[Senate Hearing 108-516]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 108-516

    VIRTUAL THREAT, REAL TERROR: CYBERTERRORISM IN THE 21ST CENTURY

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON TERRORISM, TECHNOLOGY
                         AND HOMELAND SECURITY

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 24, 2004

                               __________

                          Serial No. J-108-58

                               __________

         Printed for the use of the Committee on the Judiciary


                    U.S. GOVERNMENT PRINTING OFFICE
94-639                      WASHINGTON : DC
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman
CHARLES E. GRASSLEY, Iowa            PATRICK J. LEAHY, Vermont
ARLEN SPECTER, Pennsylvania          EDWARD M. KENNEDY, Massachusetts
JON KYL, Arizona                     JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin
JEFF SESSIONS, Alabama               DIANNE FEINSTEIN, California
LINDSEY O. GRAHAM, South Carolina    RUSSELL D. FEINGOLD, Wisconsin
LARRY E. CRAIG, Idaho                CHARLES E. SCHUMER, New York
SAXBY CHAMBLISS, Georgia             RICHARD J. DURBIN, Illinois
JOHN CORNYN, Texas                   JOHN EDWARDS, North Carolina
             Bruce Artim, Chief Counsel and Staff Director
      Bruce A. Cohen, Democratic Chief Counsel and Staff Director
                                 ------                                

      Subcommittee on Terrorism, Technology and Homeland Security

                       JON KYL, Arizona, Chairman
ORRIN G. HATCH, Utah                 DIANNE FEINSTEIN, California
ARLEN SPECTER, Pennsylvania          EDWARD M. KENNEDY, Massachusetts
MIKE DeWINE, Ohio                    JOSEPH R. BIDEN, Jr., Delaware
JEFF SESSIONS, Alabama               HERBERT KOHL, Wisconsin
SAXBY CHAMBLISS, Georgia             JOHN EDWARDS, North Carolina
                Stephen Higgins, Majority Chief Counsel
                David Hantman, Democratic Chief Counsel


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

Feinstein, Hon. Dianne, a U.S. Senator from the State of 
  California
    prepared statement
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona
    prepared statement
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, 
  prepared statement

                               WITNESSES

Lourdeau, Keith, Deputy Assistant Director, Federal Bureau of 
  Investigation, Washington, D.C.
Malcolm, John G., Deputy Assistant Attorney General, Department 
  of Justice, Washington, D.C.
Schmidt, Howard A., Vice President and Chief Information Security 
  Officer, eBay, Inc., San Jose, California
Verton, Dan, Author, Burke, Virginia
Yoran, Amit, Director, National Cyber Security Division, 
  Department of Homeland Security, Washington, D.C.

                       SUBMISSIONS FOR THE RECORD

Forbes Magazine, Peter Huber and Mark Mills, September 15, 2003, 
  article
Lourdeau, Keith, Deputy Assistant Director, Federal Bureau of 
  Investigation, Washington, D.C., prepared statement
Malcolm, John G., Deputy Assistant Attorney General, Department 
  of Justice, Washington, D.C., prepared statement
Schmidt, Howard A., Vice President and Chief Information Security 
  Officer, eBay, Inc., San Jose, California, prepared statement
Verton, Dan, Author, Burke, Virginia, prepared statement
Yoran, Amit, Director, National Cyber Security Division, 
  Department of Homeland Security, Washington, D.C., prepared 
  statement

 
    VIRTUAL THREAT, REAL TERROR: CYBERTERRORISM IN THE 21ST CENTURY

                              ----------                              


                       TUESDAY, FEBRUARY 24, 2004

                              United States Senate,
        Subcommittee on Terrorism, Technology and Homeland 
                      Security, Committee on the Judiciary,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:11 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl, 
Chairman of the Subcommittee, presiding.
    Present: Senators Kyl and Feinstein.

  OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE 
                        STATE OF ARIZONA

    Chairman Kyl. Good morning. This hearing of the Judiciary 
Committee Subcommittee on Terrorism, Technology and Homeland 
Security will come to order.
    First, as I catch my breath, my apologies particularly to 
the witnesses here before us, but also to Senator Feinstein and 
to those of you in the audience. We are well over-scheduled. 
Senator Feinstein, I know, has a meeting that began at ten 
o'clock, too, so her presence here is very, very much 
appreciated for however long you can be here. Let me just give 
a brief opening statement, then call on Senator Feinstein, and 
then we are anxious to hear from our panel.
    On January 27, this Subcommittee examined the security of 
our seaports and their vulnerability to terrorist attacks. 
Today, we are going to examine the security of our cyber 
infrastructure and its vulnerability to cyberterrorist attacks.
    As the world has grown more connected through the Internet 
and cyberspace, the dangers associated with attacks on that 
technology have also increased. The quantity and quality of 
cyber attacks are on the rise. The number of computer security 
intrusions increased from about 84,000 in 2002 to 137,000 in 
2003.
    Computer viruses are spreading at much faster rates and 
causing more damage than ever before. While it took 26 hours 
for a virus in 2001 to infect 300,000 machines worldwide, a 
virus in February 2003 infected 300,000 machines within only 14 
minutes. As Secretary Ridge stated in December, ``anywhere 
there is a computer...whether in a corporate building, a home 
office or a dorm room...if that computer isn't secure, it 
represents a weak link because it only takes one vulnerable 
system to start a chain reaction that can lead to devastating 
results.''
    Since 1997, this Subcommittee has held seven hearings on 
cyber attacks and critical infrastructure protection. During 
the most recent of these hearings, witnesses expressed concerns 
about terrorists conducting cyber attacks against the United 
States. Terrorists already use cyber tools to raise funds and 
to organize physical attacks. They could obviously use those 
same tools for conducting cyber warfare.
    In 2000, FBI Director Louis Freeh testified before this 
Subcommittee that cyberterrorism was, and I am quoting now, ``a 
very real, though still largely potential threat.'' Today's 
hearing will focus on the status of that threat now and what we 
are doing to reduce the threat.
    Terrorists are targeting our cyber infrastructure and we 
have got to educate the public about this threat. According to 
news reports, data from al-Qaeda computers found in Afghanistan 
show that the group had scouted systems that control critical 
U.S. infrastructure. An attack on these systems could have 
devastating results, especially if done in conjunction with a 
physical attack.
    A study by the National Infrastructure Protection Center 
concluded that the effects of September 11 would have been far 
greater if launched in conjunction with a cyber attack 
disabling New York City's water or electrical systems. An 
attack on these systems would have inhibited emergency services 
from dealing with the crisis and turned many of the spectators 
into victims.
    The Subcommittee today will hear from five witnesses, three 
experts from the Federal Government and two from the private 
sector. The first is Assistant Attorney General John Malcolm at 
the Department of Justice. He is the Deputy Assistant Attorney 
General in the Criminal Division of the Department of Justice. 
He oversees the Computer Crime and Intellectual Property 
Section, the Child Exploitation and Obscenity Section, the 
Domestic Security Section, and the Office of Special 
Investigations. An honors graduate at Columbia College and 
Harvard Law School, Mr. Malcolm served as a law clerk to judges 
on both the U.S. District Court for the Northern District of 
Georgia and the Eleventh Circuit Court of Appeals.
    Second is Deputy Assistant Director Keith Lourdeau, Cyber 
Division of the FBI. Keith Lourdeau is the Deputy Assistant 
Director of the FBI's Cyber Division. He previously served as 
Assistant Special Agent in Charge of the St. Louis Division, 
where he was responsible for the daily operation of that 
division.
    Mr. Lourdeau entered the FBI in 1986 and has served in the 
Chicago, Little Rock and St. Louis field offices. While serving 
at FBI Headquarters, Mr. Lourdeau was detailed to the CIA to 
assist in establishing a new initiative between the CIA and the 
FBI in targeting international organized crime groups.
    Director Amit Yoran, National Cyber Security Division, 
Department of Homeland Security. He is the Director of the 
National Cyber Security Division for DHS. Previously, he served 
as the Vice President for Managed Security Services at Symantec 
Corporation, where he was primarily responsible for managing 
security infrastructures in 40 different countries.
    Before working in the private sector, Mr. Yoran was the 
Director of the Vulnerability Assessment Program within the 
Computer Emergency Response Team at the Department of Defense 
and the Network Security Manager at the Department of Defense, 
where he was responsible for maintaining operations of the 
Pentagon's network.
    On the second panel, we have two individuals. Dan Verton is 
the author of Black Ice: The Invisible Threat of 
Cyberterrorism, which is a book analyzing al-Qaeda's ability to 
conduct cyber attacks and U.S. vulnerability to cyber 
terrorists. He is also a senior writer on the staff of 
Computerworld, covering national cyber security and critical 
infrastructure protection.
    Mr. Verton is a former intelligence officer in the United 
States Marine Corps, where he served as senior briefing officer 
for the Second Marine Expeditionary Force and analyst in charge 
of the Balkans Task Force from 1994 to 1996.
    Finally, Howard Schmidt is the Vice President and Chief 
Information Security Officer for eBay. Prior to that, Mr. 
Schmidt served as the Chair of the President's Critical 
Infrastructure Protection Board in 2003, and as the Special 
Adviser for Cyberspace Security for the White House from 2001 
to 2003. Mr. Schmidt has also worked as the chief security 
officer for Microsoft and as the head of the Computer 
Exploitation Team at the FBI's National Drug Intelligence 
Center. From 1983 to 1994, I am proud to say he was an officer 
for the Chandler Police Department in Arizona.
    In conclusion, the United States has not suffered a major 
cyberterrorist attack, but we have got to continue to improve 
our security of our critical infrastructure systems because the 
more dependent we become upon technology, obviously the greater 
challenge in protecting it.
    We have a distinguished panel of witnesses before us today 
and I am very interested in examining with them the threats and 
vulnerabilities that we face and what Congress can do to help 
prevent cyberterror and to prosecute cyber criminals in the 
United States and abroad.
    As always, I want to thank Senator Feinstein for her hard 
work in helping to put together this hearing. We have had an 
excellent relationship in dealing with this particular subject 
over the years that we have been together on this Subcommittee 
and I look forward to working with her.
    [The prepared statement of Senator Kyl appears as a 
submission for the record.]
    Chairman Kyl. Senator Feinstein.

  STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE 
                      STATE OF CALIFORNIA

    Senator Feinstein. Thanks very much, Mr. Chairman, and I 
appreciate your leadership and your agreement to have this 
hearing.
    Let me just begin right at the top and say my concern is 
that we really don't take cyberterrorism as seriously as we 
should, that it isn't at the top of this huge totem pole in 
Homeland Security. I believe Mr. Yoran reports to an assistant 
secretary, and the strategy up to this point, as I understand 
it, is to leave most of this to the private sector. I am not 
really sure, long-term, that this is going to work.
    I think you only have to look at a recent computer virus, 
MyDoom, that recently spread in January like wildfire across 
the Internet to really understand the threat. MyDoom was 
responsible for sending 100 million infected e-mails in its 
first 36 hours, and accounted for one-third of all e-mails sent 
worldwide on one evening. The virus shut down the website of 
the SCO Group, and also attacked the Microsoft website. Damages 
worldwide ran into hundreds of millions of dollars.
    Denial-of-service attacks offer only a small glimpse into 
what is a huge potential cyberterror threat. A terrorist could 
theoretically use a computer to open the flood gates of a dam--
we have talked about this before--disrupt the operations of an 
aircraft control tower, shut down the New York Stock Exchange 
or other important businesses or government agencies, or 
disrupt emergency communications of law enforcement and safety 
officials. And we know how many invasions there are a year of 
Defense computers here in the United States. It is a real 
problem, and we have been fortunate so far.
    One oft-cited example is an April 2000 incident in 
Australia where a disgruntled consultant sabotaged the 
electronic controls to a sewage system, letting loose millions 
of gallons of sewage on a town. But the threat is uniquely 
insidious. In contrast to attacks on our ports or biological or 
chemical weapons, cyberterror does not have to be launched 
within the United States geographic confines.
    I would also note that 85 to 90 percent of our Nation's 
cyber infrastructure remains under the control of the private 
sector. And as I said, the administration so far has embraced a 
voluntary, market-based approach to cyber security. In December 
2002, Governor Gilmore criticized this voluntary approach. He 
said, ``So far, pure public/private partnerships and market 
forces are not acting...to protect the cyber community.'' So I 
am concerned that we essentially are unprepared for a major 
cyber attack.
    Here are some questions I hope the panel can address: How 
real is the threat? Has the Department of Homeland Security 
placed a high enough priority on defense against 
cyberterrorism? Are we better prepared today to defend against 
a cyber attack than we were on 9/11? Is the current voluntary 
private sector and government collaboration working? Is there 
more we can or should do to defend ourselves?
    Now, I understand that an NIE is going to be released 
sometime later this week on cyberterrorism. So we might want to 
also take a look at that and see where we go from here.
    Thanks very much.
    [The prepared statement of Senator Feinstein appears as a 
submission for the record.]
    Chairman Kyl. Thank you very much, Senator Feinstein.
    It is also very helpful having Senator Feinstein also on 
the Intelligence Committee, on which I served for 8 years. And 
it is going to be interesting to coordinate with the 
Intelligence Committee, as well, any specific activities that 
we follow through on here.
    Senator Feinstein. As a matter of fact, I am going to have 
to leave in about 20 minutes. We have George Tenet over in 
Intelligence this morning.
    Chairman Kyl. I was aware of that, so let's get right to 
the panel. I think we will do the clock just so you can get an 
idea of when you have spoken for 5 minutes. Obviously, any 
other statements you would like to make for the record, in 
addition to your written statements, we will include.
    Let's start with Mr. Malcolm and then go on down to Mr. 
Lourdeau and then Mr. Yoran.

    STATEMENT OF JOHN G. MALCOLM, DEPUTY ASSISTANT ATTORNEY 
        GENERAL, DEPARTMENT OF JUSTICE, WASHINGTON, D.C.

    Mr. Malcolm. Thank you, Chairman Kyl, Senator Feinstein. On 
behalf of the Department of Justice, I would like to thank you 
for inviting me to appear before you this morning to discuss 
the important issue of cyberterrorism.
    Under the President's National Strategy to Secure 
Cyberspace, the Department of Justice and the FBI are charged 
with leading the national effort to investigate and prosecute 
cyber crime. Our role as law enforcement distinguishes what we 
do from what the Department of Homeland Security does.
    Specifically, while DHS deals with vulnerability 
assessment, prevention and damage mitigation, we act to prevent 
and deter cyber crime by investigating cyber crime incidents 
and identifying and prosecuting those who violate Federal laws.
    Cyberterrorism involves the use of computer systems to 
carry out terrorist acts, which are in turn defined by 
reference to specific criminal statutes. True cyberterrorism is 
characterized by large-scale destruction, or the threat of such 
destruction, coupled with an intent to harm or coerce a 
civilian population or government.
    Because attacks on critical infrastructure have the 
potential for large-scale disruptions and mass casualties, even 
if not accompanied by terroristic intent, the issues of 
cyberterrorism and critical infrastructure protection are often 
intertwined. We have been fortunate enough not to experience a 
devastating attack of cyberterrorism or a crippling attack on a 
critical infrastructure. Nevertheless, the hard lessons of 9/11 
teach us that preparation is critical.
    The Department has developed specialized expertise in the 
area of cyber crime, led by the Computer Crime and Intellectual 
Property Section, or CCIPS, which I oversee. That section's 37 
attorneys focus exclusively on issues relating to computer and 
intellectual property crime. They are supported in the field by 
212 computer and telecommunications coordinators, or CTCs, who 
are specially trained Assistant United States Attorneys who 
function effectively as a resource for their respective 
districts and as a point of contact for multidistrict cases.
    The Department has also focused on developing partnerships 
with other Federal agencies, with State and local law 
enforcement and with industry organizations. We work closely 
with DHS's National Cyber Security Division and the Cyber 
Interagency Incident Management Group, with the National White 
Collar Crime Center's Cyber Crime Advisory Board and the 
National Association of Attorneys General, and with InfraGard, 
an important initiative that expands direct contacts between 
government and private sector infrastructure owners and 
operators.
    Because cyber attacks frequently transcend geographic 
boundaries, the Department's cyber crime initiatives have not 
been confined to the United States. CCIPS chairs the G8 
Subgroup on High-Tech Crime and has successfully spearheaded 
the development of the 24/7 Network. In addition, CCIPS is 
active on several committees of the Organization of American 
States that relate to cyber security, and it has worked with 
other regional governmental groups including the Asia Pacific 
Economic Cooperation Forum, or APEC.
    We intend to continue our work toward improving the quality 
of cyber crime legislation and response mechanisms in other 
regions of the world. We believe that improved laws will not 
only serve as a deterrent, but will also increase the overall 
prosecution of cyber criminals, including cyberterrorists, who 
would seek to operate in otherwise lawless nations.
    The Department relies on a number of tools, both 
substantive and procedural, to investigate and prosecute cyber 
attacks. One of the most important of these is the USA PATRIOT 
Act. You are no doubt aware that many of the USA PATRIOT Act's 
provisions are currently set to expire. Because these 
provisions, including the emergency service provider exception, 
the hacker trespass exception and the nationwide search 
provision, would be essential to any investigation or 
prosecution of cyberterrorism, I would urge you not to allow 
these provisions to sunset.
    While I would like nothing better than to be able to assure 
you that an attack of cyberterrorism will never occur, 
unfortunately I can't do that. I can, however, assure you that 
the Department is taking and will continue to take the 
necessary steps to prepare to respond appropriately in the 
event of a cyber attack.
    I thank you again for allowing me the time to address this 
Subcommittee on this important issue and I look forward to your 
questions.
    [The prepared statement of Mr. Malcolm appears as a 
submission for the record.]
    Chairman Kyl. Thank you very much, Mr. Malcolm. You are 
right on the button time-wise.
    Mr. Lourdeau.

STATEMENT OF KEITH LOURDEAU, DEPUTY ASSISTANT DIRECTOR, FEDERAL 
           BUREAU OF INVESTIGATION, WASHINGTON, D.C.

    Mr. Lourdeau. Good morning, Chairman Kyl, Senator 
Feinstein. On behalf of the FBI, I would like to thank you for 
this opportunity to address the FBI's role in combating 
cyberterrorism.
    As our Nation's economy becomes more dependent on computers 
and the Internet becomes an increasingly more integral part of 
our society, new digital vulnerabilities make U.S. network 
systems potential targets to an increasing number of 
individuals, including terrorists.
    The Director of the FBI has established protecting the U.S. 
from terrorist attacks as its number one priority and 
protecting the U.S. against cyber-based attacks and high-
technology crimes as its number three priority. The FBI's Cyber 
Division's number one priority is counterterrorism-related 
computer intrusions.
    Our network systems make inviting targets for terrorists 
due to the potential for large-scale impact to the Nation. The 
vulnerabilities to our network systems arise from easy 
accessibility to those systems via the Internet, harmful tools 
that are available to anyone with a point-and-click ability, 
the globalization of our Nation's infrastructures, and the 
interdependencies of networked systems.
    Terrorist groups are increasingly adopting the power of 
modern communication technology for planning, recruiting, 
propaganda purposes, enhancing communications, command and 
control, fundraising and fund transfers, and information-
gathering.
    To date, cyber attacks by terrorists or persons affiliated 
with them have largely been limited to relatively 
unsophisticated efforts, such as the e-mail bombing of 
ideological foes or the publication of threatening content. 
However, increasing technical competency in these groups is 
resulting in an emerging capability for network-based attacks. 
The more familiar they become with computers and their 
potential as a viable weapon against us, the more likely they 
will try to acquire the skills necessary to carry out a 
cyberterrorist event.
    The FBI assesses the cyberterrorism threat to the U.S. to 
be rapidly expanding, as the number of actors with the ability 
to utilize computers for illegal, harmful and possibly 
devastating purposes is on the rise. Terrorist groups are 
showing a clear interest in developing basic hacking tools, and 
the FBI predicts that terrorist groups will either develop or 
hire hackers particularly for the purpose of complementing 
large physical attacks with cyber attacks.
    Attacks against regional targets could have a significant 
effect on computer networks, while coordinated attacks on 
multiple regions could achieve a national effect with severe 
repercussions. There are numerous control systems whose 
destruction would have a far-reaching effect. Large-scale 
distribution systems, such as those involving natural gas, oil, 
electric power and water, tend to use automated supervisory and 
data acquisition systems for administration. These SCADA 
systems tend to have both cyber and physical vulnerabilities.
    A major method used in preventing cyberterrorism is the 
sharing of intelligence information. The FBI routinely passes 
intelligence received in active investigations or developed 
through research to the intelligence community. Throughout the 
FBI field offices, special agents serve on cyber task forces 
with other agencies. The FBI is also a sponsor/participant in 
the InterAgency Coordination Cell. This environment of 
information-sharing and cooperation is expanding to include 
foreign governments such as the 5 Eyes.
    The FBI has established cyber task forces, public/private 
alliances, cyber action teams, cyber training, and a cyber 
intelligence center, all to provide a strategic framework and 
program management tool for all FBI computer intrusion 
investigations.
    While the following two incidents were not cyberterrorism, 
they are an indication of the ability of individuals to gain 
access to our network systems and the possible damage that can 
result.
    For example, an individual used simple explosive devices to 
destroy the master terminal of a hydroelectric dam in Oregon. 
Although there was no effect on the dam's structure, the simple 
attack completely disabled the dam's power-generating turbines 
and forced a switch to manual control.
    A coordinated attack on the region's infrastructure 
systems, such as the SCADA systems that control Washington, 
D.C.'s electric power, natural gas and water supply, would have 
a profound effect on the Nation's sense of security. This 
incident demonstrated how minimal sophistication and material 
can destroy a SCADA system.
    In another example, on May 3, 2003, an e-mail was sent to 
the National Science Foundation's Network Operations Center 
which read, ``I've hacked into the server of your South Pole 
Research Station. Pay me off, or I will sell the station's data 
to another country and tell the world how vulnerable you are.''
    The e-mail contained data only found in the NSF's computer 
systems, proving that this was no hoax. NSF personnel 
immediately shut down the penetrated servers which control the 
life support systems for the 50 scientists wintering over at 
the South Pole. The FBI determined that the hackers were 
accessing their e-mails from a cyber cafe in Romania.
    Through joint FBI and Romanian investigative efforts, the 
Romanian authorities seized documents, a credit card used in 
the extortion, and the e-mail account that was used to make the 
demands of the NSF. On June 3, 2003, two Romanian citizens 
accused of hacking into the NSF South Pole Research Station 
were arrested.
    The unique complexity of protecting our Nation's network 
systems is a daunting task. The protection of our network 
systems is a shared responsibility between the private sector, 
Federal, State and local law enforcement, the Department of 
Homeland Security and the intelligence community, both domestic 
and foreign.
    Again, I offer my gratitude and appreciation to you, 
Chairman Kyl, and Senator Feinstein for dedicating your time 
and effort in addressing this vitally important issue. I would 
be happy to respond to any questions you may have. Thank you.
    [The prepared statement of Mr. Lourdeau appears as a 
submission for the record.]
    Chairman Kyl. Well, thank you very much, Mr. Lourdeau. That 
one story you told, I am sure, is illustrative of many others, 
but it is a great story. We need to get more of that 
information out so that we can follow our educational role here 
and really convince people that this is real, this isn't just 
hypothetical.
    Mr. Yoran.

