[House Hearing, 109 Congress]
[From the U.S. Government Printing Office]



 
H.R. 285: DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY ENHANCEMENT ACT 
                                OF 2005

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON ECONOMIC
                        SECURITY, INFRASTRUCTURE
                     PROTECTION, AND CYBERSECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 20, 2005

                               __________

                           Serial No. 109-11

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
22-904                      WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512�091800  
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�0900012005


                     COMMITTEE ON HOMELAND SECURITY

                 Christopher Cox, California, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania, Vice      Edward J. Markey, Massachusetts
Chairman                             Norman D. Dicks, Washington
Christopher Shays, Connecticut       Jane Harman, California
Peter T. King, New York              Peter A. Defazio, Oregon
John Linder, Georgia                 Nita M. Lowey, New York
Mark E. Souder, Indiana              Eleanor Holmes Norton, District of 
Tom Davis, Virginia                  Columbia
Daniel E. Lungren, California        Zoe Lofgren, California
Jim Gibbons, Nevada                  Sheila Jackson-Lee, Texas
Rob Simmons, Connecticut             Bill Pascrell, Jr., New Jersey
Mike Rogers, Alabama                 Donna M. Christensen, U.S. Virgin 
Stevan Pearce, New Mexico            Islands
Katherine Harris, Florida            Bob Etheridge, North Carolina
Bobby Jindal, Louisiana              James R. Langevin, Rhode Island
Dave G. Reichert, Washington         Kendrick B. Meek, Florida
Michael McCaul, Texas
Charlie Dent, Pennsylvania

                                 ______

   Subcommittee on Economic Security, Infrastructure Protection, and 
                             Cybersecurity

                Daniel E. Lungren, California, Chairman

Don Young, Alaska                    Loretta Sanchez, California
Lamar S. Smith, Texas                Edward J. Markey, Massachusetts
John Linder, Georgia                 Norman D. Dicks, Washington
Mark E. Souder, Indiana              Peter A. DeFazio, Oregon
Tom Davis, Virginia                  Zoe Lofgren, California
Mike Rogers, Alabama                 Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida            James R. Langevin, Rhode Island
Bobby Jindal, Louisiana              Bennie G. Thompson, Mississippi 
Christopher Cox, California (Ex      (Ex Officio)
Officio)

                                  (II)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman Subcommittee on 
  Economic Security, Infrastructure Protection and Cybersecurity.     1
The Honorable Loretta Sanchez, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Economic Security, Infrastructure Protection and Cybersecurity.     3
The Honorable Christopher Cox, a Representative in Congress From 
  the State of California, and Chairman, Committee on Homeland 
  Security.......................................................     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security
  Oral Statement.................................................    49
  Prepared Statement.............................................    49
The Honorable Bobby Jindal, a Representative in Congress From the 
  State of Louisiana.............................................    53
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California
  Oral Statement.................................................     4
  Prepared Statement.............................................     6
The Honorable Stevan Pearce, a Representative in Congress From 
  the State of New Mexico........................................    51

                               WITNESSES

Ms. Catherine Allen, President and CEO, BITS, Financial Services 
  Roundtable
  Oral Statement.................................................    21
  Prepared Statement.............................................    23
Mr. Paul Kurtz, Executive Director, Cyber Security Industry 
  Alliance
  Oral Statement.................................................    16
  Prepared Statement.............................................    18
Mr. Harris Miller, President, Information Technology Association 
  of America
  Oral Statement.................................................    11
  Prepared Statement.............................................    12
Mr. Ken Silva, Chairman of the Board of Directors, Internet 
  Security Alliance
  Oral Statement.................................................    37
  Prepared Statement.............................................    39
Mr. Amit Yoran, President, Yoran Associates
  Oral Statement.................................................     7
  Prepared Statement.............................................     9

                                Appendix

Questions and Responses from Ms. Catherine A. Allen..............    57
Questions and Responses from Mr. Paul B. Kurtz...................    61
Questions and Responses from Mr. Ken Silva.......................    63


                    H.R. 285: DEPARTMENT OF HOMELAND
                   SECURITY CYBERSECURITY ENHANCEMENT
                              ACT OF 2005

                              ----------                              


                       Wednesday, April 20, 2005

                          House of Representatives,
 Subcommittee on Economic Security, Infrastructure 
                     Protection, and Cybersecurity,
                            Committee on Homeland Security,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 11:05 a.m., in 
Room 210, Cannon House Office Building, Hon. Dan Lungren 
[chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Souder, Pearce, Jindal, 
Cox (ex officio), Sanchez, Dicks, Lofgren, Langevin, Thompson 
(ex officio), and Linder.
    Mr. Lungren. The Committee on Homeland Security 
Subcommittee on Economic Security, Infrastructure Protection, 
and Cybersecurity will come to order. The subcommittee is 
meeting today to hear testimony on H.R. 285, the Department of 
Homeland Security Cybersecurity Enhancement Act.
    In 1983, the film ``War Games'' depicted smart, tech-savvy 
teenagers finding a back door into the Department of Defense 
tactical computer. Mistaking real life for a war game, they 
inadvertently bring the country to the brink of a nuclear war. 
Although enjoyable as a film and fictional, the movie is a 
stark reminder of the potential threats, vulnerabilities and 
consequences of cyberattack.
    Today's world is even more interconnected through 
cyberspace, not just through the use of computers, but because 
of our increasing reliance on cybersystems to control our 
national infrastructures and economy.
    Ensuring that essential services and industries survive an 
attack has always been a part of our national security 
strategy. What is new is how cyberspace networks have created 
complex interdependencies that have never existed to this 
extent before. The complexity and extent of these networks is 
not fully understood. The technology and networks are 
themselves constantly changing.
    Identifying what is critical is becoming simultaneously 
more difficult and more vital. Furthermore, the majority of 
critical infrastructure is outside of Federal control, with 85 
percent in private hands. The Department must work hand in hand 
with the private sector not only because the majority of 
structure is owned privately, but because the private sector is 
at the forefront of innovative, productive and efficient 
technologies to secure cyberspace and associated critical 
infrastructure.
    Many of us recognize the average cyberattack such as a worm 
or virus is a nuisance, one that irritates us, slows down our 
computers or prevents us from e-mailing. Yet deliberate 
cyberattacks have the potential to do physical harm in the form 
of attacks on cybersystems controlling critical 
infrastructures, such as dams and power plants or medical 
systems. Since I live just downriver of a dam, I am 
particularly acutely aware of that. They can also be launched 
coincident with physical attacks to interfere with our response 
and to make a bad situation even worse.
    It is typical to measure the potential cost of 
probabilities of such attacks. There are no standard 
methodologies for cost measurement, although the 2003 loss 
estimates due to hostile digital acts range from $13 billion, 
worms and viruses only, to $226 billion for all forms of overt 
attacks.
    Although accidental, the blackout of August 2003 may have 
cost us about 6--to $10 billion for the U.S. economy alone, 
which would amount to 1/10 of 1 percent of GDP. Clearly if the 
attack had been deliberate, the potential loss could have been 
much worse, and an attack on the financial services sector or 
the stock market could have incalculable long-term economic 
repercussions.
    Recognizing this importance of cybersecurity to homeland 
and economic security, the Congress, when it created the 
Department of Homeland Security, directed this new department 
to lead the effort to develop a comprehensive cybersecurity 
strategy for the Nation. In response, the Department 
established the National Cybersecurity Division within the 
Information, Analysis and Infrastructure Protection Directorate 
headed by a Director reporting to the Assistant Secretary of 
Infrastructure Protection.
    As chairman of the subcommittee, I appreciate the oversight 
work that was done by the Select Committee on the Homeland 
Security Subcommittee on Cybersecurity, Science, and Research 
and Development during the last Congress, which culminated in 
the subcommittee's excellent report entitled Cybersecurity for 
the Homeland.
    The report makes clear that under current organizational 
structure, cybersecurity has not received the priority and 
attention it deserves within the Department, and that the 
National Cybersecurity Division needs explicit statutory duties 
and authorities. These findings led to the drafting and 
introduction of the bill that we are considering today, H.R. 
285, the DHS Cybersecurity Enhancement Act of 2005, which was 
introduced earlier this year by Congressman Mac Thornberry, the 
former subcommittee chairman, and Congresswoman Zoe Lofgren, 
the former Ranking Member and currently a member of our 
subcommittee.
    I am pleased we have an excellent panel of witnesses today 
to help the subcommittee examine the need for this legislation. 
In particular. We will hear from Mr. Amit Yoran, who was the 
first Director of the National Cybersecurity Division with DHS, 
and is a highly regarded cybersecurity expert. He left the 
Department after 1 year and is in the unique position to help 
us explore the challenges of cybersecurity within DHS.
    Passage of H.R. 285 would not solve all of the problems 
with cybersecurity within DHS, but it would elevate the mission 
within the Department by creating a new position of Assistant 
Secretary of Cybersecurity. This change would give the head of 
the National Cybersecurity Division not only increased 
prominence within the Department, but also give this official 
greater clout across the Federal Government and the private 
sector.
    The bill also contains specific language that would outline 
the responsibilities of the assistant secretary, guiding the 
work that needs to be done to identify the threats and 
vulnerabilities, mitigate those vulnerabilities, institute a 
warning system, and be able to effectively and quickly respond 
to an attack should one occur.
    These statutory authorities will also serve to clarify 
within DHS for the outside world the role and responsibilities 
of the DHS Cybersecurity Office. Under the bill, the assistant 
secretary also would assume authority over the National 
Communications System, which will bring an end to DHS's current 
treatment of telecommunications as separate from information 
technology. This is essential because the real world 
convergence of telephony and data is proceeding rapidly, and 
DHS must integrate policy for securing these elements of the 
cyberworld.
    Today we have witnesses who represent the leading experts 
in the cybersecurity industry with extensive experience working 
either in or with DHS. We look forward to hearing from them and 
why they think this legislation is important, presuming they do 
believe it is important.
    I would thank you all for appearing today.
    I would recognize the Ranking Member Ms. Sanchez for any 
opening remarks you would make.
    Ms. Sanchez. Thank you, Mr. Chairman, and thank you all for 
appearing before us today. We are looking forward to your 
testimony. This morning we are going to hear testimony, and 
this afternoon we are going to mark up H.R. 285, the Department 
of Homeland Security Cybersecurity Enhancement Act of 2005.
    I am so proud that this was written by my good friend from 
California Ms. Zoe Lofgren and by Mr. Thornberry of Texas in 
the last Congress when they had the roles of heading up the 
subcommittee that handled cybersecurity, which of course now 
has been put into this larger committee. I congratulate both of 
them for the diligent work that they did and for bringing it 
forward.
    I am very grateful to the chairman of this committee and to 
Mr. Cox and our Ranking Member Bennie Thompson for seeing the 
necessity to bring this forward early in this session so that 
we could get it done.
    I know that it is a very bipartisan manner in which Ms. 
Lofgren and Mr. Thornberry worked on this. I am happy to be a 
cosponsor of this particular bill. I think it is incredibly 
important that we look at the cybersecurity component of our 
economic security of this country, in particular banking and 
finance. I myself used to work in that arena on Wall Street. I 
believe it is just incredibly important for us to make sure 
that we do secure this.
    I hope that this bill, H.R. 285, will raise the visibility 
of the need to really explore cybersecurity, understand it, and 
get that under control so that we don't have an attack on 
either one of our infrastructure pieces, like a dam, for 
example, or, more importantly, that we don't lose everybody's 
money somewhere out in cyberspace or to the bad guys.
    So I am looking forward to this. I think having an 
assistant secretary is going to be important, and that person 
will be able to raise the visibility of this. I am confident 
that we are going to pass this piece of legislation.
    So, thank you, Mr. Chairman, and I--.
    Ms. Lofgren. Would the gentlelady yield?
    Ms. Sanchez. Should I yield to her, or will you be 
recognizing her?
    Mr. Lungren. I was going to recognize her after I recognize 
the chairman of the full committee.
    Ms. Lofgren. Okay.
    Mr. Lungren. The chairman of the full committee.
    Mr. Cox. Thank you very much.
    Since we are about to hear from Congresswoman Lofgren, and 
since Mr. Thornberry is not here, let me acknowledge both of 
them, and thank you for your leadership on this legislation. 
The Homeland Security Committee has organized itself again, as 
we did as a select committee in the preceding Congress, in 
subcommittee around this mission of cybersecurity. It is the 
fact that not only is the Department of Homeland Security, our 
newest Cabinet department, already the third largest Cabinet 
department, but, in addition, it is the locus within the 
Federal Government for a new mission not just for our 
government, but for our country, and that is cybersecurity.
    It is the focal point within the Federal Government for all 
of our efforts not just at the government level, but also 
internationally and in the private sector, to prevent harm to 
our national security and to our economy from cyberattacks.
    We have, I think, some skeletal frameworks from which to 
work: HSPD 7, the President's National Strategy to Secure 
Cyberspace, the National Response Plan to the extent that it 
treats cyberincidents. But what we need clearly inside the 
Department of Homeland Security is leadership, and that entails 
organizational responsibility and the opportunity to lead. So 
this Committee in the 109th Congress, the Select Committee in 
the 108th, have identified, with our partners outside the 
government, this organizational step as a key one, the step 
that we are proposing to take in this legislation.
    I am very, very anxious to hear from our witnesses today to 
make sure that we continue on the right track. But I believe 
that an extraordinary amount of thought has been given to this 
over the period of now a few years under the leadership of Mr. 
Thornberry and Ms. Lofgren. So I want to thank you for that 
leadership.
    I want to thank the chairman and Ranking Member of this 
subcommittee for renewing our efforts as a Homeland Security 
Committee and to see this job through completion. I hope that 
today's hearing moves us along on that path.
    Mr. Lungren. Thank you, Mr. Chairman.
    Before we hear from the panel, I would recognize the 
gentlelady from California Ms. Lofgren, who is the author of 
the bill and a member of this subcommittee.
    Ms. Lofgren. Thank you very much, Mr. Chairman.
    I do believe this bill is very important, and as has been 
mentioned, it is very bipartisan in nature. It was largely 
prepared through the direction of Congressman Mac Thornberry 
and myself in our roles in the last Congress in the 
Cybersecurity Subcommittee. Want to thank Mac Thornberry and 
also his staff for their collaboration and hard work on this 
bill. I am really very proud of the work that Mac and I did in 
a truly bipartisan way on the issue of cybersecurity in the 
last Congress.
    During that 108th Congress, the subcommittee conducted many 
hearings and briefings from Members of Congress and staff on 
cybersecurity issues. The subcommittee also reached out to 
diverse groups of individuals on seeking ways to improve 
cybersecurity for the Nation. Since May of 2003, 15 hearings 
and briefings were conducted, as well as additional and formal 
meetings with Members and staff. We heard from private sector 
experts who operate critical information infrastructure; 
Federal, State and local officials; academic experts and the 
like. A variety of witnesses also discussed the Department of 
Homeland Security's role and responsibilities in securing 
cyberspace.
    To make a long story short, as the chairman of the full 
committee has mentioned, we do have an adopted strategy, but 
the strategy has not yet been implemented. It has become clear 
to myself and Congressman Thornberry and many, many others that 
we need a higher level of attention within the Department. 
Obviously, there is much to do. This bill will not in and of 
itself solve the issues, but it will put us on a footing, we 
believe, to actually get the attention that we need.
    The position would be an Assistant Secretary of 
Cybersecurity within the Information, Assurance and 
Infrastructure Protection Directorate, and the second--the path 
the bill also accomplishes is to define cybersecurity at the 
department level so that a consistent and authoritative 
definition can be integrated throughout the Department.
    I would ask that my full statement be submitted for the 
record, but I would note that the Department of Homeland 
Security is not alone in focusing on the issue of 
cybersecurity. Clearly most of the infrastructure is within the 
private sector, not within the government. NSF has recently 
engaged in a very important funding of research in the 
cybersecurity area with a number of academic institutions. One 
of them, Professor Shankar Sastry at the University of 
California, who has been very helpful to us on this effort, was 
recently quoted and talking about the issue of cybersecurity, 
that we don't want to have a digital equivalent of Pearl 
Harbor.
    So right now we are worried about viruses and worms, but 
the exposure that we have is very large. We are very behind in 
where we need to be to protect the infrastructure of the 
Nation. So this is serious stuff. I believe that adopting this 
bill promptly will get us further down the road to where we 
need to be.
    I appreciate the support of the chairman and Ranking 
Member, both of the full committee and the subcommittee, in 
promptly moving this forward.
    I yield back the balance of my time, and I thank you.

          Prepared Statement of the Congresswoman Zoe Lofgren

     This bill addresses an issue that I believe is very 
important making sure that our government, working together with the 
private sector and academia, is doing all that it can to ensure that 
cyber security is a top priority in our nation's homeland security 
strategy.
     This bill is bipartisan in nature and was largely prepared 
through the direction of Representative Mac Thornberry and myself in 
our roles as leaders of the Cyber security Subcommittee last year. I 
thank Mac and his staff for their collaboration and hard work on this 
bill, I am proud to have been able to work with him in a truly 
bipartisan fashion to address this great need.
     During the 108th Congress, the Subcommittee conducted 
numerous hearings and briefings fro Members of Congress and staff on 
cyber security issues. The Subcommittee also reached out to diverse 
groups and individuals on ways to improve cyber security for the 
nation. Since May 2003, fifteen hearings and briefings were conducted, 
as well as several other informal sessions with Members and staff. The 
committee heard from private sector experts who own and operate 
critical information infrastructure. Federal, state and local 
government officials and academic experts testified on the need to 
fortify the nation's cyber security. A variety of witnesses also 
discussed the Department of Homeland Security's role and 
responsibilities in securing cyberspace.
     The subcommittee initially focused its oversight on the 
key management functions required for the success of any organization. 
Through hearings and oversight letters, the Subcommittee questioned DHS 
about its cyber security mission and functions. The subcommittee was 
also interested in how DHS was developing working definitions related 
to cyber security and what progress it was making to implement a viable 
organizational structure, as well as formal personnel, resource and 
programmatic efforts.
     Unfortunately, the level and detail of planning documents 
needed to manage the new cyber mission within DHS was not forthcoming. 
Budget paperwork throughout the fiscal year was vague. It is still 
unknown whether spending plans and detailed budget execution data 
exists.
     These are some of the reasons why I believe this bill is 
necessary and can only help to improve our nation's level of cyber 
security.
     This bill accomplishes two essential tasks: it establishes 
an Assistant Secretary of Cyber Security within the Information 
Assurance and Infrastructure Protection Directorate to prioritize cyber 
security and protect our computer networks.
     The position, at this higher level, will be better able to 
coordinate with other Assistant Secretaries within the Directorate, as 
well as officials throughout the Department, other federal agencies, 
and the private sector.
     The second task this bill accomplishes is to define cyber 
security at the Department level, so that a consistent and 
authoritative definition can be integrated throughout the Department's 
mission and policy functions.
     I continue to hear from cyber security experts about the 
threats and vulnerabilities facing our nation's networks and 
systems.Unfortunately, these continue to grow faster than our nation 
can address them.
     These vulnerabilities will continue to hamper our homeland 
security efforts if we do not make cyber security a major priority.As 
long as our critical infrastructures are interconnected and 
interdependent, the likelihood that a cyber attack will disrupt major 
services or cripple our economy will remain and the threat will 
increase.
     If a cyber attack occurred simultaneously as a physical 
attack, critical emergency response systems and communications 
operations could be taken out, increasing the casualties and confusion 
of an attack.
     The Department needs to be advancing on cyber security - 
it cannot afford to sit back and make minimal, if any, progress in this 
area. It certainly needs to be doing more than re-creating programs 
that existed before the Department's creation.Unfortunately, that is 
all that is happening today.
     I fear that the Department is unable to move forward on 
cyber security because it lacks the leadership necessary to focus on 
its unique and cross-cutting nature. The individual responsible for 
leading the government's cyber security efforts must have more 
authority within the Department of Homeland Security.
     I recognize that the government cannot develop plans for 
physical security in a vacuum--those dealing with both of those issues 
must be able to communicate and collaborate. At the same time, though, 
the government cannot be naive in its approach. The first responders 
and security actors for cyber assets are not the same as in the 
physical world. This bill recognizes this difference, while keeping in 
place the mechanisms for collaboration with the Infrastructure 
Protection Directorate.
     Thank you Chairman Cox and Ranking Member Thompson for 
bringing this bill before us today. I am certain that our discussion 
that we are about to have on the merits and the importance of this 
bill.
     I know that some may argue that this bill is unnecessary 
and that the Department already has authority to do this work now. If 
that is true, then I ask why it has not been done already. In our role 
of as the authorizers and the overseers of the Department of Homeland 
Security, I believe it is critical for us to give the Department 
guidance as to how it should manage the tremendous tasks that it has 
been given. To sit by and do nothing would place our nation in greater 
danger than it is today, and I for one am unwilling to do nothing.
     I strongly urge you to vote in favor of this bill.

    Mr. Lungren. I thank the gentlelady for her comments and 
congratulate her on this piece of legislation.
    Other members of the committee are reminded that opening 
statements may be submitted for the record.
    We are pleased to have the distinguished panel of witnesses 
before us on this important topic.
    The Chair now recognizes Mr. Amit Yoran, the president of 
Yoran Associates and the former Director of the National 
Cybersecurity Division of the Department of Homeland Security.
    Before you testify, could you tell me if I am pronouncing 
your name correctly?
    Mr. Yoran. Yes, sir, that was perfect.
    Mr. Lungren. Very good. Thank you.
    All witnesses should know that your written testimony will 
be submitted for the record. I would ask that you try to limit 
your comments to 5 minutes so that we can make sure that we 
hear all of you and then get involved in Q and A.
    Mr. Yoran.

