved, was that the problem changed?
    And it became a problem of network security, and we went 
into--curiously, one of the greatest developments in security 
is something Sun not originated but certain pioneered, which is 
client-server computing: dividing functionality out among the 
computers of a network so that one appeals to another for 
services.
    We introduced the Java programming language--a different 
style of writing programs with security very high among its 
qualifications.
    Cryptography has become much more widely available and much 
better developed than it was back in the first period of 
computer security.
    And the cost of hardware has fallen so that we can support 
computer security better with dedicated hardware.
    In short, we have a whole new ball game. It also happens we 
have a whole new challenge.
    Today when we say, as say a lot at Sun, The network is the 
computer, we are not saying a shadow of what we will be saying 
when we say that five to 10 years from now.
    We are entering an era--the current buzzword is ``Web 
services.'' I don't know if the buzzword will persist, but the 
concept will endure.
    Computers communicating with computers and subcontracting 
work to them. You need data mining done? You need a movie 
rendered? You go out and you look at yellow pages, you find a 
computer, a resource that has the equipment to do this, and you 
get it done, they return their bill.
    Suddenly we face a new set of security requirements and 
these are characterized by negotiation--one computer has to 
agree with the other what is going to be done; and by 
configuration control--a computer has to demonstrate to the 
other that it is capable of doing these things.
    So we are in the infancy of a computer-mediated society and 
economy. And one of the critical things we know: We have to be 
careful. The decisions we make in security today are going to 
influence the structure of society all through the 21st 
century.
    So we need both not to rush into regulation, particularly 
not to respond to disasters by sudden patch-up regulations, but 
to exercise foresight in this area to devote efforts to 
studying this area and to plan well for the security measures 
we need.
    Very often the short sight of individual users drives 
security policy. They prefer what appears to be convenience in 
applications over a sound structure that gives them secure 
operation because they don't anticipate the inconvenience of 
being broken into and having lots of down time. I think that 
government will have a big but what must be a very carefully 
considered role to play in this.
    Security is going to be far more than just technology. It 
is going to influence law, it is going to influence business. 
The example I gave in my written testimony is: You capture the 
current contracting and subcontracting mechanism in things that 
happen in fractions of a second between computers. What are you 
going to do about adjudication? Nothing we have at the moment 
speaks to the time scale and complexity of operation--of 
business operations--that is approaching.
    I would like to close with one concrete suggestion, 
prefaced with some very important thanks. There was a proposal 
within the past year ago to move the computer security division 
of NIST into the new homeland security department. And we at 
Sun and many in industry thought that this was ill-considered 
because that division had learned over its 15 years of 
operation after the Computer Security Act of 1986 to work with 
industry, to field standards that industry actually accepted 
and used.
    And we feared that the move into a department with a more 
military and more classified and more closed style would lead 
to standards that were not so enthusiastically received by 
industry.
    So I would like particularly to thank representatives 
Boehlert, Goodlatte and Lofgren for their support in this 
matter.
    But I think the computer security division at NIST needs 
much more support and has now a vital role to play. My 
colleague spoke about the importance of common-criteria 
certification for security processes. And that is a very 
valuable mechanism; it is very much in need of improvement.
    The set of classifications within that system are 
complicated, hard for users to understand, hard for them to 
know the difference between something certified at EAL-2 and 
EAL-4. It needs to be simplified; evaluation needs to be 
improved and speeded up, but probably most important--something 
that the government is best placed to do--is that a validation 
mechanism for these ratings needs to be put in place, something 
that follows this history of evaluated products, determines 
whether they are really functioning securely, and is able to 
speed back the record of break-ins or attempted break-ins to 
these products in order to improve the evaluation products and 
guarantee that when we have security certification it really 
means the things are secure.
    Thank you very much.
    [The statement of Mr. Diffie follows:]

PREPARED STATEMENT OF MR. WHITFIELD DIFFIE, CHIEF SECURITY OFFICER SUN 
                           MICROSYSTEMS, INC.

    When historians write the history of the late 20th century and the 
early 21st, they are likely to see it as the period when the world 
moved from the physical to the virtual. When face to face meetings, 
written letters, and visits to showrooms were progressively replaced by 
phone calls, e-mail, and web browsing. As information, and with it 
human culture, come to travel more and more in a digitized, computer-
mediated world, the computer and communications infrastructure must be 
expanded to provide the fundamental mechanisms needed to support the 
totality of human culture. One of these, widely recognized but little 
understood, is security.
    Information security: essentially, the protection of information in 
electronic media, is about a century old. The field has a long 
prehistory. Information has been protected on paper and in crude 
telecommunication channels, like signal fires, for millenia but 
information security as we know it today dates from the development of 
radio and from the use of radio in WWI.
    The first major problem in information security was cryptography. 
Despite cryptography's romantic aura and long history, prior to radio, 
cryptography was always a secondary security measure. A dispatch on 
paper might be enciphered but its primary protection lay not in the 
encryption but in the careful handling of the diplomatic bag. Although 
telegraph messages were frequently sent in code, the customers were 
relying more on the integrity of the telegraph companies than on the 
codes for security.
    The use of radio, particularly military radio in wartime, was 
different. Radio was so valuable that no one dared forgo its use. Prior 
to radio, Britain's First Sea Lord, who commanded the largest navy in 
the world had only a vague idea of where his ships were. He might 
dispatch a flotilla on a mission and not hear anything about their 
progress for weeks or months. Within a few years of the introduction of 
radio, the First Sea Lord could expect to reach any ship in the fleet 
within hours. Today, of course, with the exception of submarines, this 
process is virtually instant, like making any other phone call.
    The problem with radio from a security viewpoint is that everyone 
can listen to the radio and often the people you don't want listening 
get better reception than the ones you do. This promoted cryptography 
from a secondary security measure to a primary one. It was the only 
security measure of any use in protecting radio transmissions and it is 
still the primary one. The result was to swamp the code clerks, whose 
hand techniques were designed to add extra protection to a small 
fraction of military traffic, not provide the primary protection to 
most of it.
    The result was the race to automate cryptography, and the resultant 
race to automate cryptanalysis, that dominated cryptography throughout 
the 20th century. For half a century, military cryptography was 
dominated by rotor machines: electromechanical devices that embodied 
cipher alphabets in rotating wheels and automated the polyalphabetic 
ciphers that had been known since Renaissance Italy but had been too 
prone to errors to see extensive use. Mechanization reduced the errors, 
increased the speed, and allowed much more thorough protection than 
could be achieved by hand.
    In the 1930s, a new kind of rotor machine was developed in the US, 
one in which the wheels, of one rotor machine were moved by the actions 
of another rotor machine. This machine, called Sigaba, was the most 
secure cryptosystem of its era and it appears that no Sigaba traffic 
was read in the WWII period.
    By the time of WWII, the US had secure cryptographic systems for 
protecting ten-characterper-second telegraph traffic but little ability 
to protect voice or other broader-band signals. The first secure 
telephone was developed during the war. The system, called Sigsaly, 
provided very secure, surprisingly comprehensible voice communications 
with one severe drawback: the system occupied thirty-racks of 
equipment, weighed as many tons, and cost millions. At first, the only 
customers who could ``afford'' Sigsaly were Roosevelt and Churchill. 
Even though, Sigsaly's were later provided to major military commands, 
there were never more than a dozen of them. However limited in 
deployment, Sigsaly was proof of concept for secure voice and the need 
to develop higher speed cryptosystems dominated cryptographic 
development for decades.
    Although, like all important subjects, cryptography is still beset 
with profound unsolved problems, it is no longer the limiting resource 
in secure communication that it was for most of the 20th century. Good 
cryptographic systems are now available and the mathematical 
foundations on which they rest are widely understood.
    The new status of cryptography is exemplified by the US Advanced 
Encryption Standard (Federal Information Processing Standard 197). AES 
is the successor to the US Data Encryption Standard (FIPS-46) which was 
adopted in 1977. At that time, the National Security Agency, recognized 
the need for a cryptographic system to protect government information 
outside the national-security sphere. Because such a system could not 
achieve its objectives without being made public, NSA worried that it 
would also be used by the enemies of the United States. The result was 
a compromise, a system that NSA considered strong enough for its 
intended application but weak enough that it would not present an 
insurmountable obstacle if NSA encountered a DES cryptogram that it 
felt sufficiently motivated to read. The development process, although 
formally open, was in fact closely held and the compromise became the 
subject of a long-running controversy.
    When the DES came to the end of its useful lifetime in the late 
1990s, the National Institute of Standards and Technology set out to 
replace it. This time the process was entirely different. After a 
public process of developing the requirements for the new algorithm, a 
solicitation drew fifteen candidates from around the world. The 
candidates were studied over a period of two years in a process that 
involved three public conferences. Five finalists were selected from 
the fifteen and then one winner was selected from the finalists. On the 
26th of November 2001, an algorithm designed in Belgium was selected as 
the national standard of the United States.
    To those who had watched the evolution of US cryptographic policy 
over the previous three decades, the AES seemed miraculous but an even 
more surprising turn occurred this spring, which was publicly announced 
in June. The Committee on National Security Systems of the Department 
of Defense issued Policy Directive 15, which authorized the use of AES 
(in approved implementations) for all levels of classified national 
security information. It will be years before we are applying COTS 
infosec technology to the majority of our national security systems but 
we have just passed a essential way point on that road.
    Although, unification of other aspects of cryptography have not 
reached the same level of standardization, key-management techniques 
based on the first generation of public-key cryptographic systems is in 
use for both government and private sector security. Second generation 
key-management techniques based on elliptic curve cryptosystems 
promises a greater degree of unification within the decade.
    In the latter half of the 20th century, cryptography was joined by 
another information security problem: secure computing. With the 
development of computers capable of running more than one program at a 
time, came the problem of running two different programs with different 
security levels or different owners and preventing them from 
interfering with each other. In the 1970s and 1980s there was great 
optimism about the prospects of developing a multi-level secure 
operating system.
    This program called for extensive system specifications and formal 
verification that the systems met their specifications. This proved 
expensive and fewer systems emerged than had been expected. Among the 
successes is Sun's Trusted Solaris, a high-security operating system 
that is widely used in DoD and the Intelligence Community. In a 
reflection of the rising importance of security, the enhanced-security 
features of Trusted Solaris are being steadily integrated into the 
main-stream Solaris product and the two systems will be merged in the 
next major release.
    Despite such isolated successes as Trusted Solaris, the problem of 
secure computing has been transformed more than solved. In the 1970s an 
organization of moderate size, such as Rand or the MIT Lincoln 
Laboratory would have a small number of big computers, perhaps only 
one. Every program that was run would have to be run on the one 
machine. If it was so sensitive that it could not be run in the 
presence of other programs, for fear that they might be spying on it, 
it would have to pay the high price of having the machine to itself.
    As the seventies flowed into the eighties, two factors came 
together to change this. Computers got cheaper and became available at 
a variety of prices and a variety of levels of performance. Equally 
important, the ARPAnet, ancestor of the Internet, became available. 
This meant that a sensitive project no longer had to make arrangements 
for using a shared computer. It could purchase its own computer, 
appropriate to its needs an budget, put the computer in a room, and 
lock the door. Its communications with the outside world, if it needed 
any, could be handled through network channels more easily controlled 
than the communication paths internal to an operating system.
    Client-server computing, the concept on which Sun was built, 
although rarely thought of as a security mechanism, has made a major 
contribution to security. In the network environment, a sensitive 
database can be isolated on a machine by itself, communicating with the 
rest of the world through a network connection. Enforcing the 
databases' access policies against users of other machines on a network 
is far easier than enforcing them against other users on the same 
machine.
    Another key success in computer security came with the Java 
language. In the 1970s, DoD aspired to purchase ``untrusted'' 
applications, such as compilers and run them on classified data, in 
this case secret programs. Untrusted in this case means ``uncleared.'' 
The programs in question came from reputable software manufacturers but 
from manufacturers who did not have DoD facility clearances or cleared 
workforces. In the 1990s, this objective was magnified several fold. 
With the rise of the Internet, it became valuable for client computers 
to import applet programs in real time from servers. As the cost of 
putting up a server is small, the applets no longer could be counted on 
to come from reputable computer manufacturers. ``Untrusted'' had 
reached a new level; a workstation needed the ability to run programs 
about which it knew nothing and get useful work out of them, without 
exposing itself to excessive risk. The Java solution is to write the 
programs in a portable language which is structured to allow the client 
machine to verify the structure of the incoming program before 
executing it.
    Given the substantial effort that has been devoted to computer 
security over the past thirty years, the mixed results of that effort, 
and the fact that the need for security is steadily increasing, it is 
reasonable to ask what the prospects are today for major improvement. 
If one answers, as I would, that the prospects are quite bright, one 
must also answer the question ``Why?''
    As described above, the answer is that in large part, we are facing 
a new problem. The computer security problem seen in the 1970s has 
changed into a network security problem of the 21st century. Some 
problems have been solved, some problems remain, and many new problems 
have appeared. Equally important is the fact that new tools have become 
available. In the 1970s, cryptography was primitive by comparison with 
its development today. Two aspects of cryptography especially crucial 
to computer security, public key cryptography and hashing functions 
were in their infancy. Equally important, the National Security Agency, 
whose monopoly of cryptographic erudition was far greater then than 
now, was the major backer of secure computing research but discouraged 
the application of much cryptographic techniques to the problem in 
unclassified research. The final piece of the puzzle is the ever-
decreasing cost of computing. It is now feasible to dedicate computing 
capacity to security in a way that was not feasible even a decade ago.
    An early example of a hardware-based approach to security problems 
is the domaining system of Sun's E12K and E15K servers. These servers 
can assign processors to processes and confine the resources available 
to those processes within a hardware-enforced domain. The effect is to 
combine much of the security advantage of running the process on an 
isolated computer with the advantage in cost and flexibility of running 
it on a shared computer.
    It is a fair summation of our present position in information 
security that we have an excellent toolkit in the cryptographic area 
and a moderately good one in the computer security area. Having good 
toolkits is not the same as having good security, however; if it were, 
the security of the cyberinfrastructure would be far better than it is. 
Much of what needs to be done can be characterized as routine. New code 
needs to be written with greater care than has often been customary, 
old code needs to be repaired, and the security mechanisms that we know 
how to build--keying infrastructures, for example--need to be built, 
shaken down, and brought to a level of operational quality that allows 
us to depend on them. Other challenges loom on the horizon, however.
    For as long as I have known the company, Sun has had the slogan: 
``The Network is the Computer.'' and every year the slogan becomes 
truer. For years, it has been difficult for me to detect whether files 
I was using were on my own desktop or stored on a server some distance 
away. More recently, it has become possible to call on specialized 
computing and storage processes outside my own machine. These more 
recent techniques go under the name ``Web Services.'' At present most 
uses of web services involve interaction of a program currently being 
used by a human being--most often a browser--with a remote website 
supplying a service. In the near future--five or ten years at the 
most--this will evolve into a primarily computer to computer activity.
    Today, the activities of both the public and the private sectors 
consists largely of business to business contracting and subcontracting 
processes. Some of these require great imagination and will for the 
indefinite future be performed by humans; others are routine and will 
be automated at a steady rate. Computers needing services will consult 
``yellow pages'' directories of available services; choose providers 
according to price and capability; send out work orders; receive their 
results; and pay their bills.
    Two sorts of web-based businesses are easy to foresee. The first 
are specialized businesses; businesses that offer a specific sort of 
service. They may have proprietary algorithms for such computationally 
intensive activities as graphic rendering or datamining; they may have 
access to specialized data such as the results of physical, biological, 
or social studies; they may have vast amounts of computing power. At 
present, Google provides an example of all three. It possesses vast 
amounts of computing power that it uses to build specialized databases, 
available to no one else, and it delivers information to its customers 
using specialized algorithms for both building and searching the 
databases.
    A second kind of business that is in its infancy is more general in 
character: utility computing. As a business, utility computing is 
rather like property rental. Many companies, rather than owning 
property, rent their offices and often subcontract to their landlords 
the provision of furniture, food, environmental controls, etc. As 
utility computing matures, a startup-- based perhaps on development of 
a new datamining algorithm--will no longer need to raise sufficient 
capital to have the powerful computer required to do production runs 
for its customers. It can wait for work to come in, then turn around 
and lease computing capacity from a ``computer cycle provider.''
    What sort of security measures will be required in this 
environment? They will parallel those of the current contractual 
mechanisms, particularly those employed for government contracts. When 
a system integrator contractor subcontracts the fabrication of a part 
for a military aircraft to a machining business, it is trusting not 
only that the work will be done correctly but that the plans for the 
part will be returned and that the subcontractor will not make extra 
copies for competitors. In choosing its subcontractor, the system 
integrator will seek a provider with a suitable facility clearance. 
Contracting on this scale is generally for work lasting from days to 
years and often reflects long-standing business relationships.
    The computers will do it all faster. It is hard to predict exactly 
how far in the future this vision is but at some point, contracts for 
specialized data processing are likely to be negotiated and fulfilled 
in seconds.
    The two problems that will be at the forefront of security research 
and development over the next decade are negotiation and configuration 
control. They will parallel existing business functions but they will 
take place at much higher speed and without moment-to-moment human 
oversight. The circumstances will encorporate many mechanisms now in 
use such as reputation assessment (clearance, Better Business Bureau 
membership) but in a far less forgiving environment. When contracting 
goes badly at present, problems are generally referred to the courts. 
When contracting goes badly on the scale of seconds, what mechanism 
will step into the breach?
    As we move our economy and society further and further into 
computer mediated telecommunication channels, the role of cybersecurity 
in homeland security will grow steadily. There will not be general 
agreement on the proper course of action. Our decisions will advantage 
some legitimate parties and disadvantage others. The solutions to the 
problems that arise will thus be as much legal and political as 
technical and will tax both our resources and our imaginations.

    Mr. Thornberry. Thank you, sir. We will now turn to Dr. 
Craig Lowery, who is chief security architect and a software 
architect and strategist at Dell Computers.
    Welcome, sir, you are recognized.

 STATEMENT OF DR. JAMES CRAIG LOWERY, CHIEF SECURITY ARCHITECT/
  SOFTWARE ARCHITECT AND STRATEGIST, DELL COMPUTER CORPORATION

    Dr. Lowery. Thank you Chairman Thornberry, Ranking Member 
Lofgren, members of the subcommittee. My name is Craig Lowery, 
software architect and strategist for Dell.
    We are very pleased to be here this morning, and we would 
like to wholeheartedly concur with your opening themes of 
partnership and consensus, because Dell believes that that is 
the best way to go about achieving more secure systems for 
everyone. Since everyone is using these systems, we all play a 
role.
    We see a universe of technology which has vendors and 
customers that are working in partnership together. It is not 
reasonable to think that one party or the other has a complete 
key to solving the security puzzle.
    Vendors bring products to market, and they must make 
reasonable allowances for security as part of the design of 
those products. And customers have a responsibility, too, in 
the way that they deploy those products.
    It is possible to create a product that is ``secure,'' when 
it is shipped as a single component, but when it is placed into 
an aggregate configuration it could very well be part of an 
insecure infrastructure that is created.
    So it is not a one-sided approach that should be considered 
to solving the security puzzle. It has to be partnership-and 
consensus-driven. One of the things that is defining about Dell 
as a company is its direct business model, which you may have 
heard about.
    If you haven't, I will give you just a little bit of a 
glimpse into it, because it very much influences how we are 
approaching this problem, among others.
    The direct business model means that Dell believes that 
having direct relationships with our customers is the best way 
to go about delivering solutions to them, because we can hear 
directly from them the problems that they are having, they are 
trying to solve, the solutions that they need.
    One way to arrive at consensus of customer input, customer 
feedback, is through standards. We are a very standards-
oriented company. We prefer to deliver standards-based 
solutions, because we believe that that is, first of all, 
something that has gone through a consensus process, either 
formal or sometimes more informal, through user groups.
    We also see that that consensus process develops a standard 
which everyone understands, there are no surprises, and can be 
delivered to, we can deliver products to that. That is very 
much in line with our direct business model.
    One of the concrete examples that I have for you this 
morning of this strategy at work is a new offering from Dell 
which is based on work that is been done by a group called the 
Center for Internet Security, or the CIS.
    The Center for Internet Security is a group of users across 
sectors of industry, government, education, finance and health 
care, who have gotten together their security experts and have 
pooled their knowledge of experience and best practices, the 
best way to go about securing things.
    And the product of this group is a set of things called 
benchmarks. These benchmarks are settings for pieces of 
software, such as operating systems, which the users that are 
members of the CIS agree are the best settings, according to 
their research and their work.
    At the request of our government customers, we have taken 
those settings for Microsoft Windows 2000 and we are now making 
those settings available direct from our factory, pre-
installed, on certain products, specifically our Optiplex, our 
Latitude notebooks and our Precision Workstations.
    This is the direct result of our philosophy and the work of 
the consensus mechanism in the industry to bring about 
immediate changes into the security landscape at this time.
    We certainly see that security is a moving target, and that 
as things progress these improvements will appear not as a 
change to settings that we have to make, but that are going to 
be built directly into software products, and we see that 
already happening at the source.
    We are also working in other areas to deliver more secure 
solutions to our customers at their request, things like smart 
cards, which are a form of authentication that has been 
requested by customers.
    We now have smart card readers built into our D series 
Latitude notebook computers, and also we have keyboards for our 
systems which read smart cards.
    We have biometric technology, which we have been 
evaluating, and we have decided that some of those solutions 
meet our requirements and those of our customers, and we are 
now making those things available through our Software and 
Peripherals Department.
    Standard physical locks for chassis and racks and things 
like that are always something that we are attending to and 
making sure are securing the physical hardware, and new types 
of products, for example, such as fire walls, which we are 
making available through Dell to our customers so that they are 
able to get their security solutions, or most of their computer 
solutions, directly from us.
    So in summary, we do believe that security is best achieved 
in partnership and consensus, things we are very happy to hear 
that are being expressed here today.
    Our direct model, we believe, puts us in a position to 
really make use of standards and to help disseminate that kind 
of information. The CIS offering is a concrete example of that 
in action.
    We continue to evaluate best-of-breed solutions in the 
security space and bring them to market as our customers 
request them.
    Thank you for your time.
    [The statement of Dr. Lowery follows:]

          PREPARED STATEMENT OF DR. JAMES CRAIG LOWERY, PH.D.

    Chairman Thornberry, Ranking Member Lofgren, and Members of the 
Subcommittee, thank you for the opportunity to discuss Dell's 
perspective on cybersecurity and the role of technology, specifically 
hardware and software security products. My name is Craig Lowery and I 
am the chief security architect in the Dell Product Group.
    Headquartered in Round Rock, Texas, a suburb of Austin, Dell was 
founded in 1984 on a simple concept: that by selling computer systems 
directly to customers, Dell could best understand their needs and 
efficiently provide the most effective computing solutions to meet 
those needs. Today, Dell is the world's leading computer systems 
company. The company employs approximately 40,000 team members around 
the globe. We design, build and customize products and services to 
satisfy a range of customer requirements from the desktop notebook, 
server, storage and professional services needs of the federal 
government agencies, to those of the largest global corporations, and 
to those of consumers at home.
    To fully appreciate Dell's security strategy, one must understand 
Dell's direct business model. We believe that the best customer 
solutions are most efficiently derived through direct relationships 
with our customers and suppliers. Our build-to-order system allows 
customers to order computers tailored to their needs, manufactured 
specifically for and delivered directly to them. We believe that 
customers receive the best value from products built with standard 
technologies; to that end, we seek to foster standards throughout the 
industry to reduce cost and increase customer flexibility and choice. 
As I will explain, each of these facets of the direct model plays a key 
role in how Dell is approaching computer system security.
    Cybersecurity has become increasingly important for our industry 
due to the need to provide products to our customers to better protect 
their IT systems from cyber attacks and viruses. Until recently, most 
company security solutions have been proprietary and customized to fit 
their specific needs. As the need for IT security has grown from 
supporting specific applications to that of protecting critical IT 
infrastructure, our industry, including Dell, has pushed for 
standardization to make security more affordable and widely available.
    As a technology vendor, Dell is committed to delivering value 
through reducing the costs of acquisition, deployment, interoperation 
and maintenance of our products, including our security products. Dell 
believes that these benefits are best achieved through the benefits of 
industry standard technologies. Specifically, Dell believes that 
standards in the security arena are driving and will continue to drive 
these technologies to levels of maturity that make them more 
transparent to the end-user and thus suitable for widespread adoption 
in the industry. As these technologies mature, Dell leverages the 
benefits of its direct model to bring these technologies to market 
quickly and affordably.
    Securing information systems is only possible through partnership 
between vendors and customers. Security is a moving target, and the 
products and services addressing security needs necessarily evolve as 
the landscape changes. Vendors are responsible for bringing to market 
products that incorporate widely accepted security design goals. 
Customers are responsible for deploying the products in a manner 
consistent with effective security best practices. Vendors must be open 
to customer feedback to understand their security concerns, and 
customers must be diligent to provide that input.
    Dell is placing more and more emphasis on security as a chief 
design consideration in all of our products. Certainly as a hardware 
vendor, we are acutely aware of the need for physical security through 
mechanisms such as locks and detection devices. Our efforts to deliver 
more secure products extend beyond hardware. Since we custom-build the 
systems we ship, including factory installing operating systems and 
applications, we have the opportunity to continually improve upon the 
software configurations we offer to customers. We work closely with 
software providers during their design and implementation phases. We 
are able to identify and integrate tested security components into our 
factory-installed software so that customers can enjoy the benefit of 
best solutions ``out-of-the-box.'' Pre-installed virus protection is 
one example.
    An important security benefit of our build-to-order system is that 
it reduces the time between when we make changes to our products in the 
factory, and the time a customer receives the product. Therefore, if we 
improve the security of a product, our system helps to minimize the lag 
time in getting it to the customer since there is no inventory that 
must first be moved in the distribution channel.
    Another example of creating an even more secure software 
configuration is a new Dell offering available through our custom 
factory integration unit. Dell is beginning to offer desktop systems 
installed with Microsoft Windows 2000 pre-set to the Center for 
Internet Security's Level I benchmark. This is a separate offering from 
our ``normal'' Windows 2000 installation, which continues to be 
available.
    The CIS Level I benchmark is a consensus standard which the CIS 
considers the best and least restrictive security settings for Windows 
2000. These settings were developed with input from government 
agencies, business, universities, and individual security experts. In 
providing the factory installed benchmark systems, Dell is responding 
to customer demand for a hardened operating system direct from the 
factory. Although it is designed for our public segment customers such 
as federal, state and local governments, this product can benefit any 
organization wishing to receive a certain level of security with a 
system directly from Dell.
    System BIOS passwords and hard-drive passwords continue to play an 
important role in security. For even more robust forms of 
authentication and access control, Dell now offers integrated smart 
card readers in our Latitude D-family notebooks as a standard feature, 
and in our smart card reader keyboard for desktops. In addition, Dell 
offers biometric authentication solutions in the form of add-on 
peripheral devices. Dell is actively involved in new developments in 
wireless security standards such as Wi-Fi Protected Access, and the 
emerging 802.1li standard.
    Through our software and peripherals department, Dell is able to 
provide customers with thirdparty solutions that meet their demanding 
standards, such as wireless products, firewalls, and security software.
    Again, security requires cooperation between vendor and customer. 
At Dell, we know our customers face many challenges when it comes to 
successfully deploying an IT infrastructure that is secure, usable, and 
manageable. We provide deployment and management assistance to our 
customers in several forms to help them in these efforts.
    In addition to telephone support, Dell provides access to our 
technical support web site. Premium technical support is available to 
customers requiring even faster response. Our engineers develop white 
papers and journal articles targeting many content areas, including 
computer system security. These articles are also freely downloadable 
from our web site at dell.com/powersolutions. We are actively engaged 
with security organizations such as the SANS Institute, the CERT 
Coordination Center, the Center for Internet Security, and the Free 
Standards Group.
    Dell also makes available pre-packaged and customized services, 
helping to ensure consistent, repeatable processes for our customers. 
Dell's service offerings include everything from onetime services to 
deploy and configure, to fully managed solutions where we take on the 
day-today tasks of running your IT infrastructure. Security is one of 
many aspects we consider in providing these services to our customers.
    Dell is a security-aware and privacy-aware company. We know that 
security is of increasing importance to our customers, and we are 
striving to deliver more secure products and services, as well as those 
that are security-specific, as they become available. We deliver 
security solutions in a way that is consistent with Dell's model: 
quality, low cost, easily integrated standards-based solutions that 
meet our customer requirements, delivered directly to them. We look 
forward to working with this Subcommittee as it considers ways to 
improve cybersecurity.
    Thank you again for inviting me to participate in today's hearing 
and for seeking Dell's perspective on cybersecurity. I would be happy 
to answer any questions.