  STATEMENT OF AMIT YORAN, DIRECTOR, NATIONAL CYBER SECURITY 
  DIVISION, DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, D.C.

    Mr. Yoran. Thank you, Chairman Kyl, Senator Feinstein. I 
appreciate the opportunity to appear before you today to 
discuss the important issue of cyberterrorism. I also welcome 
the chance to provide your Subcommittee with an update on the 
efforts of the Department of Homeland Security's National Cyber 
Security Division to defend our Nation against the menace of 
cyber threats.
    The National Cyber Security Division, established by the 
Department in June of 2003, represents a crucial component of 
the Information Analysis and Infrastructure Protection 
Directorate. Under the leadership of Under Secretary Frank 
Libutti and Assistant Secretary Robert Liscouski, the IAIP 
Directorate leads the Nation's efforts to protect the Nation's 
critical infrastructures from attack or disruption.
    Placement of the National Cyber Security Division in the 
IAIP Directorate allows for the careful integration of physical 
and cyber security approaches into a common, holistic 
management framework. Through the integration of physical and 
cyber protection capabilities, the components of IAIP work 
together to protect America's critical infrastructures.
    Under the leadership of Assistant Secretary Liscouski, we 
are considering the full range of risks to the Nation, 
including loss of life, disruptions to infrastructure services, 
economic impact and national security implications. Recognizing 
that future terrorist attacks may not be limited to cyber or 
physical acts, but rather a combination of the two to amplify 
impact, the Office of Infrastructure Protection is organized to 
examine threats and vulnerabilities across multiple dimensions, 
including integrating and mapping vulnerabilities to threats, 
assessing sector-specific and cross-sector vulnerabilities, and 
understanding national, regional and local impacts.
    Moreover, the close linkage of the Office of Information 
Analysis, led by Assistant Secretary Patrick Hughes, the 
primary threat information intelligence-gathering and analysis 
capability of the Department of Homeland Security, promotes the 
ability to map threat information with cyber vulnerabilities. 
This mapping allows for the effective prioritization of 
potential risks and implementation of remediation efforts as 
quickly as possible to limit the impact of computer incidents.
    For the remainder of my remarks, I will provide an overview 
of the cyber threat environment facing the Nation and 
activities the National Cyber Security Division is undertaking 
with its partners to reduce our national vulnerability to these 
threats.
    As members of this Subcommittee have heard on numerous 
occasions, cyber threats continue to be a significant national 
and global concern. When vulnerabilities are identified, 
viruses are launched, or when other types of cyber attacks are 
reported, it is often difficult to immediately identify and 
understand the underlying motives for such attacks.
    Is it an isolated cyber attack, for example, a part of a 
terrorist plot, a criminal enterprise, or a teenager surfing 
the Net in search of a thrill? The difficulty is that 
vulnerabilities and techniques that are exploited in the 
interest of cyber crime or even cyber hacktivism are the same 
vulnerabilities and techniques that are at issue when 
discussing cyberterrorism.
    Therefore, the National Cyber Security Division employs a 
threat-independent strategy of protecting the Internet and 
critical infrastructures from all types of attacks. While 
staying acutely aware of how terrorists might exploit cyber 
techniques, we face challenges in distinguishing between 
malicious acts of terrorism versus other types of attacks as an 
event is occurring in real time.
    Rather than only focusing on specific attack profiles, we 
are developing programs and initiatives that apply to the gamut 
of attack approaches. In other words, our mission extends to 
protecting cyber systems across the entire threat spectrum, 
regardless of an actor's intent. If we attempt to stovepipe our 
protection efforts to focus on different types of attackers who 
may use the cyber infrastructure, we risk the possibility of 
limiting our understanding of the entire threat environment.
    While maintaining a threat-independent approach, the 
National Cyber Security Division recognizes that DHS and the 
Federal Government must remain vigilant in the identification 
of all types of cyber attackers. Components of the IAIP 
Directorate and our Federal partners in law enforcement, 
defense and intelligence devote considerable time and energy to 
identifying groups and individuals with the capability to 
launch cyber attacks and to determining the individuals 
responsible for an attack and its aftermath.
    At the Department of Homeland Security, the question we ask 
ourselves every day is how are we making America safer, because 
in the end that is our key metric for success. In preparing to 
testify, I reflected on how far we as a country have progressed 
in cyber security in the past decade. The accomplishments are 
truly remarkable.
    In that time, we have created a Cabinet-level agency to 
bring together government, industry and academia to manage 
national cyber incidents. Government agencies, private 
corporations and our research community have developed, fielded 
and improved cyber security technologies such as firewalls, 
anti-virus technology and intrusion prevention systems to 
better protect our networks.
    Again, I wish to thank the Chairman, Ranking Member and 
members of the Subcommittee for the opportunity to speak with 
you today and I look forward to answering your questions.
    [The prepared statement of Mr. Yoran appears as a 
submission for the record.]
    Chairman Kyl. Thank you very much, Mr. Yoran.
    In view of the fact that Senator Feinstein is going to have 
to leave, would you like to lead with the questions?
    Senator Feinstein. Oh, how nice. Thank you very much. I 
would be happy to.
    I strongly believe that cyber security should be one of the 
lead priorities of the Department of Homeland Security. Before 
the creation of the Department, your predecessors, Richard 
Clarke and Howard Schmidt, had senior positions on the White 
House staff. They served as special advisers to the White House 
on cyberspace security. Now, as I said, cyber security is 
relegated to a mid-level position in the Department. As 
Director, you don't report directly to Secretary Ridge, but to 
an assistant secretary.
    My question is this: Given your lack of seniority in the 
Department, how will you be able to direct assistant 
secretaries in other directorates to bolster up cyber security? 
Do you have the organizational clout, for example, to get the 
Border and Transportation Directorate to bolster its cyber 
security policies? Tough questions.
    Mr. Yoran. Senator Feinstein, I would maintain that cyber 
security maintains a very high profile within the 
administration and within the Department of Homeland Security. 
We must continue to maintain cyber as an integral component of 
our overall risk management approach to our critical 
infrastructures and to our public interest. It should not be 
stovepiped as an individual protection approach.
    I would also maintain that there are advisers within the 
White House who maintain very close awareness of cyber activity 
and cyber preparedness, but that within the Department of 
Homeland Security, through Homeland Security Presidential 
Directive 7, the Department of Homeland Security should 
maintain an organization to be the Nation's focal point for 
cyber security preparedness.
    Senator Feinstein. At this point, have any directives been 
given by Homeland Security to other departments to tighten 
their cyber security?
    Mr. Yoran. The National Cyber Security Division works very 
closely in collaboration with the Office of Management and 
Budget, with the National Institute of Standards and Technology 
and with a number of other organizations across the Federal 
Government who have responsibility and authority to create 
standards and help define protection strategies for our 
Government.
    Senator Feinstein. Well, I take it the answer is no to my 
question.
    Today, 85 to 90 percent, as I understand it, of the cyber 
security infrastructure is in private hands, and private sector 
control makes defending this aspect of our homeland somewhat 
unique. What can the Federal Government do to ensure the 
security of so many resources that are now outside of 
Government control, anyone that would like to have a crack at 
it?
    Mr. Lourdeau. Well, one of the things that we need to do is 
we still need the public/private alliances between Government 
and private industry. There are contingency plans and other 
issues that the Government could assist private industry with 
so that there is a consistency across the board for security, 
both cyber and physical.
    As we know, there is a correlation between physical attacks 
and cyber attacks, and if the infrastructure's physical 
capabilities are not protected, then the cyber capability is 
not going to be protected. So I think it is very important that 
we continue that relationship between private industry and 
Government, and assisting in providing contingency plans and 
have that consistency across the board.
    Senator Feinstein. Is that happening today? Are these plans 
available for review? Could this Subcommittee take a look at 
those plans?
    Mr. Lourdeau. Yes, we have those. When the FBI had the 
National Infrastructure Protection Center, we were assisting in 
providing contingency plans, and I believe that Homeland 
Security has taken that over.
    Mr. Yoran. That is correct. In Homeland Security 
Presidential Directive 7, there is new focus on critical 
infrastructure protection planned. In addition, we have a 
tremendous amount of collaboration ongoing with the private 
sector through a number of different forums and we are working 
aggressively on contingency planning in various bad-base 
scenario capabilities, such as the Critical Infrastructure 
Warning and Information Network, so that we can communicate 
with the private sector and amongst the key Federal departments 
and agencies who would respond to cyber incidents.
    Senator Feinstein. Mr. Chairman, I think it would be very 
useful if our joint staffs were able to take a look at those 
plans, because there is no way of us really exercising any 
oversight if 85, 90 percent of this is private sector.
    Now, if those alliances exist and are in writing, it seems 