      STATEMENT OF AMIT YORAN, PRESIDENT, YORAN ASSOCIATES

    Mr. Yoran. Good afternoon, Chairman Lungren and 
distinguished members of the subcommittee. I would like to 
first thank Congressman Thornberry and Congresswoman Lofgren 
and their staffs for their tireless efforts in the important 
topic of cybersecurity and for the entire subcommittee's 
bipartisan attention to this important topic.
    My name is Amit Yoran, and I am pleased to have the 
opportunity to appear before the subcommittee today to discuss 
enhancements to our national efforts to secure cyberspace. I am 
president of Yoran Associates, a technology strategy and risk 
advisory business headquartered in northern Virginia.
    In our practice we advise a number of global enterprises on 
their technology strategy and mitigating associated business 
risks and exposures. Prior to founding Yoran Associates, I 
served as the Director of the National Cybersecurity Division 
of the Department of Homeland Security responsible for building 
a national cyberresponse system, a national threat and 
vulnerability reduction program, a national cyberawareness and 
training program, and establishing increased security and 
coordination among and between government and international 
counterparts. Much work has been done in the implementation of 
the above responsibilities by both the public and private 
sectors, and even more work remains ahead of us.
    Protecting America from physical threats is a concept well 
understood by senior leadership and risk managers, where sound 
understanding of the challenges, consequences of failure and 
specific work plans to be accomplished are ongoing as part of a 
unified protection effort. Our ability to conceptualize and 
defend against physical threats has matured over many years. 
Changes to critical infrastructures do not occur on a highly 
dynamic basis.
    On the other hand, our use of and reliance on technology 
transforms continually in today's modern competitive 
environments. Significant challenges remain in raising 
awareness and understanding of vulnerabilities to cyberfailure 
or attacks to the leadership which structure and resource 
defensive efforts. The challenge to change our thinking is 
consistent in both the government and private sector.
    Since the creation of the Department of Homeland Security 
approximately 2 years ago, a massive restructuring has occurred 
in the Federal Government. More important than the 
restructuring and the organizational charts is the fantastic 
work being accomplished by so many talented and dedicated 
public servants serving in the most noble and challenging of 
undertakings, protecting our homeland and the American people.
    Responsibility for protecting these business-critical 
systems lies largely in the private sector, where nearly all of 
these critical infrastructure systems are owned and operated. 
Organizational leadership must encourage the inclusion of 
technology risks into their business risk management practices. 
Responsible business risk practices require a thorough 
evaluation and informed acceptance of technology and business 
exposures, or investment in risk mitigation techniques. 
Forward-thinking organizations are protecting themselves from 
significant threats and exercising their response plans in 
simulated cybercrisis scenarios. These types of activities can 
be used effectively to create awareness among organizational 
leadership. In essence, industry must not wait for government 
action before securing systems and improving their 
organizational policies and procedures.
    Some critical functions and responsibilities in our 
national cybersecurity efforts are inherently governmental, 
such as providing a survivable communications capability in 
various bad-case cyber and telecommunications outage scenarios, 
raising the awareness of threat information and coordinating 
national response efforts. I challenge the committee to assist 
the Department in increasing the investments being made in 
fundamental cybersecurity research and development.
    Secretary Chertoff is in the midst of his departmental 
analysis and restructuring effort, the second stage review. The 
Directorate of Information Analysis and Infrastructure 
Protection under which the National Cybersecurity Division 
resides is charged with performing some of the most important 
mission functions of DHS. It is imperative that we afford the 
Secretary the opportunity to design and structure the 
Department to the best of his ability and satisfaction and to 
provide him and his team whatever support we can in 
accomplishing their mission. Creating greater unity and clarity 
around cyberefforts will result in further inclusion and better 
integration of cybersecurity thinking, awareness and protective 
measures across all of the various programs and efforts taking 
place to protect America.
    The creation of an assistant secretary position to address 
cybersecurity issues is not inconsistent with a unified or 
integrated risk management approach. On its own, it does not 
address the government's challenges in cybersecurity. There are 
several areas where greater clarity is needed and support must 
be given to centralize cybersecurity functions across the 
government. The Department of Homeland Security struggles with 
its mission responsibility of security for government computer 
systems, but FISMA authorities lay entirely within OMB. 
Consideration of this topic by the committee can provide needed 
attention and have significant impact on improving operations 
on government cyberpreparedness.
    Procurement practices by the Federal Government to enhance 
cybersecurity features, functionality and requirements are not 
effective and are rarely enforced with consistency, resulting 
in the single greatest missed opportunity to positively 
influence and drive better security capabilities into the 
products that are used by both government and private sectors.
    There are many dedicated Americans in both the public and 
private sector working on these challenges to our economic and 
homeland security. It is my hope that the Committee on Homeland 
Security can provide them further mission guidance, support our 
common cause and assistance wherever possible.
    I look forward to answering any questions you may have.
    Mr. Lungren. Thank you very much, Mr. Yoran.
    [The statement of Mr. Yoran follows:]

                    Prepared Statement of Amit Yoran

    Good afternoon, Chairman Lungren and distinguished Members of the 
Subcommittee. My name is Amit Yoran and I am pleased to have an 
opportunity to appear before the subcommittee today to discuss 
enhancements to our national efforts to security cyberspace. I am the 
President of Yoran Associates, a technology strategy and risk advisory 
business headquartered in Northern Virginia. In our practice, we advise 
a number of global enterprises on their technology strategy and 
associated business risks and exposures. Prior to founding Yoran 
Associates I served as the Director of the National Cyber Security 
Division of the Department of Homeland Security (DHS), responsible for 
building, (1) a national cyber response system; (2) a national threat 
and vulnerability reduction program; (3) a national cyber awareness and 
training program; and (4) establishing increased security and 
coordination among and between government and international 
counterparts. Much work has been done in the implementation of the 
above responsibilities by both the public and private sector and even 
more work remains ahead of us.
    Protecting America from physical threats is a concept well 
understood by senior leadership and risk managers, where sound 
understanding of the challenges, consequences of failure, and specific 
work plans to be accomplished are ongoing as part of a unified 
protection effort. Our ability to conceptualize and defend against 
physical threats has matured over many years. Changes to critical 
infrastructures do not occur on a highly dynamic basis. On the other 
hand, our use of and reliance on technology transforms continually in 
modern competitive environments . Significant challenges remain in 
raising awareness and understanding of vulnerability to cyber failures 
or attacks to the leadership which structure and resource defensive 
efforts. This challenge to change our thinking is consistent in 
government and the private sector.
    Since the creation of the Department of Homeland Security, 
approximately two years ago, a massive restructuring has occurred in 
the Federal Government. But more important than the restructuring and 
the organizational charts is the fantastic work being accomplished by 
so many talented and dedicated public servants serving in the most 
noble and challenging undertakings; protecting our homeland and the 
American people.
    The task in securing America's cyber infrastructures is a daunting 
and very real challenge. Efforts to secure the computer systems on 
which our nation's critical infrastructures and our economic stability 
rely are being addressed with a pre-9/11 lack of urgency. As we failed 
to grasp the gravity of the World Trade Center bombings in 1993, today 
we are not acting aggressively on the numerous warning signs of 
critical infrastructure computer failures; the Northeast-Midwest 
blackout of 2003, ATM outages and airline system failures or on the 
numerous computer threats actively working against our economic 
security. Simply put, many American business interest have a 
significant if not complete reliance on general purpose computers and 
inter-connected networks which can generally be categorized as 
untrustworthy. The recipes for disaster are present.
    Responsibility for protecting these business critical systems lies 
largely in the private sector where nearly all of these critical 
infrastructure systems are owned and operated. Organizational 
leadership must encourage the inclusion of technology risks into their 
business risk management practices. Responsible business risk practices 
require a thorough evaluation and informed acceptance of technology and 
business exposures or investment in risk mitigation techniques. Forward 
thinking organizations are protecting themselves from significant 
threats and exercising their response plans in simulated cyber crisis 
scenarios. These types of activities can be used to effectively create 
awareness among organizational leadership. In essence, industry must 
not wait for government action to begin securing systems and improving 
organizational policies and procedures.Sec. 
    Some critical functions and responsibilities in our national cyber 
security efforts are inherently governmental, such as providing a 
survivable communications capabilities in various bad-case cyber and 
telecommunications outage scenarios, raising awareness of threat 
information and coordinating national response efforts. I challenge the 
Committee to assist the Department in increasing the investments being 
in fundamental cyber security research and development.
    Secretary Chertoff is in the midst of his departmental analysis and 
restructuring effort--the second stage review. The Directorate of 
Information Analysis and Infrastructure Protection under which the 
National Cyber Security Division resides, is charged with performing 
some of the most important mission functions of DHS. It is imperative 
that we afford the Secretary the opportunity to design and structure 
the Department to the best of his ability and satisfaction and to 
provide him and his team whatever support we can in accomplishing their 
mission. Creating greater unity and clarity around cyber efforts will 
result in the further inclusion and better integration of cyber 
security thinking, awareness and protective measures across all of the 
various programs and efforts taking place to protect America.
    The creation of an Assistant Secretary position to address 
cybersecurity issues is not inconsistent with a unified or integrated 
risk management approach. On its own it does not address the 
Government's challenges in cyber security. There are several areas 
where greater clarity is needed and support must be given to centralize 
cyber security functions across government. The Department of Homeland 
Security struggles with its mission responsibilities of security for 
government computer systems, but FISMA authorities lay entirely within 
OMB. Consideration of this topic by the Committee can provide needed 
attention and have significant impact on improving operations and 
government cyber preparedness. Procurement practices by the Federal 
Government to enhance cyber security features, functionality and 
requirements are not effective and are rarely enforced with 
consistency, resulting in the single greatest missed opportunity to 
positively influence and drive better security capabilities into the 
product sets used by both government and private sectors.
    There are many dedicated Americans in both the public and private 
sector working on these challenges our economic and homeland security. 
It is my hope that this Committee on Homeland Security can provide them 
further mission guidance, support our common cause and assistance 
wherever possible. I look forward to answering any questions you may 
have.

    Mr. Lungren. The Chair now recognizes Mr. Harris Miller, 
president of the Information Technology Association of America, 
to testify. I must say I knew Mr. Miller in another life when 
he was neither as well dressed or as profitable-looking as he 
is now. It is good to see you have reached success in your 
older years.

     STATEMENT OF HARRIS N. MILLER, PRESIDENT, INFORMATION 
               TECHNOLOGY ASSOCIATION OF AMERICA

    Mr. Miller. Thank you, Mr. Chairman. It is a great honor 
and pleasure to be here in front of Lungren 2, Congressman 
Lungren's return. We got the great opportunity to work with you 
on the Judiciary Committee. It was a great honor and pleasure 
to serve you there. It is a great honor to appear before you, 
Congresswoman Sanchez, Chairman Cox and Ranking Member 
Thompson, and other members of the subcommittee today.
    I want to join in commending Congressman Thornberry and 
Congresswoman Lofgren for introducing this important 
legislation, and I urge the subcommittee to pass it and move it 
through the full committee of the House, and we hope to get 
cooperation from the other side of the Hill, too.
    Exhibit A about why this legislation is sitting immediately 
to my right. Mr. Yoran is too much of a gentleman to perhaps 
explain fully why he is back in the private sector after a 
relatively short period of time in the government, and I am not 
going to put any words in his mouth, but we at the private 
sector were very excited when he agreed to come back into 
government to serve in this position.
    But we felt that because of where the position is located 
in the Department, a head of a division as opposed to an 
assistant secretary level, that a lot of the ideas and work and 
enthusiasm that might have been brought to the position simply 
couldn't be done because of where the position is located.
    We also commend the current Acting Director Mr. Purdy. He 
is also trying very hard. But at the end of the day, Mr. 
Chairman, as you know very well, in this town where you stand 
is where you sit; and where you sit is where you stand. When 
you are down as a head of a division, you simply cannot bring 
the firepower and the leadership to the issue that you can as 
an assistant secretary, a confirmable position.
    So we think that the idea that Congressman Thornberry and 
Congresswoman Lofgren have incorporated into this legislation 
is critical. We urge you and the subcommittee to move it 
forward.
    Certainly, a couple of simple points, number one, prior to 
the formation of the Department of Homeland Security, the 
cybersecurity issue was so important in this administration 
that the position was a special advisor to the President of the 
United States. That is where the locus of this government's 
focus on cybersecurity was. After the Department was formed, it 
was--ended up--as a head stuck in a division. That shows you 
that without any real indication of any change of the 
importance of the issue in terms of our country and protecting 
our homeland, the position was significantly downgraded. As a 
result, a lot of the work that President Bush and his 
administration put into the National Strategy to Secure 
Cyberspace, which was released a little over 2 years ago, 
frankly hasn't been implemented because we have not had the 
type of leadership we need. This is no slap on Secretary Ridge 
and now Secretary Chertoff, but at the end of the day, if you 
don't have someone high enough in the organization to show 
leadership on the issue, it simply isn't going to happen.
    Now we understand that--the argument on the other side, 
that physical security and cybersecurity need to be closely 
integrated. That is why they initially didn't want to have an 
Assistant Secretary for Cybersecurity because it not was not 
thought to be a separate issue. We understand that there is an 
argument on that side, But we happen to think it is inaccurate 
for reasons that Mr. Yoran indicated.
    Just think about it. At the end of the day, people are much 
more afraid of bombs and anthrax than they are of viruses and 
worms. They have a lot of experience of dealing with these 
physical threats. But the cyberworld is much different. It is 
much more out there in cyberspace, so to speak, and people 
don't quite understand it. So, again, putting it in the 
physical arena, the resources, the attention, the expertise and 
the government was all loaded toward people on the physical 
side, which is incredibly important, Mr. Chairman. We are not 
saying it is not, but it simply is different.
    There is also a fundamental cultural issue. How many people 
involved in law enforcement and physical threats have ever gone 
to cyberschool, and how many cybergeeks have ever gone to 
physical school? They simply live in different cultures, in 
difference worlds. Now there are a few people that have skills 
on both sides, but it is a different world. It is a different 
set of issues.
    Again, having someone in government who understands that 
fundamentally at the right level of government, at the 
assistant secretary level, we think is critically important to 
furthering the agenda that is absolutely necessary. It is all 
about resource allocation. It is all about allocating those 
resources, and it is all about having the ear of the people at 
the top.
    At the end of the day, Mr. Chairman, as you said in your 
opening statement, 85 percent of our critical infrastructure is 
controlled by the private sector. One of the most important 
roles the government can play in cybersecurity is as a bully 
pulpit, getting out in front of people in the private sector to 
explain to them why they have to put as much priority on 
cybersecurity as they do on physical security, why they can't 
always be trying to turn around and say, what is the ROI on 
this? Again, I ask you, is it more likely to be successful if 
that person sending that message is an Assistant Secretary for 
Cybersecurity, or is it someone who frankly is pretty far down 
in the bureaucracy?
    Mr. Chairman, as you said your opening statement, creating 
an assistant secretary is not going to solve all the problems, 
but it will get the cybersecurity issue back to the level of 
attention it had prior to the creation of the Department of 
Homeland Security. It will enable us to move forward with so 
many great ideas, which are included in President Bush's 
National Strategy.
    I think moving this legislation will be very important to 
the protection of our Nation's homeland.
    Mr. Lungren. Thank you, Mr. Miller.
    [The statement of Mr. Miller follows:]

                 Prepared Statement of Harris N. Miller

Introduction
    I am Harris N. Miller, President of the Information Technology 
Association of America (ITAA), representing over 380 member companies 
in the information technology (IT) industry--the enablers of the 
information economy. Our members are located in every state in the 
United States, and range from the smallest IT start-ups to industry 
leaders in the software, services, systems integration, 
telecommunications, Internet, and computer consulting fields. These 
firms are listed on the ITAA website at www.itaa.org.
    I appreciate this Subcommittee taking time from its very busy 
schedule to hold this hearing today on the need to elevate the issue of 
cyber security within the Department of Homeland Security (DHS) by 
creating an Assistant Secretary for Cyber Security. The constant 
attention by this Committee to the importance of cyber security in 
protecting our nation against terrorism is greatly appreciated by my 
members and all IT customers, whether they be individuals or companies.
    After a lull in major network exploits, we have seen the issues of 
information security and critical infrastructure protection spring back 
into the news with the recent data breaches experienced by data 
brokers, database companies, universities, payroll processors and other 
types of organizations. As the development and adoption of electronic 
commerce evolves, the issue of ``trust'' becomes increasingly 
important. Businesses, government and citizens alike must trust the 
security of their information and the identity of the person or company 
on the other end. They must know the systems they are using are 
reliable. Events that shake this trust--whether real or perceived--pose 
a threat to the development of electronic commerce and the growth of 
the U.S. economy.
    ITAA has played a major role in addressing the numerous issues of 
enhanced information security and cyber crime prevention. Our 
information security program dates back to 1999, with active 
participation from 250 IT companies. Since that time, along with many 
other accomplishments, ITAA has been proud to serve as a co-founder of 
the National Cyber Security Partnership, to chair the Partnership for 
Critical Infrastructure Protection, to co-found the National Cyber 
Security Alliance and the IT Information Sharing and Analysis Center 
(IT-ISAC) and to act as Sector Coordinator for the IT industry under 
Homeland Security Presidential Directive 7.

Why the U.S. Needs an Assistant Secretary for Cyber Security
    Since the creation of the Department of Homeland Security, the 
Congress has become increasingly aware of the enormously complex 
challenges related to cyber security. The result is overwhelming 
bipartisan support in the committees of jurisdiction for a robust 
National Cyber Security Division (NCSD) to meet the broad challenges 
posed in the 2003 President's National Strategy to Secure Cyberspace. 
These challenges include creating and managing: a national cyber 
response system; a national program to reduce cyber security threats 
and vulnerabilities; a national cyber awareness and training program; 
and programs of coordination among federal, state and local 
governments, as well as with the private sector and with international 
partners.
    ITAA, too, has been for several years advocating the need for a 
senior cyber security executive within the Federal government to help 
coordinate national cyber security policy among all industry, 
government and private sector stakeholders. We were the first 
organization to call for the creation of a cyber security ``czar,'' and 
were very pleased that first President Clinton, by holding a White 
House meeting on cyber security in early 2000, and then President Bush, 
by establishing a cyber security advisor in the White House at the 
beginning of his term, each showed great leadership. But since the 
creation of the Department of Homeland Security, and the effective 
organizational demotion of the cyber security position, our concerns 
about Executive Branch leadership have returned.
    Given strong bipartisan calls within Congress for a more robust 
NCSD capable of pulling together and coordinating among diverse 
entities within both government and the private sector, we feel very 
strongly that an Assistant Secretary position leading the NCSD is 
needed to meet the growing public administration, resource and policy 
challenges related to cyber security. This means coordinating closely 
with, but outside of, the Infrastructure Protection Division. When DHS 
was created, the decision was made to subsume cyber security 
coordination and outreach functions under an Assistant Secretary for 
Infrastructure Protection, on the premise that the integration of 
physical security and cyber security is better managed by one person, 
and that cyber security is only one component of physical security.
    Our view, on the contrary, is that integration is best managed by 
two individuals, each experts in their respective fields, with a 
commitment to coordinating physical and cyber security where they are 
interrelated, with neither vital function subordinated to the other. It 
is clear that all of the nation's critical infrastructures, including 
water, chemicals, transportation, energy, financial services, health 
care, and others, rely significantly on computer networks to deliver 
the services that maintain our safety and national economy. It, 
therefore, is incumbent on the owners and operators of those critical 
infrastructures to manage improvements in the security of their 
information systems and to have a senior individual within the 
government, with effective influence and budget authority, who can 
coordinate collaborative efforts across critical infrastructure sectors 
and with state and local governments.
    The NCSD has indeed made some progress; we applaud the valiant 
efforts of the former director and the current acting director and 
their creative and dedicated staff. But the current integration of 
cyber security and physical security is not working. As the IT Sector 
Coordinator, co-founder of the National Cyber Security Partnership and 
Chair of the Partnership for Critical Infrastructure Security--the 
cross-sectoral council of Federally-designated sector coordinators--
ITAA has witnessed the growing demands the Congress has placed on the 
NCSD to implement policies consistent with and beyond the President's 
National Strategy to Secure Cyberspace. ITAA also has experienced 
ongoing frustration with the confusion in the NCSD and its unrealized 
potential.
    Indeed, the President's National Strategy is not being implemented 
as quickly and fully as it should, in large part, we believe, because 
the current organizational structure at DHS allows cyber security 
priorities to be marginalized against other physical security 
activities considered to have higher priority. Good management is 
always about allocating resources to the highest priorities set by both 
the Department and Congress, but too often the cyber security function 
has suffered from missteps, and an increasing inability to meet the 
growing challenges that have been identified by Congress, government 
entities and the private sector.

Among them:
         DHS took several months to provide formal response to 
        major private sector recommendations emerging from the December 
        2003 National Cyber Security Summit (see 
        www.cyberpartnership.org), conducted in partnership with DHS 
        and Secretary Ridge and designed to act on the President's 
        National Strategy;
         A major ``Partner Program'' conference scheduled last 
        year with industry and DHS was abruptly cancelled days before 
        the event without explanation;
         The development of implementing regulations under the 
        Homeland Security Act to protect critical infrastructure 
        information (PCII) voluntarily submitted by private sector 
        entities fails to facilitate information flows--as the law 
        intended--from the private sector custodians of cyber security 
        early warning, analysis, and forensics--to DHS. The IT-ISAC, 
        for example, has submitted no critical cyber security 
        information to DHS under this program, because the prescribed 
        process does not reflect the realities of information 
        management and proprietary business information within the 
        private sector;
         DHS attempts to reorganize the private-sector ``Sector 
        Coordinator'' and ISAC structures under Homeland Security 
        Presidential Directive 7 proceeded against the counsel of 
        several critical infrastructure representatives whose views may 
        have been better reflected in this DHS initiative had they been 
        heard at a more senior political level--such as an Assistant 
        Secretary--with guiding authority over staff;
         NCSD's cyber security R&D budget authority remains low 
        and ineffectual. A division with an Assistant Secretary at the 
        helm would likely command more resources; and
         It will not be until November of 2005 before we have a 
        full cyber threat and attack exercise as a component of the 
        DHS/industry critical infrastructure protection/emergency 
        response exercises in the TOPOFF series, despite the real and 
        identified threat of a coordinated physical/cyber attack on one 
        or more of our critical infrastructures
    The resulting bipartisan proposal within the Intelligence Reform 
bill to authorize the creation of an Assistant Secretary for Cyber 
Security underscores Congressional demands for a confirmable position 
of increased leadership within DHS that reflects the need for greater 
accountability to Congress.

Congressional Leadership
    Last year, an amendment in the 9/11 bill creating the Assistant 
Secretary position was removed because of confusion during 11th hour 
negotiations. What was clear, however, was a White House position of 
``no objection'' to the bill. Administrations as a matter of principle 
object to Congressional micromanagement of the President's 
organizational prerogatives. The official White House position of 
neutrality in this particular case, however, speaks volumes, in our 
view, about the level of support within the White House for an 
improvement in the functioning of the cyber security activities of DHS.
    The House Subcommittee on Cyber Security, Science and Research & 
Development underscored the need for an Assistant Secretary in its 
December 2004 Report on Cyber Security for the Homeland. The 
Subcommittee cited creation of this position as one of six ``core'' 
areas in its cyber security roadmap for the future.
    We wholeheartedly applaud and support Congress in its efforts to 
provide the legislative impetus for this important position, and 
accordingly support H.R. 285.
    While we believe the Assistant Secretary position is critical, it 
is not the only critical step remaining in this journey. The cyber 
security threat is constantly changing, and Congress has a role in 
assuring that adequate investment is made in safeguarding critical 
infrastructure and the U.S. economy from next generation threats.
    Practical steps involve increasing appropriations for cyber 
security research as authorized in the Cyber Security Research and 
Development Act of 2002. More research is needed to improve information 
systems, and identify and reduce their vulnerabilities. Congress should 
also authorize and appropriate increases in the funding of NIST to 
support its Computer Security Division--a critical resource in the 
development of computer security standards and best practices for the 
private sector and government agencies.
    Congress should also act to encourage the private sector to adopt 
more rigorous information security practices. For instance, lawmakers 
should explore whether, and under what circumstances, commercially 
viable information security insurance can be used as a market driver 
toward improvements in information security management in the 
enterprise. Other potentially productive strategies include considering 
limits on liability from cyber security breaches for companies that 
implement industry-agreed practices and creating economic incentives 
for information security technology procurement and implementation
    Finally, the Senate should ratify the Council of Europe Convention 
on Cyber Crime, signed by the United States in November 2001.

Conclusions
    No government executive will create single-handedly the policies or 
regulations to herald a new age of information security or to make 
cyber vulnerability a thing of the past. Logic tells us that we have 
turned a corner in our reliance on the Internet, and that along with 
the many blessings of the information economy and the knowledge society 
come the risks posed by the cyber delinquent, cyber criminal and cyber 
terrorist. A responsible government takes the steps necessary to 
maximize the benefits and to manage the risks appropriately.
    Creating an Assistant Secretary for Cyber Security advances the 
cause of information security, introducing practical advantages and 
sending an important symbolic message. Much needs to be done to improve 
the performance and to elevate the position of cyber security as an 
issue in the Administration, to coordinate information security across 
disparate government agencies, and to build the necessary bridges 
between the federal government and critical infrastructure industries. 
For far too long, the federal government's symbolic role in information 
security has gone begging--the ``bully pulpit'' stands empty. 
Consumers, small businesses and other organizations peg their response 
to various issues by the actions (or lack thereof) of policymakers. We 
believe that cyber security is one such issue.
    In calling for the increased leadership that we believe an 
Assistant Secretary will bring to the goal of heightened cyber 
security, industry also stands ready to do its part--and the good news 
is that we have done much already. An ITAA-commissioned survey 
conducted by the University of Southern California's Institute for 
Critical Information Infrastructure Protection (ICIIP) at the Marshall 
School of Business identified 175 examples of cyber security enhancing 
products, services or activities from 65 responding organizations, 
including cross-sectoral and vertical industry groups and trade 
associations, multinational and owner-operated businesses, academic 
institutions, and professional societies. Intrusion detection and early 
warning networks, structures for information sharing, enhanced 
commercial products across an array of information security 
functionalities, guides, white papers, no-charge anti-virus protections 
and automatic software update capabilities are just some examples of 
the industry-led strides to raise the nation's cyber security profile.
    The federal government faces a full agenda of cyber security 
issues. The challenges of providing critical infrastructure protection 
are formidable today and are likely to be even significant in the 
future. An Assistant Secretary for Cyber Security can make an important 
difference. We thank the Subcommittee for bringing this important issue 
to the attention of the American people.
    Thank you very much.

    Mr. Lungren. The Chair will now recognize Mr. Paul Kurtz, 
the executive director of the Cybersecurity Industry Alliance, 
to testify.