    Mr. Thornberry. Thank you, sir.
    As my colleagues can tell, we have roughly divided up the 
witnesses into two groups. We have heard from three witnesses 
that are roughly in the field of products, and now we are about 
to turn to three that are roughly in the field of services 
although with these companies, clear lines are difficult to 
draw.
    We will now turn to Jay Adelson, who is a founder and chief 
technology officer of Equinix, which is the largest 
independent, or neutral, provider of interconnection and data 
center services in the world.
    Welcome, sir. You are recognized for five minutes.

   STATEMENT OF MR. JAY ADELSON, CTO & FOUNDER, EQUINIX, INC.

    Mr. Adelson. Thank you. Chairman Thornberrry, Congresswoman 
Lofgren, distinguished members of the committee, I sincerely 
appreciate having the opportunity to be here today as a 
representative from Internet industry, and more specifically, 
the perspective of critical Internet infrastructure, the 
Internet itself, network access points, or commonly known as 
Internet exchange points.
    As you said, my name is Jay Adelson. I am the founder and 
chief technology officer of Equinix. And the reason Equinix has 
a unique perspective on the issue of Internet security is, as 
you said, we are the largest neutral provider of 
interconnection. Equinix's facilities, therefore, serve as the 
meeting places for all the various elements of Internet, 
ranging from enterprise users, large Internet Web sites, 
network providers, telephone carriers, cable companies and 
subscriber services.
    Much of the Internet industry knows us as an exchange point 
or NAP where most of the Internet traffic in the United States, 
or significant portions, converge as they pass from one 
network, such as AT&T, to another, such as AOL, as well as the 
place where important sites, such as Google, Yahoo, Paypal, IBM 
customers and others place their critical infrastructure.
    A good analogy for an exchange point is that we function as 
an international airport for Internet networks and services. 
And our airlines are networks and our travelers are data bits 
and bytes. There are 100 exchange points in the world bearing 
services and levels of security though, in common, they all 
facilitate this exchange of traffic.
    While my distinguished panel members are part of well 
known, large vendors and network service providers, the chances 
are, while you may not have been exposed to Equinix in the 
past, you stand to receive e-mail that traverse our exchange 
points and surf Web sites housed in our facilities. The very 
fact that Equinix is a physical part of the Internet 
infrastructure, where such a large percentage of the Internet 
itself, happens is not as well known. It illustrates the fact 
that the Internet itself is a massive structure interconnecting 
independent entities very difficult to accurately measure, 
monitor, and international in scope.
    Equinix, like international airports, focuses heavily on 
the physical security of our data centers. And we have 
instituted check points, audit trails, people traps, steel 
cages, layers of biometric security, et cetera, and very strong 
security operations procedures. Our customers demanded these in 
the late 1990s when we built them. And we based the security 
design and requirements from our financial service customers 
and recognize that there was no physical security standard on 
which to build and base our new design.
    We were not able to find any of these reference standards 
to the level of security operation procedure we felt, and our 
customers felt, were appropriate for such an important hub as 
Internet traffic. It didn't exist. So, therefore, we made a 
conscious decision, as part of our business plan, to be the 
most physically secure exchange point in the United States.
    But this model is fairly unique in that market forces 
allowed us to develop this new approach to providing heightened 
physical security.
    A balance must be achieved between network service 
providers, hardware vendors and their users. Ultimately, users 
must bear, as my colleagues suggested, the largest 
responsibility for protecting their assets. Network service 
providers and software and hardware vendors supporting the 
Internet industry can only empower the Internet users with 
systems and services that enabled secured use of the Internet.
    There are strong economic limitations to the scope of 
physical and logical protection network service providers can 
reasonably implement. But at a minimum, a baseline standard of 
configuration and administration can be met.
    The cyber and physical security best practice, developed by 
the Network Reliability and Interoperability Committee, are a 
good example of how infrastructure operators are able to 
provide baselines for all network operators to follow. These 
range from information about network configuration to 
background checks for employees in critical facilities. And as 
a nation, we must continue to advance research and development 
to increase the embedded security level as well as support 
these standards at the network level and with edge users.
    There are a surprisingly high number of autonomous networks 
and systems that affect the health of the Internet. A common 
misunderstanding is that only a few very large networks, known 
as backbones, create the largest impact.
    As incidents of the past have taught us, there are many 
more players, enterprises, domain name service providers, 
foreign networks and small regional networks that can impact 
network stability and security.
    These entities are scattered all over the world, their 
security policies and procedures are as diverse as the networks 
and services that they operate.
    While information sharing with the federal government is a 
newer concept in the Internet arena, information sharing is 
fairly robust within the Internet technical community, and it 
has to be. We are all customers and providers to one another, 
and a major failure on the Internet impacts all infrastructure 
operators at the bottom line.
    We communicate with our account reps, our technical help 
desk, our emergency contacts, to restore services as quickly as 
possible. It is not clear, however, how to integrate the 
federal government into the commercial information-sharing 
exchange.
    The government has an opportunity to act as a means to 
spread the word during a crisis, and tools such as the Cyber-
Warning Information Network are a good start, although the 
original intent of these systems must not be diluted.
    Opening the communication channels is critical when every 
second counts, but choosing what data is appropriate through 
ISAC-to-ISAC communications, versus leaving it open, limits 
their effectiveness.
    The federal government must do more to expand information-
sharing with infrastructure owners, and establishing the 
National Cyber-Security Directorate at the Department of 
Homeland Security is a good first step.
    In the event of a cyber-crisis, it is important for the 
Department of Homeland Security to understand that the 
infrastructure owners, the network operators in particular, are 
the first responders.
    Speed is of the essence in responding effectively to these 
types of crises, and therefore adding communications steps and 
information management runs the risk of slowing down the 
response.
    For infrastructure operators, the Internet is first and 
foremost a commercial enterprise, and thus restoration of 
service is critical in order to meet the service level 
agreements with customers, as well as to support the Internet 
commerce generally.
    This must be recognized as processes are developed, and, as 
well, centralization of all this information will improve 
accuracy in communication. The methods of information 
distribution must be relatively instantaneous and flat in 
hierarchy.
    In conclusion, Equinix strongly supports the work of the 
Department of Homeland Security in working to promote both 
physical and cyber-security for our nation's networks. And I 
very much appreciate the opportunity to testify here today, and 
would be happy to answer questions that the committee may have.
    [The statement of Mr. Adelson follows:]

                 PREPARED STATEMENT OF MR. JAY ADELSON

    Chairman Thornberry, Congresswoman Lofgren, distinguished members 
of the Committee; I sincerely appreciate having the opportunity to be 
here today as a representative from Internet industry, and more 
specifically, the perspective of critical infrastructure of the 
Internet itself, the Internet Exchanges, or Network Access Points 
(NAP).
    My name is Jay Adelson, and I am the Founder and Chief Technology 
Officer of Equinix. The reason Equinix has a unique perspective on the 
issue of Internet security is that we are the largest independent, or 
``neutral,'' provider of interconnection and data center services in 
the world. Equinix's facilities serve as the meeting places for all the 
various elements of the Internet, ranging from enterprise users, large 
Internet web sites, and network providers such as telephone carriers, 
cable companies and subscriber services.
    Much of the Internet industry knows us as a NAP operator, or 
Network Access Point, where most of the Internet traffic in the United 
States converges as it passes from one network, such as AT&T, to other 
large networks, such as UUNet or AOL, as well as the place where 
important web sites, such as Google, Yahoo!, PayPal, or IBM customers, 
place their critical infrastructure.
    A very good analogy for a NAP operator is that we function as an 
international airport for Internet networks and services, though our 
airlines are networks, and our travelers are the data bits and bytes. 
There are over a hundred NAPs throughout the world, varying in services 
and levels of security, though in common they all facilitate the 
exchange of Internet traffic.
    While my distinguished panel members are part of well known, large 
network service providers, chances are that while you may not have been 
exposed to Equinix, you have sent or received e-mails that have 
traversed our exchange points, and surfed websites housed in our 
facilities. The very fact that Equinix, as a physical part of the 
Internet infrastructure, where such a large percentage of the Internet 
passes, is not as well known, illustrates the fact that the Internet 
itself is a massive structure of interconnecting, independent entities, 
very difficult to accurately measure or monitor, and international in 
scope.

Role of Industry and Equinix In Securing Cyberspace
    The Internet exists on multiple layers, both the physical and the 
logical. At the physical level, the industry has a long way to go to 
secure itself. While some infrastructure operators provide advanced 
cyber and physical security, some operators have not yet incorporated 
security into their basic business plan. This provides the Internet 
industry as whole with much room for improvement.
    Equinix, like international airports, focuses heavily on the 
physical security of our datacenters, and have instituted checkpoints, 
audit trails, man traps, steel cages, five layers of biometric 
security, high-availability video, concrete embankments and strong 
security operations procedures. Our customers have demanded this 
physical security from our facilities. When we built them in the late 
nineties, we based the security design on the requirements from our 
financial services customers, and recognized that there was no physical 
security standard upon which to base our new design. We were not able 
to find any reference standard for the level of security operations 
procedure we felt, and our customers felt, was appropriate for such an 
important hub of Internet traffic. It simply didn't exist.
    Equinix, therefore, made a conscious decision as a part of our 
business plan to be the most physically secure NAP operator in the 
United States. However, our model is fairly unique in that market 
forces allowed us to develop a new approach to providing heightened 
physical security for critical Internet assets. At this point, 
Equinix's customer base represents over 90% of the Internet routing 
table, as over 120 of the largest and most prolific Internet networks 
use our locations as their critical hubs.
    Equinix, as a central exchange point between networks, will 
continue to do our part to physically secure the Internet assets. At 
the logical level, the implementation issues are international in 
scope, with literally thousands of independent players requiring 
education and motivation to adopt modem security practice.

Industry Responsibilities
    A balance must be achieved between network service providers, 
hardware vendors, and their users. As secure as a network may be from 
compromise, or as many features that a hardware or software vendor 
places in their products, ultimately users must bear the largest 
responsibility for protecting their assets.
    Network service providers, and software and hardware vendors 
supporting the Internet industry can only empower the Internet's users 
with services and systems that enable secured use of the Internet. 
There are strong economic limitations to the scope of physical and 
logical protections network service providers can reasonably implement, 
but at a minimum, a base-line standard of configuration and 
administration can be met.
    The cyber and physical security best practices developed by the 
Network Reliability and Interoperability Committee (NRIC) are a good 
example of how infrastructure operators are able to provide baselines 
for all network operators to follow. These range from information about 
network configuration to background checks for employees in critical 
facilities. However, best practices are often difficult and costly for 
smaller networks, enterprises, universities, governments, or 
individuals to implement. As a nation we must continue to advance 
research and development to increase our imbedded security level, at 
the network level and with edge users.

Information Sharing
    There a surprisingly high number of autonomous networks and systems 
that affect the health of the Internet. A common misunderstanding is 
that only a few, very large networks, commonly known as backbones, 
create the largest impact. As incidents of the past have taught us, 
there are many more players, including enterprises, content providers, 
domain name server operators, foreign networks and small regional 
networks, that can have significant impact on network stability and 
security. Recent research Equinix conducted shows evidence of there 
being over 13,000 entities, not including network service providers, in 
the global Internet that manage their own multi-network connectivity, 
injecting their network information into the global Internet. These 
entities are scattered all over the world, and their security policies 
and procedures are as diverse as the networks and services they 
operate. While abuse from one of these entities can be mitigated 
through good security practice, a large number of them are as relevant 
in information sharing as the network operators themselves.
    While information sharing with the federal government is a newer 
concept in the Internet arena, information sharing is fairly robust 
within the Internet technical community. It has to be--we are all 
customers and providers to one another, and a major failure on the 
Internet impacts all infrastructure operators at the bottom line. We 
communicate with our account representatives, with our technical help 
desks, with our emergency security contacts, to restore service as 
quickly as possible. What is not yet clear, however, is how to 
integrate the Federal government into the commercial information 
sharing exchange.

How the Federal Government Can Help with Information Sharing
    The Federal Government has the opportunity to act as a means to 
spread the word during a crisis as a central moderator. Tools such as 
the Cyber Warning Information Network are a very good start, although 
the original intent of these systems to be a tool during a crisis for 
the Internet community must not be diluted. Opening the communication 
channels is critical when every second counts. Choosing what data is 
appropriate for ISAC to ISAC communications, versus leaving it open, 
limits their effectiveness.
    The Federal government must do more to expand information sharing 
with Internet infrastructure owners. Establishing the National Cyber 
Security Directorate at the Department of Homeland Security is a good 
first step. However, for the Federal government to become a trusted 
partner for information sharing purposes, it will have to develop 
business plans and models to highlight how and where the government is 
best suited to assist the Internet infrastructure in protecting and 
restoring itself.
The Role of the Department of Homeland Security
    The DHS has two unique and immediate functions that it should 
provide to infrastructure operators. First, DHS should provide a 
platform for information to be shared, amongst infrastructure sectors, 
and to the states. Second, DHS should be working in partnership within 
industry to promote the development of cyber security standards and 
baselines, to ensure a national approach to cyber-security. Clarifying 
the Federal government's role as the ``Public'' partner in our Public--
Private Partnership, cited in the National Strategy. to Secure 
Cyberspace, will be a critical task for the new Cyber Security 
Directorate. A network operator, content provider, or NAP operator all 
have different roles to play in a crisis, and the value of the response 
will be contingent upon the DHS having a clear understanding of what 
data is appropriate for which group, and what action, if any, the 
government is capable of taking.
    In the event of a cyber-crisis, it is important for the DHS to 
understand that the infrastructure owners, the network operators in 
particular, are the ``first responders.'' Speed is of the essence in 
responding effectively in these types of crisis, and therefore adding 
communication steps and information management runs the risk of slowing 
down the response. For infrastructure operators, the Internet is first 
and foremost a commercial enterprise, and thus restoration of service 
is critical, in order to meet service level agreements with customers, 
as well as to support Internet commerce generally. As a result, crisis 
communications at the technical level between the largest 
infrastructure operators is generally very good. Trust and experience 
has played a large role in increasing the response capabilities of the 
largest infrastructure operators, and the government will have to 
develop trust and experience as it becomes a part of cyber-security. 
This must be recognized as processes are developed, as while 
centralization of the information will improve accuracy, the methods of 
information distribution must be relatively instantaneous and flat in 
hierarchy. Working with industry as the ``first responder'' will be an 
immediate challenge, and a new paradigm for DHS that requires dedicated 
effort.
    In conclusion, Equinix strongly supports the work of the Department 
of Homeland Security in working to promote both physical and cyber-
security for our nation's networks. I very much appreciate the 
opportunity to testify today, and would be happy to answer any 
questions that the Committee may have.

    Mr. Thornberry. Thank you, sir, appreciate it. Frank Ianna 
has been with AT&T for more than 30 years, including most 
recently as president of AT&T network services.
    Earlier this year he announced his intention to retire, but 
they can't let him go. And so we are glad you are here within 
us today, sir, and now you are recognized for five minutes.

STATEMENT OF MR. FRANK IANNA, PRESIDENT, AT&T NETWORK SERVICES, 
                        AT&T CORPORATION

    Mr. Ianna. Chairman Thornberry, thank you very much, 
Congresswoman Lofgren and members of the subcommittee. Let me 
summarize my testimony with several points, and then 
recommendations under some of those points.
    First, along the idea of cyber and physical security. 
Cyber-threats are particularly challenging to the service 
industry for four reasons.
    First, attackers do not need a physical presence or a large 
investment in a physical presence to cause harm. They could do 
it remotely.
    Point number two is that all vendors of products and 
services, hardware and software, whether they are switching 
elements or computing elements, have critical roles to play in 
enhancing the overall cyber-resiliency of mission-critical 
services.
    And several recommendations can spring from this, such as 
software and equipment vendors and network operators and 
standards bodies should have products that have built-in 
baseline security features. With system administration, any 
interaction of these should be made simple.
    Service providers and vendors should collaborate also to 
develop an overall security management system so that we could 
see very instantaneously the traffic anomalies happening on 
networks, then we could respond very quickly too.
    And the government can stimulate development of more secure 
products by funding research and development of inter-operable 
software and hardware standards to provide network management 
described above.
    The third point is that there is extensive interconnection, 
as some of my colleagues have mentioned, this is very nature of 
communications among telcom and IP providers and data network 
providers.
    And each of these carriers are interconnected to form a 
service for a consumer or a business.
    We must help each other. And we have to communicate with 
each other, our operations centers, on a continuous basis. A 
significant failure in one network can cause a significant 
failure in another network. And in many cases, the symptoms of 
a failure in one network actually show up first in the other 
network.
    Carriers today do share network disruption information 
directly between their operation centers, ours, the global 
network operation center in Bedminster and all the other 
carriers that we interface with, and with the Telecom 
Information Sharing and Analysis Center, the Telecom ISAC, 
today.
    For example, the slammer worm that we detected on January 
25, 2003 was the fastest-spreading worm in history, but 
industry worked together with the Telecom ISAC and with 
government to share our mitigation plans, our strategies and 
our notification procedures.
    Point number four, insider threats to our network should 
not be discounted. A malicious insider may easily circumvent 
cyber-security protections employed to discourage outside 
threats. So a recommendation here would be to have 
infrastructure providers and governments work together to 
develop a process to ensure that all employees and contractors 
with access to critical facilities undergo background checks, 
screening and National Crime Information Center reviews.
    Now, the next point is talking about public and private 
partnerships. What we are saying here is that there is a good 
opportunity to have a public/private partnership with the 
government. The telecom ISAC, for example, is a good example of 
this, it is the number one long-standing public/private 
partnership in telecom.
    Point number six, is companies will only engage in 
sustained and meaningful information sharing when there is a 
compelling business case to do so and only in a trusted 
environment. And this is for two related reasons. The 
government should consider adopting the NCC funding model to 
enhance effectiveness of other ISACs where the government is 
actually funding some of the infrastructure for us to 
communicate amongst each other.
    For example, the round-the-clock staffing is not borne 
exclusively by the private sector, it is borne by the 
government. And the government partners provide value back to 
the industry. Two examples here, the government should provide 
value to other ISACs in the form of useful and timely threat 
information, and supporting industry's response recovery 
efforts during the crisis.
    The NRIC, as my colleague here mentioned, the National 
Reliability and Interoperability Council, which is really the 
sixth incarnation of that council created every 2 years, is a 
long-standing partnership that the FCC and the Telecom industry 
started in 1992.
    The FCC--and point number seven--has wisely recognized that 
to be successful, the effort must be: number one, voluntary; 
number two, developed by industry experts; and number three, 
adaptable to different network providers to reflect differing 
architectures and approaches. What constitutes a network 
failure in a wire line voice network is very, very different 
than what constitutes a failure in an IP-provided network, for 
example.
    Two final points here. Number one, information about 
physical locations and capabilities of network infrastructures 
must be carefully safeguarded. We have seen instances where 
much public information has been put out and there are lot of 
requests for information. We recommend here that particularly 
we work with the Department of Homeland Security and 
particularly the states.
    We may not be only getting one request from the federal 
government, and we actually could be getting 50 requests from 
different states to provide very macro and very specific threat 
and vulnerability information. And we believe that the 
Department of Homeland Security should be the focal point for 
coordinating process amongst all federal agencies and states so 
that we ensure that the information is properly managed.
    And then finally we should expand our public and private 
partnership. Private sector critical infrastructures providers 
must have the opportunity to provide input to portions of the 
new national emergency response plan that address how the 
private sector would respond in a national crisis. I would like 
to thank you for allowing me to make these comments, 
summarizing the positions that AT&T has from our experience in 
these industries. Thank you very much.
    [The statement of Mr. Ianna follows:]

                 PREPARED STATEMENT OF MR. FRANK IANNA

Thank you for this opportunity to testify on behalf of AT&T regarding 
industry views on cyber security. My name is Frank Ianna, and I am the 
outgoing President of AT&T Network Services. My testimony will describe 
AT&T's views on several aspects of this very important issue.
AT&T is among the premier voice and data communications companies in 
the world, serving businesses, consumers, and government. The company 
runs one of the most sophisticated communications networks in the U.S., 
backed by the research and development capabilities of AT&T Labs. A 
leading supplier of data, Internet and managed services for the public 
and private sectors, AT&T offers outsourcing and consulting to large 
businesses and government. With approximately $37 billion of revenue, 
AT&T has about 40 million residential customers and 4 million business 
customers who depend on AT&T for high-quality communications. As such, 
we have an overarching interest in preserving and promoting a safe, 
secure and robust infrastructure that will be a key enabler of economic 
growth and prosperity of the United States. We therefore very much 
appreciate the opportunity to offer these comments today.
Cyber vs. Physical security:
Sound security practices obviously must address both physical risks and 
cyber risks. Cyber security risk management is more focused on the 
``logical'' or user's view of the way data or systems are organized as 
compared to physical security risk management of our network which is 
topology/technology-focused. But cyber threats are particularly 
challenging for at least four key reasons. First, attackers do not need 
physical presence to do significant harm, and a cyber ``saboteur'' 
could launch attacks from anywhere. Nor does it take a large investment 
to launch a cyber attack, only a PC and access to the Internet.

Second, the availability and deployment of cyber security capabilities 
is not only a service provider issue, but requires the involvement of 
product developers, vendors, and end-users. Software code is becoming 
increasingly complex and the number of lines of code is multiplying at 
an incredible rate. Thus no single entity has complete control over the 
security of its product or service. The very structure of to day's 
hearing reflects that reality - that all vendors of products and 
services have critical roles to play in enhancing the overall cyber-
resiliency of mission-critical services. Industry, standards bodies, 
software and equipment vendors, network operators, and end-users of all 
products and services that make up the Internet should ensure that 
these products have built-in baseline security features and that these 
features are appropriately configured and kept up-to-date. System 
administration of current cyber products is much too difficult. Vendors 
need to be encouraged to simplify their products and employers need to 
increase the level of expertise required to perform this vital task.

One specific area in which service providers and vendors could 
cooperate that would make a vast improvement in cyber-security is in 
the development of an overall security management system that would 
provide detailed traffic statistics to the Network Operations Centers 
of major IP backbone providers about the transmission of packets on our 
networks and detect and respond to anomalies, as we do today in our 
public switched telecommunications network.

Government can also play a key role in stimulating development and 
deployment of more secure products and services, not by trying to 
impose compliance at some arbitrary level, but by funding research and 
development of interoperable software and hardware standards to provide 
the network management that would enable network operators to detect 
and stop malicious attacks in the core network. Government can also 
create strong incentives for the deployment of these capabilities 
through its purchasing power as a user of more secure cyber 
capabilities.

Third, because there is extensive interconnection among 
telecommunications and IP networks, carriers must assist one another 
because a significant failure in one network can affect another 
network. In fact, telecommunications carriers today share network 
disruption information directly between Network Operations Centers, and 
with the sector Information Sharing and Analysis Center (ISAC). The 
Slammer worm, which was detected on January 25,2003, was the fastest 
spreading worm in history. This worm affected more than 90 percent of 
vulnerable hosts within 10 minutes, far more quickly than Code Red of 
2001. Industry participants worked together through the Telecom ISAC 
and with the government to share mitigation plans. The good news is 
that the Slammer worm had no payload; the bad news is that a similar 
worm could be launched with a malicious payload. We need to be better 
prepared by building more secure technology and employing better 
processes to support security controls for the entire network.