to me we ought to be able to review them, and I would make that 
request that our joint staffs have an opportunity to take a 
look at what does exist with respect to achieving cyber 
security in the private sector now.
    Chairman Kyl. Any difficulty with providing us that 
information and meeting with us and our staff?
    Mr. Lourdeau. No, and I will speak for both of us. We will 
make sure that is available to you.
    Chairman Kyl. All right.
    Senator Feinstein. May I place a statement by the ranking 
member, Senator Leahy, in the record?
    Chairman Kyl. Yes. Without objection, it will be received.
    Senator Feinstein. Thank you very much, and I am going to 
excuse myself. Thank you for your courtesy.
    Chairman Kyl. Well, thank you. I know you had to leave that 
other hearing. We appreciate you being here.
    Senator Feinstein. Thank you.
    Chairman Kyl. Let me now ask some questions. Specifically 
as a follow-up to Senator Feinstein's question here, we have 
held, as I said, a number of hearings on this. Back before 
there was a Department of Homeland Security, we had testimony 
about the NIPC, in fact, a couple of different times.
    In 2001, at one of our hearings, the GAO had prepared a 
report on the National Infrastructure Protection Center, at 
that time located in the FBI. It was critical of the NIPC, 
stating that NIPC had failed to develop a broad strategic 
analysis of cyber-based threats. What I am interested in 
knowing is how DHS, now having taken that over, has proceeded 
to address concerns like that, or have you?
    I will tell you, let me ask you a second follow-up question 
because it relates specifically to your testimony, Mr. Yoran. 
In the year 2000, the Director of the CERT Coordinating Center, 
which is a reporting center for computer security programs that 
is located at Carnegie Mellon--Richard Pethia, who is the 
director of that center, testified that the Government was 
awash in a sea of vulnerability studies, and what we really 
needed was to develop an accurate threat assessment for cyber 
attacks. He reasoned that the private sector could not afford 
to eliminate every vulnerability in their operations and had to 
prioritize.
    In your testimony, you state that the National Cyber 
Security Division employs a threat-independent strategy of 
protecting the Internet and critical infrastructures, and I 
understand the rationale behind that. Nonetheless, have you 
focused on developing a threat assessment of cyber attacks, in 
addition to dealing with your independent strategy?
    Mr. Yoran. Mr. Chairman, our protection strategy is threat-
independent. In the Directorate of Information Analysis and 
Infrastructure Protection, we have the ability to fuse and 
review threat information coming from across the sources with 
which information analysis deals, including law enforcement and 
intelligence.
    Chairman Kyl. Well, let me ask it another way. Mr. Malcolm 
testified that the FBI doesn't do a threat assessment, that 
that is now DHS' job. That may be fine if it is being done and 
if it is very transparent, but I still haven't heard you say 
that DHS has done a threat assessment for cyber attack.
    Again, I appreciate the rationale for the need to protect 
against and deal with an attack, whatever its source. But in 
order to appreciate the potential, and therefore devise ways of 
dealing with a specific kind of attack, it seems to me that DHS 
must be carrying out a cyber threat analysis and must have some 
kind of threat analysis in existence.
    This is something that I had talked with Mr. Mueller about 
before DHS existed as part of the overall response to 9/11, in 
which it was determined that the FBI no longer could simply 
respond to crimes and investigate them and provide evidence to 
prosecutors to prosecute the crimes, which is pretty much, Mr. 
Malcolm, what you said the role was with the creation of DHS.
    That is fine, if somebody else is now doing the job that we 
had asked the FBI to do right after 9/11, not leaving it just 
to the CIA. But in this country, we needed a threat assessment 
of cyber attack; it had to be done by somebody. If the FBI 
isn't doing it, then we need to know that DHS is doing it and I 
am still not clear on what DHS does in this regard and what you 
have in this regard.
    Mr. Yoran. Mr. Chairman, the Department of Homeland 
Security, in accordance with Homeland Security Presidential 
Directive 7, is developing a critical infrastructure protection 
plan which would be an integrated threat and protection 
strategy. It does not stovepipe cyber threats as an independent 
or stovepiped approach or threat to our infrastructures, but 
looks at cyber as one component of infrastructure protection.
    I would also add that through conducting exercises such as 
Live Wire, we are looking at threats against our 
infrastructures and ways which we can improve our preparedness 
and our response capabilities to cyber as an integrated attack 
vector to our Nation.
    Chairman Kyl. Well, I appreciate that. Is somebody else 
doing a threat analysis of cyber attack from terrorists or 
other state sponsors?
    Mr. Malcolm. Mr. Chairman, perhaps I will throw Mr. Yoran a 
lifeline, which is that DOJ has participated in things like 
Live Wire and, through CCIPS, we work very closely with DHS. I 
didn't hear Mr. Yoran to say that DHS is not doing that threat 
assessment. I heard him to say that it is subsumed as part of 
general critical infrastructure threat assessment.
    I can tell you, for instance, that in work dealing with 
telecommunications transactions, sub-cyber transactions within 
the Committee for Foreign Investment in the United States, I 
work on behalf of DOJ on that interagency committee. I have 
worked with Mr. Yoran, I have worked with Mr. Liscouski.
    We have discussed on numerous occasions vulnerabilities, 
including cyber vulnerabilities, and we do that vulnerability 
assessment both in terms of the current infrastructure and also 
in terms of players--nation states, potential private company 
threats within that worldwide infrastructure.
    Mr. Yoran. Mr. Chairman, I would just add you mentioned 
earlier the National Intelligence Estimate currently being 
released this week for a classified understanding of cyber 
threats, and also a focus or a requirement--not to openly 
disagree with Mr. Pethia's opinion, but the focus is and needs 
to remain on infrastructure services.
    And the goal here, the intent, is not cyber preparedness 
for cyber security's sake. It is in the delivery of 
infrastructure services to serve the public, and so we need to 
look at cyber as part of an integrated approach to 
infrastructure protection.
    Chairman Kyl. Well, I appreciate that, but I know--well, 
let me just ask this question. The NIE is being prepared by a 
group of agencies of our Government, and there will be 
primarily the classified version of that which includes 
obviously intelligence collection and our military use of 
cyber.
    But as a separate threat to our infrastructure, whether it 
be primarily Government or purely private sector, is there 
anywhere that you know of in our Government a specific threat 
assessment of terrorists or state sponsors of terror with 
respect to the Internet or our cyber security? I shouldn't just 
say the Internet because there are systems that aren't 
necessarily directly Internet-connected.
    Mr. Lourdeau. If I may answer, Chairman, the Cyber Division 
at the FBI has created--and I believe we have shared it with 
your staffers--the FBI's cyber threat assessment which is 
target-based to the threats, the targets that we believe are 
threats to the United States. That is, again, a classified 
threat assessment and we will be more than happy to share that 
with you.
    Chairman Kyl. Well, is this a target-based assessment of 
threats from any source or is it an assessment of the risk from 
terrorism to the system?
    Mr. Lourdeau. Again, it is directed toward identifying the 
targets that are threats to the United States, and so it goes 
toward terrorism and state nations, and then the whole range of 
the concern over the Internet as far as child pornography, 
Internet fraud, intellectual property rights. It reaches all 
different aspects of cyber.
    Chairman Kyl. Well, I don't mean to belabor this, but 
obviously I need to get some more follow-up from each of you on 
this point and I would like to have some further clarification.
    It seems to me that in properly analyzing the threat and 
how to protect our systems, both government and non-government, 
when you have kind of a matrix, for one thing you examine the 
vulnerabilities, the threat-independent assessment of the 
private and governmental sectors. But you also would be 
obviously aided by an analysis of the kinds of attacks which 
could occur, ranging from the relatively benign nuisance kind 
of attacks, to non-benign hacking, to criminal enterprises, to 
terrorist attacks, and then specifically state-sponsored 
intrusion for all of the reasons that states attempt to 
intrude.
    Now, at that level you are really into classified material, 
I understand. But it seems to me that the assessment should be 
on both sides: who might attack us, and why and how, and how is 
our system vulnerable. I understand that when an attack occurs, 
you can't know immediately where it is coming from, and one of 
the first things is to try to figure that out so you know where 
you have to go. And it doesn't much matter in the early stages 
whether it is from a state or a terrorist or a couple of 
hackers who, in effect, replicate terrorists. But it is 
important as time goes on to know how to deal with it and what 
are the systems to warn or shut down, and so on.
    So I am still trying to understand whether there is a 
document, other than the NIE that is coming out--and perhaps it 
will be all-inclusive; I don't know--which analyzes the types 
of threats, including an assessment of risk from terrorist 
organizations. I mean, can I find a document that does that, 
and if so, what is it? Do any of you know where that might be?
    Mr. Lourdeau. Again, our threat assessment does not really 
address the vulnerabilities that would be attacked. We are 
looking at the entities or the places that might attack the 
U.S. That is what the FBI is focusing our energies on, is 
trying to address those threats. So, again, if I understand 
correctly, it is not as complete an assessment as what you are 
looking for.
    Chairman Kyl. But now what you just said then contradicts 
at least what I thought I heard before. DHS is looking at the 