  STATEMENT OF PAUL KURTZ, EXECUTIVE DIRECTOR, CYBER SECURITY 
                       INDUSTRY ALLIANCE

    Mr. Kurtz. Thank you, Mr. Chairman. Thank you, Ranking 
Member Sanchez.
    I want to recognize, as Amit and Harris have done, the work 
of Congressman Thornberry and Congresswoman Lofgren in putting 
together this piece of legislation. As executive director of 
CSIA, I am also pleased to speak on behalf of the Business 
Software Alliance on the need for an Assistant Secretary for 
Cybersecurity at DHS.
    We want to urge early and urgent passage of H.R. 285. Since 
the late 1990s, we have spoken of a partnership to secure the 
critical infrastructure. For this partnership to work and to 
truly be successful and not be simply rhetoric, we need a clear 
leader in the Department of Homeland Security to act as the 
focal point.
    A director or a deputy-assistant-secretary-level position 
does not have the sufficient stature, programmatic authority or 
accountability to reach across government and industry sectors. 
A leader in securing the critical infrastructure must have the 
authority and resources to accomplish this important and 
complex mission. This leader must be at least at the assistant 
secretary level to have the impact needed.
    Unlike other sectors, the information infrastructure is 
dynamic. It will continue to evolve for the foreseeable future. 
Changes within the information infrastructure are driving 
change in all other sectors. Cyber and physical infrastructure 
security will receive greater respect and attention with an 
Assistant Secretary For Cybersecurity working alongside another 
assistant secretary focused on the protection of the physical 
structure while remaining integrated under an Under Secretary 
for IAIP.
    It is particularly important that the Assistant Secretary 
for Cybersecurity have primary authority over the National 
Communications System, which is, of course, included in this 
bill. This is important given the convergence of data and voice 
networks.
    As you know, the National Communications System has control 
over priority communications. These networks proved critical in 
the immediate aftermath of 9/11. CSIA strongly believes that 
the government needs a comprehensive approach to cybersecurity, 
and by establishing assistant secretary, we can do much better 
than we are today.
    I think there are three documents that we could look at 
that set out the government's overall policy or the 
administration's policy in cybersecurity. The first is the 
President's National Strategy, the second is Homeland Security 
Presidential Directive Number 7, and the third is the National 
Response Plan.
    There are some common characteristics among those 
documents. I think in the first instance, it is worthwhile 
pointing out that these documents bound, if you will, the 
responsibilities of DHS--they don't, and DHS too, if you will, 
boil the ocean. They bound their responsibilities in the area 
of creating an emergency communications network in case of an 
attack, to prepare contingency plans in the case of an attack, 
to carefully look at reconstitution issues in case of an 
attack, to look at early warning issues; for example, if the 
government has the means to understand through intelligence 
assets that might be overseas or here, to pass that information 
on to the private sector, and it might not be readily available 
to the private sector. Those are private tasks that the 
Department of Homeland Security has been given under the three 
documents I mentioned.
    The progress to date at the Department has not been what 
you would hope. They have a myriad of programs set up, 
wonderful intentions, but at the end of the day, they are not 
succeeding in those very critical tasks that are so important 
to our economic and national security.
    If I were to prioritize those tasks, they would be just as 
I have outlined. It would be simply working on to identify and 
prioritize critical infrastructure related to information 
systems, prepare for contingencies by ensuring that we have 
survivable communications in place, work closely with the 
private sector on any sort of reconstitution plans that need to 
be put in place, provide warning of disruption, provide early 
warning of an attack through intelligence means. These tasks 
can really only be effectively done at the assistant secretary 
level or higher. They cannot be done at a lower level.
    I want to speak very quickly, before I close, on the 
difference between cyber and physical infrastructure. By 
advocating for an Assistant Secretary of Cybersecurity, we are 
not dismissing the need to integrate cyber and physical 
infrastructure protection, nor are we saying that the 
protection of cyberinfrastructure is more important than the 
protection of physical infrastructure. Although it is--
increasingly the IT infrastructure is a critical component in 
the operation of our physical infrastructures.
    Cyberinfrastructure is attacked and defended differently 
than the physical infrastructure. Cyberinfrastructure is 
largely defended by technical specialist, not through guns, 
gates, guards and cameras. Vulnerabilities are discovered 
through technical means and often require immediate remediation 
involving a variety of parties across different sectors of the 
economy.
    A cyberattack may be launched remotely, requiring no 
physical access to a target. Cyberattacks may not necessarily 
be abrupt. For instance, a cyberattack may be low and slow, 
changing or otherwise corrupting political data over an 
extended period of time.
    The infrastructure is dynamic, constantly changing. Amit 
and Harris have addressed this. But I want to point out also, 
in the event of an event of national significance affecting one 
or more sectors across the economy, we are going to turn to our 
information systems to help bail us out.
    The National Communications System post-9/11 helped us in 
that environment. By the way, the National Communications 
System under DOD was run by a lieutenant general. Now we are at 
an acting--acting director level. It is important that we have 
an assistant secretary in place as soon as possible. During Q 
and A I would be happy to speak to source issues.
    Thank you.
    Mr. Lungren. Thank you very much, Mr. Kurtz.
    [The statement of Mr. Kurtz follows:]

                  Prepared Statement of Paul B. Kurtz

    Thank you, Chairman Lungren and Ranking Member Sanchez for inviting 
the Cyber Security Industry Alliance (CSIA) to testify before this 
subcommittee in reference to HR 285. I would also like to acknowledge 
Congressman Thornberry and Congresswoman Lofgren for their continued 
efforts in support of an Assistant Secretary for Cyber Security 
position in DHS. Their bi-partisan work is evident in their co-
sponsorship of this bill.
    As Executive Director of CSIA, I am pleased to speak about the need 
for an Assistant Secretary for Cyber Security in the Department of 
Homeland Security. CSIA supports rapid passage of HR 285.
    The members of the Business Software Alliance also support this 
legislation and I am also speaking on their behalf.
    Since the late 1990s, we have spoken of a ``partnership'' to secure 
the critical infrastructure of the United States, particularly the 
information infrastructure, since it is owned and operated by the 
private sector. For this partnership to truly be successful and not 
simply rhetoric, we need a clear leader in the Department of Homeland 
Security to act as a focal point for this partnership. A Director-level 
position does not have the sufficient stature or programmatic authority 
for accountability, or to reach across sectors. A leader in securing 
the critical infrastructure must have the authority and resources to 
accomplish this important and complex mission.
    This leader must be at least at the Assistant Secretary level to 
have the impact that is needed.
    Unlike other sectors, the information infrastructure is dynamic and 
will continue to evolve for the foreseeable future. Changes within the 
information infrastructure are driving change in all other sectors. 
Cyber and physical infrastructure security will receive greater 
respective attention with an Assistant Secretary for Cyber Security 
working alongside the Assistant Secretary for Infrastructure 
Protection, while remaining integrated under the leadership of the 
Undersecretary for Infrastructure Protection and Information Analysis. 
It is particularly important that the Assistant Secretary for Cyber 
Security have primary authority over the National Communications 
System, given the convergence of voice and data networks.
    CSIA strongly believes that the Federal government needs a 
comprehensive approach to cyber security protection. The establishment 
of an Assistant Secretary for Cyber Security in the Department of 
Homeland Security is a critical initial step in this approach.
    I will cover three areas in my testimony:
         A brief introduction to CSIA
         An overview of the roles and responsibilities of the 
        Department of Homeland Security in the area of cyber security
         The importance of clear leadership on the issue of 
        cyber security

Introduction to CSIA
    CSIA is dedicated to enhancing cyber security through public policy 
initiatives, public sector partnerships, corporate outreach, academic 
programs, alignment behind emerging industry technology standards and 
public education. CSIA is the only CEO-led public policy and advocacy 
group exclusively focused on cyber security policy issues. We believe 
that ensuring the security, integrity and availability of global 
information systems is fundamental to economic and national security. 
We are committed to working with the public sector to research, create 
and implement effective agendas related to national and international 
compliance, privacy, cybercrime, and economic and national security. We 
work closely with other associations representing vendors as well as 
critical infrastructure owners and operators, as well as consumers.
    Members of the CSIA include BindView Corp; Check Point Software 
Technologies Ltd.; Citadel Security Software Inc.; Citrix Systems, 
Inc.; Computer Associates International, Inc.; Entrust, Inc.; Internet 
Security Systems Inc.; iPass Inc.; Juniper Networks, Inc.; McAfee, Inc; 
PGP Corporation; Qualys, Inc.; RSA Security Inc.; Secure Computing 
Corporation; Symantec Corporation and TechGuard Security, LLC.
    CSIA understands that the private sector bears a significant burden 
for improving cyber security. CSIA embraces the concept of sharing that 
responsibility between information technology suppliers and operators 
to improve cyber security. Cyber security also requires non-partisan 
government leadership. Work to strengthen cyber security began in the 
Clinton administration. The Bush administration has continued and 
boosted this work, through the creation of the National Strategy to 
Secure Cyberspace. The National Strategy remains timely and salient.

Roles and Responsibilities
    Last December, the Cyber Security Industry Alliance released an 
agenda for the administration that outlined twelve steps to help build 
a more secure critical infrastructure that called for an Assistant 
Secretary level post in the Department of Homeland Security. To 
understand why we feel this is critically important to the protection 
of our cyber infrastructure, I thought it would be helpful to expand on 
the Agenda and offer a framework to help define Federal versus private 
sector responsibilities in the area of cyber security.
    By outlining the responsibilities of the Department of Homeland 
Security in the area of cyber security, we feel that the need for an 
Assistant Secretary-level position can be better understood.
    Three Federal documents provide a framework for Federal 
responsibilities to secure cyberspace:
         The President's National Strategy to Secure Cyberspace 
        (February 14, 2003)
         Homeland Security Presidential Directive-7 (December 
        17, 2003)
         The National Response Plan's Cyber Incident Annex 
        (January 6, 2005)
         President's National Strategy to Secure Cyberspace

    The President's National Strategy is an appropriate place to start. 
While the Strategy's recommendations receive substantial attention, it 
also provides clear policy guidance on the Federal government's role. 
The President's cover letter for the Strategy states:
    ``The policy of the United States is to protect against the 
debilitating disruption of the operation of information systems for 
critical infrastructures and, thereby help to protect the people, 
economy, and national security of the United States.'' He continues, 
``We must act to reduce our vulnerabilities to these threats before 
they can be exploited to damage the cyber systems supporting our 
nation's critical infrastructure and ensure that such disruptions of 
cyberspace are infrequent, of minimal duration, manageable and cause 
the least damage possible.''
    The strategy adds some additional guidance on its role, noting that 
it is appropriate for the government to assist with forensics, attack 
attribution, protection of networks and systems critical to national 
security, indications and warnings, and protection against organized 
attacks capable of inflicting debilitating damage to the economy.
    Additionally, Federal activities should also support research and 
development that will enable the private sector to better secure 
privately-owned portions of the nation's critical infrastructure.
    These statements lead to the conclusion that Federal activity is 
bounded to protecting against debilitating attacks against critical 
infrastructure, attack attribution for national security systems, 
forensics and research and development.
    The Strategy also sets specific responsibilities for Federal 
agencies, including the Department of Homeland Security. The Strategy 
states that the Department should:
         Develop a comprehensive plan to secure critical 
        infrastructure.
         Provide crisis management and technical assistance to 
        the private sector with respect to recovery plans for failures 
        of critical information systems
         Coordinate with other Federal agencies to provide 
        specific warning information and advice about appropriate 
        protective measures and countermeasures to state, local and 
        nongovernmental organizations including the private sector, 
        academia and the public
         Perform and fund research and development along with 
        other agencies that will lead to new scientific understanding 
        and technologies in support of homeland security.
    It is important to note that the Strategy does not place 
responsibility for every problem associated with cyber security with 
DHS, but focuses its role on contingency planning and emergency 
communications--two critical areas of defense against threats to our 
national security.
HSPD-7
    HSPD-7 establishes the U.S. government's policy for the 
identification and protection of critical infrastructure from terrorist 
attacks. It advances the President's strategy in a number of areas and 
helps further refine the Federal government's role in securing 
cyberspace.
    HSPD-7 focuses in large part on the identification and protection 
of assets that if attacked would cause catastrophic health effects or 
mass casualties comparable to those from the use of a weapon of mass 
destruction. It also addresses the protection of infrastructure that if 
attacked would:
         Undermine state and local government capacities to 
        maintain order and to deliver minimum essential public 
        services.
         Damage the private sector's capability to ensure the 
        orderly functioning of the economy and delivery of essential 
        services
         Have a negative effect of the economy through the 
        cascading disruption of other critical infrastructure and key 
        resources.
         Undermine the public's morale and confidence in our 
        national economic and political institutions.
    HSPD-7 designated the Department of Homeland Security as a focal 
point for information infrastructure protection, including cyber 
security, stating:
    11The Secretary will continue to maintain an organization to serve 
as a focal point for the security of cyberspace. The organization's 
mission includes analysis, warning, information sharing, vulnerability 
reduction, mitigation, and aiding national recovery efforts for 
critical infrastructure information systems.''

The National Response Plan's Cyber Incident Annex
    The National Response Plan (NRP) upholds the President's National 
Strategy to Secure Cyberspace and HSPD-7. The NRP Cyber Incident Annex 
states that the Federal government plays a significant role in managing 
intergovernmental (Federal, state, local and tribal) and, where 
appropriate, public-private coordination in response to cyber incidents 
of national significance.

A Framework for Federal Action
    The President's National Strategy to Secure Cyberspace, 
Presidential Directive 7 and the National Response Plan yield a 
possible two-tier framework for Federal responsibility.
    Tier One--Functions Critical to U.S. Economic and National Security
        1. Identify and prioritize critical information infrastructure 
        that if disrupted would have a debilitating impact on critical 
        infrastructure or systems essential to U.S. economic or 
        national security
        2. Prepare for such contingencies by ensuring survivable 
        communications networks among key critical information 
        infrastructure operations in the government and private sector
        3. Prepare contingency plans in the event of a disruption that 
        include crisis management and restoration of critical networks, 
        and regularly exercise, test and refine these plans.
        4. Provide warning of attack or disruption to critical 
        infrastructure owners and operators from resources or 
        capabilities that are not available to the private sector 
        through such means as intelligence.
    Tier Two--Supporting Functions that Improve Coordination, 
Awareness, Education and Personnel Readiness
        1. Facilitate coordination between individual sectors of the 
        economy by establishing appropriate government advisory 
        committees
        2. Facilitate and support general awareness among all 
        information system users, including home users and small 
        businesses
        3. Track trends and costs associated with information 
        infrastructure attacks and disruptions, through such means as 
        U.S. CERT.
        4. Coordinate and support long-term research and development 
        for cyber security.

The Importance of Clear Leadership on the Issue of Cyber Security
    When you look closely at the responsibilities of The Department of 
Homeland Security in the area of cyber security, you see that while it 
may be narrowly defined, its responsibilities are extremely significant 
to our economic and national security. DHS is the government's focal 
point for the prevention, response and recovery from cyber security 
incidents that have a debilitating impact on our national and economic 
security. While the private sector has a critical role to play in the 
protection of critical information infrastructure, DHS serves as the 
government's and nation's point of coordination for all our efforts. 
Senior DHS leadership is needed to build an effective government-
private sector relationship, to understand the technical and global 
complexities of cyber security, and to marshal the resources necessary 
to provide an effective partnership with private sector organizations 
and initiatives.

Cyber vs. Physical Infrastructure Protection
    By advocating for an Assistant Secretary for Cyber Security, we are 
not dismissing the need to integrate cyber and physical infrastructure 
protection. Nor are we saying that the protection of the cyber 
infrastructure is more important than the protection of the physical 
infrastructure--although it is increasingly a critical component in the 
operation of our physical infrastructures, and in fact, it cuts across 
all of our physically infrastructures. The physical and cyber 
infrastructures are related, but they are fundamentally different in a 
variety of ways. For example:
         Cyber infrastructure is attacked and defended 
        differently than the physical infrastructure. Cyber 
        infrastructure is largely defended by technical specialists, 
        not through guns, gates, guards, and cameras. Vulnerabilities 
        are discovered through technical means and often require 
        immediate remediation involving a variety of parties across 
        different sectors of the economy. A cyber attack may be 
        launched remotely, requiring no physical access to a target. 
        Cyber attacks may not necessarily be abrupt. For example, a 
        cyber attack may be ``low and slow,'' changing or otherwise 
        corrupting critical data over an extended period of time.
         Cyber infrastructure is dynamic, where the physical 
        infrastructure is more static. For example, power plants, power 
        lines, chemical plants, railroads, bridges remain stationary 
        with more gradual changes in technology, where information 
        networks are rapidly changing. An IP-based transaction may 
        traverse the globe via satellite, wireless, or terrestrial 
        cable. The technologies that support these different means are 
        changing rapidly.
    In an event of national significance affecting one or more of the 
physical infrastructures, the cyber infrastructure takes on additional 
responsibility for ensuring we have the ability to coordinate and 
respond to attacks. Our IT infrastructure is operational; without it, 
our national response capability is crippled.
    We believe it is appropriate to have an Assistant Secretary for 
Cyber Security working along side an assistant secretary responsible 
for securing the physical infrastructure under the leadership of an 
Under Secretary as proposed in H. 285.

Conclusion
    Mr. Chairman, we are seeing increased threats and vulnerabilities 
associated with our information infrastructure. We rely upon our 
information infrastructure, yet there is no one clearly in charge of 
coordinating its security and reliability. Presidential guidance and 
the Homeland Security Act clearly identify the Department of Homeland 
Security as the most appropriate focal point for coordinating the 
protection of our information infrastructure. We strongly support HR 
285 and its creation of a more senior position at DHS to lead efforts 
to build a more secure information infrastructure for both the 
government and private sector.

    Mr. Lungren. The Chair now recognizes Catherine Allen, 
president and CEO of BITS, a division of the Financial Services 
Roundtable, to testify.

    STATEMENT OF CATHERINE ALLEN, PRESIDENT AND CEO, BITS, 
                 FINANCIAL SERVICES ROUNDTABLE

    Ms. Allen. Thank you very much. Thank you, Chairman Lungren 
and committee members, for the opportunity to testify before 
the committee. We commend Congressman Thornberry and 
Congresswoman Lofgren on the bill.
    I am Catherine Allen, CEO of BITS, a nonprofit industry 
consortium of the largest 100 financial institutions in the 
U.S. We are a nonlobbying division of the Financial Services 
Roundtable. Our mission is to serve the financial services 
needs at the interface between commerce, technology and 
financial services. We work with government organizations, DHS, 
Treasury, Federal financial regulators, the Federal Reserve and 
other technology associations.
    Given the short amount of time, I want to focus on three 
major points today: First, the state of cybersecurity; second, 
reasons in favor of elevating the cybersecurity position at 
DHS; and third, steps the government could take to strengthen 
cybersecurity.
    My written statement contains additional information on 
BITS, cybersecurity, crisis management, critical 
infrastructure, management of outsources and fraud reduction 
efforts. It also contains suggestions that BITS has given to 
DHS in the past, as well as others on how to strengthen 
cybersecurity.
    The importance of cybersecurity cannot be overstated. Our 
Nation's economic and national security relies on the security, 
reliability, recoverability, continuity and maintenance of 
information systems. The security and reliability of the 
information systems are increasingly linked to consumer and 
investor confidence.
    As I speak, criminals are writing code to compromise 
systems. Viruses are epidemic. Hackers are closing the window 
between the discovery of a flaw and the release of a new virus, 
now an average of 5.8 days. Over 1,200 new security flaws were 
discovered just in the last 6 months of 2004.
    Beyond threats to our Nation's infrastructure, leaders in 
the financial services industry are growing increasingly 
concerned about the impact on consumer confidence. As one 
example, fraudsters are finding new ways to trick consumers in 
providing initial information that can facilitate ID theft 
through phishing, pharming and other e-scams.
    The financial services industry has been aggressive in its 
efforts to strengthen cybersecurity and reduce fraud. We are 
sharing information; analyzing threats; creating best 
practices; urging the software and technology providers to do 
more to secure their products and services, something we call a 
higher duty of care; and combating fraud and identity theft.
    Just last week BITS and the Roundtable announced the 
permanent creation of an Identity Theft Assistance Center, a 
free service to financial institution customers that helps 
victims restore their financial identity. The ITAC has helped, 
to date, nearly 700 consumers restore their financial 
identities since it became operational last August. The ITAC 
information is shared with law enforcement to help prosecute 
the perpetrators, and the ITAC is the cornerstone of a broader 
industry effort to detect and prevent fraud, help victims 
address the causes of identity theft and prosecution of 
fraudsters.
    In a related effort, BITS created a phishing prevention and 
investigation network, again helping our industry to shut down 
on-line scams and aid in investigating perpetrators and 
providing a united front with law enforcement.
    Last year I submitted a letter in support of a proposal to 
elevate the position of Cybersecurity Director at the 
Department of Homeland Security to the assistant secretary 
level. We support rapid passage of H.R. 285. Cybersecurity is 
handled in DHS at a level far below where most financial 
services corporations handle the issues today, and that is at 
the board-room level. Elevating this critical position and 
insuring that adequate funding is provided will help us to 
focus greater attention on cybersecurity issues within the 
government and provide a more senior-level dialogue with the 
private sector. It will enable implementation of many key 
elements that were identified in the administration's National 
Strategy to Secure Cyberspace.
    Much of the focus at DHS has been on physical security. 
While that is important, we believe there are several areas 
that need much more focus. It starts with cybersecurity, but 
also a means addressing the interdependencies between our 
sector and other critical infrastructures, including the 
telecommunications and power industries. They, too, rely and 
need a strengthened cybersecurity effort. Elevating the 
cybersecurity position within DHS should be a first significant 
step as part of a broader strategy to strengthening 
cybersecurity.
    For the record, it is important for the committee to 
understand that the financial regulators are taking 
cybersecurity issues seriously. Treasury is a sector leader. 
DHS plays an important role in bringing the other sectors along 
in addressing the cybersecurity issues.
    We believe that there is much more that can be done to 
strengthen cybersecurity. My written statement includes a more 
detailed review of seven key elements that the Federal 
Government should support to ensure information technology 
security. I refer to them by the acronym PREPARE.
    The first is promote, playing an important role of 
promoting the importance of secure information technology and 
in facilitating collaboration.
    The second is responsibility, promoting shared 
responsibility between the suppliers and the end users for 
developing, deploying and maintaining secure information 
software and networks.
    The third is educate. All sectors should make it a priority 
to communicate to all users of information technology the 
importance of safe practices.
    The fourth is procure, using its purchasing power to 
leverage security requirements, such as software testing. Along 
with employing best practices developed by public and private 
sectors, the government can play an important role in 
encouraging the changes that need to take place.
    The fifth is analyze. Government should collect and provide 
to the critical infrastructures and policymakers the kinds of 
statistics we need on threats, risks and vulnerabilities.
    The next to last is research. The government can play an 
important role in funding R&D in the development of more secure 
software development practices, testing and certification 
programs.
    Lastly, enforce. Law enforcement must do more to enforce, 
investigate and prosecute cybercrimes here and abroad. E-crimes 
are growing and undermine our economy. Law enforcement must 
have the resources and mandate to go forward.
    In conclusion, the financial services sector is a key part 
of the Nation's critical infrastructure. Customer trust in the 
security of financial transactions is vital to the security of 
not only the infrastructure, but the strength of the Nation's 
economy. Our sector is a target of cybercriminals as well as 
terrorists. We have a vested interest in this being raised to a 
higher level of dialogue in the community.
    We have taken major strides to respond to the risks that we 
have today. We need the government to support these efforts, to 
support cybersecurity, with the same level of the energy, 
resources and stature as protecting physical security through 
DHS. Elevating the cybersecurity position to an assistant 
secretary level is a step in the right direction, but there is 
much more that is needed.
    Thank you for the opportunity to testify.
    Mr. Lungren. Thank you very much, Ms. Allen.
    [The statement of Ms. Allen follows:]

                Prepared Statement of Catherine A. Allen

Introduction
    Thank you, Chairman Lungren and Ranking Member Sanchez, for the 
opportunity to submit testimony before the House Committee on Homeland 
Security's Subcommittee on Economic Security, Infrastructure Protection 
and Cybersecurity about proposed legislation to elevate the Cyber 
Security Director at the Department of Homeland Security (DHS) to the 
Assistant Secretary level.
    I am Catherine Allen, CEO of BITS, a nonprofit industry consortium 
of 100 of the largest financial institutions in the U.S. BITS is the 
non-lobbying division of The Financial Services Roundtable. BITS' 
mission is to serve the financial services industry's needs at the 
interface between commerce, technology and financial services. BITS 
members hold about $9 trillion of the nation's total managed financial 
assets of about $18 trillion. BITS works as a strategic brain trust to 
provide intellectual capital and address emerging issues where 
financial services, technology and commerce intersect. BITS' activities 
are driven by the CEOs and their direct reports--CIOs, CTOs, Vice 
Chairmen and Executive Vice President-level executives of the 
businesses. BITS works with government organizations including the U.S. 
Department of Homeland Security, U.S. Department of the Treasury, 
federal financial regulators, Federal Reserve, technology associations, 
and major third-party service providers to achieve its mission. 
Attached to this statement is an overview of our work related to cyber 
security, crisis management coordination, critical infrastructure 
protection, and fraud reduction.
    The importance of cyber security cannot be overstated. Our nation's 
economic and national security relies on the security, reliability, 
recoverability, continuity, and maintenance of information systems. IT 
security has a direct and profound impact on the government and private 
sectors, and the nation's critical infrastructure. Further, the 
security and reliability of information systems is increasingly linked 
to consumer and investor confidence.
    As I speak, hackers are writing code to compromise systems. Viruses 
are epidemic. Hackers are closing the window between the discovery of a 
flaw and the release of a new virus. Fraudsters are finding new ways to 
trick consumers into providing personal information that can facilitate 
ID theft. Beyond threats to our nation's infrastructure, leaders in the 
financial services industry are growing increasingly concerned with the 
impact on consumer confidence.
    The financial services industry has been aggressive in its efforts 
to strengthen cyber security. We are sharing information, analyzing 
threats, urging the software and technology industries to do more to 
provide more secure products and services, and combating fraud and 
identity theft. Just last week, BITS and The Roundtable announced the 
results of a pilot of the Identity Theft Assistance Center (ITAC). The 
ITAC has helped nearly 700 consumers restore their financial identities 
since it became operational last August. The ITAC is a free service to 
financial institution customers. It is a key part of industry efforts 
to help victims and address the causes of identity theft.
    Last year I submitted a letter in support of a proposal to elevate 
the position of Cyber Security Director at the Department of Homeland 
Security to the Assistant Secretary level (Attachment A).
    BITS and The Financial Services Roundtable support this effort to 
increase the administration's focus on cyber security concerns and 
address our sector's concerns. While much of DHS' focus has been on 
physical security, it has not focused enough attention on addressing 
cyber security concerns. Elevating the cyber security position is a 
small step as part of a broader strategy to strengthen cyber security. 
Cyber security is handled at a level far below where most corporations 
handle the issues today. Elevating this critical position and ensuring 
that adequate funding is provided will help to focus greater attention 
on cyber security issues within the government and throughout the 
private sector and thus implement many areas identified in the 
Administration's National Strategy to Secure Cyberspace.
    Since the creation of DHS in March 2003, BITS has worked closely 
with many DHS officials, including the director and acting director of 
the Cyber Security Division. We have provided numerous suggestions for 
DHS actions to strengthen cyber security and ways it can work in 
partnership with leaders in the private sector. Earlier this year, the 
National Cyber Security Division convened a ``retreat'' of 
representatives from the major associations (e.g., BITS, Center for 
Internet Security, Cyber Security Industry Alliance, Educause, 
Information Technology Association of America, ISAlliance, Technet, 
SANS Institute, U.S. Chamber of Commerce), individual companies (e.g., 
IBM, Microsoft, RSA), law enforcement (e.g., Federal Bureau of 
Investigations, U.S. Secret Service) and government (e.g., Central 
Intelligence Agency, Commerce Department, Defense Department, Homeland 
Security Department, House of Representatives, Justice Department, 
Treasury Department, National Security Agency). DHS played an important 
leadership role in convening the meeting and other meetings of the US-
CERT program. Attachment B is a summary of answers to several questions 
DHS officials asked in advance of the meeting.