Lastly, though cyber threats can originate anywhere, the insider threat 
should not be discounted, because a malicious insider may easily 
circumvent cyber security protections that are deployed to discourage 
outside threats. To address this issue, providers of critical 
facilities must work with others in industry, and with government at 
all levels to develop and employ a standard process to ensure that all 
employees and contractors with access to critical facilities undergo 
appropriate background checks, screening, and National Crime 
Information Center reviews. Government can play a key role by helping 
to develop the most efficient process, and by acting as a centralized 
resource to coordinate requests from industry for reviews. This is good 
and will help.

Now, having said that, I want to add that those service providers of 
critical infrastructure have had to solve the problem of access long 
before it became prominent following the events of September 11. Many 
people enter and leave critical infrastructure facilities every day. 
The location may be any location where multiple providers have placed 
facilities and equipment. These individuals may be communications 
technicians from different service providers who are maintaining 
equipment housed in the building. There are others who also may need to 
gain access to a building, such as power contractors, janitors, vending 
machine operators, copying machine technicians, etc. During the day, 
any number of non-communications-related individuals go in and out of 
telecom buildings. One solution that AT&T has implemented is to escort 
all non-badged individuals who need access to critical locations. AT&T 
has made strong security a top priority for many years, but because we 
are so extensively interconnected with other infrastructure operators, 
we must also closely cooperate with our peers, arguably to a greater 
extent than in any other infrastructure. Our industry has of necessity 
been a leader in the information sharing process long before the 
President's Commission on Critical Infrastructure Protection and PDD-63 
recommended the formation of sector-specific, information sharing 
forums in May, 1998.

    Developing an effective ``public-private partnership``:
As you know, most of the country's critical infrastructures are owned 
and operated by the private sector, thus the private sector must play a 
key role in safeguarding those infrastructures. With cyber security, 
the private sector has an even more important role, because the 
responsibility for implementing adequate security measures falls not 
only on core infrastructure providers like AT&T, but also on government 
and business enterprises that deploy and rely on cyber information 
systems to perform business-critical functions. For these reasons, much 
has been said about the need for an effective ``public-private 
partnership'' to share security-related information and to address 
security-related threats and vulnerabilities. These are laudable goals, 
and in fact, AT&T and other telecommunications companies have been 
working together to identify and address security risks, and to develop 
security-related best practices in partnership with government, for 
many years. Two of the most significant partnerships are noteworthy.

    The Telecom-ISAC
Much of the benefit attributed to a partnership between government and 
industry involves the need to encourage robust, timely, two-way 
information sharing about threats, vulnerabilities, intrusions and 
anomalies. New protections provided in the recently enacted Homeland 
Security Act significantly reduce the possibility that sensitive 
information shared voluntarily for these purposes might be disclosed 
publicly. Nevertheless, companies will only engage in sustained and 
meaningful information sharing when there is a compelling business case 
for doing so, and only in a trusted environment. We at AT&T have a lot 
of experience in this area. Telecommunications carriers have shared 
information informally with the National Communications System (NCS) 
since 1984. In 1991, the National Security Information Exchange (NSIE) 
was established as a forum in which government and industry could share 
information in a confidential, trusted environment. Since March of2000, 
the NCS's National Coordinating Center (NCC) has served as the 
Information Sharing and Analysis Center, or ``ISAC'' for 
Telecommunications. Telecom-ISAC participants, including industry and 
government representatives, gather and share information on threats, 
vulnerabilities and intrusion attempts. Information is analyzed to help 
avert or minimize disruptions to the telecommunications infrastructure. 
The results are aggregated and disseminated as provided by agreement 
among the ISAC members. In addition, the NCS hosts the NCC and is the 
lead agency for the telecommunications support functions under the 
Federal Emergency Response Plan. In that capacity, the NCC is 
specifically charged with assisting in the coordination of 
telecommunications restoration and provisioning during national 
disasters through government and industry cooperation on a 24-hour 
basis. NCS and the telecommunications carriers also collaborated on the 
development of the ``Government Emergency Telecommunications Service'' 
or ``GETS'', which provides government and industry personnel with key 
national security or emergency preparedness responsibilities with the 
ability to gain priority access to the public switched telecom network 
in times of significant network congestion.

There are two related reasons why we believe that the telecom-ISAC has 
been particularly successful. First, the Telecom-ISAC is funded largely 
by government appropriations, so the core infrastructure and round-the-
clock staffing is not borne exclusively by the private sector, as is 
the case with other ISACs. Second, government ``partners'' provide 
value back to the industry participants. First, the information-sharing 
goes two ways. The government routinely provides specific threat and 
alert information to industry representatives. Second, in real crises, 
the government NCC representatives quickly engage as ombudsmen on 
behalf of industry, helping industry gain access to impaired locations 
for purposes of restoration and recovery, and they represent the needs 
of concerns of the industry in terms of coordinating response. On 
September 11, 2001, the NCC helped network providers gain access to 
Ground Zero to restore communications, including arranging for military 
air transport for some of our key disaster recovery personnel who were 
stranded in California when commercial aircraft were grounded. The 
ability of government to deliver this kind of assistance, proven 
repeatedly in crises of differing degrees over the years, has led to an 
atmosphere of trust and cooperation in which we in industry have felt 
comfortable sharing sensitive information with the government and with 
our competitors in times of crisis.

This level of trust is essential because in order for information about 
security concerns and incident response activities to be useful to 
companies and to the government, it must be shared quickly. This need 
for expediency results in reports that are initially incomplete and 
potentially inaccurate, and there can be unintended consequences if the 
information is not treated with care. This trusted environment has also 
allowed industry and government partners to engage in periodic 
``exercises'' to test the potential impact of different threat 
scenarios based on accurate network data from multiple carriers.

    The National Reliability and Interoperability Council (NRIC)
Another example of the partnership that has worked and should be the 
model for any government and industry problem solving is the Network 
Reliability and Interoperability Committee (NRIC). First organized by 
the FCC in 1992, the NRIC was established following several telecom 
outages to study the causes of the outages and to make recommendations 
to reduce their number and effects on consumers. Since then, some 50 
telecom carriers, equipment manufacturers, state regulators and 
consumers have participated. This has been a standing committee for 
over 10 years, and is a forum where industry and government come 
together for the good of the industry to work specific issues. Y2K was 
one such issue. NRIC VI is focused on Homeland Security with teams 
addressing both Physical and Cyber security. The product is a set of 
best practices (proven processes used in the industry) for service 
providers and equipment/software vendors to use to mitigate risk of 
attacks.

Another feature of NRIC is the monitoring and analysis of the 
performance of the public switched network based on reliability data 
collected during the last 10 years. The Network Reliability Steering 
Committee NRSC, a voluntary industry committee, reviews each outage 
report submitted to the FCC, looks for trends, publishes the results 
quarterly and annually, and looks for ways to improve the collective 
performance of the network. A new phase of this work, currently 
underway in the NRIC, is collecting similar outage data on wireless, 
cable and ISP networks in order to conduct data analysis, enable 
performance improvement, and develop new best practices. In leading 
this effort, the FCC has wisely recognized that to be successful, it 
must be: 1) voluntary; 2) developed by industry experts; and 3) 
adaptable by different network providers to reflect differing 
architectures and approaches.

    Safeguarding sensitive proprietary information:
As a private sector operator of a major part of one of America's most 
important critical infrastructures, we carefully safeguard all 
information about the physical locations, capabilities and components 
of our world-wide infrastructure. While some security experts discount 
the ``security through obscurity'' approach to risk management, I 
disagree. A July 9 Washington Post article describing the ability of a 
GMU graduate student to amass copious quantities of sensitive 
information about a vast array of critical infrastructure facilities 
highlights the danger of making sensitive information too easily 
available. In fact, we would suggest that if possible, this student's 
report be provided by the Department of Homeland Security to the 
appropriate industry body, presumably the Telecom-ISAC, for analysis of 
its accuracy. It is in keeping with national security interests to 
assess the extent to which a motivated individual can develop a map of 
the infrastructure through compilation of publicly available 
information. The findings would be very useful in developing safeguards 
to prevent the continued proliferation of such information.

While this kind of threat clearly is of major importance for physical 
security, it also presents a very significant, indirect threat from a 
cyber-security perspective because the information could be used to 
launch simultaneous cyber and physical attacks, which could result in 
exponential reductions in network capacity and potentially dramatic 
customer impact.

Despite these concerns, we are increasingly solicited by various 
governmental entities for very specific, extremely sensitive, 
proprietary information about our capabilities and maps of our network 
facilities and routes. States are attempting to compile lists of the 
critical assets of AT&T and other carriers for purposes of critical 
infrastructure protection. We are concerned about the breadth, open-
endedness, lack of specificity, potential cost, and ability to 
safeguard and keep confidential any information that is provided. 
Neither states nor the federal Government should expect this 
information from network operators. First, security-related information 
that is provided to government entities outside the federal Department 
of Homeland Security may not be adequately protected from federal and 
state Freedom of Information laws. Even more importantly, it is not 
clear that information collected on a wholesale or generalized basis 
advances homeland security in any way, and may create greater risks to 
homeland security. In fact, proper analysis of any potential 
vulnerability requires a detailed assessment of the specific facilities 
of concern, the services they support, and the impact mitigation 
strategies applicable to those services. Instead of making arbitrary 
requests for massive downloads of extremely sensitive information, 
states should work with the Department of Homeland Security (DHS) and 
directly with critical infrastructure providers to determine what 
specific information is really needed and to establish coordinated 
processes and procedures. The DHS should be the focal point for the 
coordination across the regions, states, and municipalities, as well as 
across key industry sectors, to ensure that the information is useful, 
responsive, and properly managed.

Expanding and refining the ``public private partnership''
We understand that the Department of Homeland Security, in coordination 
with the nation's governors, is updating and expanding the Federal 
Disaster Response Plan into a National Response Plan, and that private 
sector critical infrastructure providers will have the opportunity to 
provide input to portions of the plan that address how the private 
sector would respond in a national crisis. We applaud this approach, 
and look forward to continuing to work with the country's leaders, both 
public and private sector, to ensure that the private sector's views 
are considered and our capabilities are reflected in the evolving plan. 
I would also like to emphasize that a significant challenge during the 
recovery from the attacks of September 11 was physical perimeter 
control procedures that were changed as the responsible government 
authority shifted from local to state to federal control. As NSTAC 
recommended to the President, I also recommend that Congress task the 
Department of Homeland Security to partner with industry in developing 
a physical perimeter control plan to be part of the National Response 
Plan for use by all government authorities.

AT&T would like to particularly thank Chairman Thornberry, 
Congresswoman Lofgren and the Members of this Subcommittee for holding 
a hearing on this important issue. I offer AT&T's assistance to the 
Committee as well as my own, and I would be glad to answer any 
questions you may have.

    Mr. Thornberry. Thank you, sir.
    Finally, batting cleanup as they say, Tatiana Gau is chief 
trust officer and senior vice president at America Online. 
Thank you for being here and you are recognized for five 
minutes.

 STATEMENT OF MS. TATIANA GAU, CHIEF TRUST OFFICER AND SENIOR 
       VICE PRESIDENT, AOL CORE SERVICES, AOL TIME WARNER

    Ms. Gau. Thank you, Chairman Thornberry, Representative 
Sessions, Representative Lofgren and members of the 
subcommittee. Thank you for the opportunity to testify before 
the subcommittee on the important issue of cybersecurity.
    My name is Tatiana Gau, and I am the chief trust officer 
and senior vice president, America Online, where much of my 
focus is on cybersecurity, consumer protection, privacy and 
online safety.
    At AOL we are committed to playing the leadership role on 
the issue of security. Employing our technology, tools and 
educational resources we strive to provide secure products and 
services, to ensure a safe and secure environment online, and 
to educate our members to help them protect themselves.
    As part of these efforts, we have developed extensive plans 
to address security issues in our products and services, our 
network and on the Internet.
    AOL is working hard to implement recommendations in the 
President's national strategy to secure cyberspace that apply 
to our service. This strategy lays out some very important 
steps that the private sector should take and that AOL is 
undertaking to protect consumers.
    We have designed elements of the next version of our 
software, AOL 9.0 Optimized, to fit the recommendations in the 
strategy. AOL embraces the partnership between government and 
private sector envisioned by the strategy, and we are committed 
to working with our vendors and competitors to strengthen 
security at the network and the end-user level.
    Online security is an ongoing process.
    At AOL, network security is an important part of the cyber 
safety equation. In order to prevent denial-of-service attacks 
and other intrusions, AOL, like many other ISPs, has integrated 
dynamic denial-of-service mitigation protection at all levels 
of our system which help us protect against attempted attacks.
    We monitor our network for viruses and take both proactive 
and reactive measures to prevent, detect and eliminate them.
    AOL also employs significant protections to safeguard 
access to member data. And we have incorporated many new safety 
and security features in our next client software, which is 
expected to be available later this summer.
    These cutting-edge safety and security features include: a 
free firewall for broadband users provided in partnership with 
Network Associates; free and premium antivirus services which 
are automatically updated every time a user logs on to AOL; 
advanced spam filters; and computer checkups that enable our 
members to diagnose and fix security problems within their 
systems.
    Through easy-to-use, behind-the-scenes protective measures 
and checkups, we are helping our consumers help themselves, 
especially in instances where the user may not know how to 
install or update security settings on their own.
    Clearly no tools or technologies are useful unless 
consumers know about them and know how to use them. That is why 
AOL also undertakes significant effort to provide a wide range 
of educational resources.
    For example, AOL's safety and security area online includes 
specific information about the security features that AOL 
provides and tips on how members can protect themselves against 
scams and viruses as well as how to protect their credit card 
numbers and passwords.
    It also hyperlinks members to industry collaborative Web 
sites, like Stay Safe Online, GetNetWise, the FTC's information 
security Web page, for other specific suggestions and 
reinforcement of our messages.
    In addition to informing our members about security risks 
and solutions, we recognize that online leadership means taking 
on responsibilities beyond the AOL community. To that end we 
have undertaken numerous initiatives such as joining with other 
leading private-sector companies to form the National 
Cybersecurity Alliance, in partnership with the federal 
government.
    The Alliance Web site, www.staysafeonline.info, provides 
clear and concise consumer tips on information security as well 
as security background papers and research studies.
    Just last month, in response to an Alliance study, and as 
part of our ongoing educational outreach, we launched a media 
campaign to inform high-speed users about the dangers of an 
unprotected broadband connection. The primary goal of this 
unprotected broadband media campaign has been to reinforce the 
message that Internet users need to be cyber secure citizens 
and ensure that their computers cannot be hijacked by hackers 
to engage in cyber crime.
    Many of the initiatives I have outlined here involve close 
cooperation with our partners in industry and government and 
could not succeed without the existence of reliable processes 
for sharing information. Internet attacks can come from any 
part of the network of networks that constitutes the Internet 
and come in many different changing forms.
    For this reason, AOL strongly supports the development of 
information-sharing and analysis centers--ISACs--and through 
these and other fora actively engages in sharing information 
about cyber-threats and-attacks.
    And, because cyber-attacks can happen quickly and at any 
time, all ISPs should have a 24/7 point of contact within their 
company to work with other ISPs, other providers and 
governments to respond to potential cyber-threats.
    We believe that government can play a valuable role working 
with the private sector in encouraging dialogue among all 
industry players to promote information sharing and helping to 
educate consumers and businesses. We look forward to working 
with the Department of Homeland Security to achieve this goal, 
and we applaud the creation of the National Cybersecurity 
Division last month to continue and expand on many of these 
public-private partnership objectives.
    Thank you for the opportunity to be here today.
    [The statement of Ms. Gau follows:]

                 PREPARED STATEMENT OF MS. TATIANA GAU

    Chairman Thornberry, Representative Sessions, Representative 
Lofgren, and Members of the Subcommittee, on behalf of America Online, 
Inc., I would like to thank you for the opportunity to testify before 
the Subcommittee on the important issue of cybersecurity. My name is 
Tatiana Gau, and I am the Chief Trust Officer and Senior Vice President 
at America Online, Inc., where much of my focus is on cybersecurity. I 
oversee the integrity of the user experience, consumer protection, 
privacy, online safety, accessibility, community standards and policy, 
as well as crisis management and coordination for all of the company's 
brands.
    At AOL, we are committed to playing a leadership role on the issue 
of security. Employing our technology, tools, and educational 
resources, we strive to build secure products, provide a safe and 
secure environment within which to surf the Internet, and educate our 
members to help them protect themselves. As part of these efforts, we 
have developed extensive plans to address security issues in products, 
our network, and on the Internet.
    To succeed in the area of security, we work with our members to 
give them the tools and knowledge that they need to protect themselves. 
We cooperate with other ISPs, mailers, and members of the computer 
industry on our plans and initiatives. We also work closely with the 
FTC, FCC, and other federal and state entities. Because of the nature 
of the Internet, we believe that only through cooperation among all the 
parties can we properly address cybersecurity as a whole, both for our 
members and the public in general.
    AOL is working hard to implement recommendations in the President's 
``National Strategy to Secure Cyberspace'' that apply to our service. 
This Strategy lays out some very important steps that the private 
sector should take and that AOL is undertaking to protect consumers. As 
I will describe, we have designed several features of the next version 
of our software, AOL 9.0 Optimized, to fit the recommendations in the 
National Strategy. AOL embraces the partnership between government and 
the private sector envisioned by the National Strategy, and is 
committed to working with our vendors and competitors to strengthen 
security at the network and end-user levels.
AOL'S COMMITMENT TO SECURITY
    At AOL, safety and security are our top priorities. We have worked 
hard to develop a culture within the company where the starting point 
for all of our products and services is safety and security. However, 
online security is an ongoing process. It means providing consumers 
with easy-to-use security technologies, educating consumers about what 
to do to help keep their machines and the rest of the online community 
secure, controlling the use of our networks and keeping them safe, 
keeping personal information private, avoiding scams, and educating 
consumers about safe computing practices. Because we recognize that 
safety is one of the keys to instilling consumer confidence in the 
online medium and is critical to the continued growth and expansion of 
the Internet, we are working continuously to safeguard our members' 
accounts and computers and our infrastructure.
    The AOL approach to consumer security is therefore threefold, with 
a focus on: 1) building more secure products and technology, 2) 
providing state-of-the-art security tools to our members, and 3) 
educating consumers-both at AOL and beyond-to keep security in mind 
while surfing the Internet. In each of these areas, we work with others 
in industry and our friends in the government in a partnership aimed at 
providing a secure network for all users.
    1. BUILDING SECURE PRODUCTS AND TECHNOLOGY
    Our company strives to develop and deploy the best security 
technology available. The AOL brand includes many products and services 
that many people do not realize are part of AOL, including AIM, WinAmp, 
and Netscape. We have invested in all of these products and services 
with the aim to provide the best security technology available for our 
subscribers.
    We believe that network operators must make security a top 
consideration in every decision about their networks. We believe that 
they should monitor their networks for intrusions, apply all security 
patches for their software in an expeditious fashion, and employ a 
variety of other applicable best practices.
    At AOL, network security is an important part of the cybersafety 
equation. We monitor our network for viruses and take both proactive 
and reactive measures to prevent, detect, and eliminate them. We have a 
dedicated team of network security specialists who are on call 24 hours 
a day, seven days a week to protect the security of our infrastructure. 
Moreover, AOL member-to-member communications take place within a 
controlled environment, and are facilitated over our highly secure data 
transit network.
    In order to prevent denial-of-service attacks and other intrusions, 
AOL has integrated denial-of-service mitigation protections at all 
levels of our system, which help us protect against attempted attacks. 
AOL is no stranger to the cybersecurity fight. We are under almost 
constant attack from hackers and spammers who target our networks. To 
combat these attacks, AOL and other ISPs have designed Intrusion 
Detection Systems (IDS), which unobtrusively monitor corporate networks 
in real time for activity such as known attacks, abnormal behavior, 
unauthorized access attempts, and policy infringements. These systems 
can be used proactively to block certain types of infections and 
attacks. For example, ISPs can be configured to recognize and block 
inbound traffic that could otherwise infect AOL's corporate data 
systems. IDS also can be used to detect computer compromises through 
signatures that identify known hostile traffic patterns. When these 
compromises are detected in AOL's network, the IDS system generates an 
alert to the AOL security staff, which responds immediately.
    When file attachments containing new viruses are reported to AOL by 
our members, a signature is built and passed on to anti-virus software 
vendors and our own IDS machines so that the viruses can be detected in 
subsequent attacks. We alert our customers as to how they can prevent 
further propagation of a virus and reach out to other providers where 
we detect abnormal Internet traffic that may be generated by a virus.
    AOL also employs significant protections to safeguard access to 
member data. AOL keeps passwords strictly confidential; verification of 
screen names and passwords is performed on AOL's secure servers. We 
recognize that a sound security system involves not only use of tools 
such as firewalls, intrusion detection systems, and anti-virus 
software, but that our employees play an integral role in protecting 
security. To this end, access to member data is granted on a need-to-
know basis, and employees are extensively trained and screened prior to 
being granted access privileges. We also conduct periodic internal 
auditing of network records of data access to detect and promptly 
address suspicious activity.
    2. PROVIDING OUR MEMBERS WITH SECURITY TOOLS
    We are particularly proud of the safety and security features of 
our new client software, AOL 9.0, which is expected to be available 
later this summer. These cutting-edge safety and security features 
include a free firewall for broadband users, free and premium anti-
virus services, advanced spam filters, and a computer ``check-upt' that 
enables our members to diagnose and fix security problems within their 
systems. Some of these features have already been launched but will 
come together as a complete package in AOL 9.0.
    To assist both our narrowband and broadband members, AOL runs a 
virus scan on all e-mail attachments that it receives from the Internet 
or that are uploaded from our members. If a problem is detected and we 
can fix the filet we do so and deliver it to the addressees. If it is a 
Trojan horse, something that by its very nature cannot be fixed, we 
return the e-mail (but not the attachment) to the sender with a 
warning. However, e-mail attachments are only one way that a computer 
can get infected with virus. AOL, therefore, has a premium anti-virus 
offering that, after downloading a small program, will guard a 
subscriber's computer from viruses on floppy disks or CDs. In addition, 
every time a subscriber signs on to AOL, the virus definition file is 
updated with the latest virus definitions--the most important step in 
protecting your computer because more than 250 new viruses are released 
on the Internet every month.
    In addition, AOL is providing broadband members with a customized 
firewall to guard against hackers and other unauthorized intruders by 
helping build a wall around the member's computer. The wall, when 
properly configured, blocks access to sensitive files, financial 
records, and personal data stored on the member's computer. AOL has 
teamed with Network Associates to provide free firewall protection.
    We strongly believe that all users, whether an AOL member or a user 
of another service, should install, regularly update, and run anti-
virus software at least once a week. If the user has broadband, he 
should also install and run a firewall. These two steps alone would 
dramatically increase the security of consumers' computers.
    In addition, AOL has built in an array of security features to 
address the growing problem of spam. AOL already blocks as many as 2.4 
billion spam messages in a single day. To empower our members and to 
track down and block spammers more quickly, we provide users with a 
``Report Spam'' button on the AOL 8.0 software, which gives us rapid 
reports of spam that evades our filters. Building on the ``Report 
Spam'' feature and based on extensive member feedback, AOL 9.0 will 
contain unparalleled spam fighting tools that will make it easier for 
members to manage spam and to protect themselves from unwanted mail. 
These tools include very advanced filters, as well as a feature that 
will block images and URLs from unknown senders unless a member chooses 
to see them. This feature will help ensure that spammers cannot force 
e-mail that could compromise the security of members' computers. We 
also are working closely with Congress on legislative solutions to 
spam.
    AOL 9.0 also empowers users to be proactive toward security by 
providing for computer check-ups. Through these easy-to-use check-ups 
and behind-the-scenes protective measures, AOL can diagnose and fix 
security as well as connectivity problems on a member's computer. We 
help the member help themselves, especially in instances where the 
member may not know how to install or update security settings on their 
own.
    3. EDUCATING CONSUMERS AT AOL AND BEYOND
    AOL devotes significant time and energy to providing a wide range 
of well-placed education tools and resources that our members would 
find difficult to avoid. Because our members spend an average of 70 
minutes per day online with AOL, we have ample time to remind them 
about security, and we do. This time online also has implications for 
the safety of the infrastructure. With more people staying online 
longer, those computers can be used to launch a distributed denial-of-
service attack.
    For this reason, AOL spends considerable resources to highlight 
safety and security information available on the AOL service. First, 
members can easily reach safety, security, and privacy information on 
the service with a toolbar button-which is always right in front of the 
member. Second, we have promoted and will be promoting even more 
educational material on spam and Internet scams with our Welcome Screen 
space. A recent Welcome Screen promotion on scam e-mails had the 
highest click-through of any Welcome Screen promotion (including those 
on Britney Spears) until we started our current promotion on spam. Spam 
is currently the number one area of interest to our members.
    One important feature of our service is its Safety, Security, and 
Privacy area. Member security begins with educational tools that are 
clear, easy to find, easy to use, and easy to customize. Collectively 
taking care of our community, this site urges members to ``protect your 
home computer and the nation's Internet infrastructure.'' The site 
includes specific information about how members can protect themselves 
against scams and viruses, as well as how to protect their credit card 
numbers and passwords. It also hyperlinks members to industry 
collaborative sites like ``StaySafeOnline,'' ``GetNetWise,'' and 
``Site-Seeing Tips: Travel Insurance for Cyberspace'' for other 
specific suggestions and reinforcement of our messages.
    Another key feature of our service is AOL Keyword: Help. This 
feature provides a resource for members who need assistance on any 
topic, including security. This process is easy to navigate, clear and 
simple to understand. At Help, one of six listed topics is ``Online 
Safety.'' Clicking this link gives the member online safety subtopics 
to choose, including information on protecting your password, avoiding 
computer viruses and spotting scams and schemes. Clicking any of these 
choices gives the member a menu of related short, simple, useful 
articles such as ``Password Requests in E-mail,'' and ``Password 
Stealing Schemes.''
    In addition to providing many avenues for our own members to be 
fully informed about security risks and solutions, we recognize that 
online leadership means taking on responsibilities beyond the AOL 
community. AOL feels keenly an obligation to use our resources wisely 
for the benefit of all consumers in the online world. To that end, we 
have undertaken numerous initiatives.
    For example, we have joined with other leading private sector 
companies to form the National Cyber Security Alliance, a unique 
partnership with the federal government that fosters awareness of 
cybersecurity through educational outreach. The Alliance website, 
http://www.staysafeonline.info, provides clear and concise consumer 
tips on information security. AOL is proud to have participated in the 
design of that site, to be hosting it on our web servers, and to be 
dedicating substantial resources toward driving traffic there.
    To gauge consumer attitudes toward and readiness regarding 
cybersecurity, AOL has commissioned studies independently and with 
others in industry to help identify areas where efforts and initiatives 
can further enhance security. We use the results of these studies to 
tailor solutions to members' attitudes and practices. A recent study 
conducted by the Alliance demonstrated that the overwhelming majority 
of broadband consumers lack basic protections against the dangers of an 
always-on connection to the Internet. The study revealed that most 
consumers do not realize that they lack those protections or that their 
computers and personal information are at risk.
    In response to this study, and as part of our ongoing educational 
outreach, we launched a major campaign in June to inform high-speed 
access users about the dangers of an unprotected broadband connection. 
The primary goal of this Unprotected Broadband media campaign has been 
to reinforce the message that Internet users need to be cybersecure 
citizens and ensure that their computers cannot be hijacked by hackers 
to engage in cybercrimes.
    4. THE IMPORTANCE OF INFORMATION SHARING
    Many of the initiatives we have outlined above involve close 
cooperation with our partners in industry and government and could not 
be successful without the existence of reliable processes for sharing 
information. Because Internet attacks can come from any part of the 
network of networks that constitutes the Internet and come in many 
different, changing forms, information sharing regarding security 
threats is essential to good cybersecurity. For this reason, strongly 
supports the development of Information Sharing and Analysis Centers 
(``ISACs''), and through these and other fora actively engages in 
sharing information regarding cyber threats and attacks.
    This cooperation has proven very important to the continued stable 
operation of the Internet. For example, in February of 2000, the ISP 
industry worked together to combat the largest attack on the Internet 
to date by a single individual in Canada who was able to organize a 
large scale denial-of-service attack on several large websites, 
temporarily knocking them out of service. As the attack occurred, the 
large players in the ISP industry quickly communicated with each other, 
through informal technical contacts, to isolate and locate the source 
of the attacks. As a result of the industry's quick response, service 
to the websites was restored in a matter of hours, and the 
functionality of the Internet as a whole was never interrupted.
    This type of response is typical in the ISP industry, and these 
well-established informal procedures and responses proved to be 
effective in remedying subsequent attacks on the infrastructure, such 
as NIMDA and Code Red viruses.
    When our IDS system detects or we receive reports of new viruses, 
we build a signature and pass along to anti-virus software vendors as 
well as our own IDS machines. We also reach out to other ISPs when we 
detect abnormal traffic patterns that may reflect a virus or hacker 
attack, and have a Cybersecurity team on call 24 hours a day, seven 
days a week available to address indications or reports of security 
threats. Indeed, because cyber attacks can happen quickly and at any 
time, we believe strongly that all ISPs should have a similar 24/7 
point of contact within their companies to work with other ISPs to 
respond to potential network abuses.
    Information-sharing can also help on the law enforcement side of 
the cybersecurity equation. AOL works closely with law enforcement and 
other government agencies to deal with threats to the critical 
infrastructure, even when those threats may not directly affect AOL or 
our members. AOL has a dedicated team of professionals, including 
former prosecutors, who work with law enforcement in investigations of 
cybercrimes, including hacking and other security threats. We cooperate 
with authorities not only in responding in a timely fashion to their 
requests for information during an investigation, but also pro actively 
in alerting law enforcement to potential network threats. AOL has 
worked closely with government and law enforcement to identify and 
locate major hackers whose actions have threatened the Internet, 
including the creator of the infamous Melissa virus.
    We look forward to working with our colleagues in industry and 
government to build upon these existing mechanisms for cooperation and 
information-sharing, and to ensure that the lines of communication are 
open and clear.
THE ROLE OF GOVERNMENT AND PUBLIC-PRIVATE PARTNERSHIPS
    We believe that government can work with the private sector in the 
following key areas of cybersecurity: 1) encouraging dialogue among all 
industry players to promote informationsharing; 2) educating the public 
about staying alert to potential network abuses; and 3) promoting 
active cooperation between industry and government in finding and 
apprehending hackers. Many of the initiatives we outlined above have 
involved close cooperation between government and industry players in 
these areas.
    With responsibilities for cybersecurity now coming under the 
primary purview of the Department of Homeland Security's Directorate 
for Information Analysis and Infrastructure Protection, we applaud its 
creation of the National Cyber Security Division (NCSD) last month and 
believe it can continue and expand on many of these public-private 
partnership objectives. We look forward to working with the NCSD, 
particularly as it seeks to:
         identify risks and help reduce vulnerabilities to 
        government's cyber assets and coordinate with the private 
        sector to identify and help protect America's critical cyber 
        assets. As previously stated, government can play a very 
        valuable role in keep the lines of communication open and clear 
        about cyber threats and cybersafety;
         oversee a consolidated Cyber Security Tracking, 
        Analysis & Response Center (CST ARC), which hopefully will 
        serve as an effective, single point of contact for the federal 
        government's interaction with industry and other partners on a 
        24x7 basis. The CST ARC should work closely with existing ISACs 
        and should seek to develop tools to increase communications 
        among all players; and
         create cybersecurity awareness and education programs 
        and partnerships with consumers, businesses, governments, 
        academia, and international communities. In coordination with 
        the National Cyber Security Alliance and its StaySafeOnline 
        campaign, and other organizations, the NCSD should seek to 
        advance the development and expansion of education programs 
        without delay.
    We look forward to seeing DHS's execution of the actions and 
recommendations outlined in the National Strategy to Secure Cyberspace, 
and will support those efforts as we continue to work closely with 
government and law enforcement in minimizing threats to our 
cybersecurity.
CONCLUSION
    We applaud the Subcommittee for its examination of these issues as 
companies such as ours undertake significant efforts on behalf of our 
members and the Internet as a whole. We will continue to work hard to 
implement recommendations laid out in the National Strategy in our 
products and our outreach initiatives, and encourage other companies to 
do so as well. We are deeply committed to addressing cybersecurity in 
partnership with government and with our suppliers and others in our 
industry. We look forward to continuing to work with Congress, the 
Administration, and others in industry toward ensuring cybersecurity.