vulnerabilities of the government and non-government systems in 
a threat-independent way.
    What you just said, Mr. Lourdeau, is that the FBI is 
actually looking less at the vulnerability of the systems than 
to the origins of the threat to try to understand those threat 
origins. Is that correct?
    Mr. Lourdeau. That is correct.
    Chairman Kyl. So is there a threat assessment that is 
prepared by the FBI from that point of view?
    Mr. Lourdeau. Yes, sir.
    Chairman Kyl. Okay, and I presume there are both classified 
and unclassified versions of that?
    Mr. Lourdeau. We just have a classified version.
    Chairman Kyl. All right.
    Mr. Lourdeau. And that has been shared with your staffers.
    Chairman Kyl. Okay. My staff is shaking his head no, so we 
will need to get this--
    Mr. Lourdeau. I am sorry. We will make sure that it is 
available to you.
    Chairman Kyl. Okay. So then just to summarize this point, 
let me just ask you all, do you think--Mr. Yoran, let me 
specifically ask you, do you think that our Government 
somewhere needs to have a threat assessment of potential 
terrorist attacks on government and non-government 
infrastructure?
    Mr. Yoran. Sir, if I could defer a response until after we 
see what comes out in the National Intelligence Estimate, I 
think at this stage, with the report pending this week, it 
would be premature to say that we need an additional threat 
assessment on what the capabilities are of various 
cyberterrorist organizations.
    Chairman Kyl. I am not saying additional. I mean, maybe 
that does the trick, but we need a threat assessment, right?
    Mr. Yoran. Yes.
    Chairman Kyl. In other words, the DHS threat-independent 
work that you are doing, you would agree, is not enough?
    Mr. Yoran. Sir, that is focused on vulnerability 
identification and protection remediation strategies. It is not 
focused on threat assessment.
    Chairman Kyl. Right, but you assume that the NIE will, in 
fact, also focus on a threat assessment?
    Mr. Yoran. Yes, sir.
    Chairman Kyl. Right, assume that, and so we will take a 
look at that and visit with you all on that later.
    Mr. Yoran. Sir, we have been working through the 
directorate and the information analysis folks in the 
production of that NIE. So we are an integral part of the 
production of that document and understanding what is happening 
there.
    Chairman Kyl. Well, again, I don't mean to belabor it, but 
I happen to know that, for example, intrusions into key 
Government computer systems by what we believe to be states 
represents a totally different kind of threat than the 
occasional--not occasional--it is almost ongoing, constant 
hacking by pretty capable people. And you deal with those 
vulnerabilities in different ways, right?
    Mr. Lourdeau. Yes, sir.
    Mr. Yoran. Sir, you deal with the threats in different 
ways.
    Chairman Kyl. Yes, that is exactly right, but whether the 
system is vulnerable to a particular technique that may be used 
by both a state sponsor, a terrorist or a hacker isn't the only 
point in being able to defend. It is also helpful to assess the 
threat coming from each of those various sources. At least it 
seems to me it is. I will be curious to get some follow-up 
response from each of you, including we will take a look at the 
NIE and then visit with you.
    Mr. Malcolm, you specifically mentioned the USA PATRIOT Act 
and I appreciate your doing that. We may well need to follow up 
on your testimony there to get an elaboration of why it is so 
important to permit those sections that you said are very 
valuable to you to remain and not be sunsetted.
    If I could just even at this point ask you for any 
additional information that you could elaborate for us on that 
point, I would appreciate it, because one thing that we want to 
do in this Subcommittee is be sure that when that debate on 
sunsetting begins that we have developed all of the information 
we need to demonstrate why we need to retain key provisions 
of the PATRIOT Act and why, in fact, it is working and doing a 
job right now. And that was your point.
    Mr. Malcolm. Well, I welcome that opportunity and I will be 
certain to do so in even greater detail than what I am about to 
tell you in follow-up questions. But certainly in terms of the 
ability to get computer records through nationwide search 
warrants, the enlarged scope of information that is obtainable 
by subpoena--those are tools that prosecutors across the 
country are using every day to catch terrorists and serious 
criminals.
    In terms of things like, for instance, the emergency 
exception for obtaining stored communications, I know of at 
least one case that involved a bomb threat to a high school in 
which the owner of the network had not been aware of the fact 
that there was now a life-and-limb emergency disclosure 
exception. Upon being made aware of that, he turned over the 
content of those communications and law enforcement authorities 
were immediately able to trace the perpetrator of that threat 
to a student in the school.
    I know that that disclosure exception has also been used 
recently in the threat against a U.S. embassy overseas. There 
are many examples that I am confident I will be able to provide 
you.
    Chairman Kyl. Thank you for that. I think it is really 
important that we get this information out because, as you 
know, the PATRIOT Act is under attack by some who I think fail 
to appreciate the way in which it has helped our law 
enforcement. So the more we can get that information out, the 
better we are going to be.
    Mr. Malcolm. Thank you, Senator.
    Chairman Kyl. This past week, DHS launched the Protected 
Critical Infrastructure Information program to enable the 
private sector to voluntarily submit infrastructure information 
to the Government. In the past, we have had testimony before 
our Subcommittee that businesses have been reluctant to provide 
certain information to the Government or even share it with 
other businesses, fearing, for example, that it would harm 
their business if the public understood what was potentially or 
actually happening to them.
    They also feared that information might be obtained by the 
public under the Freedom of Information Act, and also possibly 
that sharing of this information or strategies of dealing with 
it might even violate antitrust laws. That was another concern 
that they expressed to us. Senator Bennett and I had a bill in 
2001 that would have eliminated those problems, and the 
Homeland Security Act of 2002 did address the FOIA issue which 
established an exception for certain data submitted to DHS.
    Particularly for Mr. Yoran or Mr. Malcolm, do you know of 
any impediments today that prevent the private sector from 
fully reporting cyber intrusions and critical information data 
to the PCII program or other Federal agencies? Is there 
anything further that we need to do that you know of?
    Mr. Malcolm. Actually, Senator, I testified about that 
issue. Really, that question would probably be better addressed 
to Mr. Schmidt on the second panel, since he is in the private 
sector and they are the people who possess the information.
    Chairman Kyl. Okay.
    Mr. Malcolm. We have certainly, with the help of people 
such as yourself, tried to address those concerns so that we 
can get the information that we need to do our job, since, as 
has been pointed out several times now, 85 to 90 percent of 
these networks are controlled by the private sector. To some 
extent, we don't know what we don't know, but we have certainly 
bent over backwards and appreciate your assistance to make it 
easier to report that information.
    Chairman Kyl. I appreciate that. Of course, we will ask the 
question. But, before, it was the law enforcement agencies that 
were saying we are not getting cooperation from the private 
sector because they have these fears. So that was really the 
impetus for our legislation.
    This is kind of a general follow-up, but in your testimony, 
for example, you discussed the Department's successes in 
prosecuting cyber criminals. Are there any other modifications 
to the law that you can think of that you want to bring to our 
attention that might help you in doing your job?
    Mr. Malcolm. I am confident, Mr. Chairman, that if I put my 
mind to it, I could think of one or two. Suffice it to say 
these are very sophisticated criminals who are very good at 
perpetrating these acts and very good at covering their tracks. 
We are constantly thinking of new ways to get information as 
rapidly as possible because this type of evidence is truly 
evanescent and is gone within seconds. We are happy to work 
with your staff to come up with some proposals.
    Chairman Kyl. Okay. Well, for all three of you, anytime--
not just after this hearing, but anytime you become aware of 
improvements that we could make in the law, I mean one of our 
jobs in this Subcommittee is to constantly--that is why we have 
had so many hearings on this subject, to pin you. Is there 
anything else we need to be doing here to follow through on 
your request to retain these provisions in the PATRIOT Act and 
provide a forum for discussion and education on that matter?
    So if at any time there is something that comes across your 
desk that you think we could profitably deal with, we invite 
you to bring that to our attention. That is our job in this 
Subcommittee.
    Mr. Malcolm. Thank you.
    Chairman Kyl. Is there anything else that any of you, based 
upon what I have said--I didn't mean to ever cut any of you 
off, but is there anything that any of you would like to bring 
to our attention here before we bring up our second panel?
    Well, we will look forward to reviewing the NIE and then 
getting back to you and determining whether there is any 
follow-up that we need to make from that. Unless you have any 
further, then what we will do is call the second panel up. I 
want to thank you for your testimony here. We will be staying 
in touch with you, and again call on us if you think that our 
Subcommittee can help.
    Mr. Malcolm. Thank you, Mr. Chairman.
    Chairman Kyl. Thank you.
    I have already introduced our other two witnesses, Mr. Dan 
Verton and Mr. Howard Schmidt. Simply because that is the way 
you line up, unless by prior agreement you would like to switch 
it, Mr. Verton, we could start with you and follow with Mr. 
Schmidt.
    Is that all right with the two of you?
    Mr. Verton. Yes.
    Chairman Kyl. All right. Again, we will use the lighting 
system here to just let you know when you have concluded 5 
minutes, but obviously we are anxious to hear anything you have 
to say. So thank you.