More Can Be Done
    As an organizational and symbolic step, elevating this critical 
position will help to focus greater attention on cyber security issues 
within the government and throughout the private sector.
    However, this should be viewed as just one of many steps that must 
be taken to strengthen cyber security.
    Government plays an enormous role. Our nation's economic and 
national security relies on the security, reliability, recoverability, 
continuity, and maintenance of information systems. IT security has a 
direct and profound impact on the government and private sectors, and 
the nation's critical infrastructure. Further, the security and 
reliability of information systems is increasingly linked to consumer 
and investor confidence. In recent years, members of the user community 
that rely on technology provided by the IT industry--private-sector 
companies, universities and government agencies--are demanding greater 
accountability for the security of IT products and services.

PREPARE
    The federal government can play an important role in protecting the 
nation's IT assets. The following are seven key elements that the U.S. 
government should support to secure information technology.
    Promote. Government can play an important role in promoting the 
importance of secure information technology. Also, government should do 
more to facilitate collaboration among critical infrastructure sectors 
and government. Some sectors, such as financial services, are heavily 
regulated and supervised to ensure that customer information is 
protected and that financial institutions operate in a safe and sound 
manner. Examples of actions the government can take include:
         Government should lead by example by ensuring that the 
        issue of cyber security receives adequate attention in the 
        Department of Homeland Security. Today, cyber security is 
        handled at a level far below where most corporations handle 
        these issues. Congress could create a more senior-level policy 
        level position within DHS to address cyber security issues and 
        concerns and ensure that adequate funding is provided.
         Strengthen information sharing coordination 
        mechanisms, such as the Information Sharing and Analysis 
        Centers (ISACs), by ensuring adequate funding is made available 
        to Federal agencies sponsoring such organizations. Information 
        sharing and trend analysis within a sector is essential to 
        protecting information security and responding to events. 
        Information sharing among sectors is equally important as cyber 
        threats sometimes reach some sectors before others.
         Create an emergency communication and reconstitution 
        system in the event of a major cyber attack or disruption of 
        information networks. Such an attack or disruption could 
        potentially cripple many of the primary communication channels. 
        To allow maximum efficiency of information dissemination to key 
        individuals in such an event, a thorough and systematic plan 
        should be in place. The financial services industry has 
        developed such a plan for industry-specific events in the BITS/
        FSR Crisis Communicator. Other organizations have developed 
        similar communication mechanisms. These emergency 
        communications programs should be examined as potential models 
        for a national cyber security emergency communication system.
         Reform of the Common Criteria/National Information 
        Assurance Partnership (NIAP). The current software 
        certification process is costly, inefficient, used on a limited 
        basis by the Federal government, and virtually unknown to the 
        private sector. NIAP should be reformed so that it is more cost 
        effective for vendors to seek certification while ensuring 
        consistent Federal procurement practices and expanded 
        commercial adoption of NIAP-certified products. The BITS 
        Product Certification Program may well be able to serve as a 
        model.
    Responsibility. Government should promote shared responsibility 
between suppliers and end users for developing, deploying, and 
maintaining secure information networks. Government can play an 
important role in establishing incentives and making producers of 
software and hardware accountable for the quality of their products. 
Examples of actions the government can take include:
         Provide tax or other incentives for achieving higher 
        levels of Common Criteria certification. Incremented incentives 
        would help to compensate companies for the time and cost of 
        certification. This should encourage certification and increase 
        the overall security of hardware and software.
         Provide tax or other incentives for certification of 
        revised or updated versions of previously certified software. 
        Under Common Criteria, certification of updated versions is 
        costly and time consuming. Incentives are necessary to ensure 
        that all software is tested for security
         Require software providers to immediately notify ISACs 
        of newly discovered cyber threats and to provide updated 
        information on such threats until an effective patch is 
        provided. It is vital that critical infrastructure companies 
        receive immediate notice of serious vulnerabilities.
         Establish requirements that improve the patch-
        management process to make it more secure and efficient and 
        less costly to organizations.
    Educate. Communicate to all users of information technology the 
importance of safe practices. Public confidence in e-commerce and e-
government is threatened by malicious code vulnerabilities, online 
fraud, phishing, spam, spyware, etc. Ensuring that users (home users, 
businesses of all sizes, and government) are aware of the risks and 
take appropriate precautions is an important role for government and 
the private sector. Examples of actions the government can take 
include:
         Fund joint FTC/DHS consumer cyber security awareness 
        campaign. The FTC should focus its efforts on building consumer 
        awareness, and DHS should coordinate more detailed technical 
        education regarding specific serious threats. In addition, 
        government employees should be trained in proper cyber safety 
        measures.
         Train government employees on proper cyber security 
        measures.
         Educate corporate executives and officers regarding 
        their duties under Sarbanes-Oxley, GLBA, and HIPAA as they 
        relate to cyber security.

    Procure. Using its purchasing power and leveraging security 
requirements and best practices developed by the public and private 
sectors, government can play an important role in encouraging the IT 
industry to deliver and implement more secure systems. Examples of 
actions the government can take include:
         Require high levels of cyber security in software 
        purchased by the government through procurement procedures. 
        Extend such requirements to software used by government 
        contractors, subcontractors, and suppliers.
         Provide NIST with adequate resources to develop 
        minimum cyber security requirements for government procurement. 
        NIST should include software developers and other stakeholders 
        in the standard-creation process.

    Analyze. Government should collect information and analyze the 
costs and impact of information security risks, vulnerabilities and 
threats and provide this analysis to policy makers. Examples of actions 
the government can take include:
         Assign to the Commerce Department or another 
        appropriate agency the responsibility of tracking and reporting 
        such costs and their impact on the economy. Measuring and 
        making these costs transparent will aid law makers and 
        regulators as they assign resources to cyber security programs.

    Research. Government can play an important role in funding R&D in 
the development of more secure software development practices, testing 
and certification programs. In addition, training future generations of 
programmers, technicians and business leaders that understand and 
manage information security can be accomplished by establishing 
university and educational/certification programs. Government can help 
by facilitating collaboration with the users and suppliers of IT to 
develop standards for safe practices. Examples of actions the 
government can take include:
         Enhance DHS, NSF, and DARPA cyber security R&D 
        funding.
         Carefully manage long- and short-term R&D to avoid 
        duplication.
         Establish a mechanism to share educational training 
        and curricula.

    Enforce. Law enforcement must do more to enforce, investigate and 
prosecute cyber crimes here and abroad. Examples of actions the 
government can take include:
         Ratify the Council of Europe's Convention on 
        Cybercrime.
         Enhance criminal penalties for cyber crimes.
         Make cyber crimes and identity theft enforcement a 
        priority among law enforcement agencies.
         Encourage better coordination among law enforcement 
        agencies in order to detect trends.

The Financial Services Industry Is Leading the Way
in Responding to the Cyber Security Challenge
    The financial services sector is a key part of the nation's 
critical infrastructure. Customer trust in the security of financial 
transactions is vital to the stability of financial services and the 
strength of the nation's economy. At the same time, our sector is a 
favorite target of cyber criminals as well as of terrorists, as was 
made clear on 9/11.
    Since 9/11, the financial services sector has taken major strides 
to respond to the risks we face today. BITS has made coordinating 
financial services industry crisis management efforts a top priority. 
Senior executives at our member companies have dedicated countless 
hours to preparing for the worst. We have convened numerous conferences 
and meetings to bring together leaders and experts, developed emergency 
communication tools, strengthened our sector's Information Sharing and 
Analysis Center (FS/ISAC), conducted worst case scenario exercises, 
engaged in partnerships with the telecommunications sector and key 
software providers, compiled lessons learned from 9/11 and the August 
2003 blackout, developed best practices and voluntary guidelines, 
created a model for regional coalitions, developed liaisons and pilots 
with the telecommunications industry for diversity and redundancy, and 
combated new forms of online fraud. Additionally, BITS is now 
developing best practices in collaboration with the electric power 
industry.

Lessons Learned
    BITS regularly gathers and disseminates ``lessons learned'' from 
its membership. These lessons are a critical building block for BITS' 
best practices. Below are some of those lessons for the Committee to 
consider.
    We must work with other parties in the private and public sectors 
to address these issues sufficiently. We understand that the risks for 
national security and economic soundness cannot be underestimated. 
Neither can the importance of our working together to address them.
    We need to look strategically and holistically at the nation's 
critical infrastructures and what can be done to enhance resiliency and 
reliability. We urge the Committee to consider all aspects of critical 
infrastructure--the software and operating systems, the critical 
infrastructure industries, and the practices of firms, industries and 
the government--in addressing software security and vulnerability 
management.
    Preparation is critical. The events of 9/11 and subsequent 
preparations by the private sector and government enhanced mutual trust 
and the ability to communicate, shift to backup systems, and continue 
operations. Prior to the August 2003 blackout, BITS conducted a 
scenario exercise that included the West Coast power grid being out for 
seven days and the impact that might have on the sector. That exercise 
helped the industry think through things like communications, water 
shortages, backup for ATM operations, and fuel for generators.
    Critical infrastructure industries and the public need to have an 
understanding of the scope and cause as early as possible when a major 
event occurs. During the August 2003 blackout, the announcement that 
the problem was not the result of a terrorist event alleviated public 
concerns and made for orderly execution of business continuity 
processes. If it had been a terrorist event, other communications and 
directives such as ``shields up''--in which external communications to 
institutions are blocked--might have occurred.
    Diverse and resilient communication channels are essential. Diverse 
elements--such as cell phones, wireless email devices, landline phones, 
and the Internet--are required. Both diversity and redundancy are 
needed within critical infrastructures to assure backup systems are 
operable and continuity of services will be maintained.
    The power grid must be considered among the most vital of critical 
infrastructures and needs investment to make sure it works across the 
nation. The cascading impact on the operation of financial services, 
access to fuel, availability of water, and sources of power for 
telephone services and Internet communications cannot be overstated.
    Recognize the dependence of all critical infrastructures on 
software operating systems and the Internet. A clear understanding of 
the role of software operating systems and their ``higher duty of 
care,'' particularly when serving the nation's critical 
infrastructures, needs to be explored. Further, the Committee should 
recognize that the financial sector is driven by its ``trusted'' 
reputation as well as regulatory requirements. Other industries do not 
have the same level of regulatory oversight, liability, or business 
incentives. However, we rely on other sectors because of our 
interdependencies. Responsibility and liability need to be shared.

Financial Industry Efforts to Strengthen Cyber Security
    In October 2003, BITS began its Software Security and Patch 
Management initiative to respond to increasing security risks and 
headline-sweeping viruses. Since then, BITS has worked to mitigate 
security risks to financial services consumers and the financial 
services infrastructure, ease the burden of patch management caused by 
vendor practices, and help member companies comply with regulatory 
requirements. BITS also began forging partnerships with the software 
vendors most commonly used in our industry.
    In February 2004, BITS and The Financial Services Roundtable held a 
Software Security CEO Summit. The event launched BITS and Roundtable 
efforts to promote CEO-to-CEO dialogue on software security issues. 
More than 80 executives from financial services, other critical 
infrastructure industries, software companies, and government discussed 
software vulnerabilities and identified solutions. A ``toolkit'' with 
software security business requirements, sample procurement language, 
and talking points for discussing security issues with IT vendors was 
distributed to 400 BITS and Roundtable member company executives. One 
important deliverable from this Forum is the set of Software Security 
Business Requirements, which are essential from the perspective of the 
financial services sector. These requirements and the full ``toolkit'' 
are available in the public area of the BITS website, at 
www.bitsinfo.org.
    A theme of the event was the importance of collaborating with other 
critical infrastructure industries and government. Since the Summit we 
have worked with all the associations representing the financial 
services industry, as well as The Business Roundtable, the Cyber 
Security Industry Alliance and other relevant groups.
    In April 2004, BITS and The Financial Services Roundtable announced 
a joint policy statement calling on the software industry to improve 
the security of products and services it provides to financial services 
customers. The policy statement calls on software providers to accept 
responsibility for their role in supporting financial institutions and 
other critical infrastructure companies. BITS and The Roundtable 
support incentives and other measures that encourage implementation of 
more secure software development processes and sustain long-term R&D 
efforts to support stronger security in software products. We also 
support protection from antitrust laws for critical infrastructure 
industry groups to discuss baseline security specifications for the 
software and hardware that they purchase. Additionally, as part of the 
policy, BITS and The Roundtable are encouraging regulatory agencies to 
explore supervisory tools to ensure critical third-party service 
providers and software vendors deliver safe and sound products and 
services to the financial services industry.
    We continue to work with software companies to create solutions 
acceptable to all parties. In 2004 BITS successfully negotiated with 
Microsoft to provide additional support to BITS member companies using 
Windows NT. We have provided Microsoft and other software and hardware 
companies with Software Security Business Requirements. (See Attachment 
A.) BITS members agree that these requirements are critical to the 
soundness of systems used in the financial services industry.
    In July 2004, BITS published best practices for software patch 
management in response to the increasing urgency of patch 
implementation, given the speed with which viruses are targeting new 
vulnerabilities. This document is available to the public at no cost 
and applicable to industries outside of financial services.\1\
---------------------------------------------------------------------------
    \1\ Patch management and implementation alone can cost one 
financial institution millions of dollars annually. A BITS survey of 
member institutions found that costs to the financial services industry 
associated with software security, including patch management, are 
approaching $1 billion annually. BITS' best practices help companies 
mitigate these costs.
---------------------------------------------------------------------------
    In July, BITS published The Kalculator: BITS Key Risk Measurement 
Tool for Information Security Operational Risks. This tool helps 
financial institutions evaluate critical information security risks to 
their businesses. Financial institutions use the Kalculator to score 
their own information security risks based on the likelihood of an 
incident, the degree to which the organization has defended itself 
against the threat, and the incident's possible impact. The tool brings 
together an extensive body of information security risk categories 
outlined in international security standards and emerging operational 
risk regulatory requirements. Like the patch management best practices, 
the Kalculator is available to the public at no cost and applicable to 
industries outside of financial services.
    BITS participated in the Corporate Information Security Working 
Group (CISWG) sponsored by Congressman Adam Putnam, then-Chairman of 
the House of Representatives' Subcommittee on Technology, Information 
Policy, Intergovernmental Relations on the Census. CISWG is made up of 
corporate, industry and academic leaders and is working to pursue a 
private sector-driven approach to enhancing the protection of the 
nation's corporate computer networks. BITS is active in the best 
practices, incentives, and procurement subgroups. In addition, BITS has 
participated in task forces established by DHS and several technology 
associations.
    Finally, the BITS Product Certification Program is another 
important part of our work to address software security. The BITS 
Product Certification Program is a testing capability that provides 
security criteria against which software can be tested. A number of 
software companies are considering testing. The criteria are also used 
by financial institutions in their procurement processes. We are 
working to hand this over to DHS and secure ongoing funding for it.

Identity Theft and Phishing: Prevention and Victim Assistance
    Just as financial institutions are a key target for hackers and 
other cyber criminals, our industry is increasingly the target of 
fraudsters operating online. BITS and The Financial Services Roundtable 
are responding to the escalation in identity theft with a series of 
steps to facilitate prevention of the crime and assist victims when it 
occurs. The goals of these efforts are to help maintain trust in the 
financial services system, assist member companies' customers, and 
mitigate fraud losses. BITS and The Roundtable are working with the 
Administration, Congress, and law enforcement and regulatory agencies 
to accomplish these goals.
    A cornerstone to these efforts is the Identity Theft Assistance 
Center (ITAC). Developed by BITS and The Roundtable, with the support 
of 50 founding member institutions, the ITAC helps victims of identity 
theft restore their financial identity. If a consumer or a member 
company suspects a problem, the consumer and the company resolve any 
issues, and if the problem involves identity theft, the customer is 
offered the ITAC service. The ITAC walks the consumer through his or 
her credit report to find any other suspicious activity. Then, the ITAC 
notifies the affected creditors and places fraud alerts with the credit 
bureaus. The ITAC also shares information with the Federal Trade 
Commission and law enforcement agencies, to help arrest and convict the 
perpetrators and prevent future identity theft crimes.
    Because a consistent understanding of the problem is essential to 
finding solutions, a 2003 BITS white paper on identity theft outlines 
the full identity theft landscape, establishing key terms as well as 
identifying factors that contribute to identity theft. The paper 
provides background about the legislative and policy environment, 
including existing and proposed laws, as well as industry best 
practices.
    Along with the white paper, BITS developed guidelines for financial 
institutions to use to prevent identity theft and restore victims' 
financial identities. The guidelines include processes for providing a 
``single point of contact'' at companies to whom victims may report 
cases of identity theft.
    Additionally, the BITS Fraud Reduction Steering Committee and the 
Federal Trade Commission have created a Uniform Affidavit to simplify 
the recovery process for victims. The Uniform Affidavit streamlines the 
reporting process by recording the victim's information about the 
crime, so that victims only have to tell their story once.
    BITS is also responding to ``phishing'' through its Fraud Reduction 
Program. Phishing is the practice of luring consumers to provide bank 
account and other personal information to fraudsters through bogus 
email messages. In response to these and other online scams, BITS has 
created a Phishing Prevention and Investigation Network. The Phishing 
Network provides member institutions with information and resources to 
expedite investigations and address phishing/spoofing incidents. The 
Phishing Network includes a searchable database of information from 
financial institutions on their phishing incident and response 
experience, including contacts at law enforcement agencies, foreign 
governmental agencies, and ISP Web administrators. The Phishing Network 
also provides data on trends to help law enforcement build cases and 
shut down identity theft operations.
    Financial institutions are regulated to ``know your customers.'' 
However, financial institutions currently do not have access to various 
government databases to validate information provided at new account 
openings. For instance, financial institutions cannot validate that a 
passport number belongs to the individual providing it and matches the 
address given at a new account opening. This is also true of driver's 
license and tax ID numbers. (A pilot is underway with Social Security 
numbers; BITS is hopeful that financial institutions will finally be 
able to validate Social Security numbers.) Financial institutions do 
not want direct access to the information; they would like to have 
access to a ``yes'' or ``no'' response through a trusted third party.

Complying with Regulatory Requirements
    As you know, financial institutions are heavily regulated and 
actively supervised by the Federal Reserve, Federal Deposit Insurance 
Corporation, Office of the Comptroller of Currency, Office of Thrift 
Supervision, National Credit Union Administration, and the Securities 
and Exchange Commission. Regulators have stepped up their oversight on 
business continuity, information security, third party service 
providers, and critical infrastructure protection. Our industry is 
working consistently and diligently to comply with new regulations and 
ongoing examinations. In addition, BITS and other industry associations 
have developed and disseminated voluntary guidelines and best practices 
as part of a coordinated effort to strengthen all critical players in 
the sector.
    Regardless of how well financial institutions respond to 
regulations, we simply cannot address these problems alone. Our 
partners in other critical industry sectors--particularly the 
telecommunications and software industries--must also do their fair 
share to ensure the soundness of our nation's critical infrastructure.

Recommendations
    The Congress can help the financial services sector meet the 
challenges of a post 9/11 environment in a number of ways. We have 
developed these key recommendations for the Committee to consider:
        1. Recognize that the financial sector is driven by its 
        ``trusted'' reputation as well as regulatory requirements. 
        Other industries do not have the same level of regulatory 
        oversight, liability, or business incentives. However, we rely 
        on other sectors because of our interdependencies. 
        Responsibility and liability need to be shared.
        2. Maintain rapid and reliable communication. Critical 
        infrastructure industries and the public need to have an early 
        understanding of the scope and cause as early as possible when 
        a major event occurs. Diverse communication channels such as 
        cell phones, wireless email devices, landline phones, and the 
        Internet are necessary. Both diversity and redundancy are 
        needed within critical infrastructures to assure backup systems 
        are operable and continuity of services will be maintained.
        3. Recognize the dependence of all critical infrastructures on 
        software operating systems and the Internet. Given this 
        dependence, the Congress should encourage providers of software 
        to the financial services industry to accept responsibility for 
        the role their products and services play in supporting the 
        nation's critical infrastructure. In so doing, Congress should 
        support measures that make producers of software more 
        accountable for the quality of their products and provide 
        incentives such as tax incentives, cyber-insurance, liability/
        safe harbor/tort reform, and certification programs that 
        encourage implementation of more secure software. Congress also 
        could provide protection from U.S. antitrust laws for critical 
        infrastructure industry groups that agree on baseline security 
        specifications for the software and hardware that they 
        purchase.
        4. Encourage regulatory agencies to review software vendors--
        similar to what the regulators currently do in examining third-
        party service providers--so that software vendors deliver safe 
        and sound products to the financial services industry.
        5. Encourage collaboration and coordination among other 
        critical infrastructure sectors and government agencies to 
        enhance the diversity and resiliency of the telecommunications 
        infrastructure. For example, the government should ensure that 
        critical telecommunications circuits are adequately protected 
        and that redundancy and diversity in the telecommunications 
        networks are assured.
        6. Invest in the power grid because of its critical and 
        cascading impact on other industries and other critical 
        infrastructures. The power grid must be considered among the 
        most vital of critical infrastructures and needs investment to 
        make sure it works across the nation.
        7. Establish improved coordination procedures across all 
        critical infrastructures and with federal, state, and local 
        government when events occur. Coordination in planning and 
        response between the private sector and public emergency 
        management is inadequate and/or inconsistent. For example, a 
        virtual national command center for the private sector that 
        links to the Homeland Security Operations Center would help to 
        provide consistency.
        8. Encourage law enforcement to prosecute cyber criminals and 
        identity thieves, and publicize U.S. government efforts to do 
        so. These efforts help to reassure the public and businesses 
        that the Internet is a safe place and electronic commerce is an 
        important part of the nation's economy.
    On behalf of both BITS and The Financial Services Roundtable, thank 
you for the opportunity to testify before you today. I will now answer 
any questions.
Attachment A
Letter from BITS and The Financial Services Roundtable

                    The Financial Services Rountable

                                  BITS

                           FINANCIAL SERVICES

                               ROUNTABLE

JULY 13, 2004

Representative Christopher Cox,
Chairman, Select Committee on Homeland Security
2402 Rayburn House Office Building
Washington, DC 20515

Representative Jim Turner
Ranking Member, Select Committee on Homeland Security
330 Cannon House Office Building
Washington, DC 20515

Representative Mac Thornberry
Chairman, Cybersecurity Subcommittee
2457 Rayburn House Office Building
Washington, DC 20515

Representative Zoe Lofgren
Ranking Member, Cybersecurity Subcommittee
102 Cannon House Office Building
Washington, D.C. 20515

RE: Cybersecurity Concerns

Dear Representatives Cox, Turner, Thornberry and Lofgren:
    Thank you for the opportunity to discuss the concerns of financial 
institutions with regard to strengthening software security.
    The Financial Services Roundtable (FSR) and BITS want to offer our 
support for the recommendation to elevate the position of cybersecurity 
director to the level of Assistant Secretary. We support this effort as 
a way to increase the administration's focus on cybersecurity concerns 
and address issues such as those outlined in the attached BITS/FSR 
Software Security Policy Statement. Furthermore, we believe that this 
elevation to Assistant Secretary will provide support for those areas 
identified by the National Strategy as requiring additional actions.
    Finally, we would like to acknowledge the responsiveness of the 
National Communications System (NCS) to meeting the needs of the 
financial services industry. As such, we would like to ensure that 
moving the NCS into the Cybersecurity Division will not undermine the 
excellent work of the NCS.

Best regards,
                                     Steve Bartlett
                      President, The Financial Services Roundtable.

                                 Catherine A. Allen
                                           Chief Executive Officer.

Enclosure: BITS/FSR Software Security Policy Statement

                           SOFTWARE SECURITY

    Security is a fundamental building block for all financial 
services. It is also a regulatory requirement. The financial services 
industry relies upon software to operate complex systems and provide 
services, as well as to protect customer information.
    Financial services companies comply with a host of legal and 
regulatory requirements to ensure the privacy and security of customer 
information. Recently, the prevalence of security risks, threats and 
viruses, combined with a lack of accountability for software 
vulnerabilities, has saddled financial institutions with significant 
risks and skyrocketing costs.
    In early 2004, BITS surveyed its members to estimate the costs to 
financial institutions of addressing software security and patch-
management problems. Based on the survey, BITS and Financial Services 
Roundtable members pay an estimated $400 million annually to deal with 
software security and patch management. Extrapolated to the entire 
financial services industry, these costs are approaching $1 billion 
annually.

    The members of BITS and The Financial Services Roundtable believe:
         Because the financial services industry plays a 
        central role in the nation's critical infrastructure and is 
        dependent on the products and services of software providers, 
        such providers of mission critical software to the financial 
        services industry need to accept responsibility for the role 
        their products and services play in supporting the nation's 
        critical infrastructure and should exhibit and be held to a 
        ``higher duty of care'' to satisfy their own critical 
        infrastructure responsibilities.
         Software vendors should ensure their products are 
        designed to include security as part of the development process 
        using security-trained and security-certified developers on 
        product development and lifecycle teams.
         Software vendors should ensure through testing that 
        their products meet quality standards and that financial 
        services security requirements are met before products are 
        sold.
         Software providers should develop patch-management 
        processes that minimize costs, complexity, downtime, and risk 
        to user organizations. Software vendors should identify 
        vulnerabilities as soon as possible and ensure that the patch 
        is thoroughly tested.
         Software vendors should continue patch support for 
        older, but still viable, versions of software.
         Collaboration and coordination among other critical 
        infrastructure sectors and government agencies are essential to 
        mitigate software security risks.