    Mr. Thornberry. Thank you.
    It is a little bit frustrating from this side of the dais 
because I think the subcommittee could spend an entire hearing 
with each of you. And yet what we are trying to do is also get 
our arms and brains around the larger problem, the overview. 
And so we appreciate each of you being here today.
    I want to mention before we turn to questions that toward 
that end this subcommittee is sponsoring, with CRS, a workshop 
on cyber-security, and I would encourage all members to have 
their staff members attend. It is Monday, July 21, in the 
Cannon Caucus Room. Ms. Lofgren and I have sent information on 
this to each of your offices. We have some fine folks who are 
there and I would recommend that you send your people.
    I would like to start with a kind of a broad overview 
question addressed to each of you. And a number of you have 
talked about this in your statement. But, again, in the 
interest of trying to see if there is consensus and in broad 
form where we go, I would like for each of you to briefly 
address this question. We are not going to have time to get all 
into it, but we will go back.
    And here is, I guess, my question. The market is driving 
each of you towards some measure of greater security. First 
question is, are you comfortable that that market-induced level 
of security is sufficient for our nation's security or is 
something more required than where the market is going to take 
you?
    Secondly, if you think something more is required--and I 
don't assume that--but if you think something more is required, 
then just in rough outline what is the federal government's 
role in achieving that extra measure beyond which the market 
allows you to go.
    Again, I would ask each of you to be relatively brief in 
your answer, because I want to turn to other folks, but that is 
kind of the big question that this subcommittee is grappling 
with. And so I would like to just go down the line.
    Mr. Reitinger, if you would start?
    Mr. Reitinger. Thank you, Mr. Chairman. I will try to be 
very brief.
    I think the market is going to go a long way. This is a 
very innovative industry. And as you heard from the panel 
today, across the industry we are seeing security innovation.
    It is possible that in selected areas the market will not 
go as far as the nation needs for national or homeland security 
purposes. I have two points on that.
    One, you can't look at that broadly, though. In other 
words, the market may not go far enough in a particular place, 
or in another particular place or sector. So I think it is less 
a broad question and more a particularized question.
    Second, it is dynamic. In other words, the question is not 
where is the market now, but where is the market going and 
where do we need to be? Do we need to look at the direction we 
are going in.
    Second point, even if the market is not going to go as far 
as we want to go, I would urge policy makers to move in as, I 
believe my estimable colleague Whit Diffie said, as tailored a 
fashion as possible. Just because the market may not go as far 
as you need for national security doesn't mean to leap to 
regulation or some other mandatory step.
    I think one of the critical functions for the new 
Department of Homeland Security is to take a very close look at 
where the market is going, figure out what it is going to do, 
where there may be gaps, and then figure out the best and least 
intrusive way to close that gap. And I think some of the 
suggestions we would have I stated in my written statement and 
I outlined for the committee and won't repeat.
    Thank you.
    Mr. Thornberry. Thank you.
    Mr. Diffie?
    Mr. Diffie. I think I will take it for granted that there 
is some role for government in this and just spend a moment or 
two just looking at what that might be.
    I think it is important for the government to do those 
things that it is uniquely qualified to do. So, for example, 
the government has access to information that is not available 
or not as readily available in the private sector. And so, as I 
said in my testimony, I believe that a follow-up mechanism for 
measuring the actual security of systems in operation should be 
used to validate the certification mechanisms.
    This turns on the fact that the intelligence information 
needed to do that is very hard for industry to get because 
individual pieces don't want to share it and they share it more 
readily with the government.
    I also believe the government has played a very important 
role in standardization. I cited the advanced encryption 
standard. If it is anything like as successful as its, I 
believe, more controversial predecessor, the data encryption 
standard, that will be something that the fact the U.S. 
government took this on as a standard will have a transforming 
effect.
    Finally, there is government's incomparable role as a 
customer, both in the sense that the government could perhaps 
show more foresight in putting security forth as a requirement 
for the systems that it uses but also in a unique ability to 
engage in certain large purchases, so to speak. So, one of the 
problems--we have had a long discussion of why public key 
infrastructure has not developed as well as many of us hoped. 
And I believe at root that is a capital development problem. 
That is to say, like a telephone infrastructure, a keying 
infrastructure becomes more valuable, the more of it there is. 
And so it is hard to get it started.
    So, if you contrast general government and civil sector 
keying activities with those of the Department of Defense, 
which has a focused mechanism for putting out up-front 
development costs, you see that they got much better results in 
a shorter period of time.
    So I think the government needs to consider what major 
steps like that it might take.
    Mr. Thornberry. Thank you. Dr. Lowery.
    Dr. Lowery. I am wondering if there will be much left to 
say by the time you get to the end of the row because many of 
the themes that you have heard expressed so far to my right we 
also concur with. In particular, government's role as a 
customer is one that we see as extremely important. You have a 
lot of opportunity to give us input through our direct 
relationship with you as a customer of Dell, for example, to 
tell us what it is that you want.
    And the CIS benchmark offering is a prime example of this 
in action. This is a result of government customers asking for 
that. So, as a customer, I think you have immediate impact to 
how industry works through market forces.
    The coordinating role of government also should be 
reemphasized because since we do believe in standards or where 
this is going to happen, the consensus that needs to be driven 
here, a coordinating role is important to make that happen. And 
I think that government helping to arrive at standards is an 
important function that you can provide. And we would like to 
see more involvement in helping to coordinate the standards 
that are already being developed through the market.
    Mr. Thornberry. Thank you.
    Mr. Adelson, is market enough? And if not, where does 
government fit?
    Mr. Adelson. I believe market drives much of the end-user 
requirement, end-user type of applications and tools. While 
government can certainly advise and inform the service 
providers to provide those tools, market will only go so far as 
to, say, create my end-user environment, something from 
Microsoft, something from AOL.
    At the network infrastructure level, for example, if two 
networks have authentication when they speak with other, users 
never see that. They don't know if it is on or off. And so, in 
order to get network infrastructure going, you have to have 
certifications and standards, create some kinds of best 
practices, check against them, and then be able to advise the 
user community that a network has met or not met those 
standards.
    Mr. Thornberry. Thank you.
    Mr. Ianna.
    Mr. Ianna. Answer to the first question. I think that the 
market will take it a long way but not all the way. And I think 
the government can help here.
    And I would liken this back to when the FCC and the Telecom 
industry created the network reliability council. I there were 
some failures in the industry, local carriers, long distance 
carriers. And I think they were dragged in front of a hearing, 
and were asked two basic questions.
    Number one, how reliable is the public switched 
telecommunications network? And there was not a lot of good 
information to give that answer. And if you couldn't answer the 
first question, you certainly couldn't answer the second one, 
is it getting better or is it getting worse?
    Forming the network reliability council brought all of the 
participants in the industry together, NRIC as it is now 
called.
    And we now have some 44 quarters worth of data broken down 
amongst the components, the physical components, of wire line 
networks as to what causes failures. And we know how reliable 
it is and is it getting better or worse and what is causing a 
particular problem.
    So I would suggest that the way that we approach this--is, 
to have a voluntary public forum that we could share 
information, best practices and the like and that we set a 
standard to answer the question: How cyber secure are we? And 
there is going to be a metric around that. And is it getting 
better? Is it getting worse? Because it will continuously 
change. As we interconnect one network to another network, if 
somebody introduces a new application, the holes or the 
opportunities for hackers to get in and do something will 
change continuously.
    By the way, I think you could also answer the question 
amongst different industry segments, the financial industry, 
the water industry, the power industry. And each one of those 
can focus on their own mission-critical services and how cyber-
secure they are and how they need to be. And we could share 
information amongst those ISACs too.
    Mr. Thornberry. That changing nature is part of the 
challenge for government because we don't change very fast, 
particularly when we are talking about laws and regulations. So 
I think that is a good point that several of you made.
    Ms. Gau?
    Ms. Gau. I have been with AOL since the mid-1990s and never 
has there been a time where I haven't had to argue until I was 
blue in the face about the need and the good business sense to 
include security in our products. Our consumers are demanding 
it now. Extensive research that we have done shows that it is 
first and foremost on their minds when they are surfing the 
Internet, especially if they have family involved.
    And they may not be thinking about the nation's critical 
infrastructure in that context, but they are thinking about how 
to be safe themselves and how to protect their point of 
vulnerability. And obviously, they have the buying power.
    Well, consumers are not the only buyers out there. As some 
of my colleagues have mentioned, government can play a role 
here in really driving the market for more secure products. 
One--a similar situation might be with Section 508 of the 
Americans with Disabilities Act which requires that companies 
include accessibility in their products if they are going to 
sell to the government. Similar types of approaches could be 
taken in the area of security.
    With respect to what more could the government do, I would 
go back to the mission of the National Cybersecurity Division 
and to homeland security in general in this area with respect 
to information-sharing, providing those of us in the industry, 
those of us that are working to keep the critical 
infrastructure up in place with information that we might not 
be able to easily obtain elsewhere; to provide for research and 
development in areas that we are not able to. And to also work 
to educate all users, consumers, businesses and other 
government agencies alike about the need for cyber-security.
    Mr. Thornberry. Thank you.
    Ms. Lofgren?
    Ms. Lofgren. Thank you, Mr. Chairman. This is a very 
helpful panel.
    And actually, if I am listening to you, I am hearing broad 
agreement on many themes: that we do need standards. We need 
accountability towards those standards. We need a role for 
government in coordination and maybe assisting in the 
development of those standards, additional research.
    I am glad, Mr. Ianni, that you mentioned the physical 
infrastructure issue because that is also--I don't want to 
belabor that. But that is something that we--you know, we are 
thinking hackers, but actually the tradition of terrorists has 
been guys with bombs. So we should not overlook that element.
    I have a question because Mr. Diffie mentioned that we do 
now will have a downstream effect. And I think about that all 
the time, that if we make a misstep now that it will have an 
impact, you know in 10 or 50--my children will live with the 
mistakes that I make. And so I especially want to avoid them.
    And while we are focusing on security, which we must do, I 
am eager to hear from you, what is the worst thing we could do 
as the federal government that would either impair our 
security, but also impair our liberty in the future? I am 
concerned about what we might do now that would impact the 
architecture of the Internet to the detriment of our free 
society. And I am wondering if you have thought about those 
issues and what your thoughts might be. Each of you, starting 
with Mr. Reitinger
    Mr. Reitinger. Thank you, Congresswoman. Although it is a 
little unfair for me to go first on each of these. I will be 
very brief so I don't cut folks off.
    I would say I think the worst thing that you could do is 
something that would impair security and privacy innovation. 
Doing something in such a way that the ability of industry to 
respond to the increasing market demand for security and the 
increasing need for homeland and national security, that 
ability would be impaired in some way.
    Mr. Diffie. I guess my greatest concern is that these 
technologies will get bottled up and become the properties of--
to give the jargon, certain elites, in the way that say, drug 
development is now regulated. I think it is very important that 
people continue to own their own computers, genuinely to own 
their own computers, to have the root authority and the actual 
power to control what their computers do. So that we get 
security sort of by an aggregation from the ground up of all of 
the individual citizens, rather than something imposed by some 
government-industry security mechanism that restricts either 
security practices, security uses, or in general, the use of 
computers by the citizenry.
    Dr. Lowery. I think anything that you do which does not 
allow for the fact that security is a moving target is going to 
be ill conceived. It is a changing landscape from day to day.
    So anything that is done above and beyond what customers 
are asking us to do, I think has to be very carefully 
considered, because ultimately, as time moves forward and we 
are looking back on what we are deliberating today 15 years 
from now, we very well may say, How could we have foreseen this 
happening?
    So we have to be very open minded about what could happen 
in the future, and not kid ourselves that we have all the 
answers today.
    Mr. Adelson. I think anything that government does that 
would slow down first response, and from, you know, that if, 
your good intentions aside, monitoring or controlling the 
``Internet,'' with quotes around it, you know, is something 
that is far beyond the scope, and if you tried to implement 
such a thing, I fear that the Internet itself would actually be 
at increased risk toward our, you know, how fast you get back 
up after a national crisis.
    Mr. Ianna. I think the worst thing that the government 
could do is not listen to the industry participants as to what 
they are capable of doing, and what can be done in a timely and 
cost-efficient manner.
    I go back to some of the NRC days, where we were trying to 
define a failure. And if you ask a consumer group, they may 
come up with something that says, Well, this is a failure, and 
every time you have this failure you need to file a report.
    We would have cut down acres of trees and buried Washington 
in paper and not improved the state of reliability had we 
adopted some of those that the industry said, This can 
constitute a failure, and this is what we want to improve. We 
work together in a true partnership.
    I really believe that all of the industry participants in 
that case, in telecom, although we were fierce competitors, 
came together in the best interests of the country.
    So listening to the participants about what is doable and 
what can be done quickly and cost-effectively, I think, is very 
important. Not listening to them, I think, would be a very big 
mistake.
    Ms. Gau. Well, I have to echo all my colleagues' comments, 
particularly in the area of developing standards that might be 
obsolete by the time they would be published, because security 
is a moving target, and it is an ongoing process.
    Additionally, I think, one of the worst things government 
could do would be to not engage and further strengthen 
relations with the private sector.
    There have been ongoing dialogues, AOL have very close 
working relationships with government and also with law 
enforcement at the state and local levels, and we are engaged 
in a continual dialogue.
    But anything that would hamper our ability to respond, 
whether it is some type of system where we have to go through a 
central control without being able to first focus on what we 
need to do as a company to get our business back up and to be 
able to provide the service to our customers would be a 
mistake.
    Mr. Thornberry. The gentleman from Texas, Mr. Smith.
    Mr. Smith. Thank you, Mr. Chairman. Mr. Reitinger, let me 
address my first question to you and ask you to call upon your 
experience with the Department of Justice, where you served 
prior to joining Microsoft.
    There, according to your bio, you were a prosecutor of 
computer crimes. One of the frustrations we have on this 
committee, and I have to say we have in on the Judiciary 
Committee, as well, is not being able to quantify the number of 
computer crimes, not knowing how many are committed, not 
knowing what the trends are, and therefore, not being able to 
necessarily address the problems as much as we should.
    As you know, when computer crimes are prosecuted, they are 
kept track of by statute not by type. What can we do to get a 
better handle on the types of computer crimes that are 
committed, how many are committed and what the trends are?
    Mr. Reitinger. Thank you very much, Congressman.
    I think your frustration is widely felt. One of the 
concerns--and you will see in the opening of my written 
statement, as I think in prior testimony the committee has 
seen, there is a general sense that we don't really know what 
the scope of computer crime and computer damages are. We 
actually don't have a statistically rigorous measurement of the 
amount of harm from computer crime and computer attacks.
    There are government agencies that do that sort of thing, 
the Census, the Bureau of Justice Statistics. I would think 
that having a statistically rigorous analysis of the amount of 
harm that our economy faces as a result of computer crime would 
be a very valuable thing and help close what I think of as the 
knowledge gap that we face in addressing questions in that 
area.
    Mr. Smith. I agree and I think that is exactly what we need 
to do. And I will try to engage in some discussions with the 
various agencies to try to collect that information for the 
reasons that you stated. Thank you.
    Dr. Lowery, in regard to your testimony, you mentioned some 
of the initiatives that Dell has taken as far as systems 
security goes. Would you go into a little bit more detail of 
specifically about what Dell has done that you find effective.
    Dr. Lowery. Yes, I would be glad to.
    Dell has responded to customer input, specifically from our 
federal customers, to deliver from our factory directly to them 
Microsoft Windows 2000 installed on Dell computers, 
specifically the Optiplex, Latitude and Precision Workstations, 
that are already set with the configuration settings from the 
Center for Internet Security, which I mentioned before.
    The reason that we have done this is purely because 
customers have requested it. Also, we see it as something that 
can be made available to all of our customers. It is not 
something that is restricted to our federal customers. We think 
that everyone can benefit from it.
    So this is an example of industry best practices as they 
exist currently, today, that we can bring to market with very 
minimal lag time because of our direct model. We build--most 
every system that we ship is custom built to that particular 
customer's order. And so as soon as we have new information 
that impacts product safety or security and we are able to get 
that into the product and into the factory, it is in our 
customer hands typically in five to 10 days after that as we 
start shipping it.
    So that is why we have taken that role. We can deliver that 
technology fairly quickly to our customers that have requested 
it.
    Mr. Smith. Thank you, Dr. Lowery.
    Mr. Reitinger, let me go back to you and Ms. Gau. Both of 
you have had extensive experience dealing with the federal 
government. We have heard in response to some earlier questions 
that we need to establish a better relationship with the 
federal government. We need to do more listening, and so forth. 
Specifically, though, how do you think the federal government 
can better, or more enhance cybersecurity?
    Ms. Gau, let me begin with you.
    Ms. Gau. At the risk of sounding repetitive, I am going to 
go back to the information-sharing, the research and 
development, coordination with private sector and education 
components that actually form the mission of the National 
Cybersecurity Division.
    One of the areas that we are looking at right now in terms 
of the industry is information-sharing with each other and how 
we can continue to improve on those processes that already 
exist, such as 24-7 contacts that exist amongst the players in 
the industry. And taking that a step further, really having 
that kind of cooperative relationship with government at the 
DHS level in the National Cybersecurity Division is something 
that I would very much look forward to.
    At this point, we are still developing our relationship 
with DHS and I look forward to seeing the Cybersecurity 
Division get going, so to speak, and engage us more actively.
    Mr. Smith. Okay. Thank you.
    Mr. Reitinger?
    Mr. Reitinger. Thank you very much, Congressman.
    I will also--I think the main points we have hit on and Ms. 
Gau also retracked there--let me touch on one point on 
information-sharing. There is an anecdote I have heard about 
something that occurred long ago, before the IT ISAC in 
particular was formed, where my boss' predecessor, Howard 
Schmidt, got a call in the middle of the night from the network 
operation people who said we are seeing a spike in network 
activity. He came in and he saw that there in fact was an issue 
and started calling his colleagues, including a colleague from 
Sun.
    They were able to sort of quickly see that this spike was 
occurring across the networks and take some action. In 
particular, Howard was able to reach out and talk to people at 
the Department of Defense, and as a result, a lot of DOD 
computers got protected as a result of that.
    This goes to show that we already have a lot of ad hoc and 
very valuable information-sharing that is taking place. What we 
need to do now is put that on rails, make it a part of business 
processes for both government and industry so it becomes a part 
of how we do business. And the government, I think, can help a 
lot in that regard, in particular in some of the ways Mr. Ianna 
was referring to.
    Mr. Smith. Thank you, Mr. Reitinger.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Thank you.
    The Chair's intention is to call on members in the order of 
appearance at the hearing. And I will now call on the gentleman 
from North Carolina.
    Mr. Etheridge. Thank you, Mr. Chairman. Let me thank you 
and the ranking member for holding this hearing, and more 
specifically, for our witnesses being here today, because I sit 
here and think of so many questions, so much information and so 
little time on such a critically important question.
    Mr. Reitinger, let me ask you the first one, because I am 
going to go from your written testimony, if I may, and then I 
will come back and ask the others. The next time I will go in 
reverse order from the other end. But yours first.
    You stated that cybersecurity remains an interagency 
problem, as you said earlier, and that a key role for DHS and 
the National Cybersecurity Division is building industries for 
effective government action in helping other agencies develop 
procedures that support homeland security.
    What has the department done thus far to fulfill this role? 
And have its efforts produced results that industry is feeling?
    Mr. Reitinger. Thank you, Congressman.
    I might be the wrong person to ask that question to. The 
people who could best answer it would be in the department.
    I am very encouraged by a lot of the activity that the 
department is undertaking. I think they are very new. They were 
only officially stood up less than six months ago. But 
listening to the things that they are saying, particularly 
Assistant Secretary Liscouski, on the issue of cyber-security, 
I am looking forward with hopeful expectation to the things 
that they are going to accomplish.
    In particular, one of the things that I think they are 
doing is focusing on deliverables, getting things done in both 
the short term and the medium term as they look towards the 
long term.
    I think there is a tremendous problem there. There are a 
lot of government stovepipes that need to be tackled. And I 
think the entire department needs a lot of help from across the 
bureaucracy and from this committee. But I feel very hopeful 
about it.
    Mr. Etheridge. Thank you. Want you to understand, I asked 
you that question because you have been inside and now moved 
outside, and I think it is critically important to hear your 
views on it.
    Let me start on the other end and ask this question of each 
one of you very quickly, because each one of you touched on 
about the security issues that you are employing that you have 
ramped up.
    And my question is, what event or events prompted the 
additional focus on security from your strategic standpoint as 
an industry? Because different ones have talked about the 
customer demands--that does it. Was it customer demand or was 
it an attempt to differentiate between products or some other 
events? Because you have shared with us the need for industry 
to be given a goal, but at the same time industry's going to 
take certain actions.
    It would be of interest to me and I think to others on this 
committee to know some of the things that have driven that.
    Ms. Gau. As a consumer-facing business, the AOL perspective 
is going to be geared, obviously, towards what we see with our 
consumers.
    Whereas there have been the early technology adopters, as 
well as other people out there in the marketplace that have 
always been concerned about security, I would say that it was 
probably right around the time of the Melissa virus in the year 
2000 when the mass market of consumers all of a sudden realized 
that, My gosh, a virus, and the whole story of how it 
propagated and how the guy then got caught and the cooperation 
that was entailed in catching the guy--it really all of a 
sudden woke people up.
    And it was about the same time that also there were the 
attacks against eBay and a number of other major providers that 
were taken down for a brief period of time, as well as some 
privacy breaches, some high profile privacy breaches that took 
place that year.
    So I would say it was really in 2000 that we started seeing 
our consumers identifying safety and security as a top priority 
for them in the security research or general research that we 
do on a routine basis to understand our customers.
    Mr. Ianna. Actually, it starts from customer demand, but 
that only starts from the base of what you know and what you 
are trying to protect against. For example, in a data network 
you are saying, I am trying to make it as reliable as I 
possibly can. People know about cable cuts, they know about 
software failures--trying to make sure that this network is 
four nines of reliability. All of a sudden some other new thing 
comes up, somebody does a distributed denial-of-service attack, 
and you are hosting that Web site in your network. You now have 
to be aware of the fact that this goes on and how do you 
mitigate it.
    So it is not only customer demand but it is an event that 
occurs that is a new form of failure that you very quickly have 
to adapt to.
    And unfortunately, as networks get more and more 
sophisticated--for example, let us say for example in data 
networks now, Wi-fi becomes a very popular form of access. I 
guarantee you we will see different types of failures and 
different types of potential intrusions in gathering 
information in that network than we have seen in other 
networks, maybe because of the unsecure nature of transmitting 
some of that information.
    So it is the baseline of what you know always augmented by 
something new happening and customers saying, ``I don't want 
that to happen to my application. What are you, AT&T, what are 
you, service provider, ISP, doing to prevent that from 
happening again?'' And that is what drives our continuous 
development.
    Mr. Adelson. I will speak to the physical components, since 
that is our area of speciality.
    There was no specific event which changed the focus on 
physical security for us. I know back in 1996, I worked at 
Digital Equipment, in their research, and what we found was 
that the participants--and infrastructure radically changed 
from 1996 to 1997, and started to include companies like Alta 
Vista and Yahoo and Google, as well as the network service 
providers. Their requirements for physical security had 
commerce behind it, and it changed all of the focus.
    And so, for example, exchange points moved from a central 
office to a robust physical infrastructure. That is really the 
closest thing to an event--it is really a market shift that 
focused our change.
    Dr. Lowery. Congressman, I would say that I perceive no 
specific event, but instead a succession of events that are 
also progressive, kind of ramp-up.
    And also, as Mr. Diffie mentioned earlier, we are making a 
transition to more virtual world. And so it is becoming more 
important, and becoming something that we rely on increasingly. 
And this has been happening over the past three or 4 years. The 
time lines you have already heard.
    So that does drive customer demand. As customers become 
more aware of how much they have invested in these 
technologies, and how much those technologies impact them 
personally, they start making more specific requests.
    And as I said, we are always open to our customer input. 
That is what we are looking for. We look to them to help us 
make a determination as to where we go next as far as what we 
should be doing with our products.
    Mr. Diffie. Well, he stole my line. I thought I was going 
to be first to say that I couldn't remember any explicit event.
    As I go back over the half dozen things I can list, which 
seems to be significant Sun contributions to security--client 
server computing Java, hardware domaining, trusted Solaris--my 
sense is that they are the responses to our perception of our 
customers' needs in security, as opposed to their desires in 
security.
    So, for example, with the rise of the World Wide Web, the 
development of a computer language intended to have security 
with mobility--in this case, mobility of code--was intended to 
enable the sort of business development that we saw.
    And I think that is the kind of reflection that is always 
going to be required in this area, that you are never able to 
determine security requirements merely by market survey.
    Mr. Etheridge. Thank you, Congressman.
    Rather than listing a specific event, I will briefly 
mention three factors that I think play outside of customer 
demand, one of which relates to what Mr. Diffie was just 
talking about.
    First, I think there is a business imperative to build 
trust. Security is in a sense less a size of the slice of the 
pie issue as it is a size of the pie issue.
    For all of us to do better and be more successful, we need 
people--and for society to be more successful--we need people 
to utilize information technology broadly. That is not going to 
happen unless people trust information technology. And so we 
need to accomplish that.
    Second, September 11. September 11 taught is we need to 
worry not just about the foreseeable, but also the 
unforeseeable.
    And third, and this is a point related to what was just 
talking about: social responsibility. With market share comes 
responsibility. And we as large and important corporations have 
a responsibility to look towards protecting the security and 
privacy of our customers.
    Mr. Thornberry. Thank you very much.
    Thank you. Chairman Cox.
    Mr. Cox. Thank you, Mr. Chairman.
    I want to thank this panel for being exceptionally 
educational and for your willingness to devote some careful 
thought into providing your fair testimony even before you got 
here and, of course, for your years of experience that enabled 
you to do that.
    And I want to thank the chairman and the ranking member for 
organizing this particular focus on cybersecurity. As members 
of the panel know, in organizing this Committee on Homeland 
Security, and indeed, in organizing the Department of Homeland 
Security last year, the Congress had it in mind to pay 
particular attention to our information infrastructure. And 
this subcommittee is the only subcommittee in either the House 
or the Senate devoted to cybersecurity.
    I make the point because so much of our focus on what we 
now call homeland security, on fighting terror, is really 
coming to grips with technology, whereas in the 20th century, 
only nation states could pose WMD threats to us; in the late 
20th century, we found that such dirt-poor nations as North 
Korea could pose similar threats. And now we are finding that 
terrorist bans, and ultimately I am sure we will come to the 
conclusion in the 21st century, that individuals will find 
their own capacity to harm civilization levered by psychology 
in the same way that this technology is improving our 
productivity in all other peaceful aspects of our existence.
    And so I want to make sure that as we organize the 
Department of Homeland Security, we are focused not just on, 
for example, the Internet the way we know it today but on where 
this technology is headed, because 10 years ago if we would had 
this hearing and asked these questions with all that time to 
prepare, we still couldn't have prepared ourselves because so 
much of what we have today was unknowable at the time. And we 
want to make sure that in the future we are nimble.
    So in matching the strengths and weaknesses of the federal 
government, which we have all agreed today need to be a partner 
in this venture with those of the private sector, I find that 
one of the federal government's characteristics is extremely 
troubling. And that is that it tends to be ponderous and 
sluggish in its movements in developing regulations or in 
implementing its policies. Whereas what typifies not only the 
private sector but, in specific, the technology industry is 
lightning quick ability to change. And this change is going on 
all around us, not just our nation, but around the world.
    And so, my question is as we have gone from, for example, 
code red 2 years ago to slammer this year and we have got our 
reaction time to a matter of minutes, and we may be looking at 
even seconds, when what you are asking the federal government 
to do is help post best practices, how do we deal with the fact 
that it might take too long for the federal government to be 
the clearinghouse for this information?
    And anyone who wants to jump at that is welcome to do so 
because you are all expert in this.
    Mr. Diffie. Well, I will take a brief crack at it and say I 
think that the federal government should not be apologetic for 
being ponderous and slow. It is running the largest enterprise 
in the world. And I don't think if we look at the record that 
we would see, in cases where it is active in haste, it has 
necessarily acted very wisely.
    I think the important thing in here is that there are long-
term principles. Federal legislation must recognize the 
principles, speak to the principles, speak to provision of 
resources, and certainly weave the rapid reaction much further 
down the chain from Congress, perhaps to parts of federal 
agencies and to industry and individuals.
    Mr. Cox. Well, that certainly reflects my views, 
particularly when it comes to writing legislation. I want to be 
sure as a norm here in Congress that we try not to write 
technology into the law, because ultimately the lawyers will 
then make sure that in order to comply with the law, you 
maintain the technology that is written in the statute.
    And that will be a very, very bad world indeed. And so, I 
think your recommendation is getting us on the right track. I 
would be happy to hear further.
    Mr. Ianna. Yes, I think the answer to that question or a 
answer to that question is there are many solutions to a 
problem of sharing information. For example, the Telecom ISAC, 
we have to be very comfortable with that one. It has been a 
good government/industry partnership.
    I think the thing that we could be ponderous on is that 
there are many good solutions, and deciding which is the right 
one, we spend too much time on. I think they are all about 80 
percent right.
    And I think we need to spend more time on taking a good 
example of what works and then applying that to other 
industries not and worry about not making the right solution, 
but making the solution right, and leave the quick, rapid 
response to an ISAC or to an information sharing way lower down 
in the chain, but get the people and the participants 
participating in that very quickly and define what you want to 
protect and how you want to define your measure of success very 
quickly.