        STATEMENT OF DAN VERTON, AUTHOR, BURKE, VIRGINIA

    Mr. Verton. Well, thank you, Mr. Chairman. I want to thank 
you for the honor of appearing before you today to discuss what 
I think is an urgent national security matter.
    I am heartened to hear that the National Intelligence 
Estimate will be released this week. I might add that my latest 
research shows that that is about 5 years late at this point. 
One of your colleagues in the House requested one that long ago 
and it is finally coming out. I don't know if 5 years is really 
the time frame fast enough to keep up with cyber threats, so I 
think that is a very important development this week.
    Chairman Kyl. If I could just interrupt, I concur in your 
comments. When we scheduled this hearing prior to our break, we 
did not know that this was the time that the NIE was going to 
be released or perhaps we would have done it afterward. 
However, given the fact that a lot of that will be classified 
and not subject to discussion in an open forum like this, I 
think it is well to go forward with this hearing, but perhaps 
we will have to do some follow-up. But thank you for that.
    Mr. Verton. What I would like to do today, Mr. Chairman, is 
actually try to give you an open-source threat assessment, if 
you will. What I would like to cover today is the Nation's 
current level of vulnerability to cyberterrorism, al-Qaeda's 
specific capability to conduct cyberterrorism, and the 
potential implications for a combined physical and 
cyberterrorist attack against U.S. critical infrastructure.
    Before meaningful discussion can be conducted about the 
Nation's vulnerability to cyberterrorism, I think it is 
important to know that there is no longer any separation 
between the physical, real world and the cyber world. Computers 
control real things in the real world, and most of these 
things, as you have already heard, are critical infrastructures 
that have both financial and economic implications, as well as 
public safety implications.
    This understanding must lead us to a new, more flexible 
definition of cyberterrorism. We can no longer view 
cyberterrorism with blinders on, simply from the perspective of 
somebody sitting behind a computer and launching malicious code 
or hacking and disrupting other computers and other computer 
networks.
    If there is one thing we learned from 9/11, it is that 
traditional physical terrorist attacks can have devastating 
cyber ramifications for the U.S. critical infrastructure, and 
it can also disrupt to a significant extent the United States 
economy. A little bit later on in my statement, I am going to 
get to where the economic aspects of cyberterrorism fit into 
this puzzle.
    It is an unprecedented level of interdependency that right 
now accounts for most of the vulnerability of the U.S. critical 
infrastructure. The economy right now has multiple Achilles 
heels. Every sector is dependent upon another sector for their 
day-to-day operation. As we learned on August 14, which I will 
address a little bit later in more detail, no one sector can 
survive without electric power, without telecommunications, and 
so on and so forth.
    Perhaps one of the most important areas where an 
unprecedented level of vulnerability remains today is in the 
widespread adoption of wireless technologies. Although there 
are tested ways to secure wireless technologies that are being 
adopted today, they are not always adopted correctly, they are 
not always managed correctly, and sometimes they are not 
deployed at all.
    In my research, I have found evidence of unprotected 
wireless networks in use at hospitals; curbside baggage 
checking at some of the Nation's largest airlines; remote 
heating systems for portions of the railroad network; in 
support of emergency controls and alarms for uranium mining 
operations; at water and waste water treatment facilities; 
security cameras at both airlines, airports, and at defense 
installations; and at oil wells and water flood operations 
around the country.
    Let me just say a word about SCADA systems, since you have 
heard some talk about SCADA systems this morning already from 
the first panel. Despite what you may be told, SCADA systems 
are not the secretive, proprietary systems that their name 
implies--supervisory control and data acquisition systems--nor 
are they separate from the public Internet.
    In some cases, they are indeed protected, but in most 
cases--and I have seen this through my own research with my own 
eyes--wiring diagrams that connect the real-time control 
systems that run the day-to-day operations of the electric 
power grid in the United States are connected to the corporate 
networks of some of the utilities around the country.
    Now, this indirect connection provides the connection to 
the public Internet and is what makes these control systems 
vulnerable to things like the Blaster Worm, and so on and so 
forth. So there is, to my knowledge, a major research and 
development program underway right now to provide security for 
those systems. But make no mistake about it, they are indeed 
vulnerable to attacks over the general Internet.
    My fear then, Mr. Chairman, is that the next time we 
experience a major power failure, such as August 14 of last 
year, it will not be a self-inflicted wound--for example, a 
self-inflicted failure--but it will be a terrorist-induced 
failure that is quickly followed up either by suicide bombings, 
by out-of-control gunmen on the streets of Manhattan where 
thousands of people are coalescing, or by chemical or 
biological attacks on the folks who are stranded in the subway 
systems. And that goes directly to the use of cyberterrorist 
tactics as a force multiplier, not in an end to itself, but as 
a force multiplier effect for traditional-style terrorist 
attacks.
    As far as the ability of groups such as al Qaeda to carry 
out successful cyberterrorist attacks, I think it is important 
for us to start now thinking differently about the future, and 
particularly thinking differently about the future of 
international terrorism.
    The high-tech future of terrorism is inevitable, and like 
the events leading up to September 11--events that we ignored 
for 8 years prior to that event--we are now beginning to see 
the indications and warnings that terrorist groups understand 
the advantages of using cyberterrorist tactics against the 
United States. Also, these tactics, as you will see here in a 
few minutes in my statement, support the strategic goals of 
groups like al Qaeda, strategic goals that we have not yet paid 
much attention to.
    Terrorism is in a constant state of evolution, and 
terrorist tactics and modes of operation evolve over time. 
Sometimes, they evolve so slowly that we fail to recognize 
them. Al Qaeda's view of cyberterrorism is a case in point, and 
because I think I am running out of time here, let me get 
quickly to some concrete examples of al Qaeda's movement toward 
the adoption of cyber tactics from an offensive standpoint.
    L'Houssaine Kherchtou was a 36-year-old Moroccan who was 
recruited by al Qaeda and he attended electronics training in a 
guest house owned by Osama bin Laden in Peshawar, Pakistan, in 
the early to mid-1990's. Mr. Kherchtou showed up with 
absolutely no credentials whatsoever in electronics training, 
and there were two instructors that were present at the 
facility and they were working on advanced encryption 
algorithms, advanced methods of breaking encryption for the 
nations that were trying to track them down, and various other 
ways to use high technology to create fraudulent travel 
documents.
    Because he had no understanding and no formal training in 
electronics, they basically started him at the ground floor. 
They handed him a book and told him to take apart an old 
computer and start to learn what the components of the computer 
were.
    Several weeks later when a more senior instructor arrived 
at the guest house, he asked Mr. Kherchtou the same question. 
What are your credentials? And, of course, he said he had no 
credentials. That senior instructor then said to him he was not 
allowed to attend that training. He first needed to go to the 
local university and earn a degree in engineering and then he 
would be allowed to come back and conduct that training.
    Now, the importance of this example is that the picture 
most Americans have of al Qaeda and other terrorist groups is 
as a mindless horde of thugs living a hand-to-mouth existence 
in caves in Afghanistan. But the example I just gave you is a 
technologically sophisticated, thinking enemy that values 
formal training and I think we need to change our--this goes 
directly to the National Intelligence Estimate and the 
questions that you were asking about who are we worried about.
    The second example that I will give you is an interview I 
conducted in November of 2002 with a gentleman named Sheikh 
Omar Bakri Muhammad. Just to give you an idea of the type of 
individual we are talking about, Bakri Muhammad is the leader 
of a London-based organization called al Muhajirun. He 
considers himself to be the official spokesman for the 
political wing of al Qaeda, as if there is such a thing as the 
political wing of al Qaeda. This is an individual who has 
recruited suicide bombers by his own admission, and his 
organization has been linked through FBI memos to various 
individuals at Phoenix area flight schools to his London-based 
organization.
    He spoke to me for about 30 minutes, during which most of 
the time was taken up speaking about the justification for 
using weapons of mass destruction in support of the global 
jihad being waged by al Qaeda. But then he got specifically to 
the issue of using technology against the United States, and 
you can attribute the following quotes to Bakri.
    ``In a matter of time, you will see attacks on the stock 
market.'' ``I would not be surprised if tomorrow I hear of a 
big economic collapse because of somebody attacking the main 
technical systems in big companies.'' And he said, ``The third 
letter from Osama bin Laden...was clearly addressing using the 
technology in order to destroy the economy of the capitalist 
states. This is a matter that is very clear.''
    This is the first time that a high-profile radical Islamic 
cleric has spoken in such a detailed manner about the potential 
for using sophisticated cyber attack tools against the United 
States in support of a strategic goal, which is to damage the 
economy of the United States.
    There is nothing in the driving factors from my research 
behind al Qaeda's operations, which are intent, resources and 
opportunity, to suggest that al Qaeda would rule out using this 
method of attack.
    First, the strategic intent of this group is clear. Al 
Qaeda wants to cripple the economy of the United States in 
order to force us to withdraw our military from around the 
world, and also to withdraw our support for Israel and the 
Middle East. The targeting of corporate America in this respect 
is clear.
    Second, the growing number of technologically sophisticated 
sympathizers around the world, especially among young Muslim 
children around the world who are successfully being 
radicalized by groups like al Qaeda today--these are the 
children who are now studying computer science and mathematics, 
who tomorrow may feel it is more advantageous for them to 
strike out at the United States through computers or targeting 
the cyber infrastructure rather than strapping dynamite around 
their waists and walking into crowded cafes. Tomorrow's threat 
may not look like today's threat. In fact, tomorrow's threat 
probably will not look like today's threat, and the frightening 
thing is that tomorrow may literally be tomorrow.
    Finally, America continues to present al Qaeda, as you have 
heard this morning, and other terrorist groups with ample 
economic targets in cyberspace. There is really great work 
being done, but we are almost now heading into the third 
anniversary of 9/11 and we are nowhere near where we should be, 
in my opinion.
    Finally, the potential danger stemming from combined 
physical and cyberterrorist attacks was proven in November of 
2000 during the first major infrastructure interdependency 
exercise that took place in the Pacific Northwest.
    Known by its code name Black Ice, the exercise was 
sponsored by the U.S. Department of Energy and the Utah Olympic 
Public Safety Command. When it was over, Black Ice demonstrated 
in frightening detail how the effects of a major cyberterrorist 
attack can significantly amplify the effects of either a 
natural disaster or a traditional physical-style terrorist 
attack.
    Without going into details of the exercise, I will make 
this one point about the exercise. Unlike many other similar 
exercises that have taken place since, this was an exercise 
scenario that was developed with the help of the actual owners 
and operators of the critical infrastructures in that region.
    So the owners of the electric power grid, the owners of the 
telecommunications networks, the owners of the natural gas, 
government, emergency services, got together and they asked 
them to provide them with their worst-case scenarios, their 
worst fears based on their inside knowledge of their own 
vulnerabilities. It was a very realistic scenario.
    The end result, according to my interviews with the 
officials who put together the exercise, was that electric 
power from a combined physical and cyberterrorist attack would 
be lost for at least a month throughout a five-State region of 
the United States and three Canadian provinces. Some estimates 
put it at several months, and a lot of that had to do with the 
physical aspects of the attack because we do not stockpile 
strategic reserves of electric-generating systems. Most of them 
are manufactured overseas and it would probably take that long, 
if those systems were physically destroyed, to get them here 
into the country.
    Black Ice showed the growing number of critical 
interdependencies that exist throughout the various 
infrastructure systems and how devastating these types of 
attacks can be. Perhaps most important, the final report on the 
lessons learned from Black Ice, as well as a follow-on exercise 
code named Blue Cascades, concluded the final statement: 
government and private sector participants, quote, 
``demonstrated at best a surface-level understanding of 
interdependencies and little knowledge of the critical assets 
of other infrastructures.'' Moreover, most companies and 
government officials failed to recognize their own 
``overwhelming dependency upon IT-related resources to continue 
business operations and execute recovery plans.''
    So with that, Mr. Chairman, I will hand it over to my 
colleague, Mr. Schmidt, and I will be happy to answer your 
questions.
    [The prepared statement of Mr. Verton appears as a 
submission for the record.]
    Chairman Kyl. Thank you, Mr. Verton.
    Mr. Schmidt.