The members of BITS and The Financial Services Roundtable:
         Support measures that make producers of software more 
        accountable for the quality of their products.
         Support incentives (e.g., tax incentives, cyber-
        insurance, liability/safe harbor/tort reform, certification 
        programs) and other measures that encourage implementation of 
        more secure software development processes and sustain long-
        term R&D efforts to support stronger security in software 
        products.
         Seek protection from U.S. antitrust laws for critical 
        infrastructure industry groups that agree on baseline security 
        specifications for software and hardware that they purchase.
         Encourage regulatory agencies to explore supervisory 
        tools to ensure that critical third-party service providers and 
        software vendors deliver safe and sound products to the 
        financial services industry.
         Support and incorporate, where possible, the BITS 
        Product Security Criteria into security policies, and encourage 
        technology vendors to test products to meet these criteria.
         Apply a risk-management approach to software security 
        by assessing risks and applying appropriate tools and best 
        practices to ensure the most secure deployment and application 
        of software possible across the entire enterprise.
         Participate in and support efforts to strengthen the 
        Financial Services Information Sharing and Analysis Center (FS/
        ISAC) in order to share vulnerability information on the 
        products deployed by financial institutions.
         Educate policy makers on the significance of the risks 
        posed to the financial services sector and other critical 
        infrastructure industries and the need to take action to 
        mitigate these risks.

                         BUSINESS REQUIREMENTS

                                  FOR

                 SOFTWARE SECURITY AND PATCH MANAGEMENT

    Members of BITS and The Financial Services Roundtable believe 
software vendors should take responsibility for the quality of their 
products. Especially when selling products to companies that are within 
critical infrastructure industries, certain minimum requirements should 
be met. Following are recommended critical infrastructure sector 
Business Requirements.
    Provide a higher ``duty of care'' when selling to critical 
infrastructure industry companies.
    To meet this higher duty of care, vendors should:
         Make security a fundamental component of software 
        design.
         Support older versions of software (e.g., NT), 
        particularly if existing programs are functional and not past 
        the end of their estimated life cycle.
         Make upgrading easier, less cumbersome and less 
        costly, and offer more support.
                -- Products should be less prone to failure and have an 
                automated back-out feature.
                -- Components (including embedded components used in 
                other products) should be clearly defined in order for 
                the customer to assess the cascading effect of the 
                upgrade or installation.
                -- Publish metrics on security of new and existing 
                products.
                -- Expand coordination and establish better 
                communication with individual clients and industry 
                groups.
                -- Vendors should give customers an aggressive ``patch 
                playbook'' which would provide clear guidance and 
                explicit instructions for risk mitigation throughout 
                the patch management process and especially in times of 
                crisis.
                -- Vendors should offer critical infrastructure 
                customers access to one-on-one, private, early 
                vulnerability notice prior to notifying the general 
                public, possibly by establishing ``preferred'' customer 
                levels. (Some vendors offer financial institutions 
                advanced notification if they agree to serve as a 
                ``beta'' site, however, this is not practical as an 
                industry-wide solution.)
         Provide better security-trained and security-certified 
        developers on product teams.
         Establish Regional Centers of Excellence to service 
        major financial institutions in their area. Centers would keep 
        IT profiles for each institution in order to:
                -- Inform institutions of the likely effects of a new 
                vulnerability on their specific IT environment.
                -- Continually advise institutions on how to best apply 
                patches.
                -- Expedite patch installation by visiting the 
                financial institution site.
                -- Make on site or remote consultation available when 
                patches affect other applications.
Comply with security requirements before releasing software products.
Vendors should:
         Meet minimum security criteria, such as BITS software 
        security criteria and/or the Common Criteria.
         Thoroughly test software products, taking into 
        consideration that:
                -- Testing needs to address both quality assurance as 
                well as functionality against known and unknown 
                threats.
         Conduct code reviews.
                --Whether conducted internally or outsourced, code 
                reviews should involve tools or processes, such as code 
                profilers and threat models, to ensure code integrity.
    Improve the patch-management process to make it more secure and 
efficient and less costly to organizations.
Vendors should:
         Issue patch alerts as early as possible.
         Continue patch support for older software.
                -- Vendors should be clear about the level of support 
                provided for each software version.
                --Vendors are strongly encouraged to provide support 
                for up to two versions of older software, i.e., the N-2 
                level.
         Provide automatic, user-controlled patch-management 
        systems, such as uniform, reliable, and, possibly, industry-
        standard installers.
         Ensure all patches come with an automated back-out 
        function and do not require reboots.
         Support clients who purchase third-party installer 
        tools (until a standard is established).
         Thoroughly test patches before release.
                -- Testing should include patch-to-patch testing to 
                identify any cascade effects and in-depth compatibility 
                testing for effects on networks and applications.
         Issue better patch and vulnerability technical 
        publications. Publications should include more thorough 
        analyses of the impact of vulnerabilities on unpatched systems 
        as well as data on the environments and applications for which 
        the patches were tested. Impact on other patches should also be 
        addressed.
         Conduct independent security audits of the patch-
        development and deployment processes.
         Distribute a communication and mitigation plan, 
        including how vulnerability/patch information will be relayed 
        to the customer, for use in times of crisis.
Attachment B

   BITS Response to DHS' Questions on Cyber Security January 4, 2005

    The National Cyber Security Division of DHS hosted a retreat at Wye 
River, Maryland on January 6-7, 2005 to assess private and public 
sector progress in meeting the goals and objectives of the 
Administration's National Strategy to Secure Cyberspace. DHS asked 
participants in advance of the meeting to answer three questions. BITS 
submitted the following answers to these questions.
    Question 1: What are the top three initiatives your organization is 
currently involved in to advance cybersecurity (such as the goals 
articulated in the National Strategy to Secure Cyber Space)?
    BITS is involved in numerous efforts to address cyber security and 
protect the Nation's critical infrastructure. For 2005, BITS will focus 
on the following top three initiatives to advance cybersecurity: (1) 
urge major software vendors to address software security business 
requirements; (2) combat on-line fraud and identity theft; and (3) 
support efforts to develop meaningful software product certification 
programs. In addition to the three initiatives outlined below, BITS 
also will continue to educate policy makers on cyber security risks and 
steps that can be taken to protect the Nation's critical 
infrastructure. (See appendix B for a summary of BITS' accomplishments 
in 2004.)
    A. Urge major software vendors to address the BITS/FSR software 
security business requirements. In April 2004, BITS and The Financial 
Services Roundtable announced a joint policy statement calling on the 
software industry to improve the security of products and services it 
provides to financial services customers. The policy statement calls on 
software providers to accept responsibility for their role in 
supporting financial institutions and other critical infrastructure 
companies. BITS and the Roundtable support incentives (e.g., tax 
incentives, cyber-insurance, liability/safe harbor/tort reform, 
certification programs) and other measures that encourage 
implementation of more secure software development processes and 
sustain long-term research and development efforts to support stronger 
security in software products. (The BITS/FSR Software Security Business 
Requirements are attached to the April 2004 BITS/FSR Software Security 
Policy statement which is available at http://www.bitsinfo.org/
bitssoftsecuritypolicyapr04.pdf) In addition, BITS is working with 
major software vendors to discuss business requirements. In June 2003, 
BITS announced it had successfully negotiated with Microsoft to provide 
additional support to BITS member companies for Windows NT. We have 
provided Microsoft and other software and hardware companies with the 
Software Security Business Requirements. BITS members agree that these 
requirements are critical to the soundness of systems used in the 
financial services industry. BITS also is working with or has plans in 
early 2005 to work with Cisco, IBM and RedHat on software security 
issues.
    B. Combat on-line fraud and identity theft and explore appropriate 
authentication strategies. BITS is involved in supporting the pilot of 
the BITS/FSR Identity Theft Assistance Center (ITAC), developing the 
BITS Phishing Prevention and Investigation Network, and focusing on 
authentication practices and strategies.
    The ITAC is a one-year pilot program intended to help victims of 
identity theft by streamlining the recovery process and enabling law 
enforcement to identify and prosecute perpetrators of this crime. ITAC 
is an initiative of The Financial Services Roundtable and BITS, which 
represent 100 of the largest integrated financial services companies. 
Fifty BITS and Roundtable Members are participating and funding the 
ITAC pilot program as a commitment to their customers and maintain 
trust in the Nation's financial services system. The ITAC's services 
are free-of-charge to customers and made available based on referrals 
to the ITAC by one of the 50 members of the ITAC pilot program. BITS 
has also published several business practices guidelines and white 
papers on various aspects of identity theft and fraud reduction 
strategies.
    The BITS Phishing Prevention and Investigation Network has three 
primary purposes. First, the Network helps financial institutions shut 
down online scams. Second, it aids in investigations of scam 
perpetrators by providing law enforcement with trend data. Law 
enforcement agencies can use the data to build cases and stop scamming 
operations. Finally, the BITS Network facilitates communication among 
fraud specialists at financial institutions, law enforcement agencies 
and service providers, resulting in a ``united front'' for combating 
online scams. Financial institutions can also use the BITS Network to 
share information about online scams. Through its searchable database, 
fraud professionals at BITS member institutions learn from other 
institutions' phishing incidents and responses. The database provides 
quick access to contacts at law enforcement agencies, foreign 
governmental agencies, and ISP administrators. Founded under the 
auspices of the BITS eScams Subcommittee of the BITS Internet Fraud 
Working Group, the Network is hosted by the Financial Services 
Information Sharing and Analysis Center (FS/ISAC). Resources to develop 
the Network were contributed by Microsoft Corporation and RDA 
Corporation.
    On March 8, 2005, BITS will host a Forum entitled ``A Strategic 
Look at Authentication'' in Washington, DC. Authentication issues have 
emerged in a number of BITS' working groups. This strategic Forum will 
focus on the following issues: business issues that drive the need for 
authentication; business challenges to implementation; public policy 
implications; and emerging technologies in the authentication area.
    C. Support efforts to develop meaningful software product 
certification programs. The BITS Product Certification Program (BPCP) 
is an important part of our work to address software security. The BPCP 
provides product testing by unbiased and professional facilities 
against baseline security criteria established by the financial 
services industry. A product certification, the BITS Tested Mark, is 
awarded to those products that meet the defined criteria. An option is 
available for technology providers to meet the product certification 
requirements via the internationally recognized Common Criteria 
certification schema. BITS has initiated discussions with DHS to 
support efforts to enhance product certification programs, including 
the Common Criteria program run by the National Security Agency (NSA) 
and National Institutes of Technology and Standards (NIST). DHS has 
expressed support for broad-based, not sector specific, certification 
programs. Moreover, DHS wants ``buy in'' from the broader user 
community. Consequently, BITS has been in discussions with The Business 
Roundtable, NIST, and the Cyber Security Industry Alliance (CSIA) to 
develop a joint proposal.
    Question 2 & 3: Aside from funding, what can the government (if 
appropriate, specify which agency(ies)) do to help advance the 
cybersecurity agenda/priority(ies)/initiative(s) of your organization? 
What else should government and the private sector be doing to help 
facilitate enhanced cybersecurity?
    Our Nation's economic and national security relies on the security 
of information technology (IT). This security depends on the 
reliability, recoverability, continuity, and maintenance of information 
systems. The issue of secure information technology has a direct and 
profound impact on both the government and private sectors, and 
includes the Nation's critical infrastructure. The security and 
reliability of information systems are increasingly linked to consumer 
and investor confidence. Financial institutions (and others that make 
up the ``user'' community) are demanding greater accountability for the 
security of IT products and services. The federal government can play 
an important role in protecting the Nation's IT assets. The following 
are steps the U.S. government can and should take to secure information 
technology.
         Strengthen the Information Sharing and Analysis 
        Centers (ISACs) by providing complete and adequate federal 
        funding. Information sharing and trend analysis within a sector 
        is essential to protecting information security and responding 
        to events. The ISACs are a good vehicle for such sharing, but 
        they require additional resources.
         Encourage sharing of essential information among 
        industry ISACs. Threats to cyber security will reach some 
        sectors before others--oftentimes resulting in simultaneous or 
        cascading effects. Mandatory sharing among the ISACs will 
        provide valuable advance notice to sectors not immediately 
        threatened.
         Utilize the ISACs to inform critical infrastructures 
        of cyber threats discovered through national intelligence and 
        law enforcement. As a primary target of cyber attacks, the 
        government expends substantial resources to protect, detect and 
        respond to attacks. The information gathered by the government 
        regarding present, imminent, or gathering threats should be 
        shared with sectors that are widely understood to be critical 
        to the security of the country. ISACs represent a centralized 
        way of quickly disseminating important security information.
         Create an emergency communication system in the event 
        of a massive cyber attack. Such an attack could potentially 
        cripple many of the primary communication channels. To allow 
        maximum efficiency of information dissemination to key 
        individuals in such an event, a thorough and systematic plan 
        should be in place. The financial services industry relies on 
        the BITS/FSR Crisis Management Process and Manual of 
        Procedures, including the BITS/FSR Crisis Communicator.
         Create and promote security standards for technology 
        products which address the Common Criteria certification 
        concerns noted by the National Cyber Security Partnership 
        (NCSP). These concerns include:
                 Cost and delay of the certification process
                 Need to make certification applicable to the 
                needs of both government and industry
                 Uniform tying of federal procurement policies 
                to the certification system
    In the alternative to repairing the Common Criteria, a new system 
should be developed that would address from the beginning the 
limitations of the Common Criteria. DHS has expressed interest in such 
a certification program if it is not sector specific. The BITS Product 
Certification Program may well be able to serve as a model for such a 
certification program.
         Increase staffing, funding, and prominence of cyber 
        security in the DHS. Cyber security is a unique threat to 
        national security. As such, it should be elevated in importance 
        at DHS.
         Create a more senior level policy level position 
        within DHS to address cyber security issues and concerns.
         Provide tax or other incentives for achieving higher 
        levels of Common Criteria certification. Presently, Common 
        Criteria certification is the primary uniform means of 
        evaluating the security of software and hardware. Incremented 
        incentives, based upon the level of certification achieved, 
        would help to compensate companies for the time and cost of 
        certification. This should encourage more certification and 
        increase the overall security of hardware and software.
         Provide tax or other incentives for certification of 
        revised or updated versions of previously certified software. 
        Under Common Criteria, certification of updated versions is 
        costly and time consuming. Incentives are necessary to ensure 
        that all software is tested for security and not a single build 
        or version of a product.
         Require software providers to immediately notify ISACs 
        of newly discovered cyber threats and to provide updated 
        information on such threats until an effective patch is 
        provided. Regulatory controls may be necessary to prevent the 
        wider broadcast of such information, but it is vital that the 
        critical infrastructure receive immediate notice of serious 
        vulnerabilities. Regulatory action will also be necessary to 
        police software provider compliance with such an information 
        sharing requirement.
         Establish requirements which improve the patch-
        management process to make it more secure and efficient and 
        less costly to organizations that use software.
         Fund joint FTC/DHS consumer cyber security awareness 
        campaign. The FTC should focus its efforts on building consumer 
        awareness, and DHS should coordinate more detailed technical 
        education regarding specific serious threats. In addition, 
        government employees should be trained in proper cyber safety 
        measures.
         Train government employees on proper cyber security 
        measures.
         Provide tax or other incentives for industry cyber 
        security awareness campaigns. Because security should not be 
        grounds for competitive advantage, cyber security awareness 
        campaigns undertaken on an industry-wide basis should be 
        encouraged.
         Educate corporate executives and officers regarding 
        their duties under Sarbanes-Oxley, GLBA, and HIPAA as relates 
        to cyber security.
         Require high levels of cyber security in software 
        purchased by the government through procurement procedures. 
        Extend such requirements to software used by government 
        contractors, subcontractors, and suppliers.
         Provide NIST with adequate resources to develop 
        minimum cyber security requirements for government procurement. 
        NIST should include software developers and other stakeholders 
        in the standard creation process.
         Assign to the Commerce Department or another 
        appropriate agency the responsibility of tracking and reporting 
        such costs and the impact on the economy. Measuring and making 
        transparent these costs will aid law makers and regulators as 
        they assign resources to cyber security programs.
         Fund research and development of more secure software 
        development practices, testing and certification programs.
         Facilitate collaboration with the users and suppliers 
        of information technology to develop standards for safe 
        practices.
         Enhance DHS, NSF, and DARPA cyber security R&D 
        funding.
         Carefully manage long and short term R&D to avoid 
        duplication.
         Establish a mechanism to share educational training 
        and curriculum.
         Encourage law enforcement to enforce, investigate and 
        prosecute cyber crimes here and abroad.
         Ratify the Council of Europe's Convention on 
        Cybercrime.
         Enhance criminal penalties for cyber crimes.
         Make cyber crimes and identity theft enforcement a 
        priority among law enforcement agencies.
         Encourage better coordination among law enforcement 
        agencies in order to detect trends, share information and 
        identify and prosecute offenders.

    Mr. Lungren. I think the chief clerk wants to make sure 
that we hear Mr. Silva. This is high-tech right here.
    The Chair now recognizes Mr. Ken Silva, chairman of the 
board of directors of the Internet Security Alliance, to 
testify. Thank you for appearing.

  STATEMENT OF KEN SILVA, CHAIRMAN OF THE BOARD OF DIRECTORS, 
                   INTERNET SECURITY ALLIANCE

    Mr. Silva. Good morning, Mr. Chairman.
    I am Ken Silva. I am the chief security officer and vice 
president for infrastructure security of VeriSign, 
Incorporated. I am also chairman of the board for the Internet 
Security Alliance, on whose behalf I am here today. With the 
Chairman's permission, I ask that my entire statement be 
inserted into the record.
    Before I detail what is in H.R. 285 that the IS Alliance 
finds promising, let me tell you a little bit about ISA and one 
of its members companies, VeriSign. ISA was established in 
April of 2001 as a trade association comprising over 200 member 
companies spanning four continents. ISA member companies 
represent a wide diversity of economic sectors representing the 
vendors and users of the technology network, and the ISA 
focuses exclusively on information security issues. Among IS 
Alliance's core beliefs are, first, because we are the stewards 
of the Internet's physical assets, it is the private sector's 
responsibility to aggressively secure them.
    Second, more needs to be done by both government and 
industry to provide adequate information security. This means 
security not only securing the physical and logical elements of 
the network--but also securing the highly valuable electronic 
cargo running over the network.
    Third, a great deal can be accomplished simply with 
enhanced technology and greater awareness and training of 
individuals--from the top corporate executives down to the 
solitary PC user.
    Fourth, while technology, education and information sharing 
are critical to cybersecurity, they must be supported by 
research, aggressive global intelligence gathering, information 
sharing, and vigorous law enforcement efforts against those who 
attack the network.
    Lastly, new and creative structures and incentives need to 
evolve to ensure adequate and ongoing information security. 
VeriSign, as one of the member companies of the Internet 
Security Alliance, is in a unique position to preserve and 
protect the Internet's infrastructure, at least part of it, in 
our role as steward for the dot.com and dot.net top-level 
domains of the Internet and also 2 of the 13 root servers.
    I am pleased to have the opportunity to speak in support of 
H.R. 285, the Department of Homeland Security Cybersecurity 
Enhancement Act of 2005. I would like to make three overarching 
points about this legislation.
    First, both the public and private sectors need to become 
more proactive with respect to cybersecurity. The FBI declares 
cybercrime to be our Nation's fastest-growing crime. According 
to the CERT, there has been an increase of nearly 4,000 percent 
in computer crimes since 1997. We also know from reliable 
intelligence that has been reported that terrorist groups are 
not only using cybercrime to fund their activities, but 
studying how to use the information and attacks to undermine 
our critical infrastructures.
    Second, the administrative changes in management tasking 
set out in H.R. 285 must be supported by an adequate level of 
funding to permit the Department to carry out critical mandates 
of this bill. In particular, increased funding for 
cybersecurity research is one critical area not specifically 
mentioned in this legislation. The Internet's basic protocols 
are nearly 30 years old, and at the time of their creation, 
they didn't contemplate the security or scale issues we face 
today.
    Third, sufficient real authority and trust must be invested 
in the person who heads up the cybersecurity organization. 
Without this stature and trust, the elevation of the 
organization to an office and the bestowing of an assistant 
secretary title will have little benefit.
    Mr. Chairman, there is no shame in pointing out what we all 
know to be true. Our economic and national security depends on 
this job being done right. Cybersecurity means the protection 
of physical and logical assets of a complex distributed 
network. Cybersecurity means protection of the economic and 
national security activity carried on that infrastructure.
    These infrastructure assets support activity that in the 
commercial area alone account for about $3 trillion daily. 
According to the Federal--excuse me, this is according to the 
Federal Reserve Board. That is $130 billion an hour that 
depends on there being a safe, reliable and available Internet. 
An infrastructure of such great importance to America's 
economic and national security demands leadership that is 
trusted, visible and effective.
    In summary, Mr. Chairman, the challenge of America and the 
rest of the Internet-dependent world, security organizations 
like DHS, is threefold. First, DHS and other government 
cyberagencies need to understand the architecture of the 
network today and to recognize its ever-growing diversity and 
complexity.
    Second, cybersecurity agencies need to collaborate with the 
industries that operate most of these network assets and 
exchange and understand the information exchanged with 
industry, including employing the best engineering talent 
available.
    Lastly, the cybersecurity agencies here and around the 
world must be organized and cooperate to respond to threats and 
attacks against our cyberinfrastructure rapidly and 
effectively.
    Mr. Chairman, this H.R. 285 moves the Department of 
Homeland Security in the direction of addressing these three 
challenges. It is especially helpful simply because it applies 
more attention to cybersecurity.
    IS Alliance members want to work with the committee and the 
Department to ensure that good intentions expressed in this 
document become a reality that strengthens America's ability to 
prevent attacks against our networks and to make them strong 
enough to withstand any attacks that do come our way.
    Thank you, Mr. Chairman.
    Mr. Lungren. Thank you very much, Mr. Silva.
    [The statement of Mr. Silva follows:]