    And just say, for example, if you are protecting water, 
what is our critical systems that we want to have? What is the 
level of cybersecurity we need around those? Let the industry 
participate in that. And then, further down the chain, let them 
go implement those solutions.
    And then you will have to continuously look at it, because 
threats will change, lots of things will change, networks will 
change, but you will have a history, then, of are we getting 
better or are we getting worse? And that is the key.
    Mr. Thornberry. Mr. Reitinger?
    Mr. Reitinger. Just briefly, chairman, thank you.
    I think that this is a--cybersecurity is a network problem 
much like the Internet, and requires a network response. The 
government has some very important nodes on that network, with 
some strengths and weaknesses, and probably needs to 
concentrate on the things it does well and must do, as Whit was 
saying before.
    Within DHS, I think it needs to concentrate on three 
things: people, process and technology. And I think of those 
three, they are all important, just to expand a little on 
process. There are a lot of government business processes that 
are no longer well suited to protecting homeland security in a 
new environment. And DHS needs to lead that transition and 
incentivize--I know it is a private sector word--but 
incentivize that transition within government for processes 
that effectively protect homeland and national security.
    Mr. Cox. I thank you, Mr. Chairman. My time has expired.
    Mr. Thornberry. I thank the Chairman.
    Ms. Christensen?
    Mrs. Christensen. Thank you, Mr. Chairman. I want to 
welcome the panelists. We have had some briefings on 
cybersecurity that left us a lot less hopeful than informed 
than the information you have provided for us today.
    I want to begin by asking Mr. Adelson a question. Putting 
what you do in the perspective of first responders is very 
helpful. And communications, steps in information management, 
is an issue for all of the first responders, the fire, police, 
everyone. Is this a part of the ongoing dialogue that the 
private sector is having with the federal government? And do 
you have any recommendations as to what this committee can do 
to better make that more efficient so that you can respond in a 
timely manner?
    Mr. Adelson. Sure, I believe that there is a lot of 
learning going on right now, and I should stress that we are in 
the initial stages of determining where the threshold should be 
in information sharing. Information sharing being the critical 
component, as you have said, as an exchange point operators 
seen the communication problems that go on between network and 
service providers and vendors in government today, we know that 
it is a monumental task and should be approached very 
carefully.
    Classic example of this is the Freedom of Information Act 
provisions that really must be preserved to protect network 
service providers so that they can freely share that 
information with government without concerns.
    And I feel that that is one example of a number of areas 
where really we have to understand the full scope of what is at 
stake for network service provider before engaging in any kind 
of formal process.
    But I am encouraged by the process that is happened so far 
on the standards and suggestions that I have seen.
    Mrs. Christensen. You raise the trusted environment again. 
And that is really critical between the private--between 
private industry and between private industry and government. 
Are there recommendations from any of the panelists as what 
this committee can do to foster that trusted environment so 
that the communications can flow as it needs to flow?
    Mr. Ianna. The trusted environment can exist in a 
government-private partnership. We have seen it work in the 
telecommunications environment. We are concerned about sending 
lots of information to not only one place, but multiple places 
to then have it become public, which may not be in our best 
interests.
    The other thing, I think, that is really important is to 
get to the level of protection that I think we all want. A 
macroanalysis of vulnerabilities will not get you there, in my 
opinion. You have to get to the microanalysis of each and every 
industry and network.
    An example that I give is I could create a network for a 
large bank out of AT&T services, SBC services, Microsoft 
services, Equinix services, et cetera. And that could be very, 
very physically secure and very logically secure. I could take 
the same bank and the same four vendors and create a network 
that is not physically secure and not logically secure, just by 
putting the parts together differently or having absence of 
pieces.
    So a macroanalysis does not get you there. It is a 
microanalysis, and it has to be done at the industry and at the 
entity level. A lot of the components to create very secure, 
cyber secure, and very physically secure networks are there 
already. And a macroanalysis of this may not get you there. It 
has to get down to the, I believe, the individual network 
level.
    Mrs. Christensen. Well, maybe I can--I don't see anyone 
else jumping to answer, so I will ask my last question.
    The government and the private sector have been 
collaborating and discussing security before the creation of 
the Department of Homeland Security. Has there been good 
continuity in that collaboration? Has it improved? Has the 
creation of the department, bringing all of the different parts 
under one umbrella, has it become more cumbersome? Has this 
dialogue between the private sector and the government improved 
since the Department of Homeland Security over these issues? Or 
is it more complicated because of all of the different pieces 
coming under this one umbrella?
    Mr. Adelson. Well, I will say that my experiences before 
the Department of Homeland Security, while encouraging that 
there were efforts underway, we are, you know, minimally 
exposed to. Part of it is because, you know, we were focused on 
our customers and we didn't have the resources to have someone 
here in this environment at all times to interact with 
government.
    One of the components of DHS which was encouraging for us 
was they were reaching out. And for the first time we were 
hearing from government with a request to learn. Like this 
hearing today is a great example of that. So I think we are 
headed in the right direction.
    Mr. Ianna. I would just like to say that as part of this, 
many state governments have done something similar. And 
certainly, from a response request and the amount of effort 
that you have to put into it, and the vulnerability of 
information and create a few lists in 51 places, as opposed to 
one place, also. I would like to see more coordination and 
templating amongst the states to the federal level also. I 
think that would be very helpful.
    Mrs. Christensen. Thank you.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Thank you.
    Vice chairman of the subcommittee, Mr. Sessions?
    Mr. Sessions. Thank you, Mr. Chairman.
    I am sorry to have skipped back and forth, but I heard the 
testimony from Mr. Diffie, and I heard you talk about standards 
by the government. I heard, certainly, Mr. Ianna talk about 
government standards that would be good for us to development. 
And part of the dialogue and discussions then that Dr. Lowery 
was the CIS.
    The question I have got for anyone on the panel is is there 
any consensus on a best practice?
    Mr. Ianna, I just heard you say you could develop a secure 
network that would be great. And depending on how you put the 
pieces of the puzzle together, it may or may not be secure 
using even the same vendors.
    Is there a best practices model out there that should be 
looked at, sanctioned, if not by some government entity, by I 
think they are called CIS? Is there something out there today 
that says this is the most secure way that we know of today to 
develop the architecture? Or would everything just be so robust 
you would have to literally pay somebody thousands of dollars 
to come and piece, part it for you? How difficult is that? And 
does the government follow a model, from what you can tell, as 
related to whatever this business model may be? Anybody?
    Mr. Ianna. I will try a shot. There are best practices that 
industry participants have shared. The NRIC previously the NRC 
is a good example of that. As we came across failures and we 
analyzed failures, we figured out what do people do? And what 
do people do well and what do people do not so well, or 
companies within that? And we created best practices and we 
shared them. And we are doing that right now in NRIC 6 at the 
physical level and at the cyber level.
    But to paint the entire problem, I believe, with one set of 
best practices, I would just urge that we don't fall into the 
trap. For example, a best practice for a financial application 
at a very high level transmitting, you know, hundreds of 
millions or billions of dollars in transactions may be one set 
of best practices.
    And somebody surfing the Web for information may be a 
totally different set of best practices with different levels 
of security, fire walls, et cetera.
    So I believe that best practices do exist in industries. I 
think we have some proof of it in the telcom industry. I can't 
speak for others. I think there are--power industry, for 
example, et cetera. But I don't know if there is one best 
practice that fits all sizes of all types of networks and 
applications that the government should sanction. I don't know 
if we should go that far.
    Mr. Sessions. Then, what would you say? Dr. Lowery, you 
might want to speak to this, but what would you then say, and 
your observations about the United States government, following 
these known best practices, how well do you think they do?
    Mr. Ianna. Well, that is a good point.
    The government is a very big customer. And it can drive 
some very big changes in the industry or practices in the 
industry just from its own purchasing power. So if the 
government decided, for certain networks, that it wanted these 
levels of cybersecurity, firewalling, anti-virus software, 
automatic updates, et cetera, it could drive that particular 
standard for that level of security because you have the 
purchase power of a large customer.
    Mr. Sessions. And how well do you think the government 
does?
    Mr. Ianna. I really can't paint that with one brush. I 
don't have an answer.
    Mr. Sessions. Good. There are examples of very, very good? 
Or do you enough about this to speak on this?
    Mr. Ianna. I probably don't know enough about it.
    Mr. Sessions. Okay. Thank you.
    Ms. Gau. If I may, I just wanted to pick up on one element 
that Mr. Ianna mentioned. And that was the auto updating.
    When you look at some of the organizations in the industry 
today that put out security standards, there are a number of 
them other than CIS. And they try to market it as a service. 
There are even security seal programs just like there are 
privacy seal programs where the industry is trying to take a 
self-regulatory approach to establishing a baseline level of 
security for certain applications.
    The problem is that as we have already said, security is an 
ongoing process and a moving target. And as part of any of 
these standards, as part of any potential piece of legislation, 
it needs to be auto updating. And there lies the dilemma.
    Mr. Sessions. I would love to see it stay away from 
legislation, but to be able to say there is some standards body 
that we believe enunciates the best practices and becomes a 
model. And somebody talked about this. I think that that could 
be a way to highlight someone. And I think that is the best way 
that we ought to pat somebody on the back but not with rules 
and regulations.
    Dr. Lowery, did you have a comment or someone else?
    Dr. Lowery. Just wanted to expand on the Center for 
Internet Security and also what has already been said, just to 
expand on that somewhat, that security is not one-size-fits-
all. There are best practices, though, which are broadly 
applicable. And the Center for Internet Security benchmark 
level one is intended to be that kind of best practice.
    They also have level two benchmarks, which are much more 
rigorous. And then you could also turn to individual companies 
and the products that they provide, and they can give you also 
their recommendations on how to best secure their products. So 
you look at the situation in which the technology is going to 
be deployed. You adopt best practices, which everyone has 
already agreed these are good ideas, and then you specifically 
tailor the security for your environment.
    Mr. Diffie. So let me speak to two aspects of what you have 
said. One is that the question you are asking about how well 
the government has done is really one in my mind that if in 
need of objective measurement, that is to say, I think, that it 
would behoove the government to just go through, make provision 
for assessing the security in operations of the computer 
systems its using.
    And then, asking about each individual sort of product and 
installation configuration, should we have been doing this. 
Should we continue to buy more things of this kind from the 
spender, whatever? A reactive--an energetic, a due diligence 
customer approach.
    The other point is it is the most critical thing in 
security in many ways, is a realistic vision of the threats. 
And we have before in Washington seen the impact of unrealistic 
visions in both directions, one of which is not to worry about 
it, and the other of which, particularly during the Cold War, 
is to let us security enthusiasts, and I have--though were many 
in the federal government, get in a position to try to push, in 
this case, civilian agencies to meet various kinds of military 
standards that merely cost a lot of money.
    And because there was a general--not an inevitable, but a 
general antagonism between security and flexibility, you must 
be very careful about how you impose practices and security 
standards on agencies so as not to interfere with their getting 
of their work done, which is the primary thing.
    Mr. Reitinger. Briefly, Congressman, to re-emphasize what 
Dr. Lowery said, there is no one-size-fits-all solution. Anyone 
taking a particular configuration of the system, for example, 
needs to take a look and see whether that meets their 
particular environment.
    But one additional point, one thing that can be done, and 
something that Congress did last year was pass a management 
framework for information security in the federal government as 
a part of FISMA. So that is not a one-size-fits-all, that is 
actually a management framework that addresses security in 
federal government systems.
    Mr. Adelson. You asked a specific question about whether 
best practice could secure, and I just wanted to point out best 
practices are important, but there are still a lot of research 
that needs to be done at the industry level to fully secure 
vulnerabilities that we have exposed over the course of the 
next few years in the infrastructure, and we can't just leave 
that. Federal government could help with funding of research, 
for example, to help us get us there.
    Mr. Sessions. I thank the panel.
    Thank you, Chairman.
    Mr. Thornberry. I thank the gentleman. And I might mention 
next week this subcommittee is having a hearing trying to focus 
on the research and development ahead and what those needs are 
and how those resources ought to be directed. And so, I think 
the gentleman makes a good point.
    The gentlelady from California, Ms. Sanchez?
    Ms. Sanchez. Thank you, Mr. Chairman. I have some specific 
questions for--and so, I will call out the names when I come to 
the question for you all.
    I just want to say thanks for having me, Mr. Chairman, and 
I know I have learned quite a bit.
    I am a member from California, and I represent Orange 
County, which has a pretty good information and high-tech 
community. So I have been working with some of my colleagues, 
like Anna Eshoo and Zoe Lofgren and others on some of these 
issues like encryption and everything over the years. But I 
mean, this is just such a large area for us to try to focus on. 
I really appreciate all of you being here today for it.
    Mr. Reitinger, even if an underlying operating system is 
considered secure, can programs running on that platform still 
cause problems like spreading viruses or attacking other 
systems? And if that is the case, would we need to security 
check every piece of software that we run?
    And if we do that, do you foresee proprietary problems if 
its necessary to check source codes of all programs, for 
example, for security holes, embedded viruses and other issues?
    Mr. Reitinger. Certainly, applications as well as operating 
systems can have vulnerabilities and can pose difficulties. I 
think what is essential is to use software that is developed by 
companies that use a robust quality assurance or software 
assurance process where they, in the course of development do--
use trained developers, track their source code, do code 
reviews, do external third-party reviews, do penetration 
testing and seek external certification, such as the common 
criteria, for their products.
    And I think that provides a fair amount of assurance that 
the products are as secure as they can be under the 
circumstances.
    Ms. Sanchez. Thank you.
    Mr. Diffie, you say that the latest encryption standard is 
as secure as you need to be. And I was just discussing with Ms. 
Lofgren where we were with encryption, because we have been 
working on this for awhile. I know it is a regulatory process 
now, and we seem to have an ability to move encryption 
standard, if you will. Can you explain what you meant by as 
secure as we need to be at this point?
    Mr. Diffie. I apologize--I don't think that was probably 
exactly the term I used. I think I said a secure as one could 
want. And what I meant precisely is that when the data 
encryption standard was fielded 25 years ago, it had to give, 
getting into technicalities, a 56-bit key, about a billion 
billion possible keys.
    And that number was chosen, at the time, to be a compromise 
between the desires of the intelligence community and the 
perceived security needs of civilian government.
    The advanced encryption standard offers three different key 
lengths: 128, 192 and 256. And as far as my community, the open 
cryptographic community can tell, and as far as we understand 
from NSA, what they believe, we do not know how to break into 
AES encryption at any of those key lengths faster than just 
looking through the keys. That is infeasible at all three of 
those lengths.
    And so to take the words of the preface to an old Soviet 
encryption standard, this algorithm places no limitation on the 
security of the data to be protected.
    So that is exactly what I meant, that the intent here and 
what we observe in the public community and what NSA tells us 
all accord in saying that this is as secure as any 
cryptographic algorithm we know of.
    Ms. Sanchez. Thank you. I hadn't quite heard it put that 
way so thank you for your information on that.
    Dr. Lowery, you talked about a partnership between the 
vendors and the customers. Vendors provide security-minded 
products, and customers make sure that they have proper 
security settings. I am concerned about the customer who might 
not know how to keep things secure or inadvertently creates 
problems within the system. Can you elaborate on the 
responsibilities that you think we would like to see customers 
take on with respect to security?
    And how do we, as a government, encourage that? Because, 
you know, we are as secure as our weakest link and it could be 
one of these users.
    Dr. Lowery. I think one of the most important things you 
can do is to educate end users, not about technical aspects of 
security, but simply about the role that they play as 
individuals, as gatekeepers, into a larger community of data 
sharing and information sharing.
    If we could get the end users to understand that as a 
participant in e-mail, for example, simply opening an 
attachment has ramifications that not only affects them, but 
could affect others. Just an awareness of their ability to 
impact others through how they use these technologies could go 
a long way to improving security for everyone who participates 
in these systems.
    Ms. Sanchez. Thank you.
    I see that my time is up. I have some other questions, but 
I will submit them for the record, Mr. Chairman.
    Thank you, gentlemen and--
    Mr. Thornberry. The Chair thanks the gentlelady.
    The gentlelady from Texas, Ms. Jackson Lee.
    Ms. Jackson Lee. Thank you very much, Mr. Chairman. And 
thank you and the ranking member for holding this important 
hearing.
    To the panelists, thank you for your presentation and your 
indulgence on members who have several hearings going on at 
once.
    Let me take personal privilege and express my appreciation 
that Dell is still in Texas, in Austin, Texas. We are gratified 
for that. And to thank AOL Time Warner for being one of the 
first groups to host members of Congress out into the Virginia 
location. I think that is prior to the merger, but we thank you 
very much. This is an important issue.
    The bell is ringing, I believe, so let me quickly comment.
    Mr. Thornberry. If the gentlelady would yield briefly?
    The Chair's intention is to go until we have about 7 or 8 
minutes left in this vote. My understanding is we have two 
votes. And then I would like to come back. Hopefully, we would 
be gone no more than 15 minutes, and then we could resume. And 
so that is my intention.
    Thank the gentlelady.
    Ms. Jackson Lee. In an article, and the date is a little 
fuzzy, so I will just refer to the article, talks about the 
administration abolishing the high-level Critical 
Infrastructure Protection Board and the fuzziness of the 
administration's position on cybersecurity. And I would be 
interesting in your assessment on what the sense of the 
industry is with respect to where government is on 
cybersecurity particularly in the loss of Richard Clarke, who 
was a very visible government person on these issues and the 
fact that this board now has been recomprised in DHS with a lot 
lower profile and staffing, if you are familiar with that 
particular board.
    But that was the board that had the face of the 
administration, and that is the Critical Infrastructure 
Protection Board that generated after the turn of the century 
and of course, after 9/11.
    My question is what can we do in government as relates to 
cybersecurity? And I ask these questions. Do we need more 
information sharing? Do we need more firewalling? And do we 
need a best practices? And in your opinion, what are the three 
things that the government may need to do immediately to 
improve cybersecurity? If you want to point it at the 
department or point it at this select committee because we are 
supposed to be the fixer-up-it in terms of trying to find 
solutions.
    I would appreciate your response to that, whoever wants to 
jump in. Or we could start--we will start in that direction, 
yes.
    Ms. Gau. Thank you. I appreciate you reference to the 
former Critical Infrastructure Protection Board and Richard 
Clarke, whom I worked with quite closely, with him and his 
staff on the national strategy that came out. One of the things 
I have noticed is that there has been little reference, other 
than my own, to the national strategy to secure cyberspace. And 
although there are critics of the document that say it is too 
watered down and that it does not really lay out 
responsibilities, it simply makes recommendations.
    It nonetheless serves as a blueprint. And there are 
detailed actions and recommendations outlined in that document 
that address all of the issues we have been discussing today.
    One of my recommendations would be to indeed look at that 
document, engage more actively in pursuing the actions and 
recommendations in the document, and to look towards perhaps 
elevating the level of attention that the national 
cybersecurity division has right now.
    My personal experience and AOL's experience has been that 
when that board existed and Richard Clarke was in place, we had 
a much more active relationship with the White House on 
cybersecurity than we do now.
    And whether or not the placement of the national 
cybersecurity division within DHS is the appropriate location 
is not something that I believe I am qualified to speak to. But 
we would like to see a similar level of attention and priority 
given to the issue of cybersecurity.
    Ms. Jackson Lee. One of the points you mentioned was 
firewalling versus information sharing. And let me just say 
that security is an almost unlimited excuse for keeping things 
secret. And very often in the short run that is the right thing 
to do. But I think it should be recognized that secrecy in 
regard to security matters should always be thought of as a 
vulnerability. Because no matter how hard you are trying to 
keep a secret, your opponents might discover it. And the ideal 
security systems are ones that operate in a very open 
environment, and do not depend on secrecy about themselves.
    So I want to say that although we in industry very often 
have a parochial interest in the government helping us keep 
secrets about how our products work, about what our 
vulnerabilities have been, that the long-run interest of 
government is probably in promoting and requiring greater 
openness.
    Ms. Jackson Lee. Can I get one person to answer the 
question, what the government needs to do right now in 
cybersecurity--just one person, and then?
    Mr. Adelson. I will say--
    Ms. Jackson Lee. I appreciate it.
    Mr. Adelson. --promote the Department of Homeland Security 
as the epicenter of information sharing for industry and 
federal, state and local government--number one.
    Number two, preserve the federal information act 
protections and the Critical Infrastructure Information Act.
    Number three, consider funding for outreach to promote the 
sharing, research and development of security and testing.
    I just want to say that that is an introduction. Right? But 
that is the immediate thing that could see support for, those 
three things would be critical right now.
    Ms. Jackson Lee. Anyone else?
    Mr. Ianna. Just to echo that, there are some examples of 
ISACs that I believe are working well. I could speak for mine 
in telecommunications industry ISAC as well as the Network 
Reliability Council sponsored by the FCC. We see effective 
partnerships between the government and the private sector, 
particularly where the government is funding part of the 
infrastructure, which I believe is important, which the other 
ISACs may not be experiencing. That might be a good model to 
move to those other ISACs.
    Ms. Jackson Lee. You think it needs to be elevated in the 
Department of Homeland Security from where it is now?
    Mr. Ianna. I can't say that. I just say that there is an 
effective--it seems to be, from my perspective in this 
industry, an effective model in Homeland Security right now, in 
telecom ISAC.
    If the other ISACs are struggling--and I don't know if they 
are--with information sharing, maybe a funding, a government 
funding of some of those ISACs would be helpful.
    Ms. Jackson Lee. Does anyone believe it should be elevated 
from where it is in the Department of Homeland Security to a 
higher presence, this whole idea of cybersecurity?
    Mr. Diffie. I am willing to say yes, but I think that is 
something to give a considered answer would require a bit of 
study of what is actually being done, organization of the 
department.
    Ms. Jackson Lee. Did you have a response, sir?
    Mr. Reitinger. I would say that I think cybersecurity is a 
critical issue. I think one reaches a point where 
reorganizations become harmful rather than helpful.
    What we are interested now is seeing action and working 
with the department to make it as productive and effective as 
possible.
    Ms. Jackson Lee. Thank you.
    Mr. Thornberry. The Chair thanks the gentlelady.
    As I mentioned, we have two votes, and my intention is to 
be back in about 15 minutes to continue this hearing.
    Again, I thank all of our witnesses for their patience.
    And we will resume shortly.
    The subcommittee stands in recess.
    [Recess.]
    Mr. Thornberry. The subcommittee will resume its setting. 
Obviously, other members are going to be coming back after the 
vote.
    And again, I thank the witnesses for their patience.
    Let me ask about a couple of areas as members are coming 
back. One of the things that I am struck by in each of your 
testimony today is a somewhat different tone from some of the 
testimony we received before.
    In some of our previous meetings and hearings, there is a 
feeling that the advantage lies with the cyber attacker, that 
the advances in technology are really working to the advantage 
of the people who are trying to break into systems and find out 
things, and that our response is lagging further and further 
behind, and for a variety of reasons, which they have 
enumerated. And it is a somewhat pessimistic view of our 
country's ability to protect against particularly sophisticated 
sorts of attacks.
    I would be interested in that larger sense from what you 
all see in your business dealings every day, whether you share 
that view of and concern that attacks are growing exponentially 
both in number and in sophistication. And that it is going to 
be very difficult for us to stay ahead of the bad guys, if you 
will.
    Mr. Diffie?
    Mr. Diffie. Well, let me suggest to start with that we are 
ahead. Our economy, I know, is not as its best at this instant, 
but fundamentally, it is a great, thriving, robust institution. 
Our society, likewise. So a lot of the way you view this issue 
of how many attacks there are how sophisticated they are, how 
much damage they did you is really just a matter of setting 
thresholds, which are going to come out very emotional, because 
loosely speaking, any level of attack is irritating to us.
    And I would be very skeptical that on balance development 
and cyber attacks so far could actually be said to have slowed 
our society down very much.
    Moving to a slightly more technical level, I would say that 
we have unquestionably made major achievements in some areas of 
security, which, if adequately widely deployed, would put an 
end to many of these things. And so, this again comes down 
almost to a matter of definition. When you are trying to 
protect, you are trying to protect the whole curtain wall of 
your fortress. And somebody who punches any hole through it 
gets credit. So we will probably always be chafing at the 
number of cases in which we failed.
    But I think that if you look at the overall development, 
and not just of security techniques, but of computer software. 
You will find it is far more robust, far more reliable, far 
more resistant to attack today fundamentally than it used to 
be.
    The difficulty comes out of the degree to which this is a 
dual-use technology. And the technology is in the hands of a 
wide diversity of people, some of whom don't have our best 
interests at heart. What worries me maybe most in planning 
about this is that we think of it a lot as cyber crime and as a 
cyber nuisance.
    And that as so far, we have not seen any 9/11-like, let 
alone a nuclear bombing-like attack on the United States by 
cyber methods.
    I believe it is still a matter of speculation whether that 
could by itself be comparable in damage. When you look at our 
own military doctrine, we use cyber warfare conjoined with 
physical warfare.
    But the thing that worries me is that we are not making 
sufficient preparation for protecting ourself against cyber 
attack by what I think of as real enemies, enemies who have 
assets outside the United States, outside the control and to 
some degree outside the retribution of the United States, who 
can develop and cook their attacks long enough that they will 
be really dangerous when they happen.
    Mr. Reitinger. I would just reiterate, Mr. Chairman, that I 
am equally positive about what industry can and will 
accomplish. I think the priority has changed.
    One area that we do have to attack is the issue that has 
come up a number of times of information sharing. Sadly, 
hackers are still better at sharing information than perhaps we 
in government and industry are. They are great at describing 
vulnerabilities in systems and building wonderful GUI-based 
attack tools to use. We need to share information to that same 
level.
    But I remain very positive that government and industry 
working together and industry innovating will achieve new and 
better security solutions. And we are actually better off and 
we are getting better off over time.
    Dr. Lowery. Mr. Chairman, I would add to that that a 
pessimistic or defeatist attitude is not warranted. We have a 
very positive outlook on this as well. There are really no 
technical reasons that we should be less secure than we are 
perceived to be.
    Again, I point back to education as a prime component of 
this. That many of the problems that continue to arise, this 
lag that you may be perceiving is really a gap in education, 
which we could rectify if we put resources behind educating 
those who are using the technology so they use it in a more 
responsible manner.
    Mr. Thornberry. And Ms. Gau?
    Ms. Gau. With respect to AOL suffering a debilitating 
cyber-attack, I would be optimistic in saying that I don't 
believe it could happen. However, let me just say that AOL is 
attacked by hackers on a daily basis. We see all forms, all 
varieties and all numbers of hacker attacks. And they have 
increased and varied in techniques over the years. And as a 
result, not only have we had to invest money into the systems 
that we have in place to monitor the network, but also the 
staff that we have in place to be there. We have also had to 
make sure that we are eternally vigilant about these issues.
    And to the extent that we remain vigilant and that we use 
the security technology that is available today, I believe we 
are in a good position. However, there is still the human 
element. The human element being the weakest link. And there, 
again to reiterate education, it is not only on a public 
awareness level, but it is also making sure employees are 
trained, that they understand what are the steps that they need 
to take.
    Mr. Thornberry. And I want pursue the education issue in 
just a second. Just real briefly, are you finding it more 
difficult to stay ahead of the hackers? I mean, you said you 
are putting more resources into it, is it becoming increasingly 
difficult to stay a step or two ahead?
    Ms. Gau. I would not characterize it as being more 
difficult, no.
    Mr. Thornberry. Okay, that is helpful.
    Gentleman from New Jersey, Mr. Andrews?
    Mr. Andrews. Thank you.
    I would like to thank the witnesses for their outstanding 
work and testimony today.
    Thank the chairman and the ranking member for another in a 
series of truly edifying and challenging hearings. Thank you 
for your work.
    I want to go back to the question the chairman raised at 
the beginning of the questions here because I think it is the 
central focus that we have. He asked whether the panel thought 
that the market alone would bring us to a sufficient point of 
security or whether there was a point beyond that. And I think 
I heard the consensus was that although the market would take 
us a very long way indeed that there was an increment of 
security above and beyond what the market would do.
    The second point of consensus that I am hearing is that one 
of the ways, one of the most effective ways the government can 
help us stretch the market, stretch the market solutions is 
through the creative use of our purchasing power as a customer 
that demands these products.
    The third thing that I am hearing a point of consensus is 
that that purchasing power must be carefully calibrated and 
distinguished among various sectors. What the Agriculture 
Department would buy would be something very different than 
what the Defense Department would buy. That it needs to be 
continuously upgraded. A theme that I am hearing from the 
panel, and really from the members, is that if we have a static 
standard of what is sufficient that you are all going to leave 
us behind in the dust, at least I hope you will if that is the 
case.
    And the final point of consensus that I am hearing is 
that--I think I am hearing is that we need to do a surgical and 
thoughtful job of articulating what those standards ought to 
be. We shouldn't haphazardly define the standards.
    What I would like to ask the panel is if I have misstated 
any point of consensus here, please tell me. And I say that 
without pride of authorship, I am simply reporting what I think 
I hear, number one. And number two, if it was your job to 
design the standard-setting function within the Department of 
Homeland Security and within the U.S. government generally, 
what would that institution look like? What kind of institution 
would it be that would tell our purchasing people what it is 
they should demand when they buy a system that protects the 
Social Security Administration's record? Or when they buy a 
system that protects the troop deployment databases of the 
Marines Corps? Or whatever else.
    And we will start with our friend from AOL at the right 
side.
    I, just parenthetically, my last name begins with 'A' and 
in law school a lot of professors call on students in 
alphabetical order. It is a very harrowing experience. So when 
I taught law school, I start at the other end of the alphabet 
so I wanted the people at the other end to get their just 
deserts. So because you have had to wait so often today, we 
will start at your end.
    Ms. Gau. Picking the latter part of your question with 
respect to what would an institution look like that might set 
security standards for the government, I think that the model 
of everything we are talking about where it would be an 
institution that would work closely with the private sector 
together, as we all hope to do, with Department of Homeland 
Security. That there would have to be dialogue to establish 
what the baseline security standards would be.
    And such an institution, presumably, would have tentacles 
into procurement processes such that they could mandate the 
different standards, just as there are other standards such as 
those that I have referenced earlier today such as 