   STATEMENT OF HOWARD A. SCHMIDT, VICE PRESIDENT AND CHIEF 
 INFORMATION SECURITY OFFICER, EBAY, INC., SAN JOSE, CALIFORNIA

    Mr. Schmidt. Thank you, Mr. Chairman. It is good to see you 
again and thank you for your leadership, and Senator Feinstein, 
for this issue that is very critical to all of us.
    As you are very much aware, when we put out the National 
Strategy to Defend Cyberspace almost a year ago now, a little 
over a year ago, it was probably the first and maybe only time 
that we have ever engaged in public dialogue in the creation of 
a national strategy. We held a series of town hall meetings. We 
held meetings with CEOs, with journalists, with anyone we could 
get a hold of to talk about what it would take to secure and 
defend cyberspace. As you made the comment in your opening 
comments, Secretary Ridge has also stated an insecure computer 
anywhere is a weakness within the network.
    Today, my remarks will primarily focus on some of the 
threats we see, the nature of the threats themselves, some 
insights as to what we have been doing relative to the private-
public partnerships, and a few ideas that I think the 
Subcommittee would hopefully find valuable, some things we can 
do moving forward.
    The good thing about being the clean-up hitter is all the 
scary stories have already been told, so I get to focus a 
little bit on some of the things that we can do to help 
remediate some of these.
    First and foremost, I would like to put things in 
perspective. It is estimated today that there are over 840 
million users on the Internet, and it is expected to grow to 
over 904 million at the end of 2004. So even though we have 
this great capacity--and eBay is a perfect example of that; 
millions of people worldwide make their living in using this 
great resource we have and providing a global economic 
democracy. But by the same token, our dependencies have 
increased significantly as we have put more systems out there 
to work with.
    The interesting piece of this is during the Cold War we had 
the ability, those of us in defense, to look at many different 
aspects of threat assessments and intelligence data, 
satellite data, to sort of determine where the enemy was 
looking at and where we need to protect.
    But in this era of the online world, particularly in 
cyberspace, we don't have that capability. It doesn't make any 
difference to many of us whether the attack comes from the 
Mideast or the Midwest, Eastern Europe or northern Arizona. If 
it is disruptive to our critical infrastructure, our critical 
cyber infrastructure, we care about it.
    Now, we see this manifesting itself in a number of 
fashions; first and foremost, denial of service attacks; 
hacking; phreaking, which used to be very prevalent in the 
1980's and which is coming back again, that is the hacking of 
PBX systems; authentication attacks; identity theft; phishing, 
the latest scams that we have been seeing which could lead very 
easily to identity theft; malicious code; viruses, et cetera; 
and, of course, as many of us have mentioned, the SCADA and 
digital control systems.
    But we have seen an evolution. It used to be at one time if 
you wanted to take on a nation or you wanted to take even a 
small country on, you needed some sort of weaponry. Now, we 
have seen with the--and I will use the illustration of the 
denial of service attacks in 2000. A number of universities and 
businesses were taken over to launch attacks, ranging in the 
space of about 800 megabits per second, 800 million characters 
per second being thrown at systems.
    What we are seeing now with the great advent of technology 
and cable modems and DSL is we are seeing instances where there 
are 20 to 30,000 systems that now are owned by unknown groups 
that can launch those same denial of service attacks at more 
than 2-gigabit-per-second rates.
    Also, the area of zero-day vulnerabilities. The time frame 
between the discovery of a vulnerability and the release of an 
exploit is increasingly smaller. We have seen initially 6 
months to a year; now, we are seeing a matter of hours and days 
that takes place.
    The last threat I am concerned about, of course, is what we 
refer to as the blended threats. We saw this in the form of 
Code Red and NIMDA and, of course, NIMDA occurred just one week 
after September 11. And neither one of those today have we been 
able to identify the source, whether it was indeed a criminal 
organization, a clever hobbyist, or indeed a terrorist 
activity.
    Now, quickly to the private-public partnerships, one of the 
major improvements we have seen in working with the 
manufacturers of software and hardware over the past couple of 
years is their commitment to make products more secure out of 
the box, and to make sure that they reduce the number of 
vulnerabilities. But this will take some time.
    We don't have the capability or the financial wherewithal 
in today's economy to rip out IT infrastructure that was not 
designed to meet the current threats that we are dealing with. 
So it is going to be an evolutionary process. It is going to 
take some resources and it is going to take some planning to be 
able to do this.
    Additionally, the creation of the U.S. CERT at Carnegie 
Mellon University with DHS has also provided a gateway for the 
private sector to get more up-to-date information around 
threats that don't have to be a part of a big organization. 
Anybody can do it, regardless of the size of their 
organization.
    Another thing that has been helpful for the private-public 
partnerships is the FBI, as John Malcolm mentioned, and the G8 
Subcommittee on Cyber Crime have now engaged private sector 
representatives as delegates of these discussions. Also, the 
State Department has engaged the private sector. So we do have 
a lot more private sector involvement in these areas.
    In my final few seconds here, I want to touch briefly on 
some quick recommendations that I see of vital importance to 
us. First and foremost, in the area of cyber crime 
investigations, as you pointed out earlier, we don't know until 
we put the habeas gravis on someone what their motive is or 
where they are coming from. But it is important to make sure as 
we develop this information, as we conduct investigations, 
including investigations where we never identify someone, that 
we have the ability to correlate and aggregate that data.
    Currently, a lot of the agencies, particularly Federal 
agencies--the Secret Service's Electronic Crimes Task Force, 
the FBI's cyber crime squads--are doing really good work. But 
what we are not seeing is that joining of the forces to be able 
to at some point connect the dots that says an investigation 
that one agency is working on is related to one that someone 
else is working on. My fear, Mr. Chairman, is someday we will 
have a Committee hearing on why we didn't connect those dots 
relative to law enforcement activity.
    The second piece is identity management. We have seen, as 
was mentioned earlier by Senator Feinstein, attacks on defense 
systems. A lot of those have been successful in the past just 
because someone has been able to hijack someone's identity by 
failure of the system, a blank password, for example.
    Identity management is crucial to us to be able to do a 
better job in securing the systems. Two-factor authentications, 
such as Defense is now going to with the smart card concept--
the two-factor is something you have, such as a physical device 
and the PIN number, very similar to the ATM cards we use today. 
These things are critical to provide better authentication into 
our systems as we move forward.
    The last one, as was touched on by the previous panel, is 
vulnerability remediation and patch management. General Dave 
Brian at the Joint Task Force for Computer Network Operations 
at DoD has cited for a number of years that 98.7 percent of the 
successful intrusions into defense systems were related to not 
having a patch on the system. If we could reduce the 
vulnerability by that amount, it would be a tremendous service 
to our ability to secure the critical infrastructure.
    In my reserve capacity as a special agent with Army CID, I 
get to work with the folks over at the Law Enforcement 
Counterintelligence Cell. And to your earlier question about 
the threat analysis, these folks are doing that on a regular 
basis, and DoD has been doing it for a long time, identifying 
potential threats both in nation states and including organized 
hacker groups.
    So with that, I would like to thank you once again for the 
opportunity and turn it back to you, and I would be happy to 
answer any questions you may have.
    [The prepared statement of Mr. Schmidt appears as a 
submission for the record.]
    Chairman Kyl. Well, thank you both very much. First, let me 
just follow up on a question that I asked the previous panel 
that has to do with the needs of the private sector.
    Mr. Schmidt, I will start with you on this. We did the FOIA 
legislation, so that you don't have to worry if you are a bank 
and you report to the center that you are being hacked. You 
don't have to worry about people later being able to find out 
all about that, but there are still some concerns like the 
antitrust concerns.
    Is there anything that you know of, based upon your work 
with the private sector, that we need to do from either a 
Federal legislative standpoint or better administering the 
cooperative efforts between the private sector and the 
Government?
    Mr. Schmidt. Yes, and I thank you. I had dinner with 
Senator Bennett last night and thanked him once again for the 
FOIA legislation. That has really opened up some doors. I think 
the concern we still have, though, is the States and the 
sunshine laws that we face in the States.
    During my time at the White House, I worked with the folks 
at the New York Department of Homeland Security, and the public 
utilities commission was sending out subpoena after subpoena 
asking for information from telecommunications carriers and 
energy providers to provide them with information which is 
fully discoverable.
    So some sort of a Federal preemption would be helpful in 
order to be able to work across this area with the relative 
security of knowing that we can provide this information to 
help better secure up the infrastructure without displaying our 
vulnerabilities to anybody that cares to exploit them.
    Chairman Kyl. Okay, at least perhaps starting with some 
effort at a voluntarily cooperative effort with State law 
enforcement and other officials, and maybe start with that 
before we try to actually preempt the field. But maybe we would 
have to preempt it is what you are saying?
    Mr. Schmidt. Well, I think that is one of the options. And 
to your point of the relationship with State law enforcement as 
well as Federal authorities, we have had a number of cyber 
crime summits around the country, generally led by the 
Information Technology Association of America and the FBI. 
These brought in senior leadership, as well as senior law 
enforcement folks, to engage in that dialogue on a voluntary 
basis, and we see that taking place.
    But as you know yourself, that is often agent-to-agent or 
investigator-to-investigator type of activity. But when you go 
to the general counsel and say, well, listen, we think we have 
something we need to talk to someone about, there is a great 
deal of concern about that. I think the way to mitigate that is 
to actually get this down the system enough to make sure that 
we can say, yes, we are protected by some of the 
legislation that is currently in place.
    Chairman Kyl. Mr. Verton, your book uses the term 
``invisible threat.'' We know that terrorists' primary goal is 
to spread fear, to spread terror. If you are a terrorist now 
and you are very familiar with the Internet--you raise money 
with it, you communicate with your buddies through use of the 
computer--what kind of a plan would you dream of putting into 
place to maximize the spreading of terror throughout our 
society?
    Mr. Verton. Well, Mr. Chairman, in my book I provide some 
fictional scenarios, and the interesting thing about those 
scenarios is that they are all based on actual events that have 
really taken place in the real world and I have just gone ahead 
and taken the liberty to put them all into one scenario.
    The scenarios are endless, but the things that pop to mind 
when you talk about fear and uncertainty--and, you know, a lot 
of the experts out there, a lot of the people in the IT 
community feel that the term ``cyber terrorism'' or terrorist 
use of information technologies is in and of itself fear, 
uncertainty and doubt, something that will never happen because 
they are not interested in it.
    Well, the fact of the matter is, as your question implies, 
fear and uncertainty and doubt are key components of 
cyberterror, what they would like to create by using this 
tactic. So I can imagine a scenario where some of the wireless 
technologies that I outlined in my testimony at hospitals, for 
example--you can sit in the parking lot and potentially do 
things like change blood types in patient records, so that all 
of a sudden you have people dying of the wrong blood 
transfusions or getting sick so people will become fearful that 
that will happen to them if they get put into the hospital.
    You have got scenarios where you can have people fearful of 
putting their money in the market if attacks on the stock 