                    Prepared Statement of Ken Silva

    Good morning Mr. Chairman. I am Ken Silva. I am the Chief Security 
Officer and Vice President for Infrastructure Security of VeriSign, 
Incorporated. I have the privilege of being the Chairman of the Board 
of the Internet Security Alliance (ISAlliance), on whose behalf I am 
here today
    Before I detail what it is in H.R. 285 that the IS Alliance finds 
promising, let me tell you a bit more about both the IS Alliance and 
VeriSign.
    Established in April 2001 as collaboration between Carnegie Mellon 
University and the Electronic Industries Alliance, the IS Alliance is a 
trade association comprising over 200 member companies spanning four 
continents. IS Alliance member companies represent a wide diversity of 
economic sectors including banking, insurance, entertainment, 
manufacturing, IT, telecommunications, security, and consumer products.
    The IS Alliance programs focus exclusively on information security 
issues. We provide our member companies with a full suite of services 
including: information sharing, best practice, standard, and 
certification development, updated risk management tools, model 
contracts to integrate information technology with legal compliance 
requirements, and market incentives to motivate an ever-expanding 
perimeter of security.
    Among the IS Alliance's core beliefs are:
    First, because the Internet is primarily owned and operated by 
private organizations, it is the private sector's responsibility to 
aggressively secure the Internet.
    Second, not enough is currently being done by either government or 
industry to provide adequate information security. This means security 
not only of the physical and logical elements of the network--but also 
security of the highly valuable electronic cargo running over the 
network. Third, a great deal can be accomplished simply with enhanced 
technology and greater awareness and training of individuals--from the 
top corporate executives down to the solitary PC users.
    Fourth, while technology, education, and information sharing are 
critical, they are insufficient to maintain appropriate cybersecurity 
and respond to an ever-changing technological environment. Research, 
aggressive global intelligence gathering, information sharing, and 
vigorous law enforcement efforts against those who attack our networks 
are also essential.
    Fifth, new and creative structures and incentives may need to 
evolve to assure adequate and ongoing information security. While 
government is a critical partner, industry must shoulder a substantial 
responsibility and demonstrate leadership in this field if we are to 
eventually succeed.
    As Chairman of ISAlliance's Board, one of my roles is to carry 
these messages not only to government, but also to potential new 
members of the ISAlliance. When VeriSign helped found the ISAlliance 
four years ago, there were fewer than a dozen members. But the 
ISAlliance's key points resonate with ANY organization that uses the 
information superhighway to conduct its affairs--whether commercial 
business, academic institution, NGOs, or government. Thus, it is not 
surprising that, since its inception, the ISAlliance has grown by 
nearly twenty-fold.
    Certainly, my own company, VeriSign takes these principles 
seriously. VeriSign is a microcosm of the diverse ``e'' activities on 
the Internet, of the convergence of the traditional ``copper'' networks 
with computer driven digital networks, soon to become the ``NGNs'' or 
Next Generation Networks. Commerce, education, government, and 
recreation all are enabled by the infrastructures and services we and 
our colleague companies support. VeriSign, the company I am privileged 
to serve as Chief Security Officer, was founded 10 years ago in 
Mountain View, California. VeriSign operates the Internet 
infrastructure systems that manage .com and .net, handling over 14-
billion Web and email look-ups every day. We run one of the largest 
telecom signaling networks in the world, enabling services such as 
cellular roaming, text messaging, caller ID, and multimedia messaging. 
We provide managed security services, security consulting, strong 
authentication solutions, and commerce, email, and anti-phishing 
security services to over 3,000 enterprises and 400,000 Web sites 
worldwide. And, in North America alone, we handle over 30 percent of 
all e-commerce transactions, securely processing $100 million in daily 
sales.
    Of these activities, the one that places us in a very unique 
position to observe, and to protect the Internet's infrastructure is 
our role as steward of the .COM and .NET top level domains of the 
Internet, and of two of the Internet's 13 global root servers. These 
are the Internet's electronic ``directory'' The services VeriSign 
provides over many hundreds of millions of dollars worth of servers, 
storage and other infrastructure hardware enables the half trillion 
daily Internet address lookups generated by all of your web browsing 
and emails to actually reach their intended destinations. Consequently 
as the manager of several 24x7 watch centers where our engineering 
staff observe as these 500 billion daily requests circle the globe, we 
see when elements of the infrastructure are attacked, impaired, taken 
off the air for maintenance, or otherwise have their status or 
performance altered. Because we observe and record this, VeriSign is 
capable of, and often involved in the identification of the nature, 
severity, duration, type, and sometimes even source of attacks against 
the Internet. Our experience in doing this for over a decade, I believe 
makes VeriSign uniquely interested in how the government architects its 
companion cybersecurity services.
    I am pleased to have the opportunity to speak in support of H.R. 
285, the Department of Homeland Security Cybersecurity Enhancement Act 
of 2005; I would like to make three overarching points about the 
legislation:
    First, both the public and private sectors need to become more pro-
active with respect to cybersecurity.
    A smattering of statistics can briefly outline the growing nature 
of the growing cyber security problem. According to Carnegie-Mellon 
University's CERT, there has been an increase of nearly 4000 percent in 
computer crime since 1997. The FBI declares Cybercrime to be our 
nation's fastest growing crimes. One FTC estimate puts the number of 
Americans who have experienced identity theft at nearly 20 million in 
the past 2 years, suggesting the link between Cybercrime and identity 
theft is not merely coincidental. CRS reported last year that the 
economic loss to companies suffering cyber attacks can be as much as 5 
percent of stock price. Furthermore, the OECD reports that as many as 1 
in 10 e-mails are viruses and that every virus launched this year has a 
zombie network backdoor or Trojan (RAT). Globally they estimate 30 
percent of all users, which would mean more than 200 million PCs 
worldwide, are controlled by RATs.
    Perhaps most ominously, we know from reliable intelligence that 
terrorist groups are not only using Cybercrime to fund their 
activities, but are studying how to use information attacks to 
undermine our critical infrastructures.
    Second, the administrative changes and management taskings set out 
in H.R. 285 must be supported by an adequate level of funding to permit 
the Department to carry out the critical mandates of this bill.
    In particular, cybersecurity research is one area of critical 
financial need NOT specifically mentioned in the legislation. The basic 
protocols the Internet is based on are nearly 30 years old; they did 
not contemplate the security or scale issues we face today and will 
continue to face in the future. Increasing Federal funding for 
cybersecurity research and development was recently cited by the 
President's Information Technology Advisory Committee, (the ``PITAC''). 
After studying the U.S. technology infrastructure for nearly a year, 
PITAC noted in its report entitled ``Cyber Security: A Crisis of 
Prioritization'' that ``most support is given to short-term, defense-
oriented research, but that little is given to research that would 
address larger security vulnerabilities.'' The IS Alliance fully 
agrees. Substantial funding needs to be provided for basic research in 
cybersecurity. Industry, itself, can not sustain the level of research 
investment that is required. The US government must increase its 
investment.
    Third, sufficient REAL authority and trust need to be invested in 
the person who heads up the Cybersecurity organization within the 
Department. Without this stature and trust, the elevation of the 
organization to an ``Office'' and the bestowing of an Assistant 
Secretary title will have little benefit. Mr. Chairman, there should be 
no shame in pointing out what we all know to be true: our economic and 
national security depends on this job being done right.
    ``Cybersecurity'' means the protection of the physical and logical 
assets of a complex distributed network comprised of long-haul fiber, 
large data switching centers, massive electronic storage farms, and 
other physical assets worth hundreds of billions of dollar; the 
software programs, engineering protocols, and human capital and 
expertise which underlie it all are equally valuable. And cybersecurity 
means protection of the activity--economic and national security--
carried on that infrastructure. All of these infrastructure assets 
combine to support activity that, in the commercial area alone, account 
for about $3 trillion dollars daily, according to the Federal Reserve 
Board. That's $130 billion per hour that depends on a safe, reliable, 
and available Internet. An infrastructure of such great importance to 
America's economic and national security demands leadership that is 
trusted, visible, and effective.
    Several provisions of H.R. 285 are of special note:
    First, the final section does us all the important service of 
attempting to define--and to BROADLY ``define--cybersecurity'', to 
encompass all of the diverse legacy, present and emerging networked 
electronic communications tools and systems.
    Second, the bill's repeated emphasis on collaboration between the 
Department and the private sector--in each present and proposed NCSO 
operational area, as well as across government--reflects a wise 
understanding of the dynamic nature of the cyber infrastructure, and 
the diverse interests in and out of government which must cooperate to 
assure the networks' security and stability. I will address some 
specifics, as well as IS Alliance's incentives programs, later in my 
testimony.
    Third, in a related area, language in Section 2 (d) directs the 
consolidation into the NCSO of the existing National Communications 
System (NCS) and its related NCC industry watch center, which for two 
decades has provided industry-based alert, warning, and analysis 
regarding attacks against the traditional telephone networks. These 
existing important watch functions support critical national security 
and emergency preparedness communications; their consolidation will 
bring Departmental practice more inline with emerging technological 
realities. If done with appropriate care and recognition of the 
valuable, unique role the NCC has played in supporting NS/EP 
communications for two decades, consolidation could also make the 
function stronger and better able to protect these converging assets.
    Fourth, the IS Alliance strongly supports voluntary cybersecurity 
best practices highlighted in section 5(A). We believe that market-
driven cyber security is the appropriate model to compel positive 
cybersecurity improvements within the nation's cyber critical 
infrastructure. Towards this end, the insurance industry, among others, 
have made great strides and continue to advance the state-of-the-art 
among market-driven cybersecurity best practices.

COMMENTS on SPECIFIC PROVISIONS
    Developing new tools to address cyber threats depends on real 
public-private cooperation. H.R. 285 provides the Department with 
significant improvements that the ISAlliance believes may help achieve 
better organization, more cooperation, and greater effectiveness in its 
collaborations with the industrial, private-sector custodians of the 
cyber infrastructure, in its cooperation with other agencies of 
government at the Federal, sub-Federal and international levels, and in 
its development of new tools to combat cyber threats.
    With its focus on government-industry cooperation and cross-
governmental cooperation, this bill correctly identifies the two 
centers of gravity for successfully meeting the cybersecurity 
challenge. Current programs must continue, which address:
         analysis of threat information;
         detection and warning of attacks against the cyber 
        infrastructure;
         restoration of service after attacks;
         reducing vulnerabilities in exiting network 
        infrastructure, including assessments and risk mitigation 
        programs;
         awareness, education, and training programs on 
        cybersecurity across both the public and private sectors;
         coordination of cybersecurity (as directed by HSPD-7 
        and the Homeland Security Act) across Federal agencies, and 
        between Federal and sub--federal jurisdictions; and
         international cybersecurity cooperation.
    All of these are essential functions. Even in our custodial role 
for many of the infrastructures that support the $10 trillion 
U.S.''eConomy'', few would assert that private industry can, or even 
SHOULD, manage these functions. They are PUBLIC functions, properly 
performed by government, but in cooperative collaboration--persistent 
and polite collaboration between government and industry. I want to 
note here, Mr. Chairman, that we realize the challenges for DHS/NCSD 
are far, far easier said than done. Everyone working at the Department, 
including those in the infrastructure protection and cybersecurity 
divisions, deserves our sincerest gratitude. I want to personally thank 
my colleague on the panel today Mr. Yoran, as well as his predecessors, 
Mr. Clark & Mr. Simmons, as well as his successor Acting Director 
Purdy. And Mr. Liscouski who oversaw the entire infrastructure 
division; they all worked, or are working, as hard as they can at an 
imposing task.
    That said however, it is a task that must be completed, no matter 
how difficult And IS Alliance is not unmindful of cost. But a national 
cybersecurity awareness and training program as provided by subsection 
(1)(C), a government cybersecurity program to coordinate and consult 
with Federal, State, and local governments to enhance their 
cybersecurity programs as provided by subsection (1)(D), and a national 
security and international cybersecurity cooperation program as 
provided by subsection (1)(E) are all important and welcome 
improvements to the nation's overall cybersecurity posture. Absent 
adequate funding however, the long-term effectiveness of these critical 
cybersecurity programs will be uncertain.
    Unfortunately, and despite great effort to date, the track-record 
of the Department and NCSD in achieving even an effective dialogue on 
how to conduct these essential activities has been spotty and even 
disappointing.
    The provisions of Section 2 of H.R. 285 that direct these specific 
functions may--hopefully, WILL--jumpstart the collaborations that will 
rapidly make these programs a reality. America cannot fail in doing 
these things; a cyber Pearl Harbor is not just a catch phrase, but very 
much a potential reality. The Department's own ``Red Cell'' exercises, 
including a notable one published last September, clearly forecasts 
``blended'' terror attacks against the physical and logical assets of 
our information networks and institutions that depend on them. Such 
unavoidably attractive targets have the potential to disrupt economic, 
social, and government activities at all levels. Improved cyber-
resiliency--established in part through effective public-private 
cooperation such as spelled out in Section 2 of H.R. 285--is one 
important step in reducing that threat.
    Similarly, cross-agency collaborations within Department 
components--and with other security and anti-terrorism components of 
government--is not merely common sense, they are essential. In 
VeriSign's business, we have had opportunities from time to time to try 
to ``go it alone'' and reap the innovator's premium from the 
marketplace, or to cooperate with competitors on standards and 
accessible platforms that grow markets and increase business 
opportunities for all participants. I can tell you that cooperation and 
the ``rising tide raises all boats'' approach is preferable to being 
the single-handed sailor. In cybersecurity, the expertise of many 
different agencies--Treasury on financial crimes, or Justice on 
international frauds--being brought to bear just seems compelling.
    Several other provisions of the bill have been long-standing areas 
of interest to the IS Alliance:
    The information sharing provision of HR 285 refers back to Section 
214 of the Homeland Security Act; the Department's ``Protected Critical 
Infrastructure Information'' program attempting to implement this 
Congressional mandate is long overdue for reexamination. The ``PCII'' 
program, though perhaps well meaning has, rather than encouraging 
information sharing between industry and the Department, chilled the 
flow of information. The implementing regulations represent a complex 
bureaucratic structure that seems more intent on keeping Federal 
employees from accidentally mishandling information, and thus facing 
prosecution, rather than encouraging a timely flow of attack and threat 
information from network custodians to the Department. VeriSign and 
some of our ISAlliance partners who are members of the IT-ISAC helped 
draft the original Section 214 of the Homeland Security Act. We are 
anxious to see it work in a manner consistent with its original 
Congressional intent and enable information flow that will help respond 
to attacks, mitigate the damage and, above all, prevent a recurrence.
    And, as mentioned earlier, the proposal to merge the watch 
functions of the NCS into NCSO, and create a single, industry-supported 
watch effort that covers traditional and IP-based assets is clearly a 
beneficial way to manage the monitoring of network exploits. However, 
cyber-security is not the sole mission of the National Communications 
System. Executive Order (EO) 12472 assigns the NCS with support for 
critical communications of the President and government including, the 
National Security Council, the Director of the Office of Science and 
Technology Policy and the Director of the Office of Management and 
Budget. The NCS was established by EO 12472 as a Federal interagency 
group assigned national security and emergency preparedness (NS/EP) 
telecommunications responsibilities throughout the full spectrum of 
emergencies--disaster and warfare as well as cyber attacks. These 
responsibilities include planning for, developing, and implementing 
enhancements to the national telecommunications infrastructure to 
achieve improvements in survivability, interoperability, and 
operational effectiveness under all conditions and seeking greater 
effectiveness in managing and using national telecommunication 
resources to support the Government during any emergency. While this 
mission does cover the spectrum of cyber-security issues, there is more 
to the legacy role of the NCS that must not be forgotten or overlooked 
and from which the NCSO can learn as these functions move forward 
together.
    A key issue is missing from HR. 285, however. Funding for 
cybersecurity research and development is essential. The Director of 
the U.K.'s equivalent agency, the NISCC, observed recently that the 
U.K. alone last year spent 3 times as much on cyber R&D in 2004 as the 
$68 million spent by the Department and the National Academy's ``cyber 
trust'' programs to fund private sector cyber R&D. The United States 
should not be taking a second place position in the funding of 
cybersecurity research. While we are benefited by the many investments 
being made by intelligence and defense agencies that do not appear on 
such comparative scorecards, R&D to support improved security for the 
majority privately-held network assets must continue and must grow. In 
a tech industry where 2-3 percent is not an unusual R&D budget, the FY 
2004 $68 million number is an amount you would expect one $2 billion 
cyber company to spend on R&D, not the entire government of the country 
that invented the technology.
    We are increasingly seeing the solutions for improved security 
originating from research outside the United States, with outside 
investment and ownership in the solutions. Unless the U.S. commits to 
self-defense, funding the research locally at our universities that 
will produce solutions to secure our nation's economic infrastructure, 
we run the risk of having our security developed and managed by others 
than Americans--and that could be a fragile policy both economically 
and from the perspective of homeland security. We must figure out a way 
to invest more to match the clever advances being made by the 
terrorists who WILL attack these networks.
    Finally, let me cite three examples of marketplace incentives that 
IS Alliance believe promote improved cybersecurity investment by 
industry: The ISAlliance, together with AIG, have agreed on a program 
wherein if member companies comply with our published best practices 
they will be eligible to receive up to 15 percent off their cyber 
insurance premiums. Visa, another ISAlliance member company, has 
developed its KISP program which again uses market entry, in this case 
the ability of commercial vendors to use the Visa card, as a motivator 
to adopt cybersecurity best practices. And the IS Alliance has recently 
launched its Wholesale Membership Program which allows small companies 
access to IS Alliance services at virtually no cost, provided their 
trade associations also comply with IS Alliance criteria.
    There is also a role for the government to play in promoting 
industry cyber security; government should be a critical partner if 
incentive programs will have their maximum impact. Examples of critical 
incentive programs include the need to motivate and enhance the 
insurance industry participation in offering insurance for cyber-
security risks, where AIG has been a leader, and the creation of 
private sector certification programs such as those provided by Visa in 
its Digital Dozen program. These and several other government incentive 
programs were highlighted last year in the report of the Corporate 
Information Security Working Group on Incentives which we commend to 
the Committee for its consideration.
    In summary. Mr. Chairman, the challenge of America's--and the rest 
of the Internet-dependant world's security organizations--like the 
Department's is threefold:
    First, DHS and other government cyber agencies need to understand 
the architecture of the network today and to recognize its ever-growing 
diversity and complexity;
    Second, cybersecurity agencies need to collaborate with the 
industries that operate most of these network assets and exchange and 
understand the information exchanged with industry (including employing 
the best engineering talent available); and
    Third, the cybersecurity agencies here and around the world need to 
cooperate to respond to threats and attacks against our cyber 
infrastructure rapidly and effectively.
    Mr. Chairman, H.R. 285 moves the Department of Homeland Security in 
the direction of addressing these three challenges. It is especially 
helpful simply because it applies more attention to cyber security. 
ISAlliance members want to work with the Committee and the Department 
to assure that the good intentions expressed in this document become a 
reality that strengthens America's ability to prevent attacks against 
our networks and to make them strong enough to withstand any attacks 
that do come our way.
    I appreciate the opportunity to bring our views before you today, 
and I am happy take any questions you may have.

    Mr. Lungren. I thank all of you for your testimony. I would 
just like to ask a question of all of you, and that is it is 
premised on the fact that this hearing, while it is a hearing 
on a particular bill, is actually part of oversight in a sense. 
If we didn't think we needed a bill like this, we wouldn't be 
doing it for a position there.
    So I would ask this, and I would just go down right to 
left, starting with Mr. Silva, and asking each of you, do you 
believe there is a sense of urgency to pass this bill so that 
it prods DHS to do what everyone seems to suggest we want DHS 
to be doing? Mr. Silva?
    Mr. Silva. Well, Mr. Chairman, I think that the sooner we 
start, if you will, getting on the ball with the cybersecurity 
issues, I think the better. Decisions around this have sort of 
floundered for long enough. The longer we wait, the longer this 
is going to linger as an issue and potentially lose interest. I 
think the sooner you could get this passed, I think it will 
express to the Department how urgent you feel this issue is. 
With our support, I think we will also reinforce that as well.
    Mr. Lungren. Ms. Allen.
    Ms. Allen. Yes. I do think there is a sense of urgency, 
first of all because of the escalation of attacks that are 
occurring; secondly, because we need leadership from the 
government; and, thirdly, I think, as said before, we have the 
potential of having a digital Pearl Harbor, and we want to 
avoid that.
    Mr. Lungren. Mr. Kurtz. Everybody trying to share a 
computer monitor.
    Mr. Kurtz. Yes. Simply stated, I think it is urgent that we 
seek passage of this. It has been 2 years since the National 
Strategy was issued. We have a crisis of organization and 
prioritization at DHS with regard to cybersecurity, and it 
would be nice if we could do this and not have to learn the 
hard way.
    Having an assistant secretary will help develop those 
programs and plans and the communications issues in order for 
us, when we have an eventual attack, work out of it more 
cleanly than we are in a position now.
    Mr. Lungren. Thank you.
    Mr. Miller.
    Mr. Miller. Yes.
    Mr. Lungren. Thank you.
    Mr. Yoran.
    Mr. Yoran. I am a cybersecurity strategist and operator. 
Just to point out the obvious, I am not particularly well 
versed in legislative process or motive. All of the fundamental 
concepts represented in this bill are well informed and 
constructive, and should be dealt with with the sense of 
urgency that they deserve.
    Mr. Lungren. Well, let me ask you this. From your 
testimony, it doesn't sound to me like you think that it is 
right now receiving, that is the issue of cybersecurity, the 
kind of urgency, the kind of priority that is necessary. Would 
that be a correct characterization of your feeling?
    Mr. Yoran. I would say that the threat against our Nation 
and our Nation's vulnerability to cyberattacks is increasing at 
a rate that is faster than the problem is being dealt with.
    Mr. Lungren. Let me ask you this then, Mr. Yoran. If I were 
to ask you what the top three priorities would be, if we were 
to establish an Assistant Secretary of Cybersecurity, what 
would you say they would be; the most important priorities that 
we need right now to address from the standpoint of DHS, and, 
if this law passes, within the personification of this person 
as Assistant Secretary For Cybersecurity?
    Mr. Yoran. Mr. Chairman, I believe that the single top 
priority for an assistant secretary, should one be created, 
would be to refine the Department's mission statement around 
the area of cybersecurity to go beyond the National Strategy 
and get to more specificity around what activities are under 
way within the Department, and also to point government 
counterparts as well as private sector counterparts to other 
components of the Federal Government which are playing an 
active role in our Nation's defense from cybersecurity threats. 
So that single top priority would be to refine the mission 
statement.
    The second would be to integrate cybersecurity activities 
and priorities into and across all of the various programs of 
the Department of Homeland Security and across the Federal 
Government. So to the extent that cybersecurity and physical 
security risks have not been fully integrated and fully brought 
to the table to address vulnerabilities which may exist, I 
think that would be a top--a second priority for an assistant 
secretary.
    The third would be in the area of resource allocation, once 
the mission definition has been refined; once more active 
participation has been integrated into various protection 
programs of the Department and across the Federal Government, 
to look at the resource allocation challenges and determine if 
the resources are sufficient for dealing with the refined 
mission and requirements.
    Mr. Lungren. Thank you. My 5 minutes are up.
    So Ms. Sanchez is recognized for 5 minutes of questions.
    Ms. Sanchez. Thank you, Mr. Chairman, and thank you all for 
testifying once again.
    I actually think that the whole arena of cybersecurity is 
so large and so vast and with so many things being so 
interconnected that it is just an incredibly overwhelming job. 
I represent Newport Beach, Santa Ana, Irvine area in Orange 
County, which, you know, is one of the top places for white-
collar crime, most of it involving either telephone or 
computer. So it is just so overwhelming when my law enforcement 
officials tell me about all the scams that go on and the way 
that people get taken.
    My question is about the identity theft that is going on 
in, like, for example, the ChoicePoint situation that we 
recently had. What do you think that a new Assistant Secretary 
of Cybersecurity should do or can begin to do to address some 
of these just large databases that exist that can be either 
broken into or that you can pay $9.95 and find out everything 
you ever wanted to know about Loretta Sanchez, including her 
Social Security number, bank account and name of her kitty cat, 
et cetera? What are we going to do about that? Do you have any 
suggestions? I think that is just one of the scariest things 
that I see out there on the horizon for us. Any of you have any 
ideas on that?
    Mr. Miller. I think, Congresswoman, you have addressed a 
critical point. I think this is an example, again, where the 
assistant secretary position would make a difference, because 
what you are in need of is partnership between government and 
industry; having an assistant secretary there to work with the 
Treasury Department, with organizations like Ms. Allen's 
organization and others in the financial services industry and 
others to come up with an aggressive process that protects 
these data better, protects the citizens and the consumers 
whose data are at risk without harming electronic commerce, 
without making electronic transactions impossible to actually 
conduct.
    Having someone at the assistant secretary level could 
convene a meeting along with his level, along with his or her 
colleagues and the other relevant agencies, as well as the 
Federal Trade Commission and Department of Treasury. But again, 
it is very hard to do that. It is very hard to have someone who 
is the head of the division to have internal clout to bring all 
the parties together and/or, frankly, to bring all the members 
of the industry together. So by passing this legislation that 
has been crafted by Congresswoman Lofgren and Mr. Thornberry, 
then you get the kind of clout you need to make these 
partnerships happen.
    Ms. Sanchez. Thank you.
    Anybody else on that?
    Mr. Kurtz. I will expand briefly on what Harris has 
described. I think a lot of this comes down to leadership and 
having that focal point within the Department that other 
agencies can look at across the Federal Government, as well as 
individuals in the private sector. And that is absent now. That 
is why we have this drift.
    Now, is the Department of Homeland Security ultimately 
responsible for removing all spyware or stopping all phishing 
and stopping all data warehouse issues? I would argue, frankly, 
no, at the end of the day. They have a leadership role, but 
that is largely the responsibility of the private sector. But, 
nonetheless, we need that focal point and leader within a 
department that people can turn to to pull together that 
overall strategy.
    I would contend that the key priorities for the Department 
remain identifying that critical infrastructure that is so 
important to our economic and national security and working on 
communications, contingency plans, recovery plans. That is 
consistent with the mission of the Department; and that, to me, 
is what is absent today at the Department of Homeland Security.
    Ms. Allen. I would just say I think there is a role for the 
DHS to play. Certainly on the identity theft issue, just as you 
said, it is a very complex issue. That is a crime that comes 
out of software vulnerabilities. It is a crime that comes out 
of processes that may be lax. It is something that is just not 
a financial services issue. And certainly our regulators are 
very active and very strongly supporting those kinds of 
processes and technology changes that will help address some of 
the issues.
    The problem is the data is out there. You can go on the 
Internet in a very short period of time and find out everything 
that you need to know about you. So the Internet has 
exacerbated the problem by making it easier to pull this 
information together. So it is a combination of educating, 
preparing people and consumers and businesses to understand 
what these threats are and how to prevent them from either a 
process or a technology point of view. It is a point of going 
after the software vulnerabilities and encouraging the 
providers of IT to close those gaps. It is an issue of best 
practices and policies that can be instituted in all kinds of 
institutions. And, most important, it is support of law 
enforcement, the people that are talking to you, letting them 
have both the knowledge and the resources to go after these 
fraudsters.
    Ms. Sanchez. Thank you.
    Thank you, Mr. Chairman, for the time. I appreciate it.
    Mr. Lungren. Thank you.
    And now the Chair recognizes the Chairman of the full 
committee, Mr. Cox.
    Mr. Cox. I thank the Chairman.
    I want to thank, once again, each of our witnesses for your 
outstanding presentations.
    I want to ask about the National Computer Security Division 
and ask you whether or not you agree or disagree with the 
position of the previous assistant secretary of homeland 
security for information analysis and infrastructure 
protection, who told us that keeping the National Computer 
Security Division under the assistant secretary for 
infrastructure protection was the correct thing to do. In the 
assistant secretary's view, its placement there allowed better 
integration of efforts to protect critical infrastructure from 
both physical and cyberthreats.
    Do you agree or disagree with this position and why? And 
can you also add to that whether you see any ways to address 
perceived problems with integration? And, finally, could that 
integration occur at a higher level?
    Yes, Mr. Kurtz.
    Mr. Kurtz. I would respectfully disagree with the previous 
assistant secretary. I think the elegance of the bill that has 
been put together is that you don't lose the integration in 
what has been proposed. Under the bill, you have created a new 
assistant secretary that focuses on cybersecurity who works 
alongside an assistant secretary who presumably is working on 
physical security, and you have your information analysis 
assistant secretary working there as well. So you have three 
assistant secretaries working under an under secretary, and the 
under secretary can work to integrate programs and policies as 
appropriate.
    So I think, you know, in my written remarks, in my oral 
remarks, I also think there is a fundamental misunderstanding 
of how we defend information networks versus physical assets 
which we require a different set of skill set. It is far more 
complex, I would argue, than securing a physical 
infrastructure. So I would--.
    Mr. Cox. And are you of the view that NCS would come under 
the new assistant secretary?
    Mr. Kurtz. Most definitely, especially with the integration 
voice and data networks. I think it would be a mistake to leave 
the NCS out to the side.
    I would note that when we talk about priority 
communications, which are the responsibility of the NCS, if you 
were to set that to the side in a VOIP environment, it would be 
very difficult and cumbersome to coordinate downstream. You 
need to--we need to recognize the confluence of telecom and IP 
networks and have the leadership in place to take care of it.
    Ms. Allen. I would respectfully disagree, also. The reason 
is it is a different skill set in cybersecurity; and it is much 
more complex, as Paul mentioned, to understand the 
cybersecurity issues. And in a way the model of how the public-
private sector works together is one of cooperation and 
collaboration. I don't see why that can't occur within the 
Department of Homeland Security; and I think it would be 
important for Congress to reward success in collaboration and 
problem solving and working together, as opposed to having silo 
approaches.
    Lastly, let me address--the NCS I think is a fabulous 
organization. BITS has worked very closely with them on the 
telecom redundancy and diversity issues. They have been a key 
player in addressing some of the problems that we had after 9/
11 with the business continuity issues, with the telecom 
industry, and I think they belong under the cybersecurity 
arena.
    Mr. Cox. Mr. Miller.
    Mr. Miller. Mr. Cox, the other point I would add, I totally 
agree with my colleagues, with all due respect to the former 
assistant secretary's view. But in addition why this is so 
important is the reason that Ms. Allen brought up so eloquently 
in her testimony is the cross-sectorial work. Not having an 
assistant secretary to bring the other government agencies 
together and get them to focus more on cyber in addition to 
physical is a problem.
    Until yesterday, when my tenure ended, I spent the last 16 
months chairing the Partnership For Critical Infrastructure 
Security, which is an organization of private sector 
representatives of each of the critical sectors. Until I 
brought Mr. Yoran to speak before them about a year and a half 
ago at one of our meetings, many of those other sectors had 
never even thought about the cyber issue, Ms. Allen's 
organization's being a great exception, because financial 
services does and telecommunications does, but many of the 
other sectors hadn't even thought about these issues. And the 
government agencies with which they liaise, Mr. Chairman, a lot 
of them don't have expertise internally. Having an assistant 
secretary at the Department of Homeland Security can help the 
other agencies do a better job in terms of working with these 
other critical sectors.
    Mr. Cox. I just want to note, Mr. Chairman, that the 
legislation that is before us would in fact give the assistant 
secretary primary authority within the Department over the 
National Communications System.
    My time has expired.
    Mr. Lungren. I thank you.
    The Chair now recognizes the ranking member of the full 
committee, Mr. Thompson.
    Mr. Thompson. Thank you, Mr. Chairman; I have an opening 
statement that I want to include in the record, rather, now at 
this time.
    [The statement of Mr. Thompson follows:]