accessibility standards and products.
    Where it might best fit, I don't think I am really in a 
position to say either. But I think that such an attempt by the 
government to indeed mandate that as a customer and a consumer 
of these goods that government would move in the direction to 
push manufacturers and service providers to include the 
baseline security standards is a step in the right direction.
    Mr. Andrews. I want to be clear also, as I know you said, I 
am not talking about mandating standards on the private sector. 
I am talking about mandating our own internal standards for 
demanding product when we go into the private sector.
    Yes, sir.
    Mr. Ianna. I think the question has to be answered this 
way, what level of security do you want to be able to espouse? 
Do you have a metric to be able to easily convey to the public 
that we have raised the cyber-security level to this level? And 
we have to create that metric, just like we had to create the 
metric in network reliability.
    What are we talking about? We are talking about, you know, 
how many DPMs, defects per millions of failures you have and 
what constitutes a failure, et cetera.
    And then I think it has to be done on a--you can't eat this 
elephant all in one bite. You have to do it in small bites. And 
every sector needs to define, I believe, their critical systems 
that they need to have cyber-defense around. And once you have 
done that, do we have, for example, the critical systems cyber-
protected to this gold level in the Department of Agriculture 
or how long will it take us to get there.
    Then I think--if I were in the government, I would be 
trying to convey to people that we have a methodical way of 
convincing people that we know what we are doing. We know what 
direction we are going in. And we know how we are on our 
journey to get there.
    And secondly, lastly actually, it is not static. The minute 
somebody says I am protected to the gold level, a new threat 
comes in and the gold standard has to be redefined.
    Mr. Andrews. Sir?
    Mr. Adelson. I believe that that is the key is the dynamic 
nature. And perhaps one way to achieve a dynamic standard, if 
you--that is kind of a contradiction in terms, but--is to 
actually involve in real time, industry. And by real time, I 
mean having individuals who represent industry be part of a 
panel wherever this group sits in government, where they can 
provide that data and how it has changed in real time.
    And I suggest that just because industry, because of the 
market forces, is going to be thinking about that with a great 
degree of diligence. And I would expect that their message 
should be heeded, even across different sectors, as it applies 
to, you know, buying power within government.
    Mr. Andrews. I hear you. Boy, that would raise significant 
issues about protection of intellectual property. I mean, we 
want to do that, but we want to do it in a way that doesn't 
punish the private sector concern for participating in that, 
right?
    Mr. Adelson. I think there are certainly protections that 
can be put in place so that communication can happen. I can 
tell you that it is relatively rare, although it does occur, 
where, you know, data about an incident is something that I 
might fear being propagated.
    However, data about the security technology itself is 
really mostly, in terms of consumer products, you know, 
certainly the case, public data. And there is a lot out there 
which would go a long way. And certainly within the standards 
set, I would hope that these would be technologies that 
everyone can purchase.
    So there isn't a lot there to hide.
    Mr. Andrews. Thank you.
    Dr. Lowery. Congressman, I think you have accurately 
summarized at least what we believe at Dell. And as far as how 
I would structure this entity that you have referenced, I don't 
know that I would be an expert in helping you to architect such 
an organization. But things that you should consider when you 
are developing the standards for the government, consider what 
I said earlier and that is that there is a baseline of security 
which is just prudent for everyone to adhere to. And then each 
particular application of technology must be scrutinized in the 
context in which it will be used and security for that purpose 
needs to be customized for it accordingly.
    Mr. Andrews. Thank you.
    Sir?
    Mr. Diffie. I think that what we have to keep in mind is 
the breadth of the activity you are talking about. Government 
has a major movement in the last, say 20 years, to move to 
commercial off-the-shelf technology to support all its 
activities wherever it can, to narrow back the, you know, 
technical nuclear, the technical comsat with things. It all 
stems from going away with the national arsenal system 80 years 
ago.
    Second, all of this is in some sense dual-use technology in 
terms of the role it plays in cyber-crime and cyber-warfare and 
cyber-security. So you are building things out of standard 
components, components that people use for a very wide range of 
things in society.
    And finally, this is an international problem. We cannot 
afford, as we did during the Cold War, to think of our own 
security needs in isolation from those of our trading partners 
and indeed the rest of the world.
    So let me suggest that this organization, which is going to 
need to walk down the Potomac on its tiptoes, I am afraid, has 
to be a meeting ground with a prudent ability to manage 
information relations between quite a number of constituents. 
Its government customer--and I construe that broadly; the 
intelligence and law enforcement communities on which it will 
depend for a lot of the kinds of feedback information I have 
been talking about; the industry on which it will depend almost 
entirely for products and processes and support; and the 
international community, the international standards 
organizations and many different kinds of governmental and non-
governmental and industrial organizations throughout the world.
    So the best I can say is I am very in favor of openness in 
the standard-setting function. And that that should be 
specialized so the cases where closed things are needed, that 
we should give careful thought to the way the information-
restricted activities take place and be sure that that is 
subordinate to the general openness that will allow us to 
accommodate ourselves to everybody's needs.
    Mr. Andrews. Follows your principle that secrecy creates 
vulnerability as I think you said at the beginning.
    Mr. Diffie. Yes, actually, I think that actually this 
principle's a little broader than this. My view is this is 
infeasible without a lot of information-sharing that has been 
stifled in the past.
    Mr. Andrews. Yes, sir, thank you.
    Mr. Reitinger. I will be very brief, Congressman. First 
off, on standards, one suggestion I would have is that as, 
again, I am repeating a lot of what Whit is saying, that we 
avoid having specific government standards to the extent 
possible. I think if you rely on industry-based market-driven 
standards, you will find the government keeps more up to date 
than if it sets government-specific standards which will maybe 
become hoary in a shorter period of time.
    The second thing is that I think it would be useful to turn 
and see what is happening at NIST under some of the processes 
started under the Federal Information Security Management Act. 
NIST--I would have to go back and reread the act, but I know 
NIST recently published FIPS 199, which has a categorization of 
information and information systems into risk categories.
    My understanding is that under that last act, they are 
going to go on and produce guidelines for how to protect that 
information. And that might be a very valuable process for this 
committee to look at and watch.
    Mr. Andrews. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Thank the gentleman for, again, asking 
excellent questions.
    The ranking member of the full committee, the gentleman 
from Texas.
    Mr. Turner. Thank you, Mr. Chairman.
    First, I want to compliment you, Mr. Chairman and Ms. 
Lofgren, our ranking member, on your leadership in the area of 
cybersecurity. Those who have been a part of your hearings and 
your also compliment you on the leadership you are both 
providing in this important area.
    Dr. Lowery I want to compliment Dell for your leadership in 
providing or offering your Center of Internet Security Level I 
benchmark to your customers.
    There is no question that your business model selling 
directly to customers provides an excellent opportunity to 
promote the purchase of a secure computer system.
    I guess your interest in providing security arose out of 
the Department of Defense requirements. By then turning that 
into an offering to others with the stamp of approval of the 
Center for Internet Security, it seems to me that it should 
become something very quickly that most people would want to 
pay for.
    Dr. Lowery. We agree with that assessment too, Congressman. 
We were directed to CIS by federal customers, who pointed to 
the CIS as a source of best practices that they agreed with.
    We evaluated the CIS and their benchmark settings, and we 
heard that a product offering where we could make those 
settings in the factory was feasible, that we could do as our 
customer requested. We did that, and we got it in such a way 
that others can benefit from our work and the work of CIS.
    We are very excited about the offering. We hope that it 
will contribute to improving the security landscape as it 
exists.
    Mr. Turner. Well, I commend you for it. The issue before us 
and the same one raised by Congressman Andrews: How do we 
replicate this? As I understand it, there is a host of entities 
out there that say they certify or they recommend certain 
security measures. Every company, you know, is looking for 
somebody. Not everybody looks to the Center for Internet 
Security. Some look to other groups out there.
    If we want to accomplish what I think is the goal that most 
of us share--self regulation--wewant to be sure the industry 
provides the leadership on security initiatives.
    As has been pointed out, if government is the role of 
creating standards they will be outdated the moment that they 
are drafted.
    It is clear we need a viable ongoing effort among industry 
partners to set some standards.
    How would you suggest, Dr. Lowery, or any of the witnesses, 
that we decide on a consensus organization made up of that we 
would look to as the good housekeeping seal of approval, if you 
will, for security. We should have something so we would know 
that if it had that stamp of approval on it, then that was the 
best you could buy. As you all have said, if you don't want to 
buy such a certified approved product then that is you choice.
    At the very least we would have provided an industry-wide 
approved certification that is recognized by the buying public. 
Then we would encourage the buying public to make a choice. The 
reason I believe strongly that is the right way to go is I 
think security is on everybody's mind. I think this problem can 
be solved in this fashion voluntarily, if industry will work in 
cooperation with government we will have a standard-setting 
entity that everybody knows about and respects, and therefore, 
will follow.
    I know how it was in our house when we made our last 
computer purchase. We were thinking about security now. And I 
think most people are. I don't think any business in America 
wants to be caught short in not providing security to its 
business systems.
    The liability and the risk are too great.
    So how can we get there with a standard that people will 
follow?
    Dr. Lowery. I think everything you said is true. And I also 
perceive that there are a lot of little organizations, for lack 
of larger ones. Each of them are trying to make sense out of 
the security problem and have delivered into the spaces they 
perceive where there is a gap, what they call their standard or 
a consensus that they have arrived at.
    I think all of them are valuable. None of them should be 
belittled because their stuff often comes from small sector 
doing something.
    But I do also see the need for convergence, a consensus 
process. Dell would also welcome seeing a more consolidated 
approach to achieving the standards. The fewer standards that 
there are, the easier it is for us to bring them to market.
    The only caution that I would give you in trying to 
approach a singular standard or a single organization, which 
does that, is that organization must understand that security 
is not one side fits all. We had to be very careful in its 
deliberations and in standards that it might recommend. To keep 
that in mind, that we must be sure that security fits the 
situation, that it is going to be the deployable technology.
    As far as the way to actually achieve the convergence, I 
think we are seeing some of that already. I am not exactly sure 
what to recommend what we do to hasten the convergence.
    Mr. Turner. Anyone else?
    Mr. Diffie. Let me extend that not one but sole point as 
saying it is important to remember that security is always a 
secondary objective. You always want to do something and you 
want to do it securely. So having an underwriters lab like 
stamps that would go on everything happens to be particularly 
tricky in security, because security is more contextual 
probably more than the other safety technologies. And so 
although your car, of course, depends on how it is driven and 
how it is maintained, as well as how it was built, that kind of 
environmental characteristics are even more important in the 
security area.
    So I think that a labeling scheme, we already have several, 
is not going to be trivial to achieve.
    Mr. Reitinger. Two brief points, Congressman. First off, as 
you suggested, there are lots of good standards or other 
organizations out there developing things and certifying things 
such as the common criteria.
    Second, I have got some very good news, which is although 
one size does not fit all--I agree very much with that--it is 
important to have as much consistency as possible among 
different people providing advice to consumers.
    And so Microsoft, for example, is working closely with the 
Center for Internet Security to converge our guidance on how to 
secure our products going forward. That kind of activity is 
taking place in industry. We are talking amongst ourselves and 
we are trying to solve the problem. And I think we are solving 
the problem.
    Mr. Turner. Thank you. Thank you, Mr. Chairman.
    Mr. Thornberry. Let me delve--I thank the ranking member--
let me ask briefly about the information sharing, because a 
number--we have talked about it a lot and it has come up in 
different contexts. Mr. Ianna, you talked, I know, specifically 
about the telecom ISAC and it being successful. What I hear 
from others is that their ISACs are not nearly as successful as 
you have become. And you mentioned government funding being one 
of the things that is not the case with the others.
    And then I am also struck, Mr. Adelson, one of the comments 
you made is that we share information real well on a technical 
level, but what that leads me to think, Okay, where do we not 
share information real well? That is going to be for the areas 
that are competitive, the things that are not so technical. And 
so the view has been expressed that there is a limit to how far 
information sharing is ever going to reach.
    That when you are dealing with competitors and industry 
grouping, they are only going to go so far. And they will talk 
about FOIA, and then they will talk about anti-trust and then 
they will do something else that they talk about.
    Whatever it is, it is going to be an obstacle to--and I am 
not criticizing that, but it is a natural thing.
    I guess I am interested in observations--Mr. Ianna, I will 
start with you--about this subject of information sharing. Are 
there legitimate barriers that the federal government needs to 
break down? Or is it more a question of a trusting sort of 
relationship that has to develop over time, at least for 
industry to share information with the federal government?
    So you see ISACs as--I will say salvageable--some people 
say they are not, need to start from scratch. And if so, how do 
we make them? And I realize there are too many things to get 
into. But I would appreciate each of your suggestions on this 
information sharing idea.
    Mr. Ianna. Well, first of all, I think one of the other 
keys on the telecom ISAC and other structures surrounding 
that--I mention ENRIC--is beware their time. They have been in 
existence for quite some time. ENRIC goes back almost 11 years. 
I don't know when. Probably more than that. So there has been 
time when they worked together.
    Believe me, the first few years when we started ENRIC at 
NRC, we had the exact same thing. I can imagine that Microsoft 
and MCI and AT&T and Sprint saying we are all going to share 
our failures. All right, it was not easy, okay, number one. 
Number two, it came down to a situation that we realized that 
by very nature we were all interconnected. And we were all just 
interconnected. And the failures that we would see in one 
network might show up in another network because we all used 
similar types of equipment.
    And I think some of those--some of those--you know, we all 
use equipment from a set of vendors that might experience a 
failure. So want to be able to know what happened.
    And then I think that the next thing that we experienced 
was nobody likes to advertise a failure. And there was a lot of 
debate about, Well, when I have a failure, it is AT&T and can I 
ask AT&T?
    And we had this debate. And we started out as they were 
masking it. And finally, after a while, we just said, Okay, 
here they are, here are the failures. And last year AT&T had 
20-something FCC reports on this--had three. I know how many 
MCI had. I know how many Sprint had.
    But the good news of that, the good news of that is that we 
do have quarters, 40 quarters worth of statistically valid data 
on failures on wire line networks. Now the debate going on at 
the NRC is others saying, Look, wireless for data networks, et 
cetera, will be voluntary. We will map the data, et cetera.
    So I think there are ways of sharing the information. And I 
think what it all comes down to in the end is that we can 
improve the situation of the whole lot. There are competitive 
issues. We worried about anti-trust. We worried about 
information sharing and competitive things. And we had lawyers 
praying over that for a while. And we got past that.
    And I think the end result has been that we have listed--
now the FCC has sat in front of you, and you ask is the network 
reliable? Can it give you a number? Can you say it is getting 
better or worse? And they can break it down by quarter. And 
they can break it down by technology.
    So I think the answer is it does work. It takes time. It 
takes trust. And the other issue of information sharing that I 
know a lot of people--and I am worried about also is when we do 
share information, is the problem about sharing information 
from one competitive entity to another, which you don't want to 
have happen as a competitive concern, but then making that 
information then public.
    I think some of the protections that went into the Homeland 
Security Act around information protection are good and need to 
be enforced so that we don't have information getting pulled 
out under Freedom of Information Act, something that we have 
shared that we don't want to become public and also that 
doesn't become public.
    Mr. Adelson. There are a few points that we made that I 
would like to comment on. First, regarding the telecom ISAC, I 
absolutely agree that the telcom ISAC has worked for 
telecommunication-specific issues. But just using 9/11 as an 
example, during that crisis, there were between 25 and 50 
extremely large critical networks and service providers in the 
United States who did not get any contact and were not part of 
any telecom ISAC. That is one issue.
    Secondly, on recent research you could do on the Internet 
would point to over 13,000 independent entities that are 
relevant to Internet stability, even for the biggest carriers.
    To put an ISAC together for Internet infrastructure would 
require representation not only from network service providers 
anymore, but from content providers, enterprise and vendors. 
Why so diverse? It is a function of the hierarchy used to be a 
carrier sold to a content provider who provided services for a 
user and so on.
    Now it is much more of a level playing field. And those 
players need to be represented at a security level in 
discussing these issues. So I don't know how to do that with an 
ISAC with the Internet. That is one issue.
    Secondly, you mentioned the technical communication that is 
going on. The real difference between the Internet and other 
industry areas where that communication happens is that the 
Internet is extremely interdependent. My ability to stay up is 
dependent on my peer--is the term used--and their ability to 
stay up. And so, because of that interdependency, there has 
been a tendency to communicate.
    Furthermore, because security issues on the Internet are 
technical in nature, we have been fortunate in that most of the 
communication that is been required at least for disaster 
recovery are handled by technical people. I mean, there are 
exceptions, the provisioning side, for example, who somewhat 
separate from the technical. But there has been some industry 
success there.
    And I think as we expand beyond network to network 
communications and go into network and enterprise 
communications, this is where I see a central point of contact, 
a central group becoming really critical, 13,000, 50,000, 
however many entities require some critical information. I am 
not comfortable relying on the industry itself to provide that 
intercommunication well.
    Ms. Gau. Actually, you took one of the points I wanted to 
touch upon relating to information sharing and is there a 
competitive barrier to doing so. I think, once again here, we 
see the marketplace forces in action. As we are networks 
connected to networks connected to each other, and we are in 
the interdependent, even though we have points of redundancy.
    If AOL sees a hacker attack coming on, that we might be 
able to sustain, but we might know that somebody else might not 
be able to or in more, should we say, self-centered interests, 
we don't want anything bad to happen to anybody else because if 
they go down, we are going to get a ton of mail thrown back at 
us from their servers as an example of a denial of service 
attack back on us.
    So we are actually motivated not only to maintain the 
stability of the Internet and the ability of people, for 
example, to send e-mail to AOL, but also for us to be able to 
maintain our own service and not have to then deal with a 
situation where somebody else has gone down.
    Additionally, in that same regard, not only are we reaching 
out to individual providers and companies and partners that we 
have that we know are going to potentially be impacted by a 
particular attack or a particular vulnerability, we do share 
that information with government and we do so in an effort to 
ensure that that information is made available to the mom and 
pop ISP that may not be able to have access to that information 
because, as you have pointed out, they don't have the resources 
to have somebody sitting here at the table.
    That is where we would really strongly like to continue to 
work with the government, in particular, the Department of 
Homeland Security and the new cybersecurity division.
    Mr. Thornberry. Mr. Ianna, let me ask you one brief 
question. You mentioned, which is not something I had thought 
of much before the demands placed upon you from 50 different 
states for information, which is information sharing in a 
little different way. Do you think that there needs to be 
some--you mentioned a template which implies that the federal 
government would require certain information and the same sort 
of thing could be sent to the states.
    Do you think that there is a need for some sort of 
legislation that preempts states from asking for the same or 
additional information? You know, we did that with ARISA on 
insurance where the federal standard is the thing that, you 
know, trumps everything else. If you are--if all of you could 
get demands from lots of different jurisdictions which would be 
impossible to keep up with, it seems to me.
    Mr. Ianna. I don't--I can't speak to whether legislation at 
the federal level would be the best way to do it. I would say 
certainly, cooperation, or saying look, if we are going to have 
a standard, let us make the federal government the standard. 
And if I just need to parse out the data for this state, here 
is the data for that state.
    I don't know. I could go back and research, but after the 
FCC at the federal level in NRIC, or NRC, started asking for 
outage reports, several states followed with that. I don't know 
how many. I think it is probably more than a dozen or so about 
outages in their states and whether or not they followed the 
same rules, et cetera.
    But I think it would benefit the industry, only because of 
this--particularly in cyber defense, it is very hard to 
determine the geography of where the issue is and where it 
started. It might be impacting something in a particular state, 
but the cause might have been in a totally different state.
    So trying to define geographic boundaries in a cyber 
environment is not the same as trying to define physical 
boundaries against physical attacks.
    So from a cyber perspective, it certainly would be helpful 
to have a template or a focusing organization, like Department 
of Homeland Security, say let us do it this way. Let us do it 
once. And then we could give you your data, okay, that is, you 
know, for your state.
    Mr. Thornberry. I suspect in all areas of information 
sharing that differences between industries are a key thing. I 
mean, I can see a number of the things you all are talking 
about that require information sharing for the IT sector may 
not apply to electricity or agriculture, some of the other 
critical infrastructures which have been identified and may be 
the same case here. Depends on how much the states regulate, 
for example, electricity or telecommunications as to the 
leverage they have to put demands upon you for any information.
    Mr. Ianna. Just one other point that was made by the 
gentleman to my right about the telcom ISAC and the IT-ISAC. 
One of the things that we found out is because, particularly on 
data communications and computer-based Internet communications 
et cetera, the telcom ISAC and the information technology 
computer ISAC are twisted together very tightly.
    For example, with the slammer virus, our security people 
were not only working with the telcom ISAC, but also obviously 
with the IT-ISAC. It was the computers on the network that were 
causing the problem with the virus and that was impacting the 
networks. So they are very tightly twisted together. And you 
can't just look at one, they are very tightly twisted together.
    Mr. Thornberry. Good point.
    The gentlelady from California have additional questions?
    Ms. Lofgren. Just one. And I am mindful that you have been 
here a long time, and we certainly do appreciate it. I think 
really the information you have provided us, each of you today, 
has been enormously helpful. And we may want to follow up with 
you as we proceed with additional questions and ideas.
    But listening today, obviously, this is a complicated area. 
But it may be further complicated by constraints that are 
being--that we may face as we go down the road. I heard the 
comment relative to the lawyers praying over the anti-trust 
implications. That was a cute way to put it.
    Recently, we expanded the exemptions for anti-trust risk 
for entities that are setting open technical standards. And I 
think it is important that the openness be part of it. And I am 
wondering--this will be two questions--whether we have 
sufficiently addressed anti-trust concerns in the development 
of open standard setting in this arena?
    And then secondarily, I can't remember who, mentioned the 
issue of the need to be able to deploy solutions in ways that 
are not burdened by intellectual property protection and 
whether anyone has advice for us in that area as well, those 
two implications of IP as well as anti-trust.
    Do we need to change the law in any way?
    Mr. Diffie. Well, I am not sure. I think there are 
ramifications from the question I don't understand. But the 
intellectual property issue has come in here in two different 
ways. One is a fairly ordinary issue of things that are 
particularly--are patentable and therefore royalties are owing 
to the patent holders in turn for using that technology.
    The other is in this argument in the computer industry 
between open source and closed source coding practices. And 
that is one of the ones that I think presents a thorny problem 
because in security there is, as I said earlier, a very 
explicit respect in which closeness is a vulnerability. At the 
same time, proprietary techniques, trade secrets are an 
essential basis of our business practices in this country.
    So we need to find a business model that permits the users 
of products with security requirements and security 
implications to be able to verify that the products have the 
security characteristics they need. And to do this, to see if 
we can do this and still allow ourselves the benefits of 
allowing some manufacturers with proprietary techniques.
    I don't have a clearer statement of it than that. But I 
believe it actually is one of the research frontiers in this 
area and it is a business frontier.
    Ms. Lofgren. One of the--I mentioned to Chris Henkin a 
comment that--I won't mention the fellow's name, and I don't 
think there is a chance in the world that the federal 
government will do this, that it was recommended by the--
someone in law enforcement that we establish a kind of a 
software clearinghouse and that the federal government would 
clear, you know, all the software. I think that is a very bad 
idea.
    But the issue is how do we achieve assurance? Obviously, 
not with a government agency. But how do we do this, for lack 
of a better word, the audit function for the security? Whether 
it is software or networks or hardware, how is that best 
achieved? How do we set up a structure so that occurs?
    Mr. Reitinger. Congresswoman, I think my answer to that 
would be the one I gave when you asked a similar question 
earlier, which is making sure that the vendor that is providing 
the software has a robust software assurance and quality 
assurance process that the government can review and make a 
judgment upon. I think vendors are moving in that direction. A 
lot of them are there already. And I think it is important and 
valued for customers to know about that process.
    Mr. Diffie. So I would say in this respect we should look 
at the successes and failures of an existing model, which is 
that for decades the National Security has been the executive 
agent for information security for the Defense Department and 
some other areas of the U.S. government. And they have done, in 
many ways, a good job.
    On the other hand, the mechanisms they have, whose strength 
is in the, unfortunately, their unification of intelligence and 
security and their ability to trade off between the two and 
make use of their intelligence function in monitoring the 
security of their products.
    They show no sign of being able to cope with the problem 
that we face, for the following reason. The Defense Department 
is a very large organization, but it is very unified. Everyone 
in the Defense Department knows the chain of command, starting 
with the President down through the secretary of defense.
    And the important point about the Internet as a place is 
that so many people stand their by rights. You don't get to vet 
your personnel in the whole world.
    So we have an extraordinary diversity. And I think your 
suggestion is one of the major critical points. You can ask 
what the track record and what the development methodologies of 
your suppliers are. It is also true that there is an ever 
developing methodology in two directions. One is vetting 
individual applications, knowing that you are going to be able 
to minimize the damage they can do you.
    This, just incidentally, is one of the targets to which 
Java is devoted. The other is in building operating systems 
that have sufficient capacity to confine applications so that 
the applications can't do damage to other things.
    And this is one: The declining cost of hardware has allowed 
us to devote more and more hardware to that explicit objective. 
Sun's largest servers now have what is called hardware 
domaining, which is a very robust way of containing processes.
    So I think that the proposal that the federal government 
should vet all the software is on the face of it is infeasible 
whether or not?
    Ms. Lofgren. Well, it is a non-starter anyhow.
    Mr. Diffie. Whether it is desirable or not, it is perfectly 
infeasible. But that both the original 1970s, 1980s DOD 
objective of building an operating system that could maintain 
what the Soviets called praksa; prison laboratories, where they 
didn't have to trust the staff because they weren't going to 
let them go anywhere. Or at standpoint in Java we call sandbox 
or at the other end improving software development methodology, 
which will have a profound impact not only in security but 
through all of our economy. I think both of these things will 
play a role.
    Mr. Ianna. I think there are--as a service provider who 
uses a lot of these different types of hardware and software 
technology, either in the provision of service directly or the 
support systems that help us provision and maintain these 
services, we have a practice where we try to test the software 
in our laboratory and attempt--and I do use the word 
``attempt''--to simulate many of the conditions that we may 
find in the network before the software and the hardware is 
introduced into the network. It is called an integrated test 
network.
    Some vendors find that process very, very cumbersome. It 
does add time to our development process and our deployment of 
technology.
    But the alternative is to have software out there which may 
have an interaction with some other software out there which 
creates something that is very bad for your customers on your 
network.
    I would like to be able to say that we find every bug in 
every software issue that we have and we know of every 
interaction that is bad that can happen out there, that is not 
the case. But we do have--and we have shared practices in the 
telcom ISAC and, the NRIC, on ways of testing those things.
    By the way, it was interesting, at least what I was 
thinking about this issue, one of the interesting things here 
is we had a time in our recent history where we had to do this 
very quickly, because we didn't have all the time in the world, 
and that was for Y2K. We had a date certain that we had to do 
something.
    And we picked a way of doing it because we couldn't make 
all the permutations, so we shared a lot of information. And if 
I knew this software interacting with this switch with this 
operating system was okay by some other vendor's test, I 
accepted that and I shared my tests with somebody else too. 
Otherwise, you would have, you know, even if you took one 
second for every test in the 3 years, you wouldn't have been 
able to test all the permutations. And that worked extremely 
well.
    The difficulty we have in this situation is we don't have a 
date certain when something is going to happen. And we don't 
know--the thing that might happen is not defined and will 
change. And creating that sense of urgency around that I think 
is important for us at the government level and at the industry 
level to do that we must be cyber secure and we must take this 
very seriously. We do only because we have had failures where 
software was the cause.
    Ms. Gau. Fortunately, at this point, we have not suffered a 
large-scale cyber attack by a foreign government or foreign 
agents so to speak. But AOL, as I mentioned, experiences hacker 
attacks on a daily basis. And over the years, we have found 
that that kind of pounding of our systems has helped us 
identify security problems that we are then able to fix. 
Because as it turns out, the hacker in question was just a 
teenager working, you know, on the computer, or not working, 
but playing on the computer in the home, and wasn't really 
seeking to do anything but to gain bragging rights for having 
accomplished something.
    And obviously, not everyone can do that to every product 
that they are going to put out into the market. There is only 
so much beta testing you can do. But one of the things that we 
have done with vendors of ours, particularly, for example, 
companies that participate in the shopping area on AOL, what we 
consider certified merchants. We require them to undergo 
security audit with one of two firms that we identify to them.
    Now, on a large-scale basis, that is not realistic, because 
there are costs involved. And so only the big players can 
really come to the table if they want to be in the shopping 
area on AOL because they are going to have to pay for this 
security audit.
    But there is no question that stress-testing of systems and 
perhaps further R&D, as well as further incubation periods for 
products might lead in a direction where we have less products 
in the market place that you have security holes discovered in 
once they hit consumers.
    Ms. Lofgren. Mr. Chairman, we should let them have lunch.
    Mr. Thornberry. I think the gentlelady's point is well 
taken.
    Let me thank each of you again for your time and your 
contribution. Let me also invite each of you to continue to 
discuss these issues with the members and the staff of this 
subcommittee.
    As we move ahead, we are going to continue to need your 
input and our suggestions.
    For example, next week we are having this hearing on 
research and development. What areas do you think the federal 
government should concentrate its research and development in 
the area of cybersecurity? If you have thoughts on that, we 
would like to hear it.
    Again, thank you for being here.
    And this hearing stands adjourned.
    [Whereupon, at 1:16 p.m., the subcommittee was adjourned.]