market are successful. That is not necessarily maybe terrorism, 
per se, but it is certainly fear that would have an economic 
impact on the economy.
    Chairman Kyl. Well, I appreciate that and that leads to my 
second question for both of you. You heard the first panel. We 
discussed the need for a threat analysis, as well as a 
vulnerability analysis. We have had a lot of the latter, and 
except for the Defense Department which you pointed out, Mr. 
Schmidt, I haven't seen a whole lot of the former.
    So take the case, for example, of al Qaeda looking at the 
U.S. stock market. Is it possible that understanding that 
potential threat as a terrorist threat would cause us to plan 
differently, to put in place different kinds of protections and 
to react differently, as opposed to simply looking at it from 
the back end as a threat-independent situation when it occurs 
and focusing just on the vulnerability of the system?
    In other words, can we protect the infrastructure without 
understanding and taking into consideration the origin of the 
activity; i.e. the nature of the threat? Does it help us both 
to prevent and to deal with the aftermath of an attack if we 
have been able to understand its etiology rather than just its 
effect?
    Mr. Schmidt. You know, that is something we have wrestled 
with for quite a long time, is trying to determine does the 
nature of the threat or the source of the threat make any 
difference on how we are going to protect against it.
    Chairman Kyl. That is a better way to put my long question.
    Mr. Schmidt. I think most of us in the business agree that 
irrespective of the nature of the threat, we are going to have 
to take the same forward steps to protect against anything 
because we never know. As I mentioned earlier, during NIMDA and 
Code Red, we to this day don't know the source of that. It 
could have very easily been a terrorist, it could have easily 
been a hacker group. But the steps that we have taken to protect 
against that are the same thing as if it were a terrorist 
attack as well.
    It is interesting. The Banking Committee held a hearing in 
the aftermath of the blackout last year and one of the 
questions was were we better prepared from a cyber perspective 
because of much of what we had done as far as vulnerability 
remediation in that event. And the answer was yes, because the 
same response mechanism to bring the systems back up and the 
same ability to identify the systems that are critical to us 
were in play for either scenario.
    Chairman Kyl. Let me give you a devil's advocate question, 
then. Mr. Verton talked about the combination of a physical 
attack and a cyber attack with a synergistic effect far greater 
than the effect of either one of them. That is the kind of 
threat that one would want to be able to anticipate and to deal 
with that would not come from a hacker or somebody trying to 
commit a crime, probably.
    So wouldn't it make sense to try to anticipate the effect 
of the combination of those two occurring at the same time, and 
doesn't that point you more to a threat assessment of terrorism 
potential as opposed to just hacking?
    Mr. Schmidt. The simple answer is yes, that is very much 
the case. The idea of looking at the interdependencies between 
the physical and the cyber world is something that we 
originally had that the National Infrastructure Assessment 
Center is supposed to be working on, looking at the 
interdependencies, looking at the critical systems and what 
happens if we do lose the physical aspect of, say, a telecom 
hotel in New York City. What effect is that going to have on 
our ability to communicate? Those things are critical, and the 
protection of those resources is critical as well.
    Mr. Verton. Mr. Chairman, I will just add to that that 
there is something to be said for knowing your enemy when we 
start to talk about a threat assessment of any group, al Qaeda 
or any other terrorist organization.
    In terms of knowing your enemy, I would hope--and I have no 
way to know this--that there are constant red-teaming exercises 
that are being conducted against the U.S. critical 
infrastructure, a la Eligible Receiver. I don't know that those 
are taking place. However, once you have established a 
capability profile, per se, of a group like al Qaeda, I would 
hope that the NIE, for example, would have some classified data 
on who al Qaeda cells have been coordinating with or 
communicating with in the black hat community, for example, who 
may, in fact, be working with them, if they are at all.
    That would allow us to be able to think like the people who 
are trying to do us harm and to conduct Eligible Receiver-like 
red-teaming against the infrastructure to test our own ability 
to withstand those attacks.
    Chairman Kyl. And it seems to me also that if we were lucky 
enough to find some documents of al Qaeda or some other 
terrorist group that discussed ways of attacking our 
infrastructure, that becomes part of a threat assessment that 
adds some texture to the just general understanding we have 
about the vulnerability of our systems. It gives us a specific 
reason to be perhaps prioritizing.
    Another question here is we have a lot to do and we can't 
do it all at once. You talked about the need to actually 
rebuild portions of our infrastructure because they are not 
secure, and in terms of identifying the priorities one way of 
doing that would be to focus on what potential threats we 
thought were most imminent.
    Mr. Schmidt. That is correct, sir. That is one way to do 
it. One of the things that I think we have developed in that 
public-private partnership ever since the President's 
Commission for Critical Infrastructure Protection in 1996 took 
place is clear identification to the private sector owner-
operators of where their components fit into the bigger 
structure of the overall infrastructure.
    It is kind of an interesting thing because I was with 
Defense at that time, and as I went out and met with CEOs and 
met with other folks, they were very focused on their business 
model and it wasn't very clear to them the dependency that we 
had in Defense, the dependency we have in Justice, the 
dependency we had in the economy of their infrastructure. It 
was just a business to them.
    I think we have seen that change slowly but surely as we 
started to approach Y2K, and then dramatically after the 
September 11 attacks. We have seen people looking at this. 
Where do I fit in this big picture and how can I remediate it 
quickly?
    Even though I disagree with the fundamental premise of Rich 
Pethia saying that there are just too many things to do out 
there and we will never get them done, we can get things done, 
but it has to be done on a priority basis and with the economic 
resources we have, which is a challenge, as you know.
    Chairman Kyl. Let me ask you a final question. It has been 
a year since the President put forward the National Strategy to 
Secure Cyber Space, and you were one of the authors of that. 
What is your assessment of the progress that we have made in 
implementing that strategy?
    Mr. Schmidt. I think we are pretty well on track, and I 
know there are some folks who are somewhat cynical on that, 
saying, well, we expect DHS to do more, we expect the NCSD to 
do more. My answer has been all along that, as everyone has 
pointed out, 80 to 85 percent of this critical infrastructure 
is owned by the private sector. So the call to arms was made, 
the rallying call was there, and the private sector has been 
organizing amongst themselves.
    I flew in on the red-eye this morning from RSA. Senator 
Bennett was out there, and we have organized now 70 chief 
security officers of major corporations, from Hershey Foods to 
Royal Bank of Canada, with us sharing information about how we 
can better conduct our audits, how we can keep our supply chain 
going. That is one example of the private sector not waiting 
for the Government to do something. The expectation was that 
they have got enough work to do trying to organize DHS and we 
will continue to call this forward.
    In December of last year, we had a cyber security summit 
and we have held five task forces. As a matter of fact, on 
March 1 we will have the task force reports that come back, 
everything from awareness and education to corporate 
governance. So there has been a lot of movement. It has not 
been as public as maybe we could have been to advertise it, but 
the movement continues and I think we are making good progress.
    Chairman Kyl. Just one suggestion. Make sure they all have 
a copy of Black Ice. That will get them motivated.
    Mr. Schmidt. I am still waiting for mine.
    Chairman Kyl. Mr. Verton?
    Mr. Verton. Mr. Chairman, I will just add to that that the 
proof is in the pudding. While I applaud the national strategy, 
all of my work suggests that the current non-regulatory model--
and you can make the argument that there is plenty of 
regulation out there already, but the current non-regulatory 
model has not worked yet, has not proven itself up to the 
challenge. I will say otherwise when the situation gets 
appreciably better in terms of security.
    My argument all along was that it is unprecedented in 
American history that the private sector owns so much of the 
national security equation today in terms of owning and 
operating 85-plus percent of the national infrastructure. The 
problem is they have no mandate to be the defenders of America 
against these types of attacks.
    Traditionally, historically it has fallen to the Federal 
Government. The model now is hands-off; allow the private 
sector to do it because the private sector is concerned about 
losing the ability to innovate, losing the ability to be 
flexible in their business processes.
    Well, the problem has been that there is no pressure from 
the consumers on the private sector developers of these 
technologies to change the formula. The buyers are buying what 
the sellers are selling, and right now I have heard time and 
time again that the sellers are not necessarily selling very 
good products from a security standpoint. So until that 
equation changes, I don't think the national strategy will have 
much of an effect.
    Chairman Kyl. In fact, also we encourage a lot of 
competition and deregulation which results in less and less 
robust redundancy and infrastructure. Back in the days of the 
regulated monopolies, for example, of the phone system or the 
utility systems, there was an awful lot of costly redundancy 
built into the system. But the companies could afford to do it 
because they were monopolies.
    Now, you have got a lot of competition out there and 
everybody wants to go right to the margin, so that nobody has 
the incentive to really invest in that robustness of the system 
which from a national security perspective we do have to see 
built in. This is one of the challenges we are going to have to 
deal with, and getting it right, the degree of mandate versus 
an expectation that the private sector will do what is in its 
own best interest. But its own best interest won't necessarily 
always coincide with national security interests.
    Mr. Schmidt. Senator, I would like to just make one quick 
comment relative to Dan. It is sort of a disagreement. I bet you 
there are a whole lot of CEOs that I have talked with, and Dick 
Clarke has talked with, and other folks have talked with, who 
believe they do have a mandate. They believe they have a clear 
mandate to make this infrastructure more secure.
    As a matter of fact, about the time we are having this 
hearing, Bill Gates is going to be making an announcement at 
RSA. Bill Chambers and everyone is committed, and I believe 
they understand they have a clear mandate to make it more 
secure.
    Chairman Kyl. Well, I appreciate that. That mandate has to 
be understood all across the spectrum, and there are certainly 
some leaders and you have certainly mentioned them here. But, 
obviously, through hearings like this and books and through the 
good work that you are doing, Mr. Schmidt, and others, we can 
get the information out there that we have all got a stake in 
this. To the extent that we all participate in the system, we 
can help to protect this Nation.
    Mr. Verton. Mr. Chairman, I think the issue is to get that 
mandate message to the owner of the small utility. Those are 
the individuals I am really referring to.
    Chairman Kyl. Yes, and as somebody mentioned before, it is 
the weakest-link problem that we have here.
    Well, I appreciate both of you testifying here today and 
would appreciate the ability to continue to be in touch with 
you and have you comment on what we are doing here, on the NIE 
when it comes out, to the extent you are able to review it, and 
to provide us with any other information that you think will 
help us do our job.
    I want to make it clear that the hearing record here is 
going to remain open for questions until 5:00 p.m. on Tuesday, 
March 2, and for you all to put anything else into the record 
that you think would be appropriate.
    With that, if there is nothing further to come before the 
Subcommittee, I will declare this hearing adjourned.
    [Whereupon, at 11:44 a.m., the Subcommittee was adjourned.]
    [Submissions for the record follow.]

    [GRAPHICS] [TIFF OMITTED] T4639.001 through T4639.062 (62 
images submitted for the record; not reproduced in this text 
version)