 Prepared Statement of the Honorable Bennie Thompson, Ranking Member, 
                     Committee on Homeland Security

    Thank you Mr. Chairman, Ranking Member Sanchez. I am glad we are 
here today to consider this important legislation.
    H.R. 285 is an important step in fixing a very big problem at the 
Department of Homeland Security. It is clear from the Department's 
actions over the past two years that it does not consider cybersecurity 
to be an important issue.
    For example, the last Director of the National Cybersecurity 
Division, Mr. Amit Yoran who is with us today, left last Fall ? and the 
Department has still made no attempt to identify a replacement.
    In addition, the Department has moved slowly, if at all, to 
implement the goals set out in the National Strategy to Secure 
Cyberspace.
    This inaction is inexcusable. Cybersecurity is about more than just 
the world of computers and hackers. In the 21st century, the prosperity 
of each and every American is dependent in one way or another on 
information technology, and those systems must be protected against 
breaches like the ones experienced by LexisNexis or ChoicePoint.
    Vital assets such as the electric power grid, gas pipelines, 
nuclear power plants, and our air traffic control systems rely on the 
cyber infrastructure for operation. This is also true of vital 
government and military systems. With the ever-changing threats facing 
our cyber infrastructure, time is of the essence.
    It is hard for me to understand how the Administration can be so 
reluctant on this issue, given the overwhelming support by the private 
sector, our colleagues across the aisle, and the Democrats in Congress.
    Today, as we hear from the private sector, I hope to hear 
suggestions as to how the Department of Homeland Security can improve 
its strategy, management skills, and resource allocation to get the job 
done.
    We also need to know whether, from your perspective, you think that 
the government is living up to its obligation in this public-private 
partnership. Is there someone in the government devoting 24-hours a 
day, 7 days a week to cybersecurity? If a cyberattack were to happen 
today, would we be ready for it?
    When it comes to ensuring cybersecurity, I believe that government 
and industry must work together closely, and that this effort requires 
attention at the highest level in both the public and private sectors.
    We can develop a culture of security within our computer networks 
and ensure our national security. But first, we must have effective 
leadership on cybersecurity issues at the Department and we must have 
that leadership now.
    That is why I urge my colleagues, during the markup of H.R. 285 
later today, to vote for this critical legislation. Thank you.

    Mr. Thompson. Let me first compliment and congratulate Mr. 
Silva for his promotion. We all could benefit from such lofty 
movement. Congratulations.
    And I want to compliment Ms. Lofgren and Mr. Thornberry for 
this bill. It is a wonderful bill. We have tried for a while to 
make it happen. There is no question about the fact that we 
need to elevate the position. In Washington, unless you are at 
a certain level, people don't pay you much attention. I think 
clearly the issue of cybersecurity has not been given the level 
of attention that it should have, and hopefully we will correct 
it.
    With respect to merging cyber and physical infrastructure, 
is that something that individually you all see as something 
that is very positive for what is going on, or how do you see 
those two issues?
    Mr. Silva. I think we can't overlook the need to have at 
least close collaboration between the physical and the cyber 
side. I think, as my colleagues have already pointed out, there 
are clearly different disciplines there, but to spin cyber 
separate from physical I think would probably--I think what we 
don't want to do is we don't want to create too much of a 
disconnect between those two, because there is a relationship 
between the physical and the cyber, and I think it shouldn't be 
ignored. As we said in our testimony, or as I said in my 
testimony, it is very important that the leaders of both of 
those organizations, physical and cyber, be empowered 
individuals and be able to work closely together and coordinate 
their efforts in such a way that we don't sacrifice one for the 
other.
    Mr. Thompson. Ms. Allen.
    Ms. Allen. I think that there is an interdependency. 
Certainly, the systems that run much of our critical 
infrastructure are run off the same operating system that the 
financial services runs, that the first responders run. So we 
have to understand the interdependency that our industries, the 
physical industries have on the IT industry, the software 
operating systems, on the telecommunications and the power 
industries. Because if they are down or if there is a cascading 
effect of them being down, our physical structures as well as 
our cyberstructures are going to be--we will not be able to 
communicate. So I do think there need to be separate assistant 
secretary level positions, but I do think there needs to be the 
collaboration and cooperation in addressing the issues.
    Mr. Kurtz. I would essentially agree with what Cathy has 
just pointed out. I think there is--if you pictured a physical 
infrastructure in one circle and the cyberinfrastructure in 
another, there is certainly some overlap between the two. But 
the disciplines through which you use to protract those 
infrastructures, to defend those infrastructures are very 
different. So, on the whole, yeah, there needs to be that 
integration under an under secretary type individual, but there 
is different disciplines involved in protection and defense.
    Mr. Yoran. Sir, I would point out that, just as battle 
plans may include elements of air power, armor, sea power, 
intelligence, similarly we need integrated risk management 
practices. But all of those disciplines are highly specialized 
in and of themselves and need to remain specialized in order to 
be effective.
    I would also--if I could just take a second or two to 
answer the previous question with a slightly different 
perspective, and that is it may have been possible that at the 
initial phases of the National Cyber Security Division it was a 
more effective strategy to make it part of infrastructure 
protection. Simply put, there was no organization. It was a 
from-ground-zero startup. We had to go in and recruit the 
individuals, and having a larger organization to participate in 
may have facilitated some growth and enabled us to build and 
accomplish what we were able to accomplish.
    As Secretary Chertoff moves into his second stage review, I 
would say we also need to look at how in the current 
environment, not with legacy perspectives, we can integrate our 
cybercapabilities into a holistic risk management practice. 
This means having cybersecurity at the table along with 
physical security and participating in the grant programs, the 
emergency planning and readiness programs, the Office of 
Domestic Preparedness, and State and local programs across the 
Department and, just as importantly, alongside other 
departments and agencies. Many of the issues and challenges 
mentioned earlier by my counterparts include many policy 
coordination roles in which the FDC, the Department of State, 
the Department of Justice, and Commerce have a primary 
regulatory or significant stake.
    Mr. Lungren. Thank you very much.
    The gentleman Mr. Pearce is recognized.
    Mr. Pearce. Thank you, Mr. Chairman.
    Ms. Allen, you had stated that investor confidence and 
reliability of information systems are linked to the security 
and reliability. What countries are excelling in that 
particular relationship today, in security and reliability?
    Ms. Allen. Well, the U.S. has the leadership. Even though 
we have headlines about breaches or problems that we have with 
cybersecurity, the U.S. has the most sophisticated people in 
terms of information security and IT. So if you look at best 
practices or you look at the development of software, anti-
intrusion software or other types of software that help to 
prevent or identify breaches, it is mostly U.S. based.
    Mr. Pearce. Also, it would be useful to know, if I were to 
look at the nearest competition, how many laps behind us are 
they? Are they catching up, or is the rest of the world moving? 
Because as we look at the flows of financial capital, this is 
going to be the determining factor.
    Ms. Allen. That is right. In the U.S., we fortunately have 
a good reputation in terms of the--and because of all the 
regulation that we have of the financial community and the 
economic system; and I think we will continue to enjoy that. 
The U.S. is light years ahead of regulators in other countries 
around regulating us against or for information security, 
information technology, all of the issues that help us to 
provide safety and soundness. So we are far ahead of any other 
country in that area.
    There are other countries, however, that have the 
leadership role, so to speak, in the bad guys, the hackers and 
the countries where the ISPs, the Internet service providers, 
are not regulated or there is not oversight.
    So I think we have a challenge in the U.S. to not only 
maintain leadership to maintain our economic livelihood, but we 
also have a challenge to help bring the other regulators and 
the other countries up to speed on these issues, and to help--
to cooperate with them to go after the fraudsters and the 
hackers and the criminals.
    Mr. Pearce. Sure. Actually, the flows of financial capital 
have actually disciplined them very well. I am not so concerned 
that we bring them up, because simply the evaporation of 
capital from them as they fail to do their own internal 
strengthening is going to accomplish that. And we saw that even 
in the recent trip to South America and to some of the 
countries that have turned sharply to the left. Their political 
climate shifted to the left, but their business advisers, their 
economic advisers stayed solidly in the business sector. And 
that is with realization that we can talk what we want to in 
politics, but we had better keep our financial house moving 
forward.
    You talked somewhat in your written testimony about market 
incentives, and I have got one more question for Mr. Silva. So 
if you could give me a very brief description of the market 
incentives that you see available for these functions.
    Ms. Allen. I think both R&D dollars that could help to 
encourage the development of technologies. Because, in the end, 
we are going to have to address this partially as a 
technological issue, the ability to have software that will 
counteract what is happening.
    I think a second is tax incentives to build the critical 
infrastructures. Again, I come back to the telecommunications 
industry as one where we are all reliant on their diversity and 
resiliency, and we need--they are in dire need of help to 
develop that capability.
    Mr. Pearce. Thank you.
    Mr. Silva, you talk about the essential information sharing 
and the fact that it has been hindered by the complex 
bureaucratic structure that mostly is worried about protecting 
people from lawsuits. How can we basically see that the new 
structure is free from those constraints?
    Mr. Silva. I think that particularly--some of this had been 
addressed a couple of years ago with some of the protections 
for FOIA protection and some other areas. But the problem is 
that when organizations want to share information with the 
government, the government either has to make it available to 
all of them or, if it chooses to provide that information only 
to a select few, then there are going to be issues that arise 
from that.
    I mean, there are so many different organizations; and what 
tends to happen is when the information--whenever we create a 
new sharing relationship with an organization that seems to be 
at the exclusion of the other organizations--and this is very 
confusing to the various organizations. In fact, if you want to 
have your bases covered, you have to sort of join every 
organization to make sure that you are covered, and it is quite 
confusing. If the Department can establish a unified policy of 
sharing across the board with all of the organizations that are 
relevant, then I think that would go a long ways to solving 
that problem.
    Mr. Pearce. Thank you. Thank you, Mr. Chairman.
    Mr. Lungren. The gentlelady from California, Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman. And I will be brief 
because I think the witnesses have covered the issues very well 
and thoroughly.
    I would just note, as I said in my opening statement, that 
the staff on the subcommittee in the last Congress worked very 
hard and together. I mentioned Mr. Thornberry's excellent 
staff; and I see that Jessica Herrera who was his Democratic 
staffer, has also came. She also did a fabulous job, and I 
would like to publicly add my thanks to her along with Mr. 
Thornberry's staff.
    As some of the witnesses have mentioned, there is much to 
do, I mean, from identifying and prioritizing the critical 
infrastructure in the cyberspace, to increased funding, to 
implementing the strategy. I mean, we are behind where we 
should be as a nation. And this bill alone doesn't solve that 
problem. What it does is set the stage to solve that problem, I 
believe.
    We in the Congress cannot do the hire for this position. 
That would be inappropriate. But I think that we will give the 
Department an essential tool to recruit an excellent person, 
because the assistant secretary will have the clout and the 
prestige and the authority to actually get the job done. I 
think that has been a frustration for those in the Department 
who have worked hard and who are smart people and who are 
skillful, but they haven't really had the ability to use their 
talents to move the country forward in a way that is so 
important.
    Mr. Thornberry and I, at the end of the last Congress in 
December, issued a report of the activities and findings of the 
cybersecurity subcommittee, and I think some of the issues 
raised here today are really covered in that report in the to 
do list. I am hopeful that this subcommittee, although we have 
a very wide range of responsibilities, that we will have the 
time to schedule some hearings and some oversight on the 
elements that Mr. Thornberry and I identified in the last 
Congress.
    The General Accounting Office is coming back with reports 
to us on some of the issues. One I think has just been received 
in draft form, and we will be receiving another. They are very 
helpful. We know that we need to pay some attention to whether 
or not we need to act to provide incentives for market 
solutions. I mean, there are differences of opinion that are 
valid, but we need--we have not seen the market move forward in 
the way that we had expected. I think we need to explore why 
that has happened and whether there is anything we can or 
should do about that.
    The one thing we do know is that we don't want a heavy 
legislative regulatory approach to this, because our lawmaking 
will never catch up with the code writers. I mean, we really 
need to use market incentives in the leadership of the Federal 
Government in ways that are successful.
    There isn't enough time to really go through how much needs 
to be done. In addition to the reach efforts that have been 
mentioned here, I am very grateful to NSF for stepping up to 
the bat, but clearly there are things that the Department needs 
to do. So I am pleased to be here today. I look forward to the 
markup later today, and I would yield back the balance of my 
time with thanks, Mr. Chairman.
    Mr. Lungren. Thank you very much.
    Mr. Jindal.
    Mr. Jindal. I have two quick questions. The first was 
regarding--Ms. Allen talked about the international 
marketplace, international response to the issue of 
cyberterrorism. I am wondering, is there a need for more 
coordinated international response given the fact that maybe 
attacks may be launched abroad because of the lack of 
protection overseas? Is there more that could be done? Or what 
can be done?
    And the second question--I will go ahead and ask both my 
questions, also building on this question, about the legal 
liability. My question was, how is the insurance industry 
responding to this? Have they created products for the private 
sector to insure against these kinds of risks? If they haven't, 
what can we do to help integration of those products?
    Ms. Allen. I am going to answer both quickly, and I am 
going to defer to Paul on one of the issues of what we can do 
on an international basis.
    The answer is, yes, there is much more that we need to do 
on an international basis, not only cooperation with the laws 
but also with law enforcement. Most of the phishing attacks 
that occur in the U.S. are launched from overseas. Most of the 
phishing attacks that come from the U.S. are launched on 
overseas institutions, and we have got to cooperate and try to 
shut down these fraudsters. So it is a higher level of 
cooperation; and I know Paul will tell you exactly, or at least 
one way to do that.
    Secondly, on your question on market incentives. Yes, the 
insurance industry is developing products that will help to 
ensure best practices or appropriate behaviors of institutions, 
not just financial institutions, but all institutions, 
practices in cybersecurity. I think most of you know, on the 
legal liability side, the financial institutions are by law 
required to make all customers whole if there is any problem in 
an electronic delivery or an electronic transaction. Not all 
other countries have that same restriction. So it is also one 
of the things that makes us a target for potential fraud. There 
is much to do here, but we are looking at market incentives 
from the insurance industry to help move companies along.
    Mr. Jindal. Thank you.
    Mr. Silva. So, while I have the mike on my end, actually, 
some of the insurance companies have started market incentives 
already. In fact, AIG, which is one of our member companies, 
actually offers discounts to companies that adhere to a set of 
best practices. Now, while this is certainly not an end all to 
everything, I think it is an example of a market incentive 
which has a very positive effect and I think offers a 
reasonable reward to companies that are willing to take the 
steps. So I think that it is just starting. It is just 
starting.
    Mr. Miller. On the international, just coincidentally this 
week there is actually a meeting going on in Delhi between 
officials of the U.S. government, the Indian government, the 
U.S. IT industry, the U.S. financial services industry, and the 
industry of India, because India has become such a destination 
for so much offshore work.
    But I would certainly agree, we are really in the infancy 
in the international cooperation. In addition to my chairing 
the U.S. IT association, I chair an international organization 
which is 65 countries. I spend a lot of time traveling around 
the world. And this issue simply hasn't raised itself at a 
higher level in other countries.
    In the IT industry, and most customers, as Ms. Allen said 
in an earlier response to Mr. Pearce's question, certainly in 
the financial services industry, the U.S. is far ahead.
    And, again, while the DHS has domestic responsibility, I 
would contend that having an assistant secretary--to come back 
to the purpose of the hearing--would help to elevate the issue. 
The State Department is doing some good work in holding 
bilateral meetings with other countries around the world. The 
Department of Justice, the Cyber Crime Division, has been doing 
some work with the G8 and other countries. But I think having 
someone at DHS at a higher position would help the 
internationalization of the need to collaborate on these 
issues.
    Mr. Kurtz. I will just expand on what has been said.
    I worked a lot on international issues when I was at the 
White House and did some of the initial trips at India and 
other places to foster international cooperation. At the time, 
we had a good pedestal to stand on. We had a national 
cybersecurity czar. We had a special adviser to the President. 
We don't have that now. It is hard for us to make the point to 
other countries that they need to organize and react when we 
ourselves are not in the position we used to be. This is where 
I go to Harris's point. Having an assistant secretary would 
help us in this space.
    Second point, the Council of Europe Convention on Cyber 
Crime, negotiated under President Clinton, signed under 
President Bush, it is in with the Senate. We would urge 
ratification of the Council of Europe Convention on Cyber 
Crime. I believe Business Software Alliance, ITAA, BITS, and a 
few other organizations have come together to say, to urge for 
ratification of this convention. What will that do? It will put 
in place that global framework for us to go afterSec.  excuse 
me, for law enforcement to go after and prosecute 
cybercriminals abroad. We don't have that framework now.
    Finally, on the insurance question. There is insurance out 
there. I think the problem has been there is no actuarial data 
available, or very little, which means there needs to be some 
sort of best practice or standard put in place. And I think 
until we have that best practice or standard in place that can 
be more widely adopted, we aren't going to see the insurance 
industry be all it can be, if you will, in that space.
    Mr. Jindal. Thank you.
    Mr. Lungren. The gentleman's time has expired.
    We thank all the panelists, all the witnesses for their 
valuable testimony and the members for their questions. Members 
of the committee may have some additional questions for the 
witnesses, and they may submit them in writing to you. We would 
ask you to respond to them, if you can.
    The hearing record will be held open for 10 days.
    The subcommittee stands adjourned. We are going to be 
meeting at 2:00 for markup on this. Thank you very much.
    [Whereupon, at 12:36 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                   Material Submitted For the Record

Questions Submitted by the Honorable James R. Langevin for Catherine A. 
                                 Allen

    Question 1: One thing I have heard consistently over the past two 
years is that government regulation is the wrong way to bolster cyber 
security. The argument is that the government cannot move nearly as 
rapidly as market forces where it comes to information systems and 
security. Best practices are frequently used to demonstrate how the 
private sector is working to encourage a culture of security, except 
that it seems they are not updated as often as may be needed. This begs 
the question of whether these should be standardized by a group like 
NIST or not. I would like the panel's honest assessment of what the 
government's role in cybersecurity.
    Answer 1: Financial institutions are heavily regulated and actively 
supervised at the federal level by the Federal Reserve, Federal Deposit 
Insurance Corporation, Office of the Comptroller of Currency, Office of 
Thrift Supervision, National Credit Union Administration, and the 
Securities and Exchange Commission and at the state level by numerous 
state banking and insurance commissioners. In recent years, these 
regulators have stepped up their oversight on business continuity, 
information security, third party service providers, and critical 
infrastructure protection. The financial services industry is working 
consistently and diligently to comply with new regulations and ongoing 
examinations. In addition, BITS and other industry associations have 
developed and disseminated voluntary guidelines and best practices as 
part of a coordinated effort to strengthen all critical players in the 
financial sector.
    The financial services industry has been aggressive in its efforts 
to strengthen cyber security. We are sharing information, analyzing 
threats, urging the software and technology companies to do more to 
provide more secure products and services, and to combat fraud and 
identity theft.
    Regardless of how well financial institutions respond to 
regulations, we simply cannot address these problems alone. Our 
partners in other critical industry sectors--particularly the 
telecommunications and software industries which are not regulated from 
a safety and soundness or data protection perspective--must do their 
fair share to ensure the soundness of our nation's critical 
infrastructure.
    Our nation's economic and national security relies on the security, 
reliability, recoverability, continuity, and maintenance of information 
systems. IT security has a direct and profound impact on the government 
and private sectors, and the nation's critical infrastructure. Further, 
the security and reliability of information systems is increasingly 
linked to consumer and investor confidence. In recent years, members of 
the user community that rely on technology provided by the IT 
industry--private-sector companies, universities and government 
agencies--are demanding greater accountability for the security of IT 
products and services.
    The federal government can play an important role in protecting the 
nation's IT assets. The following are seven key elements that the U.S. 
government should support to secure information technology. I refer to 
these as PREPARE, which is an acronym based on the first letter of each 
element.
    Promote. Government can play an important role in promoting the 
importance of secure information technology. Also, government should do 
more to facilitate collaboration among critical infrastructure sectors 
and government. Some sectors, such as financial services, are heavily 
regulated and supervised to ensure that customer information is 
protected and that financial institutions operate in a safe and sound 
manner. Examples of actions the government can take include:
         Government should lead by example by ensuring that the 
        issue of cyber security receives adequate attention in the 
        Department of Homeland Security. Today, cyber security is 
        handled at a level far below where most corporations handle 
        these issues. Congress could create a more senior-level policy 
        level position within DHS to address cyber security issues and 
        concerns and ensure that adequate funding is provided.
         Strengthen information sharing coordination 
        mechanisms, such as the Information Sharing and Analysis 
        Centers (ISACs), by ensuring adequate funding is made available 
        to Federal agencies sponsoring such organizations. Information 
        sharing and trend analysis within a sector is essential to 
        protecting information security and responding to events. 
        Information sharing among sectors is equally important as cyber 
        threats sometimes reach some sectors before others.
         Create an emergency communication and reconstitution 
        system in the event of a major cyber attack or disruption of 
        information networks. Such an attack or disruption could 
        potentially cripple many of the primary communication channels. 
        To allow maximum efficiency of information dissemination to key 
        individuals in such an event, a thorough and systematic plan 
        should be in place. The financial services industry has 
        developed such a plan for industry-specific events in the BITS/
        FSR Crisis Communicator. Other organizations have developed 
        similar communication mechanisms. These emergency 
        communications programs should be examined as potential models 
        for a national cyber security emergency communication system.
         Reform of the Common Criteria/National Information 
        Assurance Partnership (NIAP). The current software 
        certification process is costly, inefficient, used on a limited 
        basis by the Federal government, and virtually unknown to the 
        private sector. NIAP should be reformed so that it is more cost 
        effective for vendors to seek certification while ensuring 
        consistent Federal procurement practices and expanded 
        commercial adoption of NIAP-certified products. The BITS 
        Product Certification Program may well be able to serve as a 
        model.
    Responsibility. Government should promote shared responsibility 
between suppliers and end users for developing, deploying, and 
maintaining secure information networks. Government can play an 
important role in establishing incentives and making producers of 
software and hardware accountable for the quality of their products. 
Examples of actions the government can take include:
         Provide tax or other incentives for achieving higher 
        levels of Common Criteria certification. Incremented incentives 
        would help to compensate companies for the time and cost of 
        certification. This should encourage certification and increase 
        the overall security of hardware and software.
         Provide tax or other incentives for certification of 
        revised or updated versions of previously certified software. 
        Under Common Criteria, certification of updated versions is 
        costly and time consuming. Incentives are necessary to ensure 
        that all software is tested for security
         Require software providers to immediately notify ISACs 
        of newly discovered cyber threats and to provide updated 
        information on such threats until an effective patch is 
        provided. It is vital that critical infrastructure companies 
        receive immediate notice of serious vulnerabilities.
         Establish requirements that improve the patch-
        management process to make it more secure and efficient and 
        less costly to organizations.
    Educate. Communicate to all users of information technology the 
importance of safe practices. Public confidence in e-commerce and e-
government is threatened by malicious code vulnerabilities, online 
fraud, phishing, spam, spyware, etc. Ensuring that users (home users, 
businesses of all sizes, and government) are aware of the risks and 
take appropriate precautions is an important role for government and 
the private sector. Examples of actions the government can take 
include:
         Fund joint FTC/DHS consumer cyber security awareness 
        campaign. The FTC should focus its efforts on building consumer 
        awareness, and DHS should coordinate more detailed technical 
        education regarding specific serious threats. In addition, 
        government employees should be trained in proper cyber safety 
        measures.
         Train government employees on proper cyber security 
        measures.
         Educate corporate executives and officers regarding 
        their duties under Sarbanes-Oxley, GLBA, and HIPAA as they 
        relate to cyber security.
    Procure. Using its purchasing power and leveraging security 
requirements and best practices developed by the public and private 
sectors, government can play an important role in encouraging the IT 
industry to deliver and implement more secure systems. Examples of 
actions the government can take include:
         Require high levels of cyber security in software 
        purchased by the government through procurement procedures. 
        Extend such requirements to software used by government 
        contractors, subcontractors, and suppliers.
         Provide NIST with adequate resources to develop 
        minimum cyber security requirements for government procurement. 
        NIST should include software developers and other stakeholders 
        in the standard-creation process.
    Analyze. Government should collect information and analyze the 
costs and impact of information security risks, vulnerabilities and 
threats and provide this analysis to policy makers. Examples of actions 
the government can take include:
         Assign to the Commerce Department or another 
        appropriate agency the responsibility of tracking and reporting 
        such costs and their impact on the economy. Measuring and 
        making these costs transparent will aid law makers and 
        regulators as they assign resources to cyber security programs.
    Research. Government can play an important role in funding R&D in 
the development of more secure software development practices, testing 
and certification programs. In addition, training future generations of 
programmers, technicians and business leaders that understand and 
manage information security can be accomplished by establishing 
university and educational/certification programs. Government can help 
by facilitating collaboration with the users and suppliers of IT to 
develop standards for safe practices. Examples of actions the 
government can take include:
         Enhance DHS, NSF, and DARPA cyber security R&D 
        funding.
         Carefully manage long- and short-term R&D to avoid 
        duplication.
         Establish a mechanism to share educational training 
        and curricula.
    Enforce. Law enforcement must do more to enforce, investigate and 
prosecute cyber crimes here and abroad. Examples of actions the 
government can take include:
         Ratify the Council of Europe's Convention on 
        Cybercrime.
         Enhance criminal penalties for cyber crimes.
         Make cyber crimes and identity theft enforcement a 
        priority among law enforcement agencies.
         Encourage better coordination among law enforcement 
        agencies in order to detect trends.