                                APPENDIX

                   Material Submitted for the Record

Responses to Questions for the Record from DELL, Dr. James Craig Lowery

1. There has been widespread concern among computer industry insiders 
that DHS is not taking information security vulnerabilities seriously 
enough. There is still no Undersecretary for Information Analysis and 
Infrastructure Protection, and even when one is in place, there is 
concern that information security will be relegated to second-class 
status. Industry has expressed the interest in expanding partnerships 
with government agencies to improve security, but DHS does not appear 
to be moving quickly to embrace this idea.

        a. What do you see as the government's role in increasing 
        security and standards setting? Could it be fostered through 
        partnerships (such as those done through National Institute for 
        Standards and Technology) and purchasing criteria? Would 
        government mandated standards, such as the Common. Criteria, be 
        a helpful baseline or a hindrance to future innovation?
Response: Dell is interested in sharing its insights and views on 
cybersecurity with the Department of Homeland Security. Overall, the 
government's role in increasing, security and standards setting is as a 
customer and through its participation in organizations such as the 
Center for Internet Security in an open, voluntary and consensus-based 
process that includes input from all stakeholders.
    Security is a moving target, and the products and services 
addressing security needs necessarily evolve as the landscape changes. 
Government mandated standards would likely result in a one-size fits-
all approach that fails to address the security problem and would also 
be and obstac1e to innovation in our industry. Additionally, there is 
some concern that the process associated with the setting of government 
standards would be slow and cumbersome that technology and knowledge 
would always be ahead of government standards.

        b. From what you can tell, is there sufficient information-
        sharing taking place between researchers who discover most 
        vulnerabilities, companies who created the products and DHS? If 
        CERT were formally connected to DHS, would that-help FedCIRC 
        with information dissemination and the remediation of security 
        problems and breaches?
Response: We support the information-sharing that is taking place with 
organizations such as CERT Coordination Center, the SANS Institute, the 
Center for Internet Security, and the Free Standards group. These 
organizations are working to develop 'security solutions based on 
consensus and standards with the input from government agencies, 
businesses, universities, and individual security experts and to 
disseminate information. In order for these organizations to remain 
effective, it is important for Federal departments such as the 
Department of Homeland Security to participate in these organizations.

        c. How can the government help companies be more responsive to 
        known security issues? Would a law providing safe-harbor, with 
        a sunset, help encourage companies to quickly fix security 
        issues after they are discovered?
    Response: The Federal Government should provide information on its 
cybersecurity needs to its vendors as well as provide its input and 
views to organizations that are engaged in an open, voluntary and 
consensus-based process for the development of security standards.

  Responses to Questions for the Record from EQUINIX, Mr. Jay Adelson

1. There has been widespread concern among computer industry insiders 
that DHS is not taking information security vulnerabilities seriously 
enough. There is still no UnderSecretary for Information Analysis and 
Infrastructure Protection, and even when one is in place, there is 
concern that information security will be, relegated to second-class 
status. Industry has expressed the interest in expanding partnerships 
with government agencies to improve security, but DHS does ,not appear 
to be moving quickly to embrace this idea.

        a. What do you see as the government's role in increasing 
        security and standards setting? Could be fostered through 
        partnerships (such as those gone through National Institute for 
        Standards and Technology) and purchasing criteria? Would 
        government mandated standards, such as the Common Criteria, be 
        a helpful baseline or a hindrance to future innovation?
Response: The government has an opportunity to assume a leadership 
position in the coordination of efforts to create common security 
standards. While like many voluntary standards, they do not require 
regulatory enforcement such standards can be useful as competitive 
differentiators and therefore industry-driven.
    Partnerships would be required to fulfill this need, as currently 
the federal, government does not have the background, and relationships 
required on an international level to begin this dialogue. It would be 
of tremendous benefit to the industry if this could change, and via the 
UnderSecretary for Information Analysis and Infrastructure Protection, 
such expertise could be established within the DHS over time.
    The government has had a role in developing cyber and physical 
security best practices through the FCC's Network Reliability and 
Interoperability Counsel (NRIC), which can provide a model and a 
starting point. However, in our opinion, NRIC is not an effective place 
to create these best practices going forward, as it only represents 
regulated entities, a small subset of Internet infrastructure. 
Migrating the homeland security best practices work from NRIC to DHS 
will allow the scope of that work to be expanded to include previously 
untapped communities and a better representation of Internet 
infrastructure in general.
    Purchasing criteria to meet certain standards, as well as process 
and technology criteria, would be inclusive in these standards. While 
it would be appropriate for the federal government to act as an early 
adopter of these Common Criteria, the purchasing power of government 
does not alone constitute a significant enough motivator to catalyze 
adoption of these standards.

        b. From what you can tell, is there sufficient information-
        sharing taking place between researchers who discover most 
        vulnerabilities, companies who created the products and DHS? If 
        CERT were formally connected to DHS, would that help FedCIRC 
        with information dissemination and the remediation of security 
        problems and breaches?
Response: Our visibility into the information-sharing between DHS and 
other entities is limited. Certainly, at an operational level, we have 
seen no indication that DHS has had any significant communication with 
elements of the industry that represent the Internet infrastructure, 
outside of the major router manufacturers arid the top five 
telecommunication carriers. While five years ago this may have been 
sufficient, the Internet infrastructure has evolved into tens of 
thousands of individual influential entities that all require 
significant communication from DHS in the event of a crisis or in 
crisis preparation. CERT need not be formally connected to DHS for 
CERT's information to be better propagated. The communications path 
between DHS and industry can potentially be better funded and 
maintained than the communication path between CERT and industry, and 
this neutral organized approach could incorporate other information 
outside of CERT in the decision-making process of who to tell what 
information.
    In sharp contrast to DHS' current communication practice with 
industry, informal industry-based communication practice is strong 
between similar service providers, such as ISPs and telecom carriers, 
outside of any ISACs. Unfortunately, enterprises and large content 
providers have been excluded from this self-developed communication due 
to their relative infancy in the Internet infrastructure, and therefore 
this provides an excellent opportunity for DHS to develop these 
practices, particularly amongst the largest population of Internet 
infrastructure businesses represented by enterprise and content.

        c. How can the government help companies be more responsive to 
        known security issues? Would a law providing safe-harbor, with 
        a sunset, help encourage companies to quickly fix security 
        issues after they are discovered?
Response: Current communication plans from government to industry are 
event-driven. A major restructuring of this concept for the Internet 
industry would be necessary, shifting the approach to scheduled 
communication in addition to event-driven communication. The nature of 
business revenue priority would typically defocus enterprises from 
maintaining up-to-date information, however government-approved 
standards, that require regular participation by enterprise, would 
ensure proper communication practice.
    Laws providing safe-harbor would appropriately address privacy 
concerns. In essence, laws that protect service providers from brand 
damage after an event, such as exemptions from the Freedom of 
Information Act, would be necessary to ensure two-way communication.

    Responses to Questions for the Record from AT&T, Mr. Frank Ianna

1. There has been widespread concern among computer industry insiders 
that DHS is not taking information security vulnerabilities seriously 
enough. There is still no Undersecretary for Information Analysis and 
Infrastructure Protection, and even when one is in place, there is 
concern that information security will be relegated to second-class 
status. Industry has expressed the interest in expanding partnerships 
with government agencies to improve security, but DHS does not appear 
to be moving quickly to embrace this idea.

        a. What do you see as the government's role in increasing 
        security and standards setting? Could it be fostered through 
        partnerships (such as those done through National Institute for 
        Standards and Technology) and purchasing criteria? Would 
        government mandated standards, such as the Common Criteria, be 
        a helpful baseline or a hindrance to future innovation?
    Response: Government should first ensure that its procurement 
activities across Federal, State, and Local settings are properly 
coordinated through a common set of security standards. This is a 
logical first step for our nation--and frankly, unless such 
coordination can occur between these separate government entities, it 
will be unlikely to occur in a more diverse commercial setting. 
Selection of which standard to use is not the critical issue; security 
best practices are well understood and agreed upon by current security 
professionals. The more important issue is that the selected standard 
be uniformly applied--and government procurement is the obvious place 
to start.

        b. From what you can tell, is there sufficient information-
        sharing taking place between researchers who discover most 
        vulnerabilities, companies who created the products and DHS? If 
        CERT were formally connected to DHS, would that help FedCIRC 
        with information dissemination and the remediation of security 
        problems and breaches?
Response: Information sharing about vulnerabilities has certainly 
gotten much better and companies like AT&T are taking advantage of that 
information to better protect against and respond to vulnerabilities as 
they are identified. For example, information shared quickly during the 
recent slammer and blaster events helped AT&T take the necessary 
assessment and remediation actions that much more efficiently and 
effectively. Regarding CERT specifically, what is most important is 
that CERT be among the resources available to DHS as part of the 
overall public-private partnership for information-sharing purposes. It 
seems unnecessary for CERT to be ``formally connected'' to DHS in order 
for it to continue to be a valuable tool for DHS and the private sector 
alike. The much more urgent issue is the prevention and removal of 
vulnerabilities from commonly used products such as commercial 
operating systems and applications.

        c. How can the government help companies be more responsive to 
        known security issues? Would a law providing safe-harbor, with 
        a sunset, help encourage companies to quickly fix security 
        issues after they are discovered?
Response: Government should foster a competitive commercial environment 
in which marketplace forces reward products and services that are free 
of security vulnerabilities. One area in which this can occur relates 
to government procurement (see above); another relates to a renewed 
assessment of the proper assignment of liabilities should such 
vulnerabilities result in business losses for users. That said, it is 
also important to ensure that companies that act responsibly by 
identifying vulnerabilities through timely and prudent evaluation, by 
notifying its customers and by otherwise handling identified flaws in a 
responsible manner are protected from liability and thus not 
discouraged from acting responsibly.

2. Several experts have cited the threat of cyber attacks by well-
organized and technically savvy terrorist groups--specifically Al 
Qaeda. An article in the Washington Post last year laid out chilling 
scenarios in which terrorists might carry out cyber attacks that could 
do the same amount of damage to our critical infrastructure as tons of 
explosives. Another fear is the coordination of a cyber and physical 
attack, so that our response capabilities would be compromised or even 
shut down just when we need them most.

        a. Do you agree that these threats are real? If so, how much of 
        a priority should they be? Are there other variations of the 
        cyber threat that should be getting more attention than they 
        have?
Response: It is difficult for an individual private-sector entity such 
as AT&T to assess the degree of actual cyber-threats, especially those 
outside of the telecommunications industry, and Congress should look to 
government intelligence agencies, and not the private sector, to gauge 
the likelihood and severity of cyber-threats. Nonetheless, the increase 
of attempted intrusions and disruptions that we have identified over 
time does suggest that there are real threats, and addressing these 
threats continues to be a high priority for AT&T, and should be for 
companies within each critical industry sector. Like the FCC/NRIC 
model, each industry sector should work together to identify the 
critical systems that could be exploited to cause disruptions, and 
develop and observe voluntary best practices to improve each company's 
intrusion detection, deterrence and disaster recovery capabilities. 
This assessment must be done separately for each sector, and 
specifically for each mission-critical system at the ``micro'' and not 
``macro'' level to be sure that characteristics unique to each system 
are identified and evaluated. Furthermore, each sector should develop 
measures around these best practices so that each industry's progress 
can be measured over time. In addition, it is important for companies 
that own and operate critical infrastructures, such as AT&T, to have 
ongoing communications with government intelligence entities to stay 
informed as new threats are identified.

        b. Are we, and specifically is DHS, doing enough now to address 
        the possibility of large-scale cyber attacks? If not, what more 
        needs to be done--is it a question of changing priorities? 
        hiring additional personnel? placing a higher-ranking official 
        in charge of the cybersecurity issue?
Response: The Department of Homeland Security was only created in March 
of this year, making it nearly impossible for a private-sector 
corporation such as AT&T to fairly assess its effectiveness in 
addressing cyber-security. Certainly more can be done, and naming a 
senior official responsible for cybersecurity will help.

        c. What is being done to research or combat the possibility of 
        viruses, worms or other cyber threats morphing, so that they 
        are impossible to protect against?
Response: The global cyber community is currently investing countless 
hours and resources in the establishment of incident response teams 
that identify and respond to viruses, worms, and other cyber attacks. 
While this is appropriate given our current global cyber security 
posture, such security investment could be redirected toward alternate 
innovations that could help enable new services and hence drive the 
economy. As such, the primary research issue should involve the 
prevention and removal of security vulnerabilities from occurring in 
the first place. This must start with the vendors of software products 
that are used almost ubiquitously across the globe on servers, 
workstations, and other devices. Virtually every major security 
incident being experienced in recent months rely on the presence of 
such software vulnerabilities.

        d. From what you can tell, is there sufficient information-
        sharing taking place between the intelligence community (and 
        specifically the DHS Intelligence Analysis Directorate), which 
        analyzes threats, and the science and technology arena (and 
        specifically the Science and Technology Directorate), where new 
        solutions and tools can be developed to counteract the most 
        likely or most worrisome threats?
Response: The private sector is not in a position to assess the quality 
of information sharing between these two nascent directorates within 
DHS.

        e. Do you feel the Information Sharing Analysis Center (ISAC) 
        established under Presidential Order is the right structure for 
        information sharing between sectors and the federal government? 
        What would you recommend as an optimal model for ISAC-like 
        activities? How is DHS working with your industry ISAC?
Response: We agree with the ISAC concept but would suggest that there 
is no single model that would meet the needs of every critical 
infrastructure. Infrastructure operators in some sectors, such as 
telecommunications, have a compelling need to communicate frequently 
through multiple points of interface. This is because the components, 
or segments, of the telecommunications infrastructure as interconnected 
and the functioning of each segment has significant implications for 
other operators. These communications channels are frequently exercised 
because incident management in the telecommunications industry is a 
daily necessity, due to the widely dispersed assets, which are exposed 
to a multitude of threats. Other infrastructures, such as electric 
power, probably have a similar requirement. However, an infrastructure 
such as water, likely does not have the same need for many operators to 
communicate with one another on a regular basis.
For infrastructures such as telecommunications, we believe the National 
Coordinating Center (NCC), operated by the National Communications 
System (NCS), which is a component of DHS, is the best model. It was 
established in 1984 and has functioned as an ``ISAC'' for over twenty 
years. The federal government operates the center while the private 
sector provides representatives for ``resident'' and ``non-resident'' 
memberships. The NCC is the focal point for coordination of disaster 
response for telecommunications under the Federal Response Plan (FRP). 
Government funding and participation in this ISAC makes a compelling 
business case for participation by the private sector.

        f. How has the insurance industry reacted to the development of 
        cyber attacks and cyber terrorism as a risk factor for your 
        industry? Are losses caused as a result of such incidents 
        generally covered under existing policies, or have new products 
        been created to specifically address this risk factor? Do you 
        have any sense of the impacts on insurance costs?
Response: The insurance industry has begun to develop new insurance 
products albeit this market is in the formative stages. Losses caused 
by cyber-related terrorist acts are generally not covered under 
existing policies. Though some new insurance products have become 
available, few insurance companies are willing to take on such risk, 
and even where available, coverage is limited and costly. There has 
been no impact to our insurance costs because this risk is excluded 
from our policies. If we chose to purchase insurance that protected 
against loss from this risk our insurance costs would increase.

3. Providing patches to vulnerabilities is time and resource intensive. 
How does your company address the problem of legacy equipment and 
software with respect to cybersecurity? Are older and discontinued 
products supported with respect to fixing newly discovered security 
flaws? If so, how is the end user notified? Is there a role for the 
federal government in this process?
Response: This is a significant and costly issue from a cybersecurity 
perspective. In many cases, security patches are not provided to 
address flaws in legacy systems and software, and we are left with no 
choice but to replace potentially vulnerable but otherwise operational 
capabilities. For example, commercial operating systems are often 
periodically ``retired'', at which point vendors will no longer provide 
remediation, patches or support. Entities running those operating 
systems have no option but to replace them or risk the possibility that 
vulnerabilities could be exploited.

4. Up to this point, cybersecurity has depended on voluntary consensus 
across industry. The Federal Communications Commission (FCC) has a 
process via the National Reliability and Interoperability Council 
(NRIC) that seems to have worked for the telecommunications sector, but 
much of this was based on the FCC regulatory role for that industry.
        a. Could DHS fill this void for establishing best practices, 
        common criteria, and standards for Information Technology 
        products and services, particularly for the Internet? If so, 
        how might that be structured?
Response: With regard to telecommunications, the Network Reliability 
and Interoperability Council, established in the early 1990's, has 
developed best practices for the wireline communications industry for 
reliability, physical and cyber security, etc., and the NRIC has 
expanded its work in the last few years on best practices to address 
IP-based, wireless and cable services. The Council has also established 
processes for standards and for templates (criteria) for 
interconnection and interoperability. Therefore, we do not see a void 
with regard to telecommunications. DHS should be encouraged to interact 
with the FCC/NRIC with regard to telecommunications best practices. 
This model could be used by other sectors as well, but each sector 
should be responsible for working with the appropriate government 
agencies (e.g. perhaps DOE and FERC for the electric power industry, 
Treasury and the Federal Reserve for the financial services industry), 
in conjunction with DHS, to develop and implement best practices 
tailored to each specific sector.

        b. Are there aspects of standards for which a mandatory 
        approach might be more appropriate, as is the case, for 
        example, in health care or telecommunications?
Response: The standards process is a necessary part of the service 
industry. In telecommunications, standards are essential because 
suppliers and competitors are all interconnected using ubiquitous 
standards agreed to by the industry. Service industry participants work 
the standards process in various standards committees such as ATIS and 
IETF for the telecommunications industry. The benefit of the standards 
process to the industry is the ability to gain consensus by all 
participants. This ensures that all ``voices'' are heard from and one 
group does not dominate the process. ANSI provides for accreditation to 
ensure that standards committees do follow this procedure. (if they are 
certified). However, a mandatory approach to security standards would 
be extremely difficult, and participation may be in jeopardy since 
industry participants will have concerns and the open exchange of 
information will not be as forth coming. Rather than attempting to 
mandate security standards, a better approach is to use an NRIC-like 
approach (described further in 2(a) and 4(a) above) and allow peer 
performance pressure to be the stimulus for improvement in the market 
throughout each sector.

        c. Some major auditing firms want to help companies assess 
        their security vulnerabilities and develop plans to address 
        them. How is the business case being formed to justify the 
        additional costs?
Response: Business Continuity is an essential process for each 
enterprise. Each enterprise does some degree of Business Continuity and 
risk assessment/remediation. This risk assessment must examine closely 
the ``expected value'' of each security investment, because even though 
the probability of loss is low, the impact could potentially be quite 
high. This analysis is key in order to establish accurate priorities in 
where to invest limited security resources. The use of external 
auditing firms helps the enterprise with their business continuity 
process. Use of auditing can be for: validation of internal risk 
assessment, identification of gaps, new opportunities or thoughts 
processes, certification of center operations, etc.
    The business case for auditors would be part of the business 
continuity business case.

5. Emergency preparedness and disaster recovery are common themes for 
the physical infrastructure, but there does not appear to be adequate 
attention to these areas for cyberspace.

        a. From the perspective of your industry, how should the 
        Department of Homeland Security prioritize its cybersecurity 
        activities, from threat detection through disaster recovery?
Response: Priority one should involve remediating vulnerabilities in 
software that powers our critical infrastructure. Investments in 
software engineering process improvements, research into better tools 
for ensuring correctness of software, and increased attention to 
correctness in government procurement activities should be paramount in 
the DHS plans.
    In addition, DHS alone cannot achieve the charter of the 
department. It will take partnership with the industry to develop the 
priorities and programs to meet the demands of the ``new'' cyber world 
we all live in now. Any major initiative that could have a significant 
impact on private sector infrastructures should include, from the 
outset, industry participation, guidance and expertise. For example, 
much has been said about the possibility that the government might 
establish a center for cyberspace security. However, before undertaking 
such an important project, government and industry need to work 
together to explore whether we should have a national center for cyber 
space security or not, and if so, who would participate, and how it 
would operate.

        b. What should be the threshold for federal involvement in the 
        event of a cyber attack? When should it be left entirely to the 
        private sector to respond?
Response: While the majority of critical infrastructure is owned and 
operated commercially, a non-trivial percentage (15% by most estimates) 
is controlled by government. Accordingly, government must ensure that 
it is properly responding to cyber attacks for these resources. Leading 
by example may be the most powerful means for improving the overall 
security posture of the nation.
In addition, thresholds for determining when federal government should 
get involved should be established on a sector-specific basis. In 
telecommunications, thresholds have been defined through the NS/EP 
process and the work of the NCC/NCS. Each event is different and it is 
difficult to define what the threshold should be to capture a process 
that would be applicable to all events. In the cyber world, each event 
has unique characteristics and it is difficult to define what is the 
critical nature of the event. The NCC/NCS has a long history in knowing 
when to pull the service providers together for a common restoration. 
Many of the principles applied over the years to the telecommunications 
structure can be transferred to the cyber arena. The NSEP process 
should be adopted for these purposes. These principles can and should 
be applied to other sectors, and adjusted for each sector that reflect 
the needs and particular characteristics of that sector. In fact, the 
threshold could be different in each industry sector.

        c. What role could the federal government play in 
        reconstituting Internet service if a major debilitating attack 
        were to occur?
Response: To the degree that government-controlled infrastructure is 
included in the overall Internet community (e.g., NIPRnet, DISN, FTS-
2001, etc.), government should obviously take the lead in coordinating 
proper reconstitution of such resources with its vendors, suppliers, 
and partners. More importantly, government should try to take the lead 
in preventing such attacks from occurring through the software 
vulnerability reduction measures outlined above.
In addition, the government should look to the NCC/NCS, established in 
1984 with the break up of the Bell System, to coordinate communications 
restoration when appropriate. Over the years the NCC has expanded its 
membership from traditional circuit switched providers to internet-
related providers and vendors. In fact, during the September 11th 
event, the NCC, with its links to the White House, worked with industry 
to restore Wall Street first as part of the recovery. Continued use of 
the NCC/NCS in the ``trusted' environment is the best way for the 
recovery process to work when required.

        d. In the event of a major cyber attack, what are your concerns 
        with respect to disaster recovery for your company and more 
        broadly? Do you think that existing continuity and recovery 
        planning are sufficient? If not, what more needs to be done?
Response: AT&T has the premier physical Disaster Recovery capability in 
the industry, which addresses the physical replacement of destroyed 
assets. AT&T has invested over $300M in infrastructure and processes 
that can be deployed to recover from such a disaster scenario. In 
addition, AT&T has detailed business continuity and recovery plans for 
all of our key data centers and systems. These processes are exercised 
regularly and overseen by resiliency experts at AT&T Labs to ensure 
that plans are tested and refreshed as warranted. We also monitor the 
health of our networks constantly and can identify and address 
abnormalities very quickly. Even in these tight economic times, AT&T 
has continued to invest including expanding our disaster recovery 
capabilities to our key facilities outside the United States. It is 
important for all entities, but especially operators of critical 
infrastructures, to perform periodic and rigorous assessments of their 
mission-critical functions to minimize the impact that disruptions 
might otherwise cause.
With regard to recovery from a major cyber attack, disaster response 
could take many forms. There are basic principles to guide the 
recovery: first, the detection and analysis of traffic data anomalies 
and other indicia in real-time; and second: remediation actions, which 
could range from applying software patches and upgrades, to 
quarantining and inoculating infected LANs, to shutting off routers to 
prevent further damage and rebooting machines using ``clean'' saved 
software.

        e. Is there a need for a coordinated international response as 
        part of the efforts to protect national information 
        infrastructures? What form might this response take?
Response: Obviously, global coordination is required. Multinational 
corporations do this across their business unit structure, often in a 
seamless manner.
In addition, the international environment is critical to controlling 
the health of the Internet. From a disaster recovery viewpoint, AT&T is 
investing in recovery for service nodes in Europe.
    Our Business Continuity and Risk Assessment processes are currently 
being refreshed in light of changed conditions. Establishing a working 
group across national boundaries could have benefit just as the NRIC 
Council has provided benefits in the communications industry. Cyber 
attacks can come from anywhere, therefore international cooperation at 
both the government and industry levels is a necessary component. 
However, currently, it is be very difficult for the private sector to 
engage in effective information-sharing and security coordination 
efforts in a global context because there are so many different 
approaches to information protection and disclosure world-wide at this 
time. There is a critical role for the U.S. government to play in 
structuring this partnership to ensure that U.S. corporations and 
citizens are protected by U.S. laws. Active private sector 
participation requires significant harmonization to ensure adequate 
legal protections such as protection of sensitive information are 
continually maintained.

     Response to Questions for the Record from AOL, Ms. Tatiana Gau

1. There has been widespread concern among computer industry insiders 
that DHS is not taking information security vulnerabilities seriously 
enough. There is still no UnderSecretary for Information Analysis and 
Infrastructure Protection, and even when one is in place, there is 
concern that information security will be relegated to second-class 
status; Industry has expressed the interest in expanding partnerships 
with government agencies to improve security; but DHS does not appear 
to be moving quickly to embrace this idea.

        a. What do you see the government's role in increasing security 
        and standards setting? Could it be fostered through 
        partnerships (such as those done through National Institute for 
        Standards and Technology) and purchasing criteria? Would 
        government mandated standards, such as the Common Criteria, be 
        a helpful baseline or a hindrance to future innovation?
Response: We believe that government's role is to lead by example on 
cybersecurity, to encourage information sharing and the development of 
industry best practices; support R&D, and to enter into partnerships 
with industry to improve cybersecurity in areas where it is lacking. 
Because cybersecurity is such a rapidly evolving area we do not believe 
that government mandated standards are a particularly effective 
approach, as such standards could quickly become obsolete. However, we 
do think that government procurement standards may be helpful in 
encouraging best practices throughout the private sector.

        b. From what you can tell, is there sufficient information-
        sharing taking place between researchers who discover most 
        vulnerabilities, companies who created the products and DHS? If 
        CERT were formally connected to DHS, would that help FedCIRC 
        with information dissemination and the remediation of security 
        problems and breaches?
Response: To our knowledge, while there is a good deal of information-
sharing taking place among researchers and IT companies, there is not 
yet significant information-sharing between DHS and the ISP sector. We 
applaud the recent decision by DHS to create a government CERT that 
will coordinate with the private sector. We believe such a 
collaborative approach will create an environment that is conducive to 
information-sharing and cooperation.

        c. How can the government help companies be more responsive to 
        known security issues? Would a law providing safe-harbor, with 
        a sunset, help encourage companies to quickly fix security 
        issues after they are discovered?
Response: AOL and other industry leaders already spend very significant 
sums of money on cybersecurity. However, government can foster greater 
responsiveness to known security issues through information-sharing, 
and by educating the public about security issues, as AOL does through 
its service. Government can play a particularly important role by 
providing easy-to-access security warnings for small business and home 
users.

    Responses to Questions for the Record from MICROSOFT, Mr. Phil 
                               Reitinger

1. There has been widespread concern among computer industry insiders 
that DHS is not taking information security vulnerabilities seriously 
enough. There is still no UnderSecretary for Information Analysis and 
Infrastructure Protection, and even when one is in place, there is 
concern that information security will be relegated to second-class 
status. Industry has expressed the Interest in expanding partnerships 
with government agencies improve security, but DHS does not appear to 
be moving quickly to embrace this idea.

        a. What do you see as the government's role in increasing 
        security and standards setting? Could it be fostered through 
        partnerships (such as those done through National Institute for 
        Standards and Technology) and purchasing criteria? Would 
        government mandated standards, such as the Common Criteria, be 
        a helpful baseline or a hindrance to future innovation?
Response: The government has a vital and tailored role to play in cyber 
security. First and foremost, the United States Government is the owner 
and operator of some of the largest and most sensitive computer 
networks in the world--its actions regarding its own cyber security can 
serve to demonstrate both the importance of the problem and best-in-
breed solutions. Accordingly, the U.S. Government must act as a model, 
buying technology engineered for security, and implementing state-of-
the-art security practices.

Second, the U.S. Government must attack the ``knowledge gap'' regarding 
cyber security--even today we do not know the quantitative risks posed 
by a lack of cyber security, and in which areas public and private 
actions fall short of addressing these risks. Business leaders are very 
good at risk management, but some of the risks posed by cyber crime and 
cyber attack are best known to the Government and need to be shared, to 
the greatest extent possible, with the private sector. This will 
enhance the business case for cyber security to the benefit of all. In 
particular, we all need to know more about interdependency between 
sectors and how that may affect our economy and our nation. Moreover, 
even with the increasing business focus on cyber security and enhanced 
private sector action, in some areas there may be a national or 
homeland security need for computer and network security above what the 
market will provide. Therefore, the government, with knowledge of the 
risk in hand and recognizing the dynamic nature of the problem, needs 
to conduct an analysis of where private action may fall short and then 
determine the best way to address this shortfall through tailored 
action.

Third, the U.S. Government needs to otherwise catalyze and enhance 
private action. There is and has been considerable activity in the 
cyber security realm, which can lead to two contrary but related 
mistakes. The first is to think that all, this activity is progress, 
and that the cyber security problem is close to being solved. The 
second is to view this activity as mere churn without progress. In 
fact, considerable progress has been made, with the private sector 
increasingly focusing on and devoting resources to cyber security, and 
the public sector taking actions such as creating the Department of 
Homeland Security and adopting an improved information security 
governance structure though the enactment of the Federal Information 
Security Management Act. The federal government is uniquely able to 
continue and enhance this progress. It can help reduce the ``churn'' by 
examining the activity that is taking place and identifying and 
supporting the private and public initiatives that offer the best 
opportunity to solve problems. It can, help to develop and support 
metrics by which the private sector can judge its status and 
capabilities. As identified in my testimony, the federal government 
should provide more support for cyber security R&D (among the topics 
could be improved development tools, security for Internet-scale 
computing, human-computer interaction and security, priority routing, 
basic protocol research, and wireless security). And with respect to 
information sharing, besides sharing its own information (see above), 
the federal government can catalyze information sharing by the private 
sector by working with it to develop interfaces and protocols for 
sharing information among the various players and for the subsequent 
protection and use of that information--this would help to ease the 
burden of sharing information and increase the trust that shared 
information would be handled appropriately.

Fourth, the U.S. Government must fulfill its particular 
responsibilities as a national government, including for national and 
homeland security. These include continuing to enhance the capability 
of law enforcement to catch and punish cyber criminals, because without 
an effective deterrent the amount of cyberc crime will continue to 
grow. The Government can also raise public awareness about computer 
security, and build international relationships and agreements that 
enhance computer security worldwide.

The government role in standards setting is also vital if properly 
tailored--in our view, the market should drive the emergence of open 
standards. If market competition is permitted to determine which 
standards succeed, users are most likely to get the best mix of 
security and value, while the process itself will ensure that more 
secure standards constantly replace those that are less secure. That 
said, the government can and should set the requirements for its IT 
purchases, relying to the greatest extent possible on the standards 
developed, through market-driven means. This gives the government the 
benefit of widely interoperable and more up-to-date technology and 
processes.

Moreover, as your question also suggests, where appropriate the 
government's acquisition policies should include purchasing software 
whose security has, been evaluated and certified under the 
internationally-recognized (and U.S. supported) Common Criteria for 
Information Technology Security. Policies requiring the acquisition of 
software that has received appropriate Common Criteria certifications 
should be developed and applied consistently and evenhandedly, and we 
applaud DoD's recent efforts to make clear that its security policies 
apply to software that has been developed under all business, 
development, and licensing models. Such efforts to procure only 
security-engineered technology, and specifically such clear support for 
the Common Criteria, will help strengthen the government infrastructure 
and motivate markets.

The government should, however, avoid mandating standards for use by 
the private sector. Legislated standards are likely to become quickly 
outmoded--indeed, they may be outmoded at enactment. Standards are 
already ``following'' rather than ``leading,'' that is, standards tend 
to enshrine best current practice rather than encapsulate expected 
innovation. Adopting a particular standard in legislation or regulation 
may enshrine outdated and antiquated technology and practice on our 
most critical infrastructures. Mandatory standards can also restrict 
innovation, by reducing the benefit from developing new technology or 
practices that are non-compliant, 'and also skew innovation, by 
favoring one technology or practice over another. Finally, mandating 
standards can actually drive security to a floor. Here, as elsewhere, 
the government must tailor its activity to meet specific needs, and act 
in the least intrusive manner possible, to avoid damaging the market's 
continuing innovation.

        b. From What you can tell, is there sufficient information-
        sharing taking place between researchers who discover most 
        vulnerabilities, companies who created the products and DHS? If 
        CERT were formally connected to DHS, would that help FedCIRC 
        with information dissemination and the remediation of security 
        problems and breaches?
Response: Information sharing regarding vulnerabilities is certainly 
taking place, and of course I would like to see it improve. Responsible 
disclosure of vulnerabilities minimizes risk to users, the
Internet, and the critical infrastructures that depend upon it by 
giving vendors an opportunity to develop a fix for a vulnerability 
before giving attackers the knowledge necessary to launch attacks. 
Microsoft applauds and thanks those researchers who follow responsible 
disclosure policies.
Therefore, Microsoft is working with other industry leaders to propose 
and institutionalize industry best practices for handling security 
vulnerabilities in ways that more effectively protect Internet users. 
We are a founding member of the Organization for Internet Safety (OIS), 
an alliance of leading technology vendors, security researchers, and 
consultants that is dedicated to the principle that security 
researchers and vendors should follow common processes and best 
practices to efficiently resolve security issues and to ensure that 
Internet users are protected. See www.oisafety.org. Last month, OIS 
published a set of best practices for reporting and responding to 
security vulnerabilities. These guidelines, which were built with input 
from across the security community, provide specific, prescriptive 
guidance that establishes a framework in which researchers and vendors 
can work together to improve the speed and quality of investigations 
into security vulnerabilities, then jointly provide guidance to help 
users protect themselves and their infrastructures. We view these best 
practices as an important step in elevating standards for 
accountability on all fronts and among all audiences in managing 
security vulnerabilities.
With regard to the formal connection of CERT to DHS, I would need 
further information on how such a proposal would work before commenting 
in detail.
        c. How can the government help companies be more responsive to 
        known security issues? Would a law providing safe-harbor, with 
        a sunset, help encourage companies to quickly. fix security 
        issues after they are discovered?
Response: The U.S. Government can help companies be more responsive to 
known security issues by taking the actions described above--being a 
leader and securing its own systems, addressing the knowledge gap, 
catalyzing and enhancing private sector activity, and fulfilling its 
governmental responsibilities. In particular, addressing the knowledge 
gap will help business both to make rational decisions about cyber 
security and risk management and to implement the best defense.
As for your question about Safe Harbor, I would need more information 
about the proposal to comment.

                                 