    Question: 2: If you do not want regulation, what do you want? Can 
DHS actually have an impact if it is only a coordinator and not an 
enforcer? Do you feel it is possible to draft regulations that would 
require minimum security standards, or would that encourage 
complacency?
    Answer 2: Financial institutions are heavily regulated so no 
additional regulation of financial institutions is warranted. Financial 
institutions view the question as how best to urge the software 
industry, telecommunications industry and power industry to take 
greater responsibility for their products and services. It is important 
for members of Congress and the Administration to recognize the 
dependence of all critical infrastructures on software operating 
systems and the Internet. Given this dependence, the Congress should 
encourage providers of software to the financial services industry to 
accept responsibility for the role their products and services play in 
supporting the nation's critical infrastructure. In so doing, Congress 
should support measures that make producers of software more 
accountable for the quality of their products and provide incentives 
such as tax incentives, cyber-insurance, liability/safe harbor/tort 
reform, and certification programs that encourage implementation of 
more secure software. Congress also could provide protection from U.S. 
antitrust laws for critical infrastructure industry groups that agree 
on baseline security specifications for the software and hardware that 
they purchase.
    In addition, DHS can encourage collaboration and coordination among 
other critical infrastructure sectors and government agencies to 
enhance the diversity and resiliency of the telecommunications 
infrastructure. For example, the government should ensure that critical 
telecommunications circuits are adequately protected and that 
redundancy and diversity in the telecommunications networks are 
assured. Further, the Congress should encourage law enforcement to 
prosecute cyber criminals and identity thieves, and publicize U.S. 
government efforts to do so. These efforts help to reassure the public 
and businesses that the Internet is a safe place and electronic 
commerce is an important part of the nation's economy.
    Since its creation in 2003, DHS has focused primarily on physical 
security. It has not focused enough attention on addressing cyber 
security concerns. Elevating the cyber security position is a small 
step as part of a broader strategy to strengthen cyber security. Cyber 
security issues are handled in the government at a level far below 
where most corporations in the private sector handle these issues 
today. Elevating this critical position and ensuring that adequate 
funding is provided will help to focus greater attention on cyber 
security issues within the government and throughout the private sector 
and thus implement many areas identified in the Administration's 
National Strategy to Secure Cyberspace.
    Since its creation, DHS has devoted substantial resources in 
bringing interested parties together to discuss cyber security risks. 
For example, DHS has hosted or supported fora to discuss steps that 
government and the private sector can and should do to mitigate cyber 
security risks. However, DHS has not devoted enough resources to 
address other key components of securing cyberspace. This include 
efforts to raise awareness of cyber security risks and steps consumers 
can take to protect themselves, facilitating collaboration among 
critical infrastructure sectors and government, strengthening a 
information sharing coordination mechanisms, such as the Information 
Sharing and Analysis Centers (ISACs), reforming the Common Criteria/
National Information Assurance Partnership (NIAP), and urging the IT 
industry to take on greater responsibility for the security/quality of 
its products and services.

    Question 3: Ms. Allen, I would like to get your opinion on the 
recent joint rules made by the FDIC, Comptroller of the Currency and 
other agencies regarding data theft at financial institutions. Do you 
believe they overstepped their bounds by doing this? If so, how do you 
feel this growing problem should be dealt with?
    Answer 3: The federal financial regulators issued a final rule on 
customer notice breach requirements in March 2005 following a notice 
and comment period. About 80 organizations submitted comment letters, 
including BITS and The Financial Services Roundtable. Fortunately, the 
regulators responded to some of the concerns voiced in these comment 
letters. Consequently, the regulators provided greater flexibility for 
financial institutions when deciding when and how best to notify 
customers in response to a security breach.
    Notifying customers is a complicated and complex process and can, 
if poorly done, undermine confidence in the financial services 
industry. Care must be exercised in alerting consumers to steps they 
can take to protect themselves from ID theft and other forms of fraud 
while averting needless alarm.
    Members of BITS and The Financial Services Roundtable believe 
financial institutions have a strong track record in protecting 
customer information and in communicating with customers when security 
concerns arise. Protecting customer information is of paramount concern 
and our member institutions have taken a proactive approach in this 
regard. Examples of these efforts include the creation of the Identity 
Theft Assistance Center (ITAC) as well as BITS guidelines and best 
practices for reducing fraud, managing third party providers, engaging 
law enforcement agencies, and communicating with customers.
    We believe that financial institutions should have the flexibility 
to develop their own risk-based approaches toward dealing with 
unauthorized access to customer information, whether at their own 
operations or with a third party service provider, within the current 
guidelines set forth in section 501b of GLBA. For example, financial 
institutions should be given flexibility in determining a course of 
action when they ``flag'' and secure accounts that have been 
threatened.
    Efforts by various states and regulatory agencies raise significant 
implementation problems for financial institutions. In a transient 
society, notification should occur uniformly regardless of which state 
the consumer may live in. Moreover, inconsistent application of 
inconsistent state law inevitably creates a compliance nightmare for 
institutions with a multi-state presence.
    Members of BITS and The Roundtable believe it is important for 
legislators and regulators to adopt uniform national standards to avoid 
serious implementation problems and inconsistent applications. Our 
members also encourage legislators and regulators to mandate 
notification only when there is some indication that the breach 
actually has the potential to cause harm or injury. If harm is 
demonstrably contained, for example, and no risk really exists, there 
should not be any reason to notify and scare people. Moreover, we 
believe it is wise policy that legislators and regulators require 
companies that discover breaches in security to immediately notify law 
enforcement authorities, as well as consumer reporting agencies, so 
that law enforcement authority can get a jump on any existing 
criminality and Credit Reporting Agencies may be better prepared for 
the potential volume of consumer inquiries about the impact of any 
breach on consumer credit history. Further, BITS and the Roundtable 
support measures to impose caps on damages. Any allowable damages 
should have firm caps and there should be no damages absent a showing 
of intent or actual harm. Absent negligence, an affirmative defense 
should be available if the company can demonstrate that is it a victim 
of fraud. Other measures include providing ``safe harbors'' from 
lawsuits for companies if they have instituted reasonable internal 
notification procedures.

  Questions Submitted by the Honorable Daniel Lungren for Paul B. Kurt

    Question: 1. What is the Government's role in cybersecurity? If you 
don't want regulation, what do you want? Can DHS actually have an 
impact if it is only a coordinator and not an enforcer? Do you feel is 
it possible to draft regulations that would require minimum security 
standards, or would that encourage complacency?

Government's Role in Cybersecurity
    The Federal Government is positioned to assist with forensics, 
attack attribution, protection of networks and systems critical to 
national security, indications and warnings, and protection against 
organized attacks capable of inflicting debilitating damage to the 
economy. Additionally, Federal activities should also support research 
and development that will enable the private sector to better secure 
privately-owned portions of the nation's critical infrastructure.

    Three Federal documents provide a framework for Federal 
responsibilities to secure cyberspace:
         The President's National Strategy to Secure Cyberspace 
        (February 14,2003)
         Homeland Security Presidential Directive-7 (HSPD-7) 
        (December 17, 2003)
         The National Response Plan's Cyber Incident Annex 
        (January 6, 2005)
    The President's National Strategy to Secure Cyberspace provides 
clear policy guidance on the Federal government's role: ``The policy of 
the United States is to protect against the debilitating disruption of 
the operation of information systems for critical infrastructures and, 
thereby, to help protect the people, economy, and national security of 
the United States. . . We must act to reduce our vulnerabilities to 
these threats before they can be exploited to damage the cyber systems 
supporting our nation's critical infrastructure and ensure that such 
disruptions of cyberspace are infrequent, of minimal duration, 
manageable and cause the least damage possible.''
    HSPD-7 establishes the U.S. government's policy for the 
identification and protection of critical infrastructure from terrorist 
attacks. It focuses in large part on the identification and protection 
of assets that would cause catastrophic health effects or mass 
casualties if attacked, comparable to those from the use of a weapon of 
mass destruction.
    Finally, The National Response Plan's Cyber Incident Annex upholds 
the President's National Strategy to Secure Cyberspace and HSPD-7. The 
NRP Cyber Incident Annex states that the Federal government plays a 
significant role in managing intergovernmental coordination (Federal, 
state, local and tribal) and, where appropriate, public-private 
coordination in response to cyber incidents of national significance.
    Ultimately, Federal activity is bounded by these three documents to 
protecting against debilitating attacks against critical 
infrastructure, attack attribution for national security systems, 
forensics, and research and development.

The DHS Impact
    The Department of Homeland Security (DHS), as designated by HSPD-7 
and the National Strategy, is the government's focal point for 
prevention, response and recovery from cyber security incidents that 
have a debilitating impact on our national and economic security. The 
Strategy sets specific responsibilities for the DHS, including:
     Developing a comprehensive plan to secure critical 
infrastructure
     Coordinating with other Federal agencies to provide 
specific warning information and advice about appropriate protective 
measures and countermeasures to state, local and nongovernmental 
organizations including the private sector, academia and the public.
    DHS's responsibilities in the area of cyber security, although 
narrowly defined, are extremely significant to our economic and 
national security. DHS serves as the point of coordination for all 
government and national efforts. Senior DHS leadership, at the 
Assistant Secretary level or higher, is needed to build an effective 
government-private sector relationship, to understand the technical and 
global complexities of cyber security, and to marshal the resources 
necessary to provide an effective partnership with private sector 
organizations and initiatives.

Regulation
    Regulation is difficult, due to rapid technology changes, and 
regulation can also stymie innovation. A report from the Business 
Roundtable (BRT) states, ``traditional regulations directing how 
companies should configure their information systems and networks could 
discourage more effective and successful efforts by driving cyber 
security practices to a lowest common denominator, which evolving 
technology would quickly marginalize.'' A regulatory approach could 
result in more homogeneous security architectures that are less secure 
than those currently deployed. Given the complexity and dynamism of 
cyberspace, the marketplace will provide in most cases the necessary 
impetus for improving IT security. In those instances where existing 
market forces fail to provide such impetus, incentive programs that 
rectify market shortfalls and encourage proactive security solutions 
should be considered and adopted as appropriate.

Minimum Standards
    CSIA believes we should encourage the adoption of existing 
standards, rather than creating new ones. Several sets of standards and 
best practices exist today. Some are required under current regulation, 
such as Gramm-Leach-Bliley or the FDA Part 21, while others are 
voluntary, such as International Standards Organization (ISO) 17799, or 
Control Objectives for Information Technology and Related Systems 
(COBIT).

    Question 2: What can be done to improve cybersecurity within the 
Government? Why is the Government's coordination so bad? Should DHS be 
responsible for the Federal government's cybersecurity, or should OMB 
retain this duty?
    The Government has to address cybersecurity in a holistic manner, 
rather than attempting to solve each problem piece by piece. By 
securing entire networks from the ground up, coordination within the 
Government will improve.
    To even begin to accomplish this, OMB needs to look to the 
authority it was granted in the Federal Information Security Management 
Act of 2002 (FISMA). FISMA positions OMB to strengthen the federal 
information security program, evaluation, and reporting requirements 
for federal agencies. However, this has not been achieved to its 
highest level, nor are there adequate--resources and personnel 
available to accomplish this. The security of Federal systems could be 
improved by ensuring OMB has more resources to ensure oversight of 
FISMA implementation.
    The government needs to use the power of procurement to encourage 
vendors to provide products that meet a higher government standard. 
Subsequently, the government can coordinate to implement standard 
practices, procedures, and policies across all the federal agencies.
    The security of Federal systems could also be improved by ensuring 
FISMA is more thoroughly applied to contractors supporting the Federal 
government. The GAO's recent report, ``Improving Oversight of Access to 
Federal Systems and Data by Contractors Can Reduce Risk'' discusses 
this issue in detail.
    Finally, GAO identifies in ``Continued Efforts Needed to Sustain 
Progress in Implementing Statutory Requirements'' the use of the annual 
``report card'' on governmental information security as an effective 
tool to identify and address security weaknesses.

    Question 3: Is the private sector doing enough to educate consumers 
and users about the importance of cyber security? There have been 
several studies recently that show most computer users do not take 
security very seriously. What can we do about this?
    Based on the number of security breaches and increasing cases of 
identity theft, it is fair to say that consumers are not as educated on 
the importance of cybersecurity as they should be, leaving a large 
percentage of computers unprotected. The private sector has increased 
its efforts in recent years to educate consumers about cybersecurity 
issues. Primarily, the private sector has established partnerships with 
the major networking and operating system providers, which have eased 
the burden on the consumer, while working to secure cyberspace.
    Awareness campaigns, such as October's National Cyber Security 
Awareness Month, have also helped in the effort. CSIA and the National 
CyberSecurity Alliance(NCSA), along with a number of other awareness 
organizations, work with the FTC, FBI, the Small Business 
Administration, the Department of Homeland Security, the Department of 
Commerce, and other government agencies at the federal, state, and 
local level to promote cyber security awareness.
    In instances where existing market forces fail to provide adequate 
impetus, incentive programs that rectify market shortfalls and 
encourage proactive security solutions should be considered and adopted 
as appropriate. A recent Congressional Research Service Report 
discusses incentives that may be adopted to help foster cyber security.
    Finally, Federal government's leadership, particularly through an 
Assistant Secretary position at DHS, fostering collaboration, reducing 
legal barriers, and leading by example, will continue to assist the 
private sector in educating consumers.

  Questions Submitted by the Honorable James R. Langevin for Ken Silva

Questions: One thing I have heard consistently over the past two years 
is that government regulation is the wrong way to bolster cyber 
security. The argument is that government cannot move nearly as rapidly 
as market forces when it comes to information systems and security. 
Best practices are frequently used to demonstrate how the private 
sector is working to encourage a culture of security, except it seems 
they are not updated as often as may be needed. This begs the questions 
of weather these should be standardized by a group like NIST or not. I 
would like the panel's honest assessment of what the government's role 
in cyber security is.
    * If you don't want regulation what do you want? Can DHS actually 
have an impact if it is only the coordinator and not the enforcer? Do 
you feel it is possible to draft regulations that would require 
minimum-security standards or would that encourage complacency?
    Answer: You are correct that there seems to be a fairly broad 
consensus not just in the private sector, but in the National Strategy 
to Secure Cyber Space published by the Bush Administration, that 
federal regulation is not the appropriate approach to improving cyber 
security.
    However, it is not just because the regulatory process is slow. 
There are many other reasons as well.
    I'm not sure the federal government is on very firm ground in 
asserting that if they, through NIST of any other mechanism, wrote 
standards that there would be dramatic improvement. After all, for the 
fifth consecutive year the average score of the 24 federal agencies, 
which are charged with meeting such federal standards for cyber 
security, was a D+.As bad as things are generally in the private 
sector, recent research shows there is a substantial minority of firms, 
probably about 20% who are doing an excellent job at cyber security by 
following best practices. I'm not aware that the federal government's 
record is nearly that good.
    And, while it is fine to say that federal standards intent would 
only be to create a floor many feel that floor would, in reality, 
become a ceiling. The last thing we want in the cyber security field is 
something like we have in the campaign finance field where everyone 
claims they meet the federal standards and no one really believes the 
regulations are accomplishing their intended goals.
    In the last Congress one of your colleagues, Congressman Adam 
Putnam, circulated a draft bill that would have attempted to layout a 
regulatory system. It was resoundingly opposed by virtually all 
segments of the industry.
    In response Congressman Putnam appointed the Corporate Information 
Security Working Group (CISWG) to address the question you ask today. 
At the conclusion of that effort last year Chairman Putnam wrote of the 
CISWG group that: "The corresponding recommendations have provided 
valuable information and have already produced a variety of initiatives 
that have made a measurable difference."
    The Internet Security Alliance was very active in that group and is 
responsible for some of theses initiatives. The co-chairs of the 
Committee on Incentives, Liability and Safe Harbors was co-chaired by 
my first Vice Chairman on the ISAlliance Board, Ty Sagalow of AIG, and 
our ISAlliance Chief Operating Officer, Larry Clinton.
    15 different trade associations participated in the Incentives/
Liability Sub Group and produced two fairly detailed reports go a long 
way toward answering your question. I am supplying the reports for the 
record.
    Briefly the group first answered your question of why regulatory 
measures were inappropriate to address this issue. They provided a 
series of reasons including the following:
        1. The traditional regulatory structure (i.e. FCC/SEC style 
        regulation) is likely to be both ineffective and potentially 
        counterproductive to the interests of implementing a 
        comprehensive cyber security program.
        2. A cyber security program based on positive incentives is 
        more likely to generate safer and more attractive products. 
        This will increase consumer and business confidence in advanced 
        technology and result in a better environment for the American 
        economy in general and American businesses and consumers in 
        particular.
        3. Traditional regulatory structures are likely to be 
        ineffective because:
                 The international nature of the cyber security 
                issue demands a cross-boarder solution which national 
                legislation cannot achieve.
                 The ever-evolving nature of the Internet and 
                the cyber security threat demands a solution that can 
                be quickly adapted to changing circumstances which is 
                inconsistent with the nature of the traditional 
                regulatory structure.
                 The current US political consensus is that 
                regulation of the Internet is unwise and hence the time 
                it may take to enact a regulatory structure may not be 
                appropriate given the urgency of the worldwide cyber 
                security problem.
        4. Traditional regulatory approach to cyber security is 
        potentially counterproductive because:
                 The traditional regulatory structure is an 
                open process of public comment and reply comments. Such 
                a process could lead to providing a roadmap of 
                vulnerabilities to nefarious parties intent on causing 
                damage.
                 Private industry is better able to innovate 
                and maintain the array of tools necessary to adequately 
                police Internet security. Relying on inadequate 
                resources could lead to the unsophisticated decisions 
                yielding less, rather than more security
                 The political process by which traditional 
                regulatory standards are reached encourages compromise 
                rather than maximum effectiveness. Hence the political 
                process could result in an inefficient program that 
                could yield a false sense of security.
                 Government regulation of technology may blunt 
                innovation resulting in less consumer choice, economy 
                and security.
        5. Hence a program of positive incentives such as insurance 
        incentives, liability incentives and tax incentives is likely 
        to be an effective, comprehensive and ongoing program of 
        managing the security risks consistent with the ever evolving 
        and international nature of the technology and the threats to 
        it.
    Based on this assessment the CISWG concluded, as did the National 
Strategy to Secure Cyber Space, that the best approach would be for 
governments and industry to work together. Specifically, the Working 
Group outlined six different incentive programs that should be 
considered three of which would be led by industry and three of which 
would be led by government.

    In summary they are:

        Industry Led:
                1. Development of Common Measurement Tools/Seal of 
                Approval and Vendor Certification Programs
                2. Better Use of Cyber insurance tied to best practice 
                adoption
                3. Development of market entry incentives

        Government Led
                1. Safe harbor/tort reform tied to best practice 
                implementation
                2. Tax incentives
                3. Credit programs such as FEMA credits or use of 
                government procurement to drive better security in 
                products sold
    In the final phase of the CIWG process the group began to develop a 
new paradigm which could be used to drive best practice adoption on an 
international level by tying the various incentives into broadly 
adopted best practices which would use market forces to continually 
generate updates and modernizations.
    The Sub-Group found that within the marketplace there already 
exists a robust assortment of published regulations, standards, best 
practices, and similar guidance. Research shows that compliance with 
these existing practices can result in demonstrable improvements in 
cyber security. Indeed, the largest study in the field to date found 
that the approximately 20% of companies deemed the "best practices 
group" suffered less monetary damage and downtime than less careful 
corporations, and one-third of this group suffered no such 
inconvenience despite being targeted by attackers regularly.
    Further, the Group found that while there are apparently effective 
best information security practices operative in the world, there is 
still a consensus that no one size fits all. What qualifies for a 
specific entity, as a best practice will be affected by size of the 
entity, the culture or cultures it operates within, its sector specific 
regulatory status, and a range of other variables?
    Government's role in the public-private partnership is to fashion 
an incentive program for the good actors that will create a business 
advantage for them over less careful players. In so doing, we hope to 
harness the power of the market to motivate cyber security.
    The group specifically did not endorse the creation of a federally 
specified standard of information security to be applied to the vast 
private sector. Rather they were concerned that such an approach would 
be too static and could put U.S. business at a competitive 
disadvantage. Such an approach also might not be appropriate across 
various sectors, might be weaker than needed due to the political 
nature of the regulatory process, and hence, could be counter 
productive. It would also be very hard to enact legislatively.
    Instead, they proposed that companies have available federal 
incentives if they implement information security pursuant to and meet 
the:
         Information security procedures adopted by a Federal 
        sector-specific regulatory agency.
         Standards established and maintained by the following 
        recognized standards organizations:
                 International Organization for Standardization
                 American National Standards Institute
                 Electronic Industries Alliance
         National Institute of Standards and Technology
         Standards established and maintained by an accredited 
        security certification organization or a self-regulatory 
        organization such as NASD, BITS, or the emerging CISP 
        structure.
    Finally, the Sub-Group analyzed the various types of incentives 
available and proposes a series of classes for organizing these 
incentives with the greater ability of an entity to demonstrate 
performance of agreed upon security practices yielding greater benefit. 
These incentives and their classification will require further analysis 
as part of the enactment process security controls pursuant to the 
identified standards should not be considered as conducting an unfair 
or deceptive practice. Similar state-based claims would also be 
preempted.

    These benefits include:
         Limits on FTC Jurisdiction--a company that 
        demonstrates it implemented information security controls 
        pursuant to the identified standards should not be considered 
        as conducting an unfair or deceptive practice. Similar state-
        based claims would also be preempted.
         Limits on State Actions--Once a company has 
        demonstrated it has met the security requirements, then 
        plaintiffs should face additional burdens, such as increases in 
        the burdens of proof, caps on punitive damages, prohibitions on 
        third-party liability, prelitigation notice requirements, or a 
        cap on damages.
    In summary Mr. Langevin, the Internet is a new type of technology 
that will require different methods of management and assurance than 
those that have been applied to previous technologies. Federal 
standards, for the reasons cited, above are not the answer.
    This is not to say that the government, and governnient agencies 
such as NIST have no role. Quite the contrary, they have a very 
important role working with the private sector as part of a new model 
to insure long term information security.
    The Internet Security Alliance would be pleased to work with the 
Committee in further developing this new model